
Re: How to communicate PKCS#10 requests to CA



At 03:25 PM 5/22/2000 +0530, Vinod Porwal wrote:

>How does an end-entity enroll to a CA ?   What protocol is used to
>communicate the PKCS#10 certificate request to the CA ?

You have 4 options:

The web method, which is pretty inconsistent.

SCEP -- draft-nourse-scep-02.txt  This enrolls, recommends out-of-band 
revocation, and does not support certificate overlap for rekeying or 
reissuing.  It is supported in some CA products.

RFC 2510 - 2511 (CMP) Full certificate life-cycle management protocol.  It 
uses CRMF instead of PKCS 10.  It is supported in some CA products.  I am 
running workshops to move from compliance to interoperability.

RFC 2797 (CMC) Similar to CMP, in that it is a certificate management 
protocol, but it uses PKCS 10 and 7 for the most part rather than CRMF (RFC 
2511).  The only important certificate management transaction that seems to 
be missing from CMC is cross-certification.  There are no known 
implementations of CMC (at least no one has said so in any of the places I 
frequent).



Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com
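Added example (not part of the original thread or of any of the products mentioned): whichever of the four transports above carries the request, the CA ends up holding a PKCS#10 blob that it must parse and whose self-signature it must verify before it trusts the requested name. The Go program below, using only the standard library, plays both sides: the end entity generates a key and a PKCS#10 request, the request is PEM-encoded as it would be for a web form or a PKCS#7 wrapper, and the CA side decodes it, checks proof of possession, and rejects a request that was altered in transit. The common name, SAN and organization are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// BuildCSR is the end-entity side: generate a fresh P-256 key pair and wrap the
// public key, subject and requested SANs in a PKCS#10 CertificationRequest
// signed with the private key (the proof of possession the CA relies on).
// Returns the private key (which never leaves the end entity) and the DER CSR.
func BuildCSR(commonName string, dnsNames []string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		// "Example Corp" is a constructed sample value
		Subject:  pkix.Name{CommonName: commonName, Organization: []string{"Example Corp"}},
		DNSNames: dnsNames,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, der, nil
}

// ToPEM / FromPEM: the textual form pasted into a web enrollment page or
// carried inside a PKCS#7 / CMC wrapper.
func ToPEM(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func FromPEM(p []byte) ([]byte, error) {
	block, _ := pem.Decode(p)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("no CERTIFICATE REQUEST block found")
	}
	return block.Bytes, nil
}

// ParseAndCheck is the CA (or RA) side on receipt. Whatever transport delivered
// the request, the CA must (1) parse the DER, (2) verify the self-signature so
// the requester provably holds the private key, and only then (3) compare the
// requested subject and SANs against its enrollment policy.
func ParseAndCheck(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("malformed PKCS#10: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr, nil
}

func main() {
	_, der, err := BuildCSR("device01.example.com", []string{"device01.example.com"})
	if err != nil {
		panic(err)
	}
	p := ToPEM(der)
	fmt.Print(string(p))

	der2, err := FromPEM(p)
	if err != nil {
		panic(err)
	}
	csr, err := ParseAndCheck(der2)
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted request for CN=%s SANs=%v\n", csr.Subject.CommonName, csr.DNSNames)

	// A request altered in transit (here: one byte of the signature flipped)
	// still parses but fails proof of possession and must be rejected.
	bad := append([]byte(nil), der...)
	bad[len(bad)-1] ^= 0xff
	if _, err := ParseAndCheck(bad); err != nil {
		fmt.Println("tampered request rejected:", err)
	}
}
```

Note that the signature check only proves the requester holds the key; it says nothing about whether that requester is entitled to the name it asks for. That authorization step (a one-time password, an out-of-band approval, or the challenge mechanisms the protocols above define) is what distinguishes the four transports from each other.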


