CDB-040804-1 Chris Bonatti (IECA, Inc.) Tel: (+1) 301-548-9569 Proposed PKI4IPSEC Certificate Management Requirements Document IETF #60 – PKI4IPSEC Working.


Proposed PKI4IPSEC Certificate Management Requirements Document
Chris Bonatti (IECA, Inc.) Tel: (+1)
IETF #60 – PKI4IPSEC Working Group, 4 August 2004 – San Diego, California

Status of Draft
Publication history:
–draft-dploy-requirements MAR
–draft-bonatti-pki4ipsec-profile-reqts JAN-30
–draft-bonatti-pki4ipsec-profile-reqts JUL-19
We agreed after Seoul to make this a WG draft. We missed the publication deadline for a new WG -00 draft, so we republished it as a personal draft.
This revision attempts to answer several issues discussed in Seoul. We're not nearly finished.

Changes to Draft
Numerous editorial changes to clean up language: IKE Peer → IPsec Peer, VPN Peer → IPsec Peer, "VPN Administration function" replaced with "Admin" (after first stating that we would refer to it as such), certificate → PKC.
Figure 1 (Architecture Framework for VPN-PKI Interactions) split into three figures:
–Figure 1, now in 2.1, depicts just the VPN system.
–Figure 2, in 2.2, depicts just the PKI system.
–Figure 3, in 2.3, shows the interactions (the former Figure 1).
Added subsections to 2.3 to address a new PKC, PKC renewal, and revocation. A figure was added to each to show the interactions for the case where the IPsec Peer generates the keys and the PKC request. Other options should be explicitly described in Section 3. Updated the description of the steps accordingly.

Changes to Draft (2)
Added a figure, and a description of the steps in it, for the case where the IPsec Peer generates the keys and the PKC request but enrolls through the Admin.
Added a figure, and a description of the steps in it, for the case where the Admin generates the keys and the PKC request and performs the enrollment itself.

"Big" Issues
Strategic question: do we pin everything down concretely in the requirements document, or do we state a requirement to "choose one MUST option" and lay out the pros and cons of the options?
–Example: certificate path validation checking.
–It isn't clear that any particular option is necessary to meet our charter objectives, but it is clear that a single MUST choice has to be made.
The cert management profile has to establish a MUST requirement for the revocation/validation approach for the sake of interoperability.
–Do we care about distributed validation?
–Options are CRLs, OCSP or SCVP.

"Big" Issues (2)
Need to determine the relationship between IKE certificates and the certificates used for ongoing cert management.
–Do we use a different cert (or set of certs) for CM than the cert (or set of certs) we use for IPsec?
–We don't think you can necessarily keep these from being different.
–Suggest that we require that the CM profile not preclude use of the same certs as the IKE cert profile.
The relevant clause specifies that a CDP MUST be included and MUST specify the access method.
–Need to agree what the MUST-support access method should be.
–Options are HTTP and LDAP.
–Text presently makes HTTP the MUST-support method.

"Big" Issues (3)
Where a certificate/authorization template is defined out of band by the domain operator on both the PKI and the VPN Admin, and multiple templates exist on the PKI for potentially multiple Admins, how does the Admin reference the template?
–Do we need to create a template/group identifier that both the PKI and the Admin will know about?
–Would this require changes in CMC, or does CMC already have something we can use?
–What if attributes (or their contents) sent by the Admin in the certificate/authorization template conflict with the CA's policy?

Ongoing Document Work
A section needs to be generated to cover the additional use case of PKI generation of keys.
Closure on the MUST identity fields in CM certificates:
–Certificates MUST contain at least one of Subject or the SubjectAltName iPAddress, dNSName, or rfc822Name.
–Some question of whether or how Key_ID will be supported. Perhaps SubjectAltName otherName can carry it.
Section 4 (Security Considerations) needs to be generated.
Annex D needs to be generated.
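Two of the requirements above are mechanically checkable on a certificate: the CDP clause from "Big" Issues (2) (a CRL Distribution Point MUST be present and the current text makes HTTP the MUST-support access method) and the identity rule on this slide (at least one of a non-empty Subject or a SubjectAltName iPAddress, dNSName or rfc822Name). The block below is an added example for this page, not code from the draft or the working group. It uses only the Python standard library and operates on the DER extnValue of the SubjectAltName and CRLDistributionPoints extensions once they have been located in a certificate (locating them, and parsing the Subject Name, is not shown; whether the Subject is empty is passed in as a flag). The GeneralName tag numbers are the PKIX ones; the host names, address and CRL URLs are constructed for the demo.

```python
"""PKI4IPSEC certificate checks on DER-encoded X.509 extension values (stdlib only):
(1) a non-empty Subject or a SubjectAltName iPAddress, dNSName or rfc822Name MUST
be present; (2) the CRL Distribution Point MUST be present and name an HTTP URI, the
MUST-support access method in the current draft text. Added example for this page,
not code from the draft; names, address and URLs below are constructed."""
import ipaddress
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# GeneralName CHOICE arms as DER tags (context-specific, IMPLICIT, primitive).
GN_RFC822NAME, GN_DNSNAME, GN_URI, GN_IPADDRESS = 0x81, 0x82, 0x86, 0x87
SEQUENCE = 0x30
CTX0 = 0xA0  # [0] constructed: distributionPoint (EXPLICIT) and fullName (IMPLICIT)

def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a definite short- or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def read_tlv(data: bytes, off: int = 0) -> Tuple[int, bytes, int]:
    """Decode the TLV at `off`; return (tag, content, offset after it)."""
    tag, first = data[off], data[off + 1]
    if first < 0x80:
        n, start = first, off + 2
    else:
        k = first & 0x7F
        n, start = int.from_bytes(data[off + 2:off + 2 + k], "big"), off + 2 + k
    return tag, data[start:start + n], start + n

def children(content: bytes) -> List[Tuple[int, bytes]]:
    """Split a constructed value into its (tag, content) members."""
    out, off = [], 0
    while off < len(content):
        tag, inner, off = read_tlv(content, off)
        out.append((tag, inner))
    return out

def general_names(content: bytes) -> List[Tuple[int, object]]:
    """Decode the GeneralName members of a GeneralNames value."""
    out = []
    for tag, inner in children(content):
        if tag in (GN_RFC822NAME, GN_DNSNAME, GN_URI):
            out.append((tag, inner.decode("ascii")))
        elif tag == GN_IPADDRESS:  # 4 or 16 raw octets, not a text form
            out.append((tag, str(ipaddress.ip_address(inner))))
        else:
            out.append((tag, inner))  # otherName, directoryName, ... kept raw
    return out

def parse_subject_alt_name(san_der: bytes) -> List[Tuple[int, object]]:
    """SubjectAltName extnValue is GeneralNames ::= SEQUENCE OF GeneralName."""
    tag, content, _ = read_tlv(san_der)
    assert tag == SEQUENCE, "SubjectAltName must be a SEQUENCE"
    return general_names(content)

def meets_identity_requirement(subject_is_empty: bool, san_der: Optional[bytes]) -> bool:
    """At least one of: non-empty Subject, SAN iPAddress, dNSName or rfc822Name."""
    if not subject_is_empty:
        return True
    if san_der is None:
        return False
    wanted = {GN_IPADDRESS, GN_DNSNAME, GN_RFC822NAME}
    return any(tag in wanted for tag, _ in parse_subject_alt_name(san_der))

def cdp_access_methods(cdp_der: bytes) -> Set[str]:
    """URI schemes under distributionPoint [0] fullName [0] in every
    DistributionPoint of a CRLDistributionPoints extnValue."""
    tag, content, _ = read_tlv(cdp_der)
    assert tag == SEQUENCE, "CRLDistributionPoints must be a SEQUENCE"
    schemes = set()
    for dp_tag, dp in children(content):  # DistributionPoint ::= SEQUENCE
        for f_tag, f in (children(dp) if dp_tag == SEQUENCE else []):
            for n_tag, n in (children(f) if f_tag == CTX0 else []):  # fullName
                for g_tag, g in (general_names(n) if n_tag == CTX0 else []):
                    if g_tag == GN_URI:
                        schemes.add(urlsplit(g).scheme.lower())
    return schemes

def build_samples() -> Tuple[bytes, bytes, bytes]:
    """Constructed SAN and CDP extnValues for the demo (not from a real cert)."""
    san = der_tlv(SEQUENCE, der_tlv(GN_DNSNAME, b"vpn-gw1.example.net")
                  + der_tlv(GN_IPADDRESS, ipaddress.ip_address("192.0.2.1").packed))

    def dp(uri: bytes) -> bytes:  # SEQUENCE { [0] { [0] { uniformResourceIdentifier } } }
        return der_tlv(SEQUENCE, der_tlv(CTX0, der_tlv(CTX0, der_tlv(GN_URI, uri))))

    ldap = b"ldap://ldap.example.net/cn=vpn,o=example?certificateRevocationList"
    return (san, der_tlv(SEQUENCE, dp(b"http://crl.example.net/vpn.crl") + dp(ldap)),
            der_tlv(SEQUENCE, dp(ldap)))

if __name__ == "__main__":
    san, cdp_ok, cdp_ldap = build_samples()
    print(parse_subject_alt_name(san), meets_identity_requirement(True, san))
    print(cdp_access_methods(cdp_ok), "http" in cdp_access_methods(cdp_ldap))
```

The second constructed CDP carries only an LDAP URI, so `"http" in cdp_access_methods(...)` is False for it; that is exactly the case a profile that makes HTTP the MUST-support method has to reject, while a certificate that names both HTTP and LDAP passes. The identity check deliberately ignores otherName, which is why the Key_ID question on this slide is still open.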

Way Forward
*Will* re-post the same version of the draft as a -00 WG document when submissions reopen.
The issue log for the cert management requirements is available on the supplemental website (look at the top, under the San Diego meeting).
Continue to address issues and massage requirements.

Questions?