[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: More on certificate enrollment...

To: Bernard Aboba <aboba@xxxxxxxxxxxxx>
Subject: Re: More on certificate enrollment...
From: Paul Krumviede <paul@xxxxxxx>
Date: Thu, 15 Jun 2000 11:23:57 -0700
Cc: "'IPSRA list'" <ietf-ipsra@xxxxxxxx>
In-reply-to: <>
List-archive: <http://www.vpnc.org/ietf-ipsra/mail-archive/>
List-id: <ietf-ipsra.vpnc.org>
List-unsubscribe: <mailto:ietf-ipsra-request@vpnc.org?body=unsubscribe>
Sender: owner-ietf-ipsra@xxxxxxxxxxxxx

--On Thursday, 15 June, 2000 11:00 -0700 Bernard Aboba <aboba@xxxxxxxxxxxxx> wrote:

It's a migration path because the underlying IKE software is completely
certificate-based.  Users can convert one at a time; the over-the-wire
IKE and the servers don't have to be touched when you start using
PKI-based permanent certificates.  Furthermore, once all of your users
have converted, you can delete the old software and be left with no
vestigal pieces of code.


So essentially we are addressing the issue of certificate enrollment
here. That is a good thing. In fact, I wish we would spend more time
discussing this instead of the interminable L2TP vs. IPSEC
tunnel mode flame wars. Boy, is that getting old.

For example, I am curious about the level of authentication that needs
to be provided for various certs.


this occasionally gets discussed in PKIX, in terms of what a CA should
verify. is that what you mean by authentication?

My understanding is that a level 1
cert as defined by Verisign requires that the certificate provider verify
that the user can receive email at the userID included in the cert.


I thought the actual check was that the email address be unique,
apparently in the sense that it hasn't been used as the subject (or
altSubjectName?) previously. I gather that if the requestor can't
receive email at the address then they won't get the notification
to go pick up the cert, but I think that the cert request will have
been processed and a certificate created.

If
the cert provider is the same as the email provider, this
assurance can be provided by having the user authenticate themselves
via the Web or other method. Alternatively, if the cert
provider is not the email provider, the cert can be sent to the user by
e-mail. Are we always assuming that the cert provider and email
provider will be the same for purposes of IPSRA? For example, are
we trying to support access to the Bigco.com Intranet from users
who identify themselves as bigcouser@xxxxxxx rather than
fred@xxxxxxxxx?


Working for a company that likes to change names and acquire
other companies, I'm not sure that we should make such an
assumption.

-paul

Follow-Ups:
- Re: More on certificate enrollment...
  - From: Yaron Sheffer

References:
- More on certificate enrollment...
  - From: Bernard Aboba

Prev by Date: More on certificate enrollment...
Next by Date: Authentication Mechanism Matrix (was L2TP vs IPSEC)
Previous by thread: More on certificate enrollment...
Next by thread: Re: More on certificate enrollment...
Index(es):
- Date
- Thread