CMP Interop Project December 6, 2000 Robert Moskowitz rgm@icsa.net
CMP Interop Goals
• Establish the baseline of mandatory CMP functions
  • Done!
• Establish the optional, but important CMP functions
  • Done!
• Expose any deficiencies or difficulties with the specification and provide needed feedback to the IETF on recommended changes to the specification
  • Progress!
• Provide the foundation for future product testing so that customers will be able to buy PKI products with confidence
  • Light at the end of the tunnel!
What is CMP Interop? Mandatory and Desired
• Support DSA and RSA algorithms
  • in certificate templates and for use in PKI Protection and POP (Proof of Possession)
• digitalSignature and dataEncipherment in keyUsage
  • separately and together in certificates
• PKI Protection and POP
• CMP Transport Method
  • TCP direct (port 829) and HTTP
What is CMP Interop cont.
• CMP Transactions
  • ir, cr, rr, kur, and ccr (CA implementations only)
  • ir with one or two certificate requests
• Transaction sequence
  • Req/rep (ImplicitConfirm)
  • Req/err (bad request)
  • Req/rep/certconf/pkiconf
  • Req/rep/err/pkiconf (bad certificate)
  • Req/rep/certconf/err (bad confirmation)
• PKI Protection
  • MAC (shared secret for ir)
  • SIG (using a signing cert.)
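The transaction sequences and protection rules above, as an added example that is not part of the original deck: a small Python model that classifies a recorded EE/CA exchange into one of the five listed shapes and rejects anything outside them. The Msg structure, the sender labels "EE"/"CA" and the response names (ip, cp, rp, kup, ccp) are assumptions of this example, not something the slides define.

```python
"""Constructed model of the CMP transaction sequences listed on the slide.

Checks a transcript of (sender, body, protection) messages against the
five legal shapes and the rule that MAC (shared-secret) protection is
only accepted on an ir. The slide states the sequences generically, so
this model applies them to every request type the same way.
"""
from dataclasses import dataclass

# request body -> response body (response names assumed by this example)
REQUESTS = {"ir": "ip", "cr": "cp", "rr": "rp", "kur": "kup", "ccr": "ccp"}
MAC_ALLOWED = {"ir"}  # slide: MAC (shared secret) protection only for ir


@dataclass(frozen=True)
class Msg:
    sender: str               # "EE" or "CA" (labels assumed by this example)
    body: str                 # ir, ip, certconf, pkiconf, err, ...
    protection: str           # "MAC" or "SIG"
    implicit_confirm: bool = False  # only meaningful on the request


def classify(transcript):
    """Return the slide's label for a transcript, or raise ValueError."""
    if not transcript:
        raise ValueError("empty transaction")
    req = transcript[0]
    if req.sender != "EE" or req.body not in REQUESTS:
        raise ValueError(f"transaction must open with an EE request, got {req.body}")
    if req.protection == "MAC" and req.body not in MAC_ALLOWED:
        raise ValueError(f"{req.body} must be SIG-protected; MAC is only valid for ir")
    rep = REQUESTS[req.body]
    rest = [(m.sender, m.body) for m in transcript[1:]]
    if rest == [("CA", "err")]:
        return "Req/err (bad request)"
    if rest == [("CA", rep)]:
        if req.implicit_confirm:
            return "Req/rep (ImplicitConfirm)"
        raise ValueError("rep without certconf requires ImplicitConfirm on the request")
    if rest == [("CA", rep), ("EE", "certconf"), ("CA", "pkiconf")]:
        return "Req/rep/certconf/pkiconf"
    if rest == [("CA", rep), ("EE", "err"), ("CA", "pkiconf")]:
        return "Req/rep/err/pkiconf (bad certificate)"
    if rest == [("CA", rep), ("EE", "certconf"), ("CA", "err")]:
        return "Req/rep/certconf/err (bad confirmation)"
    raise ValueError(f"sequence not in the interop matrix: {rest}")


def is_valid(transcript):
    """True when the transcript is one of the five listed shapes."""
    try:
        classify(transcript)
        return True
    except ValueError:
        return False
```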
What is CMP Interop cont.
• Over 80 testing combinations!
  • Not all need be supported by all vendors
  • All need to be supported by some vendors
    • Or specification changed
• Yes, CMP can be as complex as you wish
  • But it does not have to be so for all implementations!
Active Interop Participants
• Baltimore
• Certicom (Trustpoint)
• Cylink
• Cryptlib (open source)
• Entegrity
• Entrust
• IBM
• TC Trustcenter
• RSA Research
• SSH
• Sun (Java)
• Now inactive
• ICSA Labs is coordinating/running Interop efforts
Pending Interop Participants
• Motus Technologies
• NIST
• Open CA
• Siemens
• Utimaco
Lessons Learned
• CA policy has a major impact on EE use of CMP
  • Need to collect basic policy items
• A few areas in specs are unclear
  • Need list ‘lore’ to implement
  • Changes to Internet Drafts published
Conclusions
• Over-the-Internet workshops are viable
  • Engineers can work around timezone problems more easily than they can get travel authorization
• CMP Interop does not currently exist
  • All participants were using pre-production code
• Basic CMP Interop WAS achieved this year
  • EE to CA, not CA to CA
Pending Work Items
• Next year to finish up Interop
  • CMP Transport polling
  • QC 'protection' of transactions
  • application testing
    • using certificates in real applications
• ICSA Labs will be able to develop compliance criteria for CMP
• More participation needed