
Re: PIC and RFC 2510

At 10:04 AM -0700 8/31/01, Bernard Aboba wrote:
RFC 2510 (and its successor in progress,
draft-ietf-pkix-rfc2510bis-04.txt), includes a number of requirements for
Public Key Infrastructure Certificate Management Protocols.

Well, that is one way to look at 2510. Another way is to look at the twisted history of the PKIX Working Group and see that 2510 describes *one* of the standardized certificate management protocols, and that the "requirements" section in fact is a self-justification for the particular protocol.


For those of you who love IETF politics (which, of course, is not wholly unrelated to the existence of this very Working Group), the "other" certificate management protocol to come out of the PKIX WG is CMC, RFC 2797. The two do essentially the same thing, but using different formats for the messages. The politics of why there are even two different protocols is out of scope for this working group (and should have been out of scope for PKIX, but wasn't).

Several approaches for credential negotiation were considered and rejected
for this protocol, in the interest of simplicity.

Right.


The general case would
require negotiation of multiple properties in parallel, for example:
- Is the private key generated by the Client or the AS.
- What type of certificate is required, in particular which algorithm.
- What length of keys is required, for each of the credential's
components.

Smells like IKE. :-)


It would therefore appear that PIC does not meet the RFC 2510 requirements
for certificate management protocols.

Right. Remember, this WG even considered getting RFC 2510 (CMP) extended to handle multiple round trip legacy auth as the protocol for this group. We instead chose PIC.


How do we resolve this?

No need to resolve anything. PIC is not a generic certificate management protocol: it has a particular function for use in IPsec, and meets a particular requirement ("don't do the legacy authentication where most people want to do it, namely in IKE").


--Paul Hoffman, Director
--VPN Consortium