
draft-ietf-ipsec-pki-profile-04.txt (Potentially) Open Issues
Gregory M Lebovitz, gregory@netscreen.com
2/29/2004 (slide footer: "Profile-04 open issues")

Presentation transcript:

Slide 2: Overview
- NAT-T considerations?
- Certificate Type?
- PKI Life Cycle Stuff: pass in-band?
- Critical Bit?
- 2401bis sync'ing?
- CDP / AIA?

Slide 3: NAT-T
- How, or does, NAT-T stuff affect us?
- Owner to write text and own this part of the document?

Slide 4: Certificate Type?
- PKIX?
  – Signing?
- DNSsec signed stuff?
- PGP?
- Kerberos?
- SPKI Certificates?
- PKIX Attribute Certificates?
- PROPOSAL:
  – PKIX X.509 w/ RSA with SHA-1. DONE.

Slide 5: PKI LifeCycle Stuff In-Band?
- CRLs?
- Intermediate Certs?
- Trust Anchors?
- Other revocation information?

Slide 6: LifeCycle Stuff - PROPOSAL
- Philosophy:
  – Put all life cycle stuff in its own bucket, out of band of IKE, as a rule. It will be handled in charter items [2] and [3].
  – Minimize fragmentation and bloat to avoid UDP frag (FWs choke on it).
  – Neither v1 nor v2 has adequate expression for querying detailed PKI elements, for revocation and intermediate certs.
- Proposal - MUST NOT REQUEST or SEND:
  – CRLs
  – Trust Anchors
  – Intermediate Certs
  – other revocation info

Slide 7: Critical Bit
- Issue:
  – How do we handle critical extensions, if marked critical?
  – Drop or don't drop if you don't understand it
- Options

Slide 8: 2401bis Sync'ing?
- SPD
  – Matching for cipher suite proposal
  – Pull from IKE_ID, and lookup for SPD match
  – Match to appropriate cert contents for validation of presented ID.
- PAD
  – Use anything else you want in cert or ID to lookup authorization, and do AAA

Slide 9: CDP / AIA Inclusion?
- SHOULD? MUST? Not at all? Push to [2] and [3]?
- PROPOSAL
  – SHOULD send, MUST be able to process upon receipt
  – MUST accept certs w/o it

Slide 10: KU & EKU Handling
- Background
  – CAs aren't flexible enough with what they do/don't allow to be configured for (E)KU. Therefore, we can't depend on it.
- PROPOSAL:
  – Put whatever you want or nothing, it doesn't matter. We will ignore it altogether.
  – Receiver: ignore it altogether.

Slide 11: Others?
- Come to the microphone

Slide 12: Let's rev and go to WG last call!
gregory@netscreen.com

