
Thoughts on draft-bellovin-ipsra-getcert-00.txt

It is good to see that there is at least one proposal for this soon-to-be WG to consider. However, I'm wondering if we want to go down the path suggested in this draft versus reusing things already standardized in the IETF. Wearing my WG co-chair hat, I'd like to see what we do be as simple and complete as possible.

The proposal here is essentially yet another certificate enrollment protocol with the addition of an encrypted authentication exchange. To be sure, it is much simpler than either of the two standards-track enrollment protocols (CMP and CMC), but it is not clear that we want to invent a new enrollment protocol for IPsec remote access. Both CMP and CMC could easily be profiled to include a protected authentication step.

Legacy authentication used to create certificates *is* a PKI, so certificate-based solutions are a way to help start a PKI that is targeted to the IPsec gateways. Thus, we have two options:
- help them move towards a PKI through auth-supported certs
- use auth-supported shared secrets (the third option in Steve's draft)
We know that both certs and shared secrets will work well with IPsec. The question is whether this group wants to do one or both.


--Paul Hoffman, Director
--Internet Mail Consortium