CMP Interop Project

CMP Interop Project. December 6, 2000 Robert Moskowitz rgm@icsa.net. CMP Interop Goals. Establish the baseline of mandatory CMP functions Done! Establish the optional, but important CMP functions Done!


Presentation Transcript


  1. CMP Interop Project December 6, 2000 Robert Moskowitz rgm@icsa.net

  2. CMP Interop Goals • Establish the baseline of mandatory CMP functions • Done! • Establish the optional, but important CMP functions • Done! • Expose any deficiencies or difficulties with the specification and provide needed feedback to the IETF on recommended changes to the specification • Progress! • Provide the foundation for future product testing so that customers will be able to buy PKI products with confidence • Light at the end of the tunnel!

  3. What is CMP Interop? Mandatory and Desired • Support DSA and RSA algorithms • in certificate templates and for use in PKI Protection and POP (Proof of Possession) • digitalSignature and dataEncipherment in keyUsage • separately and together in certificates • PKI Protection and POP • CMP Transport Method • TCP direct (port 829) and HTTP

  4. What is CMP Interop cont. • CMP Transactions • ir, cr, rr, kur, and ccr (CA implementations only) • ir with one or two certificate requests • Transaction sequence • Req/rep (ImplicitConfirm) • Req/err (bad request) • Req/rep/certconf/pkiconf • Req/rep/err/pkiconf (bad certificate) • Req/rep/certconf/err (bad confirmation) • PKI Protection • MAC (shared secret for ir) • SIG (using a signing cert.)

  5. What is CMP Interop cont. • Over 80 testing combinations! • Not all need be supported by all vendors • All need to be supported by some vendors • Or specification changed • Yes CMP can be as complex as you wish • But it does not have to be so for all implementations!

  6. Active Interop Participants • Baltimore • Certicom (Trustpoint) • Cylink • Cryptlib (open source) • Entegrity • Entrust • IBM • TC Trustcenter • RSA Research • SSH • Sun (Java) • Now inactive • ICSA Labs is coordinating/running Interop efforts

  7. Pending Interop Participants • Motus Technologies • NIST • Open CA • Siemens • Utimaco

  8. Lessons Learned • CA policy has a major impact on EE use of CMP • Need to collect basic policy items • A few areas in specs are unclear • Need list ‘lore’ to implement • Changes to Internet Drafts published

  9. Conclusions • Over-the-Internet workshops are viable • Engineers can work around timezone problems more easily than getting travel authorization • CMP Interop does not currently exist • All participants were using pre-production code • Basic CMP Interop WAS achieved this year • EE to CA, not CA to CA

  10. Pending Work Items • Next year to finish up Interop • CMP Transport polling • QC 'protection' of transactions • application testing • using certificates in real applications • ICSA Labs will be able to develop compliance criteria for CMP • More participation needed
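
The MAC form of PKI Protection from slide 4 (a shared secret protecting an ir), as an added example that is not part of the original presentation or any participant's code. It follows CMP's PasswordBasedMac construction; SHA-1, HMAC-SHA1, the function names, the 100-iteration floor and the sample bytes are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Assumption: local policy floor for the iteration count; not from the slides.
MIN_ITERATIONS = 100


def pbm_base_key(secret: bytes, salt: bytes, iterations: int) -> bytes:
    """Hash secret || salt, then re-hash the output, `iterations` times in total."""
    if not secret or not salt:
        raise ValueError("shared secret and salt must be non-empty")
    if iterations < MIN_ITERATIONS:
        raise ValueError("iteration count below local minimum")
    key = secret + salt
    for _ in range(iterations):
        key = hashlib.sha1(key).digest()
    return key


def pbm_protect(protected_part: bytes, secret: bytes, salt: bytes,
                iterations: int) -> bytes:
    """Return the protection value: HMAC-SHA1 over the DER-encoded header and body."""
    key = pbm_base_key(secret, salt, iterations)
    return hmac.new(key, protected_part, hashlib.sha1).digest()


def pbm_verify(protected_part: bytes, protection: bytes, secret: bytes,
               salt: bytes, iterations: int) -> bool:
    """Recompute the MAC from the received parameters and compare in constant time."""
    try:
        expected = pbm_protect(protected_part, secret, salt, iterations)
    except ValueError:
        return False  # weak or malformed parameters: treat as unprotected
    return hmac.compare_digest(expected, protection)


# Constructed sample values; a real ir carries DER bytes of PKIHeader + PKIBody.
SAMPLE_PART = b"constructed-DER-of-header-and-ir-body"
SAMPLE_SECRET = b"out-of-band reference secret"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    mac = pbm_protect(SAMPLE_PART, SAMPLE_SECRET, SAMPLE_SALT, 1000)
    print("protection:", mac.hex())
    print("valid:", pbm_verify(SAMPLE_PART, mac, SAMPLE_SECRET, SAMPLE_SALT, 1000))
    print("tampered:", pbm_verify(SAMPLE_PART + b"x", mac, SAMPLE_SECRET, SAMPLE_SALT, 1000))
```

The salt and iteration count travel in the message's protection algorithm parameters, so a receiver should bound them before doing the work, as `pbm_verify` does here.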