1 / 21

CMC and PKI4IPSEC

CMC and PKI4IPSEC. Jim Schaad. Requirements Issues. What does MAY really mean What does SHOULD really mean Requirements on Admin <-> Peer Requirements on structure Remove requirements in PROFILE doc. How CMC wants to do this. Use standard request/response messages

iris-campos
Download Presentation

CMC and PKI4IPSEC

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CMC and PKI4IPSEC Jim Schaad

  2. Requirements Issues • What does MAY really mean • What does SHOULD really mean • Requirements on Admin <-> Peer • Requirements on structure • Remove requirements in PROFILE doc

  3. How CMC wants to do this • Use standard request/response messages • Use Transaction ID and nonces • Use Pending

  4. Pretty Picture REPOSITORY ----- CA | | | ----------------- RA --- Admin | | | ----------------- Peer -----------

  5. Basic Enroll Process • Establish Authorization • Distribute Authorization • Generate Public Key • Request Cert • Get Cert • Get trust anchor(s)

  6. Admin Authorization Process • Create Template • Request Authorizations • Get Authorizations Back • Distribute Authorizations

  7. Template Creation • Out Of Band negotiation • Template • Fixed portion • Restrictions • Control Items • Variable Portions • Substitution • if - then - else • types • General Name • UTF8 String • Time • Extension • Other? • Who can authorize

  8. Request Authorizations • Use CMC Request Body with new control • For n items provide • template id • variable portion tokens • Timeout • must not match any current authorization • comparison rules • Binary or intelligent • (ä has multiple encodings) • should collision in current message error for both? • should collision with existing item error for both? • Re-request authorization?

  9. Get Authorizations Back • Use CMC Response Message • for n items return • Auth token – PrintableString (ASCII) • Auth Passphrase – PrintableString (ASCII) • success/failure – error codes • Optional - token strings & id ? • requirement PKI may alter parameters and return to admin for check §3.2.5

  10. Distribute Authorization • Data to be distributed • Authentication Token • Passphrase • Name of entity to talk to • Optional Items • Trust anchor information • Restrictions • Key Type, Key Length,…

  11. Authorization Cancel • CMC Request/Response Pair w/ new controls • Authorization is identify by token • allow for bulk revoke or just singles? • May be signed by admin (SignedData) or use MAC by passphrase possessor (AuthData) • Race conditions between issuing a cert and cancel • Cancel of an issued Certificate • return either success or consumed (with cert identifier) • Query if authorization is still current?

  12. EE Request Structure SignedData identify key by SKI • id-cct-PKIData encap content • Controls • id-cmc-identification - auth token • id-cmc-identityProof - derived from passphrase • id-cmc-transactionID - random number • id-cmc-senderNonce - random number • CRMF CertRequest • certReqID - fixed value ok • subject name cn=<Auth Token> • Public Key • SKI Extension with possibly fixed value. • Other extensions as required

  13. EE Response Structure • SignedData by CA or RA • id-cct-PKIResponse encap content • Controls • id-cmc-statusInfoExt • id-cmc-authData • CMS objects • AuthData MAC by passphrase • id-cct-PKIResopnse encap content • Controls • id-cmc-trustRoots • Cert Bag - all certs including issued cert & root

  14. Error Responses • Error responses are sent signed or unsigned? (depends on error value?) • Add new set of error codes specific to the new controls • Number of errors depends on granularity

  15. Update, Renewal & Rekey • Update • New cert - different content - same/different key • Renewal • New cert - same content - same key • Rekey • New cert - same content - different key

  16. Renewal & Rekey • (EE generates new request w/ new key if needed) • Specify with original authorization or policy • Update later • keep state in RA database assoicated with Issuer/Serial# • renewal vs rekey vs dead • time to start renewal • query admin

  17. Update • In RA database w issuer/serial keep • token strings for update cert • allow for update of token strings by admin from cert id • OR • query admin • OR • Requires re-auth from Admin • Requires new auth token & passphrase • Requires re-enrollment from EE

  18. CMC Requirements • trans id • nonces • auth data from CMS for ee revoke • signed data using sig key

  19. Unmet Criteria • Must specify the “type” of enrollment • Update, Renewal, Rekey, Original

  20. Open Issues • In-line Authorization • Should Peers be able to specify non Public Key information • PKI Generation of keys -- bad idea? • Queue and Manually Approve • Advice to admin on all events

  21. Open Issues • Time out/race conditions • Use Pending from RA on an instant basis • Minimize network attack time • Requires some careful thought on error states and database information. • Admin Enrollment on behalf of a peer • Key generation on peer • Key geneneration on admin

More Related