A Division of TruSecure Corporation
CMP Interop Project
December 6, 2000
Robert [email protected]
CMP Interop Goals
Establish the baseline of mandatory CMP functions: Done!
Establish the optional, but important CMP functions: Done!
Expose any deficiencies or difficulties with the specification and provide needed feedback to the IETF on recommended changes to the specification: Progress!
Provide the foundation for future product testing so that customers will be able to buy PKI products with confidence: Light at the end of the tunnel!
What is CMP Interop? Mandatory and Desired
Support DSA and RSA algorithms in certificate templates and for use in PKI Protection and POP (Proof of Possession)
digitalSignature and dataEncipherment in keyUsage separately and together in certificates
PKI Protection and POP
CMP Transport Method
  TCP direct (port 829) and HTTP
What is CMP Interop cont.
CMP Transactions
  ir, cr, rr, kur, and ccr (CA implementations only)
  ir with one or two certificate requests
Transaction sequence
  Req/rep (ImplicitConfirm)
  Req/err (bad request)
  Req/rep/certconf/pkiconf
  Req/rep/err/pkiconf (bad certificate)
  Req/rep/certconf/err (bad confirmation)
PKI Protection
  MAC (shared secret for ir)
  SIG (using a signing cert.)
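
The five transaction sequences listed above, written as a checker that an interop harness could run over a recorded exchange. This is an added example, not code from the presentation or from any participant: the trace format, the `classify` function, the "C"/"S" role labels and the `implicit_confirm` flag are assumptions. Message names follow the CMP PKIBody choices, and only the certificate-issuing requests are covered.

```python
# Added example: classify a recorded CMP exchange against the slide's sequences.
# Roles: "C" = requester, "S" = responder (labels are assumptions of this sketch).
RESPONSE_FOR = {"ir": "ip", "cr": "cp", "kur": "kup", "ccr": "ccp"}

def classify(trace, implicit_confirm=False):
    """trace: list of (role, body) tuples. Returns the slide's name for the
    sequence, or raises ValueError if the exchange matches none of them."""
    def expect(i, role, bodies):
        if i >= len(trace):
            raise ValueError(f"trace ends early: expected {role} {sorted(bodies)}")
        if trace[i][0] != role or trace[i][1] not in bodies:
            raise ValueError(f"message {i}: expected {role} {sorted(bodies)}, got {trace[i]}")
        return trace[i][1]

    req = expect(0, "C", RESPONSE_FOR)
    rep = expect(1, "S", {RESPONSE_FOR[req], "error"})
    if rep == "error":
        name, used = "Req/err (bad request)", 2
    elif implicit_confirm:
        # Both sides agreed to skip confirmation, so the response ends it.
        name, used = "Req/rep (ImplicitConfirm)", 2
    else:
        third = expect(2, "C", {"certConf", "error"})
        fourth = expect(3, "S", {"pkiconf", "error"})
        if (third, fourth) == ("certConf", "pkiconf"):
            name = "Req/rep/certconf/pkiconf"
        elif (third, fourth) == ("error", "pkiconf"):
            name = "Req/rep/err/pkiconf (bad certificate)"
        elif (third, fourth) == ("certConf", "error"):
            name = "Req/rep/certconf/err (bad confirmation)"
        else:
            raise ValueError("error answered by error is not a listed sequence")
        used = 4
    if len(trace) != used:
        raise ValueError(f"{len(trace) - used} unexpected trailing message(s)")
    return name

# Constructed sample traces, not captured traffic.
SAMPLES = [
    ([("C", "ir"), ("S", "ip")], True),
    ([("C", "cr"), ("S", "error")], False),
    ([("C", "kur"), ("S", "kup"), ("C", "certConf"), ("S", "pkiconf")], False),
    ([("C", "ir"), ("S", "ip"), ("C", "error"), ("S", "pkiconf")], False),
    ([("C", "ir"), ("S", "ip"), ("C", "certConf"), ("S", "error")], False),
]

if __name__ == "__main__":
    for trace, implicit in SAMPLES:
        print(classify(trace, implicit))
```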
What is CMP Interop cont.
Over 80 testing combinations!
  Not all need be supported by all vendors
  All need to be supported by some vendors
    Or specification changed
Yes, CMP can be as complex as you wish
  But it does not have to be so for all implementations!
Active Interop Participants
Baltimore, Certicom (Trustpoint), Cylink, Cryptlib (open source), Entegrity, Entrust, IBM, TC Trustcenter,
RSA Research, SSH, Sun (Java)
Now inactive
ICSA Labs is coordinating/running Interop efforts
Pending Interop Participants
Motus Technologies, NIST, Open CA, Siemens, Utimaco
Lessons Learned
CA policy has a major impact on EE use of CMP
  Need to collect basic policy items
A few areas in specs are unclear
  Need list ‘lore’ to implement
Changes to Internet Drafts published
Conclusions
Over the Internet workshops are viable
  Engineers can work around timezone problems easier than getting travel authorization
CMP Interop does not currently exist
  All participants were using pre-production code
Basic CMP Interop WAS achieved this year
  EE to CA, not CA to CA
Pending Work Items
Next year to finish up Interop
  CMP Transport polling QC 'protection' of transactions application testing
    using certificates in real applications
ICSA Labs will be able to develop compliance criteria for CMP
More participation needed