Proposed PKI4IPSEC Certificate Management Requirements Document
IETF #61 – PKI4IPSEC Working Group
10 November 2004 – Washington, DC
Chris Bonatti (IECA, Inc.) <BonattiC@ieca.com>
Tel: (+1) 301-548-9569
Status of Draft
• Publication history:
  • draft-dploy-requirements-00 2002-MAR
  • draft-bonatti-pki4ipsec-profile-reqts-00 2004-JAN-30
  • draft-bonatti-pki4ipsec-profile-reqts-01 2004-JUL-19
  • draft-ietf-pki4ipsec-mgmt-profile-rqts-00 2004-AUG-4
  • draft-ietf-pki4ipsec-mgmt-profile-rqts-01 2004-OCT-25
• The August 4 version was substantially the same as the July 19 version.
• The October 25 version addresses text comments identified around IETF #60.
• We’re not nearly finished.
Document Structure
1. Introduction
2. Architecture
  • VPN System (VPN Peers & VPN Admin)
  • PKI System (CA, RA, Repository)
  • VPN-PKI interaction (steps in the certificate life cycle)
3. Requirements
  • Subsections address different requirement areas
4. Security Considerations
Annexes
A. References
B. Acknowledgements
C. Editor's Address
D. Summary of Requirements
  • Plan to include a summary table similar to those in RFCs 1122, 1123, and 2975.
E. Change History
Section 3 Subsections
3.1 General Requirements
3.2 Authorization Transactions
3.3 Key Generation and PKC Request Construction
3.4 Enrollment (Sending Request and PKC Retrieval)
3.5 PKC Profile for PKI Interaction
3.6 PKC Renewals and Changes
3.7 Finding PKCs in Repositories
3.8 Revocation Action
3.9 Revocation Checking and Status Information
Changes to Draft
• Numerous editorial changes:
  • Acronym fixes
  • Clarification of the PKC Change definition
  • Rearranged and consolidated references
  • Clarified what “off-line” (out-of-band) communication entails.
Issues
• Need to add more clarity on the makeup of the registration “template”.
• Should the VPN Peer be able to cancel a pre-authorization in addition to the Admin?
• Need to clarify error handling for the pre-enrollment process.
• Lots of editorial holes to be filled, but the remaining issues are less granular.
Way Forward
• An issue log was created previously. It is more of an editorial work list than a list of technical issues.
• New issue tracker:
  • http://rt.psg.com/
• Work through the issue log, discussing open issues on the list. Issues will gradually migrate to the tracker.