[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PKI draft based on PKCS#10 and PKCS#7

To: ipsec@tis.com
Subject: PKI draft based on PKCS#10 and PKCS#7
From: Xiaoyi Liu <xliu@cisco.com>
Date: Fri, 8 Aug 1997 14:31:57 -0700 (PDT)
Cc: xliu@cisco.com (Xiaoyi Liu)
Sender: owner-ipsec@ex.tis.com

 
 Recently, there are several issues raised for the certificate management 
 protocol based on PKCS#7 and PKCS#10. We like to address those issues
 here and open a discussion.
 
 1) The draft does not cover all the functions required for a certificate
 management protocol.
 
 The most important functions of a certificate management protocol, the 
 enrollment operations, have been designed, implemented and tested, and these
 are what we feel the most important pieces needed to get a functional PKI 
 solution into the marketplace in the very near future. It is also clear that, 
 the proposed protocol does not precluse other functionality required of 
 certificate management protocols. It is open ended and extensible. 

 We believe the proposed draft has its merit not only because it proposes a 
 solution to the existing certificate enrollment problem, but also because it 
 leverages the existing PKCS#7 and PKCS#10 technology and can be developed in a 
 relatively short time with the existing toolkit. It is certainly our 
 direction to futher improve the protocol, based on the standard requirement
 and the actual customer experience.
 
 2) The draft does not address effectively the authentication between the
 end entity and the CA.
 
 There are different models to carry out the authentication between the end
 entity and the CA. The customers should be given the choices to make their
 decision. In the current draft, the authentication between the end entity
 and the CA is specified as out-of-band manual authentication, which is one
 kind of model which satisfies certain customer need. However, there is no
 restriction to integrate other authentication model into the protocol. It is
 important to note that, since we are discussing the authentication at the
 bootstrapping phase, out-of-band operation is required for any proposed method
 at different stage.
 
 3) The draft proposes a single key system
 
 It is true the draft at the current state utilize a single key system. However,
 PKCS#7 is a protocol which does not exclude the dual-key system. We are 
 working at various solutions which can expand the current protocol to handle 
 the dual-key system. 

 
 Xiaoyi Liu, Cisco System

Prev by Date: Re: Calling the question: derived vs. explicit IV
Next by Date: Question on authentication coverage in ESP...
Prev by thread: [Fwd: Re: Calling the question: derived vs. explicit IV]
Next by thread: Question on authentication coverage in ESP...
Index(es):
- Main
- Thread