CDB-040804-1 Chris Bonatti (IECA, Inc.) Tel: (+1) 301-548-9569 Proposed PKI4IPSEC Certificate Management Requirements Document IETF #60 – PKI4IPSEC Working.


1 CDB-040804-1 Chris Bonatti (IECA, Inc.) Tel: (+1) 301-548-9569 Proposed PKI4IPSEC Certificate Management Requirements Document IETF #60 – PKI4IPSEC Working Group 4 August 2004 – San Diego, California

2 CDB-040804-2 Status of Draft
Publication history:
– draft-dploy-requirements-00 (2002-MAR)
– draft-bonatti-pki4ipsec-profile-reqts-00 (2004-JAN-30)
– draft-bonatti-pki4ipsec-profile-reqts-01 (2004-JUL-19)
We agreed after Seoul to make this a WG draft.
Missed the publication deadline for a new WG -00 draft, so we republished as a personal draft.
This revision attempts to answer several issues discussed in Seoul.
We’re not nearly finished.

3 CDB-040804-3 Changes to Draft
Numerous editorial changes to clean up language: IKE Peers → IPSec Peer, VPN Peer → IPSec Peer, VPN Administration function replaced with Admin after saying we would refer to it as such, certificate → PKC.
Figure 1 (Architecture Framework for VPN-PKI Interactions) split into three pictures:
– Figure 1, now in 2.1, depicts just the VPN System.
– Figure 2, in 2.2, now depicts just the PKI system.
– Figure 3, in 2.3, now shows the interactions (former Figure 1).
Added subsections to 2.3 to address New PKC, Renewal PKC, and Revocation.
Pictures were added to each to show the interactions for the IPsec Peer generated keys and PKC request. Other options should be explicitly described in Section 3.
Updated description of steps accordingly.

4 CDB-040804-4 Changes to Draft (2)
In 3.4.6 added a picture and a description of the steps in the picture to address IPsec Peer generated keys and PKC request but enrolls through Admin.
In 3.4.7 added a picture and a description of the steps in the picture to address Admin generated keys, PKC request and Admin performs enrollment.

5 CDB-040804-5 “Big” Issues
Strategic Question: Do we need to pin everything down concretely in the requirements document, or do we note a requirement to “choose one MUST option” and lay out the pros and cons of the options?
– Example is cert path validation checking.
– It isn’t clear that any particular option is necessary to meet our charter objectives, but it is clear that a single choice of MUST happen.
The cert management profile has to establish a MUST requirement for revocation/validation approach for the sake of interoperability.
– Do we care about distributed validation?
– Options are CRLs, OCSP or SCVP.

6 CDB-040804-6 “Big” Issues (2)
Need to determine the relationship between IKE certificates, and certificates for ongoing cert management use.
– Do we use a different cert (or set of certs) for CM than the cert (or set of certs) that we use for IPSEC?
– Don't think you can necessarily keep these from being different.
– Suggest that we require that the CM profile not preclude use of the same certs as the IKE cert profile.
Clause 3.2.3.3 specifies that CDP MUST be included and MUST specify the access method.
– Need to agree what the MUST support access method should be.
– Options are HTTP and LDAP.
– Text presently makes HTTP the MUST support method.

7 CDB-040804-7 “Big” Issues (3)
In the case where a certificate/authorization template is defined out of band by the domain operator on both the PKI and VPN Admin, and multiple templates exist on PKI for potentially multiple Admins, then how does the Admin reference the template?
– Do we need to create a template/group identifier that both PKI and Admin will know about?
– Would this require changes in CMC, or does it have something we can use?
– What if attributes or their contents sent by Admin in certificate/authorization template conflict with the CA's policy?

8 CDB-040804-8 Ongoing Document Work
Section 3.3.4 needs to be generated to cover additional use case for PKI generation of keys.
Closure on MUST ID fields in CM certificates:
– Certificates MUST contain at least one of Subject or the SubjectAltName iPAddress, dNSName, or rfc822Name.
– Some question of whether or how Key_ID will be supported. Perhaps SubjectAltName otherName can support.
Section 4 (Security Considerations) needs to be generated.
Annex D needs to be generated.

9 CDB-040804-9 Way Forward
*Will* re-post the same version of the draft as a -00 WG document when submissions reopen.
Issue log for cert management requirements is available on the supplemental website at:
– http://www.icsalabs.com/html/communities/pki4ipsec/
– Look at the top under San Diego meeting
Continue to address issues and massage requirements.

10 CDB-040804-10 Questions?
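
Added example, not part of the slides or the draft: a lint for the two certificate-content rules stated on slides 6 and 8 (CDP present with an HTTP access method; at least one of Subject or a SubjectAltName iPAddress, dNSName or rfc822Name). It assumes certificates already decoded into the dict shape returned by Python's `ssl` `getpeercert()`; the function name `check_profile` and all sample values are constructed.

```python
from urllib.parse import urlsplit

# SAN labels as they appear in ssl.getpeercert()-style dicts:
# "IP Address" = iPAddress, "DNS" = dNSName, "email" = rfc822Name
ID_SAN_TYPES = {"IP Address", "DNS", "email"}

def check_profile(cert):
    """Return a list of findings; an empty list means both rules are met."""
    findings = []
    # Slide 8: non-empty Subject, or a SubjectAltName of a listed type.
    has_subject = any(rdn for rdn in cert.get("subject", ()))
    san_types = {kind for kind, _ in cert.get("subjectAltName", ())}
    if not has_subject and not (san_types & ID_SAN_TYPES):
        findings.append("no Subject and no iPAddress/dNSName/rfc822Name SAN")
    # Slide 6: CDP MUST be included and state its access method; the text
    # presently makes HTTP the MUST-support method (LDAP is the other option).
    cdps = cert.get("crlDistributionPoints", ())
    if not cdps:
        findings.append("no CRL distribution point")
    else:
        schemes = {urlsplit(uri).scheme.lower() for uri in cdps}
        if "http" not in schemes:
            findings.append("CDP has no HTTP access method: "
                            + ",".join(sorted(schemes)))
    return findings

# Constructed sample certificates (hypothetical names and addresses).
SAMPLES = {
    "gw-ok": {
        "subject": ((("commonName", "gw1.example.net"),),),
        "subjectAltName": (("DNS", "gw1.example.net"),),
        "crlDistributionPoints": ("http://crl.example.net/ca.crl",),
    },
    "san-only": {  # empty Subject, identity carried in the SAN
        "subject": (),
        "subjectAltName": (("IP Address", "192.0.2.10"),),
        "crlDistributionPoints": ("http://crl.example.net/ca.crl",),
    },
    "ldap-only": {  # CDP present, but only via LDAP
        "subject": ((("commonName", "gw2.example.net"),),),
        "crlDistributionPoints": ("ldap://dir.example.net/cn=ca",),
    },
    "anonymous": {  # URI SAN is not one of the listed identity types
        "subject": (),
        "subjectAltName": (("URI", "urn:example:gw3"),),
    },
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(name, check_profile(cert) or "ok")
```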

