1 / 9

CMP Presentation

CMP Presentation. Stephen Farrell Baltimore Technologies. Outline. Provide historical perspective Highlight major features of the protocol Provide a status update and expected future direction Thanks to: Steve Lloyd and Carlisle Adams who prepared the initial version of these slides.

lilka
Download Presentation

CMP Presentation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CMP Presentation Stephen Farrell Baltimore Technologies

  2. Outline • Provide historical perspective • Highlight major features of the protocol • Provide a status update and expected future direction • Thanks to: • Steve Lloyd and Carlisle Adams who prepared the initial version of these slides

  3. Historical Perspective • Discussed within IETF PKIX working group since early 1996 • RFC 2510 (March 1999), update in draft stage • Editors: • Carlisle Adams (Entrust Technologies) • Stephen Farrell (Baltimore Technologies) • Reflects all aspects of comprehensive certificate/key life cycle management • Based on earlier experience with EU SESAME Project and Nortel’s (later Entrust’s) SEP • Major CMC/CMP kefuffle -> CRMF (RFC2511)

  4. Certificate/Key Life Cycle Management • Key pair generation • Certificate creation • Key pair distribution to end-entity as required • Encryption/decryption key pair backup • Encryption/decryption key pair recovery • Key update/renewal • Certificate revocation • Certificate and revocation information retrieval • Cross-certification • CA Key rollover • Certificate/key archival

  5. Noteworthy Features/Options • Accommodates multiple PKI-component variations (i.e., CA-CA, CA-RA, EE-CA, EE-RA, even EE-RA-RA-CA!) • Supports both hierarchical and networked trust models • Supports explicit POP when signing keys not available • Supports secure, in-band installation of PKI trust anchor • Supports generic message structure to convey additional operational aspects/information • Supports two-way, three-way and four-way protocol exchanges • RFC2511 (CRMF) common to CMC & CMP

  6. What about Interoperability? • As with any feature rich, flexible protocol, functional subsets are expected to be defined • Minimum interoperability profiles already specified (CMP Appendix B) • CA-TALK list (ICSA driven interop) has been working through this set of operations • Now a PKI Forum activity • Other profiles expected to be defined based on target domain requirements

  7. CMP 2000 (Version 2) • draft-ietf-pkix-rfc2510bis-00.txt • Nearing completion (“speak now or…”) • Main differences from RFC2510: • text is clarified based on experience with CMP interoperability trials and mail list feedback • confirmation for selected certificates added • additional acknowledgement message from CA to EE has been added to trigger EE operation (when req’d) • transport-specific issues removed (due to re-use elsewhere, e.g. TSP, LAAP,…) • POP simplified

  8. Conclusions • A widening range of PKI vendors are now involved with implementations • CMP supports all facets of comprehensive certificate/key life cycle management • CMP offers maximum flexibility to accommodate different requirements • Transport aspects being re-used elsewhere • Subsets of CMP can be implemented as required (e.g. TSP use of transports/headers)

  9. www.PKIForum.org

More Related