Re: How to communicate PKCS#10 requests to CA
At 03:25 PM 5/22/2000 +0530, Vinod Porwal wrote:
>How does an end-entity enroll to a CA ? What protocol is used to
>communicate the PKCS#10 certificate request to the CA ?
You have 4 options:

The web method, which is pretty inconsistent.

SCEP -- draft-nourse-scep-02.txt This enrolls, recommends out-of-band
revocation, and does not support certificate overlap for rekeying or
reissuing. It is supported in some CA products.

RFC 2510 - 2511 (CMP) Full certificate life-cycle management protocol. It
uses CRMF instead of PKCS 10. It is supported in some CA products. I am
running workshops to move from compliance to interoperability.

RFC 2797 (CMC) Similar to CMP, in that it is a certificate management
protocol, but it uses PKCS 10 and 7 for the most part rather than CRMF (RFC
2511). The only important certificate management transaction that seems to
be missing from CMC is cross-certification. There are no known
implementations of CMC (at least no one has said so in any of the places I
frequent).

Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com