1
Proposed PKI4IPSEC Certificate Management
Requirements Document
  • IETF 60 PKI4IPSEC Working Group, 4 August 2004
    San Diego, California

Chris Bonatti (IECA, Inc.) <BonattiC_at_ieca.com>
Tel: (1) 301-548-9569
2
Status of Draft
  • Publication history
  • draft-dploy-requirements-00: 2002-MAR
  • draft-bonatti-pki4ipsec-profile-reqts-00: 2004-JAN-30
  • draft-bonatti-pki4ipsec-profile-reqts-01: 2004-JUL-19
  • We agreed after Seoul to make this a WG draft.
  • Missed the publication deadline for a new WG -00
    draft, so we republished as a personal draft.
  • This revision attempts to answer several issues
    discussed in Seoul.
  • We're not nearly finished.

3
Changes to Draft
  • Numerous editorial changes to clean up language:
    IKE Peers → IPsec Peer, VPN Peer → IPsec Peer,
    VPN Administration function replaced with Admin
    after saying we would refer to it as such,
    certificate → PKC.
  • Figure 1, Architecture Framework for VPN-PKI
    Interactions, split into three pictures.  Figure
    1, now in 2.1, depicts just the VPN system.  Figure
    2, in 2.2, now depicts just the PKI system.  Figure
    3, in 2.3, now shows the interactions (former
    Figure 1).
  • Added subsections to 2.3 to address New PKC,
    Renewal PKC, and Revocation.  Pictures were added
    to each to show the interactions for the
    IPsec Peer generated keys and PKC request.  Other
    options should be explicitly described in Section
    3.  Updated description of steps accordingly.

4
Changes to Draft (2)
  • In 3.4.6 added a picture and a description of the
    steps in the picture to address IPsec Peer
    generated keys and PKC request but enrolls
    through Admin.
  • In 3.4.7 added a picture and a description of the
    steps in the picture to address Admin generated
    keys, PKC request and Admin performs enrollment.

5
Big Issues
  • Strategic question: Do we need to pin everything
    down concretely in the requirements document, or
    do we note a requirement to choose one MUST
    option and lay out the pros and cons of the
    options?
  • Example is cert path validation checking.
  • It isn't clear that any particular option is
    necessary to meet our charter objectives, but it
    is clear that a single MUST choice has to be made.
  • The cert management profile has to establish a
    MUST requirement for revocation/validation
    approach for the sake of interoperability.
  • Do we care about distributed validation?
  • Options are CRLs, OCSP or SCVP

6
Big Issues (2)
  • Need to determine the relationship between IKE
    certificates, and certificates for ongoing cert
    management use.
  • Do we use a different cert (or set of certs) for
    CM than the cert (or set of certs) that we use
    for IPSEC?
  • Don't think you can necessarily keep these from
    being different
  • Suggest that we require that the CM profile not
    preclude use of the same certs as the IKE cert
    profile.
  • Clause 3.2.3.3 specifies that CDP MUST be
    included and MUST specify the access method.
  • Need to agree what the MUST support access method
    should be.
  • Options are HTTP and LDAP.
  • Text presently makes HTTP the MUST support method.

7
Big Issues (3)
  • In the case where a certificate/authorization
    template is defined out of band by the domain
    operator on both the PKI and VPN Admin, and
    multiple templates exist on PKI for potentially
    multiple Admins, then how does the Admin
    reference the template?
  • Do we need to create a template/group identifier
    that both PKI and Admin will know about?
  • Would this require changes in CMC, or does it
    have something we can use?
  • What if attributes or their contents sent by
    Admin in certificate/authorization template
    conflict with the CA's policy?

8
Ongoing Document Work
  • Section 3.3.4 needs to be generated to cover
    additional use case for PKI generation of keys.
  • Closure on MUST ID fields in CM certificates
  • Certificates MUST contain at least one of Subject
    or the SubjectAltName iPAddress, dNSName, or
    rfc822Name.
  • Some question of whether or how Key_ID will be
    supported. Perhaps SubjectAltName otherName can
    support.
  • Section 4 (Security Considerations) needs to be
    generated.
  • Annex D needs to be generated.
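
An added example, not part of the original slides or the draft: a small lint for the two certificate-content rules stated on the slides (an identity in Subject or in a SubjectAltName iPAddress, dNSName or rfc822Name; a CDP that is present and names its access method). It assumes certificates already decoded into the dictionary layout that Python's `ssl.getpeercert()` returns; the function name, finding labels and sample certificates are constructed here, and flagging a CDP with no HTTP location is this example's own reading of "HTTP is the MUST support method".

```python
from urllib.parse import urlsplit

# SAN type labels as Python's ssl module reports them -> GeneralName forms on the slide.
SAN_ID_TYPES = {"IP Address": "iPAddress", "DNS": "dNSName", "email": "rfc822Name"}


def check_profile(cert):
    """Return findings for one decoded certificate; an empty list means it passes."""
    findings = []

    # Identity: a non-empty Subject, or at least one SAN of an accepted type.
    has_subject = any(rdn for rdn in cert.get("subject", ()))
    san_ids = [v for t, v in cert.get("subjectAltName", ()) if t in SAN_ID_TYPES and v]
    if not has_subject and not san_ids:
        findings.append("no-identity")

    # CDP: must be present, and every entry must name its access method (URI scheme).
    cdps = cert.get("crlDistributionPoints", ())
    if not cdps:
        findings.append("no-cdp")
    schemes = [urlsplit(uri).scheme.lower() for uri in cdps]
    findings += [f"cdp-no-access-method:{uri}" for uri, s in zip(cdps, schemes) if not s]
    # Assumption of this example: a CDP with no HTTP location is reported, because
    # HTTP is the access method every implementation is required to support.
    if cdps and "http" not in schemes:
        findings.append("cdp-not-http")
    return findings


# Constructed sample certificates (not taken from the draft or any real deployment).
SAMPLES = {
    "gateway-ok": {
        "subject": (),
        "subjectAltName": (("IP Address", "192.0.2.10"),),
        "crlDistributionPoints": ("http://crl.example.net/vpn-ca.crl",),
    },
    "ldap-only": {
        "subject": ((("commonName", "peer2.example.net"),),),
        "crlDistributionPoints": ("ldap://dir.example.net/cn=VPN%20CA?certificateRevocationList",),
    },
    "bare": {
        "subject": (),
        "subjectAltName": (("URI", "urn:example:peer3"),),
        "crlDistributionPoints": ("crl.example.net/vpn-ca.crl",),
    },
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(name, check_profile(cert) or "OK")
```

The "gateway-ok" sample shows why the SubjectAltName alternative matters: a peer identified only by IP address passes with an empty Subject, while a SAN of any other type does not count as an identity.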

9
Way Forward
  • Will re-post the same version of the draft as
    a -00 WG document when submissions reopen.
  • Issue log for cert management requirements is
    available on the supplemental website at
  • http://www.icsalabs.com/html/communities/pki4ipsec/
  • Look at the top under San Diego meeting
  • Continue to address issues and massage
    requirements.

10
Questions?