[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
PKI draft based on PKCS#10 and PKCS#7
Recently, there are several issues raised for the certificate management
protocol based on PKCS#7 and PKCS#10. We like to address those issues
here and open a discussion.
1) The draft does not cover all the functions required for a certificate
management protocol.
The most important functions of a certificate management protocol, the
enrollment operations, have been designed, implemented and tested, and these
are what we feel the most important pieces needed to get a functional PKI
solution into the marketplace in the very near future. It is also clear that,
the proposed protocol does not precluse other functionality required of
certificate management protocols. It is open ended and extensible.
We believe the proposed draft has its merit not only because it proposes a
solution to the existing certificate enrollment problem, but also because it
leverages the existing PKCS#7 and PKCS#10 technology and can be developed in a
relatively short time with the existing toolkit. It is certainly our
direction to futher improve the protocol, based on the standard requirement
and the actual customer experience.
2) The draft does not address effectively the authentication between the
end entity and the CA.
There are different models to carry out the authentication between the end
entity and the CA. The customers should be given the choices to make their
decision. In the current draft, the authentication between the end entity
and the CA is specified as out-of-band manual authentication, which is one
kind of model which satisfies certain customer need. However, there is no
restriction to integrate other authentication model into the protocol. It is
important to note that, since we are discussing the authentication at the
bootstrapping phase, out-of-band operation is required for any proposed method
at different stage.
3) The draft proposes a single key system
It is true the draft at the current state utilize a single key system. However,
PKCS#7 is a protocol which does not exclude the dual-key system. We are
working at various solutions which can expand the current protocol to handle
the dual-key system.
Xiaoyi Liu, Cisco System