2.2.2 SignCert Request

The SignCert Request is the message that the client sends, after prompting the end user for OTP credentials, in order to perform OTP authentication and have its certificate request signed.

The message MUST be a Unicode XML 1.0 document that uses the following XML namespace as its default:

http://schemas.microsoft.com/otpcep/1.0/protocol

The XML document MUST contain a signCertRequest element. The message MUST NOT include additional data before or after the XML document. The XML document MAY contain trailing whitespace as part of the encoded content, as specified in [XML] section 2.1.

 <xs:element name="signCertRequest">
   <xs:complexType>
     <xs:attribute name="username" type="xs:string" 
          use="required" />
     <xs:attribute name="oneTimePassword" type="xs:string" 
          use="required" />
     <xs:attribute name="certRequest" type="otpcep:CertificateRequestBase64Binary" 
          use="required" />
   </xs:complexType>
 </xs:element>

The signCertRequest element contains the following attributes:

username:  A NULL-terminated string that contains the user name.

oneTimePassword:  A NULL-terminated string that contains the user's one-time credentials. The one-time credentials MUST contain an ever-changing one-time password (OTP) part. The one-time credentials MAY contain a static password (PIN) part.

certRequest:  The certificate enrollment request in PKCS #10 format ([RFC2986]). The request MUST be created by using the certificate template as defined in section 1.5.

The certificate request MUST be digitally signed with a valid signature, as specified in [RFC2986]; that is, the PKCS #10 CertificationRequest MUST carry the self-signature made with the private key that corresponds to the public key it contains.
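As an added example (not part of the protocol text and not Microsoft's code), the following Python builds a signCertRequest message from its three attributes and validates a received one against the rules above: a single well-formed XML document whose root is signCertRequest in the otpcep namespace, all three required attributes present, and a certRequest value that base64-decodes to exactly one DER SEQUENCE. The sample CSR bytes are a constructed placeholder and not a real PKCS #10 request; the function and constant names are the example's own.

```python
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

OTPCEP_NS = "http://schemas.microsoft.com/otpcep/1.0/protocol"
ROOT_TAG = "{%s}signCertRequest" % OTPCEP_NS
REQUIRED_ATTRS = ("username", "oneTimePassword", "certRequest")

# Constructed placeholder: a DER SEQUENCE holding INTEGER 0 and NULL. It is
# NOT a real PKCS #10 request; only the outer SEQUENCE framing is realistic.
SAMPLE_CSR_DER = bytes.fromhex("30050201000500")


def build_sign_cert_request(username, one_time_password, csr_der):
    """Serialize a signCertRequest message as UTF-8 bytes.

    quoteattr escapes '&', '<' and quotes, so a user name or an OTP/PIN string
    containing them cannot break out of its attribute.
    """
    xml = "<signCertRequest xmlns=%s username=%s oneTimePassword=%s certRequest=%s/>" % (
        quoteattr(OTPCEP_NS),
        quoteattr(username),
        quoteattr(one_time_password),
        quoteattr(base64.b64encode(csr_der).decode("ascii")),
    )
    return xml.encode("utf-8")


def der_sequence_content_length(der):
    """Check that der is exactly one DER SEQUENCE and return its content length.

    Only the outer tag/length framing is checked. Verifying the PKCS #10
    self-signature needs an ASN.1 and X.509 library and is outside this example.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("certRequest is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long-form length: 0x8N, then N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("invalid DER length encoding")
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
        # DER demands the shortest encoding: no leading zero byte, and the
        # long form only when the value does not fit in the short form.
        if der[2] == 0 or length < 0x80:
            raise ValueError("non-minimal DER length encoding")
    if header + length != len(der):
        raise ValueError("certRequest length does not match its DER header")
    return length


def parse_sign_cert_request(message):
    """Parse and validate a signCertRequest; return its attributes as a dict.

    Rejects anything that is not a single well-formed XML document (expat
    reports data after the root element as 'junk after document element'),
    a root element outside the otpcep namespace, missing required attributes,
    and a certRequest that is not base64-encoded DER.
    """
    try:
        root = ET.fromstring(message)
    except ET.ParseError as exc:
        raise ValueError("not a single well-formed XML document: %s" % exc)
    if root.tag != ROOT_TAG:
        raise ValueError("root element is not otpcep:signCertRequest")
    missing = [a for a in REQUIRED_ATTRS if a not in root.attrib]
    if missing:
        raise ValueError("missing required attribute(s): %s" % ", ".join(missing))
    try:
        # validate=True rejects characters outside the base64 alphabet
        csr_der = base64.b64decode(root.attrib["certRequest"], validate=True)
    except ValueError as exc:
        raise ValueError("certRequest is not valid base64: %s" % exc)
    der_sequence_content_length(csr_der)
    return {
        "username": root.attrib["username"],
        "oneTimePassword": root.attrib["oneTimePassword"],
        "certRequest": csr_der,
    }


if __name__ == "__main__":
    msg = build_sign_cert_request("alice", 'pin&"123456', SAMPLE_CSR_DER)
    print(msg.decode())
    print(parse_sign_cert_request(msg))
```

Escaping the attribute values matters because the OTP and any PIN prefix are carried verbatim in oneTimePassword; a credential containing an ampersand or a quote would otherwise yield a malformed message, and an unescaped user name could inject its own attributes. Trailing whitespace after the root element is accepted, while any other data after it is rejected by the parser. The certRequest check covers only the outer DER framing; verifying the PKCS #10 signature that the preceding paragraph requires needs a real ASN.1/X.509 library, and a server should treat the whole message as credential material when logging.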