
Re: Straw poll on getcert

At 04:22 PM 8/29/2000 -0400, Daniel Fox wrote:

Look carefully at the model that Steve and I proposed. The CA/authenticator could be a different system from the gateway. The gateway has its long-term cert from this CA/authenticator. The remote client does a getcert with the CA/authenticator over HTTPS (in either the 4.1 or 4.2 scenarios). The remote client uses this cert for an IKE MM cert sig exchange with the gateway. Only in the 4.4 scenario does the CA/authenticator need to communicate (the shared secret) with the gateway.

Are we essentially providing legacy authentication services to the PKI
initiation request?  Suppose we choose Client-Side Certificate Generation.
How does the VPN gateway send a CMP request to the CA on behalf of the IRAC
when the IRAC has the private key but the gateway does not?

Perhaps we should do Client-Side Certificate Generation, but the getcert
protocol would instead get the secret and reference number for CMP
initiation.  Then, the client would talk CMP directly with the CA to
initiate membership in the PKI.  Then, IKE.

Or is there a larger purpose to this?

Robert Moskowitz ICSA Security Interest EMail: rgm-sec@xxxxxxxxxxxxxxx
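The two-step variant Moskowitz floats (getcert returns only a CMP reference number and secret; the client then runs CMP initiation itself, then IKE) can be traced end to end in code. The following is an added example written for this page, not code from the thread, from the getcert proposal, or from any IPsec implementation. It assumes Ed25519 keys, HMAC-SHA256 in place of CMP's real password-based MAC, plain in-process calls in place of the HTTPS and CMP transports, and a constructed legacy user database; the type and function names are hypothetical. The point it makes visible: the CA/authenticator checks the MAC (ties the request to the legacy login) and the CSR signature (proof of possession), and the gateway needs neither the private key nor the getcert secret, only a chain to the CA it trusts.

```go
// Added example, not from the thread or any IPsec implementation: a model of the flow
// Moskowitz sketches. HMAC-SHA256 stands in for CMP's password-based MAC; in-process
// calls stand in for the HTTPS and CMP transports; all names are hypothetical.
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Authenticator models the proposal's CA/authenticator.
type Authenticator struct {
	users   map[string]string // constructed legacy credentials
	pending map[string][]byte // CMP reference number -> one-time shared secret
	caKey   ed25519.PrivateKey
	CACert  *x509.Certificate // trust anchor the gateway is configured with
}

// InitRequest stands in for a CMP initialisation request: a PKCS#10 CSR signed by
// the client key (proof of possession) plus a MAC under the getcert secret.
type InitRequest struct{ RefNum string; CSR, MAC []byte }

func macOf(secret, msg []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(msg)
	return m.Sum(nil)
}

func NewAuthenticator(users map[string]string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &Authenticator{users: users, pending: map[string][]byte{}, caKey: priv, CACert: cert}, nil
}

// GetCert models the getcert exchange (HTTPS in the proposal): legacy password in,
// CMP reference number and secret out. No key material crosses this step.
func (a *Authenticator) GetCert(user, password string) (string, []byte, error) {
	if pw, ok := a.users[user]; !ok || pw != password { return "", nil, errors.New("legacy authentication failed") }
	buf := make([]byte, 40)
	if _, err := rand.Read(buf); err != nil { return "", nil, err }
	refNum := fmt.Sprintf("%x", buf[:8])
	a.pending[refNum] = buf[8:]
	return refNum, buf[8:], nil
}

// BuildInitRequest is the client side: the key pair is generated here and never
// leaves; the CSR signature proves possession and the MAC binds it to getcert.
func BuildInitRequest(cn, refNum string, secret []byte) (ed25519.PrivateKey, *InitRequest, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, priv)
	if err != nil { return nil, nil, err }
	return priv, &InitRequest{RefNum: refNum, CSR: csr, MAC: macOf(secret, csr)}, nil
}

// Issue is the CA side of CMP initiation: MAC against the secret filed under the
// reference number, proof of possession, then issuance. The secret is consumed.
func (a *Authenticator) Issue(req *InitRequest) ([]byte, error) {
	secret, ok := a.pending[req.RefNum]
	if !ok { return nil, errors.New("unknown or already used reference number") }
	if !hmac.Equal(macOf(secret, req.CSR), req.MAC) { return nil, errors.New("MAC check failed") }
	csr, err := x509.ParseCertificateRequest(req.CSR)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, fmt.Errorf("proof of possession failed: %w", err) }
	delete(a.pending, req.RefNum) // one-shot: a captured request cannot be replayed
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	return x509.CreateCertificate(rand.Reader, tmpl, a.CACert, csr.PublicKey, a.caKey)
}

// GatewayVerify is all the gateway needs at the IKE main-mode signature exchange: a
// chain to its trusted CA and a valid signature over the challenge (standing in for
// the IKE hash). The gateway never sees the getcert secret.
func GatewayVerify(ca *x509.Certificate, certDER, challenge, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return err }
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil { return err }
	return cert.CheckSignature(x509.PureEd25519, challenge, sig)
}

func main() {
	auth, _ := NewAuthenticator(map[string]string{"alice": "legacy-pw"}) // constructed user
	ref, secret, _ := auth.GetCert("alice", "legacy-pw")
	priv, req, _ := BuildInitRequest("alice", ref, secret)
	certDER, err := auth.Issue(req)
	if err != nil { panic(err) }
	challenge := []byte("constructed HASH_I")
	fmt.Println("gateway accepts:", GatewayVerify(auth.CACert, certDER, challenge, ed25519.Sign(priv, challenge)) == nil)
}
```

Two details in the model matter for the question Moskowitz raises. The gateway in `GatewayVerify` holds only the CA certificate, so nothing about the getcert secret has to be pushed to it; and `Issue` deletes the reference number after one use, which is what keeps a sniffed initialisation request from being replayed once the client has enrolled. Swapping the HMAC stand-in for CMP's actual PBM protection does not change either property.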