PKI Forum Technical Work Group (PKIF TWG) Report
29 June 2000
Mark Davis, Andrew Nash et al

Points of Interest

- PKI Bench from Entegrity
- Why we are starting at 8:30 …

Management Protocols

- Intent: give an overview and understanding of the protocols
- Decision considerations
- Presenters:
  - SCEP: Bob Moskowitz
  - CMP: Stephen Farrell
  - CMC: Michael Myers

Lifecycle Protocols – SCEP

- Puts certificates into devices that have no web browser
- IETF draft, no activity
- Cisco reference implementation in progress
- Q: How accurate is the implementation to the spec?
  - A: Interoperation built from the spec alone has been observed

Lifecycle Protocols – CMP

- PKIX certificate management (RFC 2510)
- Comprehensive for key and lifecycle management (11 operations)
- High level of flexibility (EE-RA-RA-CA!)
- CRMF (RFC 2511) split out for reuse with CMC
- Version 2 based on interoperability testing results

Lifecycle Protocols – CMC

- Reuses as much as possible of the S/MIME library
  - Small footprint for PDAs, phones etc.
- Alternative to CMP (RFC 2797), based on PKCS #7/#10 and using Cisco work
- Uses CRMF
- Other requirements: single round trip certificate requests, client-side key generation
- Server-side key generation is possible
- Similar functionality between CMC and CMP
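The single round trip with client-side key generation that the slide lists as a CMC requirement, shown as an added example in Go (this is not code from the report or from any CMC or CMP implementation). The end entity generates its key pair locally and signs a PKCS #10 request with it; that self-signature is the proof of possession, so the CA can verify it and issue in the same exchange. The CA, the names and the validity periods are assumptions; a CMC Simple PKI Request is exactly such a bare PKCS #10, while the Full PKI Request adds the PKCS #7/CMS wrapper, which is omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a hypothetical issuing authority: a self-signed certificate and its key.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA creates a self-signed CA (assumption: one level of hierarchy is enough
// to show the exchange).
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// ClientRequest is the end-entity side. The key pair is generated locally and
// never leaves the device; the PKCS#10 request is signed with the new private
// key, and that self-signature is the proof of possession (POP) the CA checks.
func ClientRequest(cn string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csrDER, err
}

// Issue is the CA side: parse the request, verify the POP signature against the
// public key carried inside it, then issue an end-entity certificate.
func (ca *CA) Issue(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("malformed request: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               csr.Subject, // a real CA applies its naming policy here
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, // IsCA stays false: an end-entity certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Enroll runs the whole exchange: one request up, one certificate back.
func Enroll(ca *CA, cn string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, csrDER, err := ClientRequest(cn)
	if err != nil {
		return nil, nil, err
	}
	cert, err := ca.Issue(csrDER)
	return key, cert, err
}

func main() {
	ca, err := NewCA("Example Issuing CA")
	if err != nil {
		panic(err)
	}
	key, cert, err := Enroll(ca, "router-01")
	if err != nil {
		panic(err)
	}
	fmt.Printf("issued %q, key matches: %v\n", cert.Subject.CommonName, key.PublicKey.Equal(cert.PublicKey))
}
```

The one-round-trip property holds only because the enrolled key can sign. A key that is only able to decrypt cannot prove possession with a self-signed request, which is why the general discussion later in this report notes that POP can require more than one round trip.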

Lifecycle Protocols – Panel Discussion Summary

Panel consensus:
- SCEP is tactical and targeted at routers
- CMP and CMC are functionally equivalent
- CMP and CMC are suitable for the same application domains
- Applications may choose between CMP and CMC
- PKI vendors should support both

Interoperability White Paper

Lead: Bob Moskowitz

Abstract: Identify barriers to interoperability between PKI components. Provide a framework for future efforts to address these issues. Document issues for implementers. The initial framework will rely on a separation based on applications, components and enterprise relationships.

Interoperability White Paper

Authors: Bob Moskowitz, Frederik Loeckx, Francois Rousseau, John Hughes, Steve Lloyd

Work plan:
- Solicit input: early July
- Divide work: mid July
- Write draft: late summer
- Review draft: September (Montreal)

Path Construction White Paper

Lead: Stephen Farrell

Abstract: Applications that make use of public key certificates have to validate certificate paths. Before validating a certificate path, it is first necessary to construct that path. This means finding a set of certificates that appears to chain up to a trust point. This white paper describes issues that implementers of PKI technology have to face when developing certificate path construction code, for example, considering issues with different sources of certificates (LDAP, databases, etc.) and how to avoid "loops".
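A depth-first path builder that pulls candidate issuer certificates from several sources and cuts loops, shown as an added example in Go (it is not part of the white paper and not any vendor's code). Certificate fields are reduced to strings, the sources are in-memory stand-ins for a local store, an LDAP directory and a database, and the sample certificates are constructed for the example: an issuing CA holds both a root-issued certificate and a cross-certificate from a partner CA, and the partner CA is in turn certified by the issuing CA, so a naive builder could chase that cycle forever.

```go
package main

import "fmt"

// Cert is the subset of a certificate that path construction keys on. DNs and
// key identifiers are plain strings (an assumption that keeps this example
// self-contained); a real builder works on parsed X.509 fields.
type Cert struct {
	Subject, Issuer string // subject and issuer DNs
	SKI, AKI        string // subject / authority key identifiers (AKI may be empty)
	Source          string // where the certificate was found
}

// Key identifies the CA key a certificate certifies. Cross-certificates for the
// same CA share it, so a loop is caught whichever certificate leads back.
func (c Cert) Key() string { return c.Subject + "|" + c.SKI }

// Source is any repository that can be asked for certificates by subject DN
// (local cache, LDAP directory, database). MemSource is a hypothetical
// in-memory repository standing in for all of them.
type Source interface{ BySubject(dn string) []Cert }

type MemSource struct {
	name  string
	certs []Cert
}

func (m MemSource) BySubject(dn string) []Cert {
	var out []Cert
	for _, c := range m.certs {
		if c.Subject == dn {
			c.Source = m.name
			out = append(out, c)
		}
	}
	return out
}

// Builder searches several sources for a chain from a leaf to a trust anchor.
type Builder struct {
	Sources  []Source
	Anchors  map[string]Cert // keyed by subject DN
	MaxDepth int             // bound on chain length, a second guard against runaway searches
}

// Build runs a depth-first search from the leaf towards a trust anchor. A
// candidate issuer must match by name and, when the AKI is present, by key.
// onPath holds the CA keys already in the chain being explored; meeting one
// again is a loop (e.g. mutual cross-certification), so that branch is cut
// and the next candidate, possibly from another source, is tried instead.
func (b *Builder) Build(leaf Cert) ([]Cert, error) {
	onPath := map[string]bool{}
	var dfs func(c Cert, path []Cert) ([]Cert, error)
	dfs = func(c Cert, path []Cert) ([]Cert, error) {
		if a, ok := b.Anchors[c.Issuer]; ok && (c.AKI == "" || c.AKI == a.SKI) {
			return append(path, a), nil
		}
		if len(path) >= b.MaxDepth {
			return nil, fmt.Errorf("maximum path length %d reached", b.MaxDepth)
		}
		onPath[c.Key()] = true
		defer delete(onPath, c.Key())
		for _, s := range b.Sources {
			for _, cand := range s.BySubject(c.Issuer) {
				if (c.AKI != "" && cand.SKI != c.AKI) || onPath[cand.Key()] {
					continue // wrong key for this issuer name, or a loop
				}
				next := append(append([]Cert(nil), path...), cand) // copy: branches must not share storage
				if chain, err := dfs(cand, next); err == nil {
					return chain, nil
				}
			}
		}
		return nil, fmt.Errorf("no path from %q (issuer %q) to a trust anchor", c.Subject, c.Issuer)
	}
	return dfs(leaf, []Cert{leaf})
}

// demoBuilder returns constructed sample data: a root, an issuing CA with both a
// root-issued certificate and a cross-certificate from a partner CA, and the
// partner CA certified by the issuing CA, which closes a loop between the two.
func demoBuilder() (*Builder, Cert) {
	root := Cert{Subject: "CN=Root CA", Issuer: "CN=Root CA", SKI: "root-1", AKI: "root-1", Source: "trust store"}
	orgByRoot := Cert{Subject: "CN=Org CA", Issuer: "CN=Root CA", SKI: "org-1", AKI: "root-1"}
	orgByPartner := Cert{Subject: "CN=Org CA", Issuer: "CN=Partner CA", SKI: "org-1", AKI: "partner-1"}
	partnerByOrg := Cert{Subject: "CN=Partner CA", Issuer: "CN=Org CA", SKI: "partner-1", AKI: "org-1"}
	leaf := Cert{Subject: "CN=router-01", Issuer: "CN=Org CA", SKI: "ee-1", AKI: "org-1", Source: "local"}
	b := &Builder{
		Sources: []Source{ // the looping cross-certificates are listed first on purpose
			MemSource{name: "ldap", certs: []Cert{orgByPartner, partnerByOrg}},
			MemSource{name: "db", certs: []Cert{orgByRoot}},
		},
		Anchors:  map[string]Cert{root.Subject: root},
		MaxDepth: 8,
	}
	return b, leaf
}

func main() {
	b, leaf := demoBuilder()
	chain, err := b.Build(leaf)
	if err != nil {
		panic(err)
	}
	for _, c := range chain {
		fmt.Printf("%-14s issued by %-14s (from %s)\n", c.Subject, c.Issuer, c.Source)
	}
}
```

The loop check is keyed on the CA key rather than on the individual certificate object: the issuing CA appears in two certificates (one from the root, one from the partner), and treating those as distinct would let the search walk Org CA, Partner CA, Org CA before it noticed. MaxDepth is the backstop for directories that return more cross-certificates than the name-and-key check can prune.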

Path Construction White Paper

Authors: Stephen Farrell, Steve Koehler, Michael Myers, Tim Polk, Steve Lloyd

Work plan:
- Solicit input: early July
- Divide work: mid July
- Write draft: late summer
- Review draft: September (Montreal)

LDAP White Paper

Lead: Aidan O'Brien

Abstract: Survey the problems associated with PKI interactions with LDAP and directories. Identify issues where existing standards and practices are insufficient and what partial solutions exist. Lay a foundation to assist in prioritizing future work on the use of LDAP within PKI.

LDAP White Paper

Authors: Aidan O'Brien, Gordon Buhle, Dave Bachmann, Nada Kapidzic Cicovic, Jean Pawluk

Work plan:
- Solicit participation: June
- Agree on purpose: July
- Collect issue contributions: July
- Review draft: August
- Publish white paper: September

Working Session (1/2)

- Report on the Business Work Group and Technical Work Group relationship
- Application certificates
  - Stay on the current script approach
  - Need a volunteer for a "standard" certificates library
  - Data presentation: one sheet per application/PKI pair
  - An additional face-to-face workshop is desired, but may be difficult to schedule

Working Session (2/2)

- Certificate validation
  - IETF WG revisiting requirements and protocols
  - Schedule a presentation by IETF contributors in Montreal
- B2B protocols
  - Some standardization work
  - Deployment may be difficult
  - Work required by PKIF unclear
- LDAP (from the CMP interop discussion)
  - Multiple problems
  - Varying definitions
  - Address these issues as part of the LDAP white paper
  - Follow the definition of work expected

Montreal Topics

- Review work in progress
  - Demonstration planning (needs input from BWG)
- IETF remote path processing
- Review outcomes from the LDAP white paper
- Further B2B application discussion

Lifecycle Protocols – General Discussion

- Smart card requirements and support
- What domains does each protocol address?
  - SCEP: tactical, for devices that exist now and have no browser; SCEP is routers
  - CMP and CMC: similar domains; CMC has broad input; CMC may have an advantage on PDAs
  - In an IPSEC environment, how do CMC and CMP
  - Suitability of CMC and CMP for store and forward
  - POP requires multiple round trips
  - Automatic cross-certification is of debatable use
- May need a better definition of terms (BWG is working on one)
- Implementation status: "VeriSign is willing to support any protocol that shows emergence in the marketplace." Andrew Nash: "An issue of leadership."
- Is storing the certificate in LDAP part of the lifecycle management protocol?
  - May be a policy statement outside the lifecycle management protocol
  - Must be specified in some terms for implementation of the EE
  - Awareness will impact implementation
  - PKIF TWG may want to take this on
- What should PKIF do with SCEP and CMC?
  - SCEP: do nothing about SCEP
  - Should do CMC interop and scenarios; service providers should provide both; the EE selects