Re: Straw poll on getcert

[Robert Moskowitz <rgm-sec@xxxxxxxxxxxxxxx>]

At 04:22 PM 8/29/2000 -0400, Daniel Fox wrote:

look carefully at the model that Steve and I proposed.  The 
CA/authenticator could be a different system from the gateway.  The gateway 
has its long-term cert from this CA/authenticator.  The remote client does 
a getcert with the CA/authenticator over HTTPS (in either the 4.1 or 4.2 
senarios).  The remote client uses this cert for an IKE MM cert sig 
exchange with the gateway.   Only in the 4.4 senario does the 
CA/authenticator need to communicate (the shared secret) with the gateway.

> Are we essentially providing legacy authentication services to the PKI
> initiation request?  Suppose we choose Client-Side Certificate Generation.
> How does the VPN gateway send a CMP request to the CA on behalf of the IRAC
> when the IRAC has the private key but the gateway does not?
>
> Perhaps we should do Client-Side Certificate Generation, but the getcert
> protocol would instead get the secret and reference number for CMP
> initiation.  Then, the client would talk CMP directly with the CA to
> initiate membership in the PKI.  Then, IKE.
>
> Or is there a larger purpose to this?

Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@xxxxxxxxxxxxxxx