Thoughts on draft-bellovin-ipsra-getcert-00.txt

It is good to see that there is at least one proposal for this soon-to-be
WG to consider. However, I'm wondering if we want to go down the path
suggested in this draft versus reusing things already standardized in the
IETF. Wearing my WG co-chair hat, I'd like to see what we do be as simple
and complete as possible.

The proposal here is essentially yet another certificate enrollment
protocol with the addition of an encrypted authentication exchange. To be
sure, it is much simpler than either of the two standards-track enrollment
protocols (CMP and CMC), but it is not clear that we want to invent a new
enrollment protocol for IPsec remote access. Both CMP and CMC could easily
be profiled to include a protected authentication step.

Legacy authentication used to create certificates *is* a PKI, so
certificate-based solutions are a way to help start a PKI that is targeted
to the IPsec gateways. Thus, we have two options:
- help them move towards a PKI through auth-supported certs
- use auth-supported shared secrets (the third option in Steve's draft)
We know that both certs and shared secrets will work well with IPsec. The
question is whether this group wants to do one or both.

--Paul Hoffman, Director
--Internet Mail Consortium