PKIF TWG Report 29 June 2000 Mark Davis Andrew Nash et al

Points of Interest u PKI Bench from Entegrity u Why we are starting at 8:30 …

Management Protocols u Intent to give an overview and understanding of protocols u Decision considerations u Presenters: –SCEP – Bob Moskowitz –CMP – Stephen Farrell –CMC – Michael Myers

Lifecycle Protocols – SCEP u Put certificates in devices without Web browsers u IETF Draft, no activity u Cisco reference implementation in progress u Q How accurate is implementation to spec? –A interoperation from spec observed

Lifecycle Protocols – CMP u PKIX certificate management u Comprehensive for key and lifecycle management (11 operations) u High level of flexibility (EE-RA-RA-CA!) u CRMF split out for reuse with CMC u Version 2 based on Interoperability testing results

Lifecycle Protocols – CMC u Reuse as much as possible of S/MIME library –Small footprint for PDAs, phones etc. u Alternative to CMP based on PKCS 7/10 using Cisco work u Uses CRMF u Other requirements: single round trip certificate requests, client side key generation u Server side generation is possible u Similar functionality between between CMC/CMP

Lifecycle Protocols – Panel Discussion Summary u Panel Consensus: –SCEP is tactical and targeted at routers –CMP and CMC are functionally equivalent –CMP and CMC are suitable for the same application domains –Applications may choose between CMP and CMC – PKI vendors should support both

Interoperability White Paper u Lead: Bob Moskowitz u Abstract Identify barriers to interoperability between PKI components. Provide a framework for future efforts to address these issues. Document issues for implementers. The initial framework will rely on the separation based on applications, components and enterprise relationships.

Interoperability White Paper u Authors –Bob Moskowitz, Frederik Loeckx, Francois Rousseau, John Hughes, Steve Lloyd u Work Plan Solicit Inputearly July Divide Workmid July Write Draftlate Summer Review DraftSeptember (Montreal)

Path Construction White Paper u Lead: Stephen Farrell u Abstract Applications that make use of public key certificates have to validate certificate paths. Before validating a certificate path, it is first necessary to construct that path. This means finding a set of certificates that appears to chain up to a trust point. This white paper describes issues that implementers of PKI technology have to face when developing certificate path construction code, for example, considering issues with different sources of certificates (LDAP, databases etc) and how to avoid "loops".

Path Construction White Paper u Authors: Stephen Farrell, Steve Koehler, Michael Myers, Tim Polk, Steve Lloyd u Work Plan Solicit Inputearly July Divide Workmid July Write Draftlate Summer Review DraftSeptember (Montreal)

LDAP White Paper u Lead: Aidan O’Brien u Abstract: Survey the problems associated with PKI interactions with LDAP and directories. Identify issues where existing standards and practices are insufficient and what partial solutions exist. Lay a foundation to assist in prioritizing future work on the use of LDAP within PKI.

LDAP White Paper u Authors: Aidan O’Brien, Gordon Buhle, Dave Bachmann, Nada Kapidzic Cicovic, Jean Pawluk u Work plan Solicit ParticipationJune Agree on PurposeJuly Collect issue contributionsJuly Review DraftAugust Publish White PaperSeptember

Working Session (1/2) u Report on Business Work Group and Technical Work Group Relationship u Application Certificates –Stay on current script approach –Need volunteer for “standard” certificates library –Data presentation – Sheet per application/PKI pair –An additional Face to Face workshop is desired, but may be difficult to schedule

Working Session (2/2) u Certificate Validation –IETF WG revisiting requirements and protocols –Schedule presentation by IETF contributors in Montreal u B2B Protocols –Some standardization work –Deployment may be difficult –Work required by PKIF unclear u LDAP (from CMP interop discussion) –Multiple problems –Varying definition –Address these issues as part of LDAP white paper –Follow definition of work expected

Montreal Topics u Review work in progress –Demonstration planning (needs input from BWG) u IETF Remote Path Processing u Review outcomes from LDAP white paper u Further B2B Application discussion

Lifecycle Protocols – General Discussion u Smart Card requirements and support u What Domains does each protocol address –SCEP – tactical for in devices now that don’t have browsers SCEP is routers –CMP and CMC similar domains CMC with broad input CMC may have advantage on PDA’s –In IPSEC environment, how do CMC and CMP u Suitability of CMC and CMP for store and forward POP requires multiple round trip u Automatic cross certification of debatable use May need better definition of terms (BWG is working on one) u Implementation status “VeriSign is willing to support any protocol that shows emergence in the marketplace.” Andrew Nash – “An issue of leadership.” u Is storing certificate in LDAP part of the Life Cycle Management protocol May be policy statement outside lifecycle management protocol Must be specified in some terms for implementation of EE Awareness will impact implementation PKIF TWG may want to take this on u What should a PKIF do with SCEP and CMC SCEP not do anything about SCEP Should do CMC interop, scenarios, service providers should provide both, EE select