From owner-scep Fri Feb 11 04:07:27 2000
Received: by ns.secondary.com (8.9.3/8.9.3) id EAA11770 for scep-bks; Fri, 11 Feb 2000 04:07:27 -0800 (PST)
Received: from aunt15.ausys.se (void1.ausys.se [62.20.78.253]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id EAA11766 for ; Fri, 11 Feb 2000 04:07:26 -0800 (PST)
Received: by aunt15.ausys.se with Internet Mail Service (5.5.2650.21) id ; Fri, 11 Feb 2000 13:09:51 +0100
Message-ID: <41ACC8CF2BF1D011AEDD00805F31E54C035D352D@aunt15.ausys.se>
From: Magnus Hessel
To: "'scep@vpnc.org'" , "'scep-interest@external.cisco.com'"
Subject: RA-certificates and KeyUsage, BasicConstrains etc.
Date: Fri, 11 Feb 2000 13:09:50 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

I observe strange behaviour when using my 1700 router with IOS 12.0.5T router software.

Q1:
A: Can I have a single RA certificate or has it got to be one for encryption and one for signature?
B: If yes on A, what certificate data are required to be set?

Q2:
If I use multiple RA certificates, which keyusage MUST and MUST NOT be set for encryption and signature respectively.

My observation is that if keyencipherment is set but not digitalsignature, then the certificate is considered an RA certificate.

Where can I get more information about required CA and RA certificate profiles?

Best Regards/
Magnus Hessel
Software Engineer
-It's nice to be important, but it's more important to be nice.

iD2 Technologies -an Ericsson associate
Liljeholmsv. 14, P.O Box 44055, 100 73 Stockholm, Sweden
Phone: + 46 8 775 52 67 Fax:+46 8 726 79 12,
E-mail: magnus.hessel@iD2tech.com
http://www.id2tech.com
> iD2 - Securing the Internet economy

From owner-scep Tue Feb 22 07:14:16 2000
Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id HAA10937 for scep-bks; Tue, 22 Feb 2000 07:14:16 -0800 (PST)
Received: from host5.janus.sec.nl (IDENT:root@host5.janus.sec.nl [192.87.0.22]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA10932 for ; Tue, 22 Feb 2000 07:14:14 -0800 (PST)
Received: from sec.nl (host2.janus.sec.nl [192.87.0.19]) by host5.janus.sec.nl (8.8.7/8.8.7) with ESMTP id QAA01846; Tue, 22 Feb 2000 16:19:08 +0100
Message-ID: <38B2A8EB.51D46D2B@sec.nl>
Date: Tue, 22 Feb 2000 16:19:07 +0100
From: Janus Liebregts
Organization: SURFnet ExpertiseCentrum bv
X-Mailer: Mozilla 4.61 [en] (Win95; U)
X-Accept-Language: nl,en
MIME-Version: 1.0
To: "scep@vpnc.org" , "scep-interest@external.cisco.com"
Subject: SCEP OpenSSL implementation
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms9D412A0ADABE32A8275E1B19"
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

This is a cryptographically signed message in MIME format.

--------------ms9D412A0ADABE32A8275E1B19
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi sceptics,

we are planning to implement SCEP on our OpenSSL-based CA. I'm sure someone else has done this job or parts of this job before. If not, we are willing to post our (open-source) implementation.

We as the Dutch academic and higher education ISP, have an operational X.509 and LDAP infrastructure and are experimenting to integrate IPsec, X.509 and LDAP.

regards,
Janus Liebregts
SURFnet ExpertiseCentrum bv
The Netherlands
http://www.sec.nl/persons/janus

--------------ms9D412A0ADABE32A8275E1B19
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

--------------ms9D412A0ADABE32A8275E1B19--

From owner-scep Fri May 5 08:16:20 2000
Received: by ns.secondary.com (8.9.3/8.9.3) id IAA11518 for scep-bks; Fri, 5 May 2000 08:16:20 -0700 (PDT)
Received: from
    sothmxs01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA11514 for ; Fri, 5 May 2000 08:16:19 -0700 (PDT)
Received: by sothmxs01.entrust.com with Internet Mail Service (5.5.2650.21) id ; Fri, 5 May 2000 11:16:02 -0400
Message-ID: <01E1D01C12D7D211AFC70090273D20B1038D668D@sothmxs06.entrust.com>
From: Marek Buchler
To: "'scep@vpnc.org'" , "'scep-interest@external.cisco.com'"
Subject: Question on the Test Plan for IOS and CA Server Interoperability
Date: Fri, 5 May 2000 09:46:37 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

Hi,

CERT_ENROL_09 in revision 1.4 of the IOS-CA Server interop test plan states that the serial number should be both in the subject DN and in the subject alt name extension. Where is it supposed to go in the subject alt name? None of the name forms in GeneralName (in RFC 2459) seem suitable.

Thanks,
-Marek Buchler

Marek Buchler
Software Developer
Entrust Technologies
(613) 247-2586
Marek.Buchler@entrust.com

From owner-scep Tue May 23 03:05:09 2000
Received: by ns.secondary.com (8.9.3/8.9.3) id DAA08667 for scep-bks; Tue, 23 May 2000 03:05:09 -0700 (PDT)
Received: from host5.janus.sec.nl (IDENT:root@host5.janus.sec.nl [192.87.0.22]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA08663 for ; Tue, 23 May 2000 03:05:07 -0700 (PDT)
Received: from surfnet.nl (host2.janus.sec.nl [192.87.0.19]) by host5.janus.sec.nl (8.8.7/8.8.7) with ESMTP id KAA02072; Tue, 23 May 2000 10:52:22 +0200
Message-ID: <392A59E7.582DFC82@surfnet.nl>
Date: Tue, 23 May 2000 12:13:59 +0200
From: Janus Liebregts
Organization: SURFnet bv
X-Mailer: Mozilla 4.61 [en] (Win95; U)
X-Accept-Language: en,nl
MIME-Version: 1.0
To: "'scep@vpnc.org'" , "'scep-interest@external.cisco.com'"
Subject: CA-products supporting SCEP
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

Hi,

is anyone aware of CA-products supporting SCEP?

the only product I have thus far is Baltimore:
http://www.baltimore.com/pkiworld/vpn/cisco.html

Xcert announced that the Sentry 4.1 release with SCEP-support was scheduled mid-2000

and of course Verisign supports SCEP when using their service.

regards,
Janus Liebregts
SURFnet
The Netherlands

From owner-scep Tue May 23 07:40:24 2000
Received: by ns.secondary.com (8.9.3/8.9.3) id HAA15647 for scep-bks; Tue, 23 May 2000 07:40:24 -0700 (PDT)
Received: from pita.cisco.com (pita.cisco.com [171.71.68.13]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA15642 for ; Tue, 23 May 2000 07:40:23 -0700 (PDT)
Received: from georgelake ([10.19.197.125]) by pita.cisco.com (8.8.8-Cisco List Logging/8.8.8) with SMTP id HAA00888; Tue, 23 May 2000 07:46:21 -0700 (PDT)
Message-ID: <005e01bfc4c5$a3b8c560$7dc5130a@cisco.com>
From: "George Lake"
To: "Janus Liebregts" , ,
References: <392A59E7.582DFC82@surfnet.nl>
Subject: Re: CA-products supporting SCEP
Date: Tue, 23 May 2000 07:46:06 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

Hi Janus,

Microsoft, Netscape, Verisign, Entrust, and Netscape currently support SCEP.

-George

----- Original Message -----
From: Janus Liebregts
To: ;
Sent: Tuesday, May 23, 2000 3:13 AM
Subject: CA-products supporting SCEP

> Hi,
>
> is anyone aware of CA-products supporting SCEP?
>
> the only product I have thus far is Baltimore:
> http://www.baltimore.com/pkiworld/vpn/cisco.html
>
> Xcert announced that the Sentry 4.1 release with SCEP-support was
> scheduled mid-2000
>
> and of course Verisign supports SCEP when using their service.
>
> regards,
> Janus Liebregts
> SURFnet
> The Netherlands
>
>

From owner-scep Tue May 23 07:44:33 2000
Received: by ns.secondary.com (8.9.3/8.9.3) id HAA15724 for scep-bks; Tue, 23 May 2000 07:44:33 -0700 (PDT)
Received: from sigma.cisco.com (sigma.cisco.com [171.69.63.142]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA15719 for ; Tue, 23 May 2000 07:44:32 -0700 (PDT)
Received: from jeremys7020 (ch2-dhcp136-178.cisco.com [161.44.136.178]) by sigma.cisco.com (8.8.8-Cisco List Logging/8.8.8) with SMTP id HAA17116; Tue, 23 May 2000 07:50:56 -0700 (PDT)
Message-ID: <001101bfc4c6$bc2eb6d0$b2882ca1@cisco.com>
From: "Jeremy Stieglitz"
To: "Janus Liebregts" , ,
References: <392A59E7.582DFC82@surfnet.nl>
Subject: Re: CA-products supporting SCEP
Date: Tue, 23 May 2000 10:54:02 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6600
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

Several of the leading PKI vendors already support SCEP in commercially available products. Contact Baltimore, Entrust, Microsoft, Netscape, SSH and VeriSign for more information on their solutions, version numbers, pricings, etc.

New vendor support for SCEP is coming all the time. I believe that RSA recently announced Keon 5.5 with SCEP support, as well, Cybertrust, Thawte, Xcert, and others are expected to have SCEP support shortly or do already.

If I have missed a PKI vendor with commercially available SCEP, please speak up!

thanks,

Jeremy Stieglitz.
Product Line Manager, Identity
Cisco Systems

----- Original Message -----
From: "Janus Liebregts"
To: ;
Sent: Tuesday, May 23, 2000 6:13 AM
Subject: CA-products supporting SCEP

> Hi,
>
> is anyone aware of CA-products supporting SCEP?
>
> the only product I have thus far is Baltimore:
> http://www.baltimore.com/pkiworld/vpn/cisco.html
>
> Xcert announced that the Sentry 4.1 release with SCEP-support was
> scheduled mid-2000
>
> and of course Verisign supports SCEP when using their service.
>
> regards,
> Janus Liebregts
> SURFnet
> The Netherlands
>
>

From owner-scep Tue May 23 08:17:08 2000
Received: by ns.secondary.com (8.9.3/8.9.3) id IAA16559 for scep-bks; Tue, 23 May 2000 08:17:08 -0700 (PDT)
Received: from sj-msg-core-2.cisco.com (sj-msg-core-2.cisco.com [171.69.43.88]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA16555 for ; Tue, 23 May 2000 08:17:07 -0700 (PDT)
Received: from kahului.cisco.com (kahului.cisco.com [171.71.68.60]) by sj-msg-core-2.cisco.com (8.9.3/8.9.1) with ESMTP id IAA18828; Tue, 23 May 2000 08:20:38 -0700 (PDT)
Received: from cisco.com (localhost [127.0.0.1]) by kahului.cisco.com (8.8.8-Cisco List Logging/CISCO.WS.1.2) with ESMTP id IAA29201; Tue, 23 May 2000 08:20:31 -0700 (PDT)
Message-ID: <392AA1BE.4AF39571@cisco.com>
Date: Tue, 23 May 2000 08:20:31 -0700
From: Mark Robb
X-Mailer: Mozilla 4.73 [en] (X11; U; SunOS 5.6 sun4u)
X-Accept-Language: en
MIME-Version: 1.0
To: Janus Liebregts
CC: "'scep@vpnc.org'" , "'scep-interest@external.cisco.com'"
Subject: Re: CA-products supporting SCEP
References: <392A59E7.582DFC82@surfnet.nl>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

Janus Liebregts wrote:

> Hi,
>
> is anyone aware of CA-products supporting SCEP?
>
> the only product I have thus far is Baltimore:
> http://www.baltimore.com/pkiworld/vpn/cisco.html
>
> Xcert announced that the Sentry 4.1 release with SCEP-support was
> scheduled mid-2000
>
> and of course Verisign supports SCEP when using their service.
>
> regards,
> Janus Liebregts
> SURFnet
> The Netherlands

Microsoft Win2000, Entrust, and Netscape CMS 4.1 are all vendor CA products which support SCEP.

From owner-scep Tue May 23 10:00:01 2000
Received: by ns.secondary.com (8.9.3/8.9.3) id KAA18575 for scep-bks; Tue, 23 May 2000 10:00:01 -0700 (PDT)
Received: from tholian.securitydynamics.com (tholian.securid.com [204.167.112.129]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id JAA18565 for ; Tue, 23 May 2000 09:59:49 -0700 (PDT)
Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.vpnc.org [208.184.76.50]) with SMTP; 23 May 2000 17:02:28 UT
Received: from exrsa01.rsa.com ([10.81.217.7]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id NAA26406; Tue, 23 May 2000 13:06:32 -0400 (EDT)
Received: by exrsa01.rsa.com with Internet Mail Service (5.5.2448.0) id <293KX52M>; Tue, 23 May 2000 10:06:36 -0700
Message-ID:
From: "Huynh, Dung"
To: "'Mark Robb'" , Janus Liebregts
Cc: "'scep@vpnc.org'" , "'scep-interest@external.cisco.com'"
Subject: RE: CA-products supporting SCEP
Date: Tue, 23 May 2000 10:05:58 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain; charset="ISO-8859-1"
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

Janus,

RSA Keon certificate server v5.5 also supports SCEP.

Dung Huynh
RSA Security Inc.

-----Original Message-----
From: Mark Robb [mailto:markr@cisco.com]
Sent: Tuesday, May 23, 2000 8:21 AM
To: Janus Liebregts
Cc: 'scep@vpnc.org'; 'scep-interest@external.cisco.com'
Subject: Re: CA-products supporting SCEP

Janus Liebregts wrote:

> Hi,
>
> is anyone aware of CA-products supporting SCEP?
>
> the only product I have thus far is Baltimore:
> http://www.baltimore.com/pkiworld/vpn/cisco.html
>
> Xcert announced that the Sentry 4.1 release with SCEP-support was
> scheduled mid-2000
>
> and of course Verisign supports SCEP when using their service.
>
> regards,
> Janus Liebregts
> SURFnet
> The Netherlands

Microsoft Win2000, Entrust, and Netscape CMS 4.1 are all vendor CA products which support SCEP.

From owner-scep Tue May 23 10:37:46 2000
Received: by ns.secondary.com (8.9.3/8.9.3) id KAA19614 for scep-bks; Tue, 23 May 2000 10:37:46 -0700 (PDT)
Received: from e24.nc.us.ibm.com (e24.nc.us.ibm.com [32.97.136.230]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA19610 for ; Tue, 23 May 2000 10:37:44 -0700 (PDT)
From: benantar@us.ibm.com
Received: from southrelay02.raleigh.ibm.com (southrelay02.raleigh.ibm.com [9.37.3.209]) by e24.nc.us.ibm.com (8.9.3/8.9.3) with ESMTP id NAA22098; Tue, 23 May 2000 13:29:38 -0500
Received: from d54mta03.raleigh.ibm.com (d54mta03.raleigh.ibm.com [9.67.228.35]) by southrelay02.raleigh.ibm.com (8.8.8m3/NCO v4.9) with SMTP id NAA81722; Tue, 23 May 2000 13:42:05 -0400
Received: by d54mta03.raleigh.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 852568E8.00613A89 ; Tue, 23 May 2000 13:41:59 -0400
X-Lotus-FromDomain: IBMUS
To: "Huynh, Dung"
cc: "'Mark Robb'" , Janus Liebregts , "'scep@vpnc.org'" , "'scep-interest@external.cisco.com'"
Message-ID: <852568E8.0060B657.00@d54mta03.raleigh.ibm.com>
Date: Tue, 23 May 2000 13:36:18 -0400
Subject: RE: CA-products supporting SCEP
Mime-Version: 1.0
Content-type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

Since we are at it, the upcoming Tivoli PKI 3.2 (3Q00) will support SCEP.

Messaoud Benantar
Tivoli Systems, Inc.

From owner-scep Tue May 23 11:12:04 2000
Received: by ns.secondary.com (8.9.3/8.9.3) id LAA20659 for scep-bks; Tue, 23 May 2000 11:12:04 -0700 (PDT)
Received: from pita.cisco.com (pita.cisco.com [171.71.68.13]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA20655 for ; Tue, 23 May 2000 11:12:03 -0700 (PDT)
Received: from cowboy-mr.cisco.com (michaelr@michaelr-dsl3.cisco.com [144.254.251.228]) by pita.cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id LAA05818; Tue, 23 May 2000 11:18:38 -0700 (PDT)
Received: (from michaelr@localhost) by cowboy-mr.cisco.com (8.9.3/8.9.0) id LAA00548; Tue, 23 May 2000 11:18:03 -0700 (PDT)
From: "Michael Reilly
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14634.52059.293773.54881@cowboy-mr.cisco.com>
Date: Tue, 23 May 2000 11:18:03 -0700 (PDT)
To: Janus Liebregts
Cc: "'scep@vpnc.org'" , "'scep-interest@external.cisco.com'"
Subject: Re: CA-products supporting SCEP
In-Reply-To: Janus Liebregts's message of 23 May 2000 12:13:59 +0200
References: <392A59E7.582DFC82@surfnet.nl>
X-Mailer: VM 6.75 under 21.1 (patch 8) "Bryce Canyon" XEmacs Lucid
Reply-To: michaelr@cisco.com
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

Janus Liebregt writes -
>>is anyone aware of CA-products supporting SCEP?

These vendors support SCEP and have been tested with Cisco routers, the Cisco PIX firewall and the Cisco VPN Client V1.1- (In alphabetical order) Entrust, Microsoft, Netscape, Verisign.

We have not tested a Baltimore CA.

michael
IOS PKI Development Team

From owner-scep Wed May 24 00:46:35 2000
Received: by ns.secondary.com (8.9.3/8.9.3) id AAA07020 for scep-bks; Wed, 24 May 2000 00:46:35 -0700 (PDT)
Received: from aunt15.ausys.se (void1.ausys.se [62.20.78.253]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA07015 for ; Wed, 24 May 2000 00:46:34 -0700 (PDT)
Received: by aunt15.ausys.se with Internet Mail Service (5.5.2650.21) id ; Wed, 24 May 2000 09:53:02 +0200
Message-ID: <41ACC8CF2BF1D011AEDD00805F31E54C0408FFC2@aunt15.ausys.se>
From: Sten Lannerström
To: Janus Liebregts
Cc: "'scep@vpnc.org'" , "'scep-interest@external.cisco.com'"
Subject: RE: CA-products supporting SCEP
Date: Wed, 24 May 2000 09:53:01 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

Dear Janus,

The prize-awarded iD2 Certificate Manager also supports SCEP.
http://www.id2tech.com

Best regards,
Sten Lannerstrom
iD2 Technologies

Janus Liebregts wrote:

> Hi,
>
> is anyone aware of CA-products supporting SCEP?
>
> the only product I have thus far is Baltimore:
> http://www.baltimore.com/pkiworld/vpn/cisco.html
>
> Xcert announced that the Sentry 4.1 release with SCEP-support was
> scheduled mid-2000
>
> and of course Verisign supports SCEP when using their service.
>
> regards,
> Janus Liebregts
> SURFnet
> The Netherlands

From owner-scep Thu Mar 15 11:09:43 2001
Received: by above.proper.com (8.9.3/8.9.3) id LAA29451 for scep-bks; Thu, 15 Mar 2001 11:09:43 -0800 (PST)
Received: from nebula.x509.com (nebula.x509.com [199.175.150.19]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA29445 for ; Thu, 15 Mar 2001 11:09:40 -0800 (PST)
Received: from crack.x509.com (crack.x509.com [199.175.150.1]) by nebula.x509.com (8.11.3/XCERT) with ESMTP id f2FJ97l14733; Thu, 15 Mar 2001 11:09:07 -0800 (PST)
Received: from rsasecurity.com (mohammad.x509.com [199.175.148.177]) by crack.x509.com (8.11.3/XCERT) with ESMTP id f2FJ97b17227; Thu, 15 Mar 2001 11:09:07 -0800 (PST)
Message-ID: <3AB11352.EEF78864@rsasecurity.com>
Date: Thu, 15 Mar 2001 11:09:06 -0800
From: Mohammad Ashrafuzzaman
Organization: RSA Security Inc.
X-Mailer: Mozilla 4.6 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: scep@vpnc.org, scep-interest@external.cisco.com
Subject: SCEP client supporting GetCACertChain
Content-Type: multipart/mixed; boundary="------------0BC80270F0F961F836A23890"
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

This is a multi-part message in MIME format.

--------------0BC80270F0F961F836A23890
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,

Is anyone aware of a SCEP client that supports the GetCACertChain functionality?

Thanks,
- Mohammad

--------------0BC80270F0F961F836A23890
Content-Type: text/x-vcard; charset=us-ascii; name="mohammad.vcf"
Content-Transfer-Encoding: 7bit
Content-Description: Card for Mohammad Ashrafuzzaman
Content-Disposition: attachment; filename="mohammad.vcf"

begin:vcard
n:Ashrafuzzaman;Mohammad
tel;fax:604 640 6220
tel;home:604 526 9364
tel;work:604 640 6210 Ext 255
x-mozilla-html:FALSE
url:www.rsasecurity.com
org:RSA Security Inc.;Vancouver Development Centre
version:2.1
email;internet:mohammad@rsasecurity.com
title:Senior Software Development Engineer
adr;quoted-printable:;;Suite 300, One Bentall Centre=0D=0A505 Burrard Street;Vancouver;British Columbia;V7X 1M3;Canada
fn:Mohammad Ashrafuzzaman
end:vcard

--------------0BC80270F0F961F836A23890--

From owner-scep Thu Mar 15 15:26:23 2001
Received: by above.proper.com (8.9.3/8.9.3) id PAA15734 for scep-bks; Thu, 15 Mar 2001 15:26:23 -0800 (PST)
Received: from thunder.dstc.qut.edu.au (thunder.dstc.qut.edu.au [131.181.71.1]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA15702 for ; Thu, 15 Mar 2001 15:26:16 -0800 (PST)
Received: from dstc.qut.edu.au (garnet.dstc.qut.edu.au [131.181.71.36]) by thunder.dstc.qut.edu.au (8.10.1/8.10.1) with ESMTP id f2FNQBm29922; Fri, 16 Mar 2001 09:26:11 +1000 (EST)
Message-Id: <200103152326.f2FNQBm29922@thunder.dstc.qut.edu.au>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
To: Mohammad Ashrafuzzaman
Cc: scep@vpnc.org, scep-interest@external.cisco.com
Subject: Re: SCEP client supporting GetCACertChain
In-reply-to: Your message of "Thu, 15 Mar 2001 11:09:06 PST." <3AB11352.EEF78864@rsasecurity.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 16 Mar 2001 09:26:11 +1000
From: Dean Povey
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

>Hi,
>
>Is anyone aware of a SCEP client that supports the GetCACertChain functionality?
>Thanks,

Hi Mohammed,

Check out uPKI 1.1b2 (http://security.dstc.com/products/upki), which has a scepclient utility supporting GetCACert and GetCACertChain.

--
Dean Povey,         | e-m: povey@dstc.edu.au | JCSI: Java Crypto Toolkit
Research Scientist  | ph: +61 7 3864 5120    | uPKI: C PKI toolkit for embedded
Security Unit, DSTC | fax: +61 7 3864 1282   |       systems
Brisbane, Australia | www: security.dstc.com | Oscar: C++ PKI toolkit

From owner-scep Tue Jun 3 08:40:55 2003
Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h53FetAF050389 for ; Tue, 3 Jun 2003 08:40:55 -0700 (PDT) (envelope-from owner-scep@mail.vpnc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h53Fetur050388 for scep-bks; Tue, 3 Jun 2003 08:40:55 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f
Received: from seguridata1.seguridata.com ([200.57.34.107]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h53FerAF050363 for ; Tue, 3 Jun 2003 08:40:53 -0700 (PDT) (envelope-from mars@seguridata.com)
Received: from MarsXP ([200.67.231.235]) by seguridata1.seguridata.com with Microsoft SMTPSVC(5.0.2195.5329); Tue, 3 Jun 2003 10:42:17 -0500
From: "Miguel Rodriguez"
To: "SCEP"
Subject: newest SCEP spec
Date: Tue, 3 Jun 2003 10:42:12 -0500
Message-ID: <002601c329e6$b34f6e50$a600a8c0@seguridata.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0027_01C329BC.CA796650"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-OriginalArrivalTime: 03 Jun 2003 15:42:17.0156 (UTC) FILETIME=[B6246040:01C329E6]
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

This is a multi-part message in MIME format.

------=_NextPart_000_0027_01C329BC.CA796650
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

What is the newest (current) draft specifying SCEP?

Thanks,

Miguel A. Rodriguez
Software Engineer
SeguriDATA
México

------=_NextPart_000_0027_01C329BC.CA796650--

From owner-scep Wed Jun 4 14:13:47 2003
Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h54LBHAF056157 for ; Wed, 4 Jun 2003 14:13:47 -0700 (PDT) (envelope-from owner-scep@mail.vpnc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h54LBHAG056156 for scep-bks; Wed, 4 Jun 2003 14:11:17 -0700 (PDT)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h54L8jAF056057 for ; Wed, 4 Jun 2003 14:11:16 -0700 (PDT) (envelope-from nourse@cisco.com)
Received: from cisco.com (pita.cisco.com [171.71.68.13]) by sj-core-1.cisco.com (8.12.9/8.12.6) with ESMTP id h54L8fOo025872 for ; Wed, 4 Jun 2003 14:08:41 -0700 (PDT)
Received: from [10.32.244.78] ([10.32.244.78]) by cisco.com (8.8.8-Cisco List Logging/8.8.8) with SMTP id OAA20190 for ; Wed, 4 Jun 2003 14:08:39 -0700 (PDT)
X-Authentication-Warning: pita.cisco.com: [10.32.244.78] didn't use HELO protocol
Subject: SCEP 07 draft
From: Andrew Nourse
To: scep@vpnc.org
Content-Type: text/plain
Message-Id: <1054760897.436.78.camel@localhost>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.2.4
Date: 04 Jun 2003 14:08:17 -0700
Content-Transfer-Encoding: 7bit
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

A new SCEP draft is up.

http://www.ietf.org/internet-drafts/draft-nourse-scep-07.txt

Andy Nourse
Cisco

From owner-scep Fri Feb 20 00:47:53 2004
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i1K8lr2T071463; Fri, 20 Feb 2004 00:47:53 -0800 (PST) (envelope-from owner-scep@mail.vpnc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i1K8lqTL071461; Fri, 20 Feb 2004 00:47:52 -0800 (PST)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f
Received: from web12607.mail.yahoo.com (web12607.mail.yahoo.com [216.136.173.230]) by above.proper.com (8.12.11/8.12.8) with SMTP id i1K8lqQF071452 for ; Fri, 20 Feb 2004 00:47:52 -0800 (PST) (envelope-from aravindforipsec@yahoo.com)
Message-ID: <20040220084752.98937.qmail@web12607.mail.yahoo.com>
Received: from [202.41.227.188] by web12607.mail.yahoo.com via HTTP; Fri, 20 Feb 2004 08:47:52 GMT
Date: Fri, 20 Feb 2004 08:47:52 +0000 (GMT)
From: Aravinda babu
Subject: Testing of SCEP client
To: scep@vpnc.org
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1959703051-1077266872=:98501"
Content-Transfer-Encoding: 8bit
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

--0-1959703051-1077266872=:98501
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Hi all,

I am new to this mailing list. Recently we added SCEP client functionality in our SOHO firewall/vpn box. So I want to test this SCEP client functionality. I tried with OpenSCEP since 3 weeks. But no result. Is there any other companies provide SCEP server and CA server functionality freely so that I can test my box.

Thanks in Advance,
Aravind.

--0-1959703051-1077266872=:98501--

From owner-scep Fri Feb 20 06:53:35 2004
Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i1KErYPn006722; Fri, 20 Feb 2004 06:53:34 -0800 (PST) (envelope-from owner-scep@mail.vpnc.org)
Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i1KErYPr006721; Fri, 20 Feb 2004 06:53:34 -0800 (PST)
X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f
Received: from sj-iport-1.cisco.com (sj-iport-1-in.cisco.com [171.71.176.70]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i1KErXhJ006714 for ; Fri, 20 Feb 2004 06:53:34 -0800 (PST) (envelope-from kanter@cisco.com)
Received: from mira-sjc5-b.cisco.com (IDENT:mirapoint@mira-sjc5-b.cisco.com [171.71.163.14]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id i1KErTuA017418; Fri, 20 Feb 2004 06:53:29 -0800 (PST)
Received: from kanter-w2k01.cisco.com ([10.32.224.124]) by mira-sjc5-b.cisco.com (Mirapoint Messaging Server MOS 3.3.6-GR) with SMTP id AQL91822; Fri, 20 Feb 2004 06:53:27 -0800 (PST)
Message-Id: <4.3.2.7.2.20040220063728.047ad520@pita.cisco.com>
X-Sender: kanter@pita.cisco.com
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Fri, 20 Feb 2004 06:53:23 -0800
To: Aravinda babu , scep@vpnc.org
From: Howard Kanter
Subject: Re: Testing of SCEP client
In-Reply-To: <20040220084752.98937.qmail@web12607.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="=====================_208181399==_.ALT"
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

--=====================_208181399==_.ALT
Content-Type: text/plain; charset="us-ascii"; format=flowed

You can test with Windows 2000 Professional and/or Server, and with Windows 2003 (not sure about XP)
It has a CA server, however, you will need to add the SCEP client (mscep.dll) - it's part of their Resource Toolkit, the setup program is called cepsetup.exe

thx

At 08:47 AM 2/20/2004 +0000, Aravinda babu wrote:
>Hi all,
>
>
> I am new to this mailing list. Recently we added SCEP client
> functionality in our SOHO firewall/vpn box. So I want to test this SCEP
> client functionality. I tried with OpenSCEP since 3 weeks. But no result. Is
> there any other companies provide SCEP server and CA server functionality
> freely so that I can test my box.
>
>Thanks in Advance,
>Aravind.


From owner-scep Fri Feb 20 08:52:32 2004
From: "Miguel Rodriguez"
To: "SCEP"
Subject: RE: Testing of SCEP client
Date: Fri, 20 Feb 2004 10:53:35 -0600
Message-ID: <000f01c3f7d2$20359080$a600a8c0@seguridata.com>
In-Reply-To: <20040220084752.98937.qmail@web12607.mail.yahoo.com>

Try using the MS Certificate Server (which is a CA) distributed with the Win 2K server platform. To enable the SCEP server functionality you must run a setup (cepsetup.exe) included in the Win 2K server resource kit CD. This SCEP server is an ISAPI filter that will receive your SCEP requests communicating with the MS Certificate server.

Miguel A Rodriguez
SeguriData
Mexico

-----Original Message-----
From: owner-scep@mail.vpnc.org [mailto:owner-scep@mail.vpnc.org] On Behalf Of Aravinda babu
Sent: Friday, February 20, 2004 2:48 AM
To: scep@vpnc.org
Subject: Testing of SCEP client

Hi all,

I am new to this mailing list. Recently we added SCEP client functionality in our SOHO firewall/vpn box. So I want to test this SCEP client functionality. I tried with OpenSCEP since 3 weeks. But no result. Is there any other companies provide SCEP server and CA server functionality freely so that I can test my box.

Thanks in Advance,
Aravind.

From owner-scep Fri Feb 20 10:16:17 2004
Message-ID: <20040220181619.25959.qmail@web14203.mail.yahoo.com>
Date: Fri, 20 Feb 2004 10:16:19 -0800 (PST)
From: bin liu
Subject: RE: Testing of SCEP client
To: Miguel Rodriguez, SCEP
In-Reply-To: <000f01c3f7d2$20359080$a600a8c0@seguridata.com>

Hi Aravind,

You can also try Verisign's 60 day test drive in https://onsite.verisign.com/OSTestDriveMS40ServiceEnrollIPSec.htm, we have just tested our scep client with it and MS CA, as well as OpenSCEP, they are all working fine.

Eric Liu
Vanguard Management Solution

--- Miguel Rodriguez wrote:
> Try using the MS Certificate Server (which is a CA) distributed with the
> Win 2K server platform. To enable the SCEP server functionality you must
> run a setup (cepsetup.exe) included in the Win 2K server resource kit
> CD. This SCEP server is an ISAPI filter that will receive your SCEP
> requests communicating with the MS Certificate server.
>
> Miguel A Rodriguez
> SeguriData
> Mexico
>
> -----Original Message-----
> From: owner-scep@mail.vpnc.org [mailto:owner-scep@mail.vpnc.org] On
> Behalf Of Aravinda babu
> Sent: Friday, February 20, 2004 2:48 AM
> To: scep@vpnc.org
> Subject: Testing of SCEP client
>
> Hi all,
>
> I am new to this mailing list. Recently we added SCEP client
> functionality in our SOHO firewall/vpn box. So I want to test this SCEP
> client functionality. I tried with OpenSCEP since 3 weeks. But no
> result. Is there any other companies provide SCEP server and CA server
> functionality freely so that I can test my box.
>
> Thanks in Advance,
> Aravind.

From owner-scep Fri Feb 20 10:49:58 2004
Message-ID: <403656D0.3030801@cisco.com>
Date: Fri, 20 Feb 2004 10:49:52 -0800
From: Michael Reilly
Organization: Cisco Systems
To: bin liu
CC: Miguel Rodriguez, SCEP
Subject: Re: Testing of SCEP client
References: <20040220181619.25959.qmail@web14203.mail.yahoo.com>
In-Reply-To: <20040220181619.25959.qmail@web14203.mail.yahoo.com>

We strongly recommend that you test with at least Microsoft and Verisign CAs. Microsoft uses RA mode and Verisign does not. By testing with both you know your code will be able to handle either type of CA.

michael

bin liu wrote:

> Hi Aravind,
> You can also try Verisign's 60 day test drive in
> https://onsite.verisign.com/OSTestDriveMS40ServiceEnrollIPSec.htm,
> we have just tested our scep client with it and MS CA,
> as well as OpenSCEP, they are all working fine.
>
> Eric Liu
> Vanguard Management Solution
>
> --- Miguel Rodriguez wrote:
>
>>Try using the MS Certificate Server (which is a CA) distributed with the
>>Win 2K server platform. To enable the SCEP server functionality you must
>>run a setup (cepsetup.exe) included in the Win 2K server resource kit
>>CD. This SCEP server is an ISAPI filter that will receive your SCEP
>>requests communicating with the MS Certificate server.
>>
>>Miguel A Rodriguez
>>SeguriData
>>Mexico
>>
>>-----Original Message-----
>>From: owner-scep@mail.vpnc.org [mailto:owner-scep@mail.vpnc.org] On
>>Behalf Of Aravinda babu
>>Sent: Friday, February 20, 2004 2:48 AM
>>To: scep@vpnc.org
>>Subject: Testing of SCEP client
>>
>>Hi all,
>>
>>I am new to this mailing list. Recently we added SCEP client
>>functionality in our SOHO firewall/vpn box. So I want to test this SCEP
>>client functionality. I tried with OpenSCEP since 3 weeks. But no
>>result. Is there any other companies provide SCEP server and CA server
>>functionality freely so that I can test my box.
>>
>>Thanks in Advance,
>>Aravind.

--
---- ---- ----
Michael Reilly michaelr@cisco.com
Cisco Systems, Santa Cruz, CA

From owner-scep Fri Feb 20 17:45:32 2004
Message-ID: <20040221144529.8kpdlwggg848ok8k@mail.cs.auckland.ac.nz>
Date: Sat, 21 Feb 2004 14:45:29 +1300
From: Peter Gutmann
To: scep@vpnc.org
Subject: Re: Testing of SCEP client

Aravinda babu writes:

>I am new to this mailing list. Recently we added SCEP client functionality in
>our SOHO firewall/vpn box. So I want to test this SCEP client functionality. I
>tried with OpenSCEP since 3 weeks. But no result. Is there any other companies
>provide SCEP server and CA server functionality freely so that I can test my
>box.

http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ should do it, it's open-source and does both client and server. (There is one deviation from the SCEP spec, it uses a standard HTTP engine that can't do the (nonstandard) non-idempotent PUT required by SCEP, so you'll have to use HTTP POST rather than PUT to submit requests. I've grumbled about this before, this really should be fixed in the spec since it breaks HTTP proxies and caches).

Peter.

From owner-scep Mon Feb 23 02:05:19 2004
Message-ID: <20040223100513.65427.qmail@span.corp.yahoo.com>
Date: Mon, 23 Feb 2004 10:05:13 +0000 (GMT)
From: Aravinda babu
Subject: Re: Testing of SCEP client
To: scep@vpnc.org

Hi all,

Thanks for all of your responses.

Regards,
Aravind.

From owner-scep Wed Feb 25 20:21:45 2004
Message-ID: <403D7459.7010308@tiedye.tiedye.com>
Date: Wed, 25 Feb 2004 20:21:45 -0800
From: AndyTiedye
To: scep@vpnc.org
Subject: POST vs GET

Peter Gutmann <> wrote on Friday, February 20, 2004 5:45 PM:

> http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ should do it, it's
> open-source and does both client and server.
> (There is one deviation from the SCEP spec, it uses a standard HTTP
> engine that can't do the (nonstandard) non-idempotent PUT required
> by SCEP, so you'll have to use HTTP POST rather than PUT to submit
> requests.

That would prevent it from working with any existing client or CA server.
It is actually a GET, not a PUT. What standard does it violate besides the obvious esthetic ones?

> I've grumbled about this before, this really should be fixed in
> the spec

We are working on a new rev to the SCEP specification, so this might be a good time to talk about it. We can't make the big ugly GETs go away, because that is what all of the installed base uses, and what all of the current CAs expect. If we change the spec to allow POST, how would a client tell if it is talking to a CA that supports it? Should there be a GET that gets the SCEP version number and/or capabilities?

> since it breaks HTTP proxies and caches).

Proxies and caches should be able to handle the fact that web pages don't stay the same forever.

Andy Nourse
Cisco

From owner-scep Thu Jun 3 11:44:01 2004
From: "Miguel Rodriguez"
To: "SCEP"
Subject: CRL number size in Cisco VPN3000
Date: Thu, 3 Jun 2004 13:41:59 -0500
Message-ID: <001e01c4499a$7822bbf0$a600a8c0@seguridata.com>

Hi! Does anyone know if the Cisco VPN3000 can handle version 2 CRLs with 20 byte crl numbers (as mandated by RFC 3280)?

Does it have a limitation on the size of the crl number field?

Thanks in advance,

Miguel A. Rodriguez
Software Engineer
SeguriDATA
Mexico

From owner-scep Tue Jul 26 02:16:22 2005
Date: Tue, 26 Jul 2005 14:46:48 +0530
From: Vinod Duggirala N
Subject: Hi - Some basic doubts in SCEP Specification Version 11.
To: scep@vpnc.org
Reply-to: vinodn@huawei.com
Message-id: <000001c591c2$c0cbecc0$e508120a@china.huawei.com>

Hi,

I have just joined this SCEP group. I have a couple of doubts in implementing the SCEP specification. Right now, I am working with version 11.

1. Other than the PKIMessage case, in all places the content type has been considered as SIMPLE DATA instead of Enveloped or Signed, i.e. {pkcs-7 1}.
2. In the content type authenticated attribute also, it is the SIMPLE DATA type, even though the actual content is enveloped or signed.
3. For the extension request, pkcs-9-at-extensionRequest OBJECT IDENTIFIER ::= {pkcs-9 14} already exists. But a different ID is given for the same id-extensionReq.
4. In Appendix F, CA Capabilities: if a CA is not supporting any one of the capabilities, should the response then be an empty string, i.e. ""?

Some Other Observations:

5. In section 5.4.1, GetCRL Message Format, CertCRL has been used instead of GetCRL.
6. In section 5.1.1, PKCSReq Message Format, pkcsCertRepSigned has been used instead of pkcsCertReqSigned.

Thanks in advance.

Thanks & Regards,
Duggirala Naga Vinod

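
The capability question raised in the "POST vs GET" message and in item 4 of the message above, worked through as an added example (not code from the thread or from any SCEP implementation named in it): the client asks the CA for its capabilities and only then chooses POST over the legacy GET. The keyword names and the `SCEPStandard` implication follow the later published SCEP specification (RFC 8894); treating an empty or failed reply as "no capabilities" is this example's assumption, and the URL and byte strings are constructed.

```python
"""Added example: choose GET or POST for SCEP PKIOperation from a GetCACaps reply."""
import base64
from urllib.parse import urlencode

# Capability keywords as named in RFC 8894 (assumption: the thread lists none).
KNOWN_CAPS = ("AES", "DES3", "GetNextCACert", "POSTPKIOperation",
              "Renewal", "SHA-1", "SHA-256", "SHA-512", "SCEPStandard")
_CANONICAL = {name.lower(): name for name in KNOWN_CAPS}
# In RFC 8894, "SCEPStandard" implies these three keywords.
_IMPLIED_BY_STANDARD = {"AES", "POSTPKIOperation", "SHA-256"}

# Constructed sample data, not captured from any real CA.
SAMPLE_URL = "http://ca.example.test/cgi-bin/pkiclient.exe"
SAMPLE_DER = b"\xfb\xff\xbe"   # stands in for a DER-encoded PKCS#7 message
MODERN_REPLY = b"POSTPKIOperation\r\nsha-256\r\nAES\r\nX-Vendor-Extension\n"


def parse_ca_caps(status, body):
    """Return (known, unknown) keyword sets from a GetCACaps HTTP reply.

    An HTTP error or an empty body yields no capabilities, so a CA that
    predates the capabilities query still gets the legacy GET.
    """
    known, unknown = set(), set()
    if status != 200 or not body:
        return known, unknown
    text = body.decode("ascii", errors="replace")
    for line in text.splitlines():              # accepts CRLF and bare LF
        token = line.strip()
        if not token:
            continue
        canonical = _CANONICAL.get(token.lower())   # case-insensitive match
        if canonical:
            known.add(canonical)
        else:
            unknown.add(token)                  # unknown keywords are kept aside, never fatal
    if "SCEPStandard" in known:
        known |= _IMPLIED_BY_STANDARD
    return known, unknown


def build_pki_operation(base_url, pkcs7_der, caps):
    """Return (method, url, body) for sending one DER-encoded PKI message."""
    if "POSTPKIOperation" in caps:
        # POST carries the binary message in the request body.
        return "POST", base_url + "?operation=PKIOperation", pkcs7_der
    # Legacy path: base64 the message, then URL-encode it, because the
    # base64 alphabet contains '+', '/' and '=' which are unsafe in a query.
    message = base64.b64encode(pkcs7_der).decode("ascii")
    query = urlencode({"operation": "PKIOperation", "message": message})
    return "GET", base_url + "?" + query, None


if __name__ == "__main__":
    caps, ignored = parse_ca_caps(200, MODERN_REPLY)
    print(sorted(caps), sorted(ignored))
    print(build_pki_operation(SAMPLE_URL, SAMPLE_DER, caps)[:2])
    print(build_pki_operation(SAMPLE_URL, SAMPLE_DER, set())[:2])
```

An HTML error page returned with status 200 produces only unknown tokens, so the client still falls back to GET.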

 



From owner-scep Mon Nov 6 13:48:59 2006
Subject: question on interop with entrust server
Date: Mon, 6 Nov 2006 14:48:49 -0600
Message-ID: <7E49849DDCBEAA489C65292E8B8AE7E813FCE1BF@zrc2hxm2.corp.nortel.com>
From: "Ricky Charlet"

Howdy,

My group is building a new scep client. We have successfully interoperated against microsoft but are having a difficult time interoperating with entrust. The entrust server seems not to be able to decrypt our PKCS7. But the log message is very vague.

I'm hoping an Entrust VPN enrollment server person is reading this and can contact me directly to work out some interop testing.

---
Ricky Charlet
W: 408.754.1733
rcharlet@nortel.com
---        _
          ( )  ASCII ribbon campaign
           X - against HTML email
          / \

From owner-scep Mon Nov 6 18:04:56 2006
Subject: RE: question on interop with entrust server
Date: Mon, 6 Nov 2006 19:04:46 -0600
Message-ID: <7E49849DDCBEAA489C65292E8B8AE7E813FCE634@zrc2hxm2.corp.nortel.com>
In-Reply-To: <7E49849DDCBEAA489C65292E8B8AE7E813FCE1BF@zrc2hxm2.corp.nortel.com>
From: "Ricky Charlet"
To: "Ricky Charlet"

After a bit more reading....

---
Ricky Charlet
W: 408.754.1733
rcharlet@nortel.com
---        _
          ( )  ASCII ribbon campaign
           X - against HTML email
          / \

> -----Original Message-----
> From: owner-scep@mail.vpnc.org
> [mailto:owner-scep@mail.vpnc.org] On Behalf Of Charlet, Ricky
> (HLYER:0000)
> Sent: Monday, November 06, 2006 12:49 PM
> To: scep@vpnc.org
> Subject: question on interop with entrust server
>
> Howdy,
>
> My group is building a new scep client. We have
> successfully interoperated against microsoft but are having a
> difficult time interoperating with entrust. The entrust
> server seems not to be able to decrypt our PKCS7. But the log
> message is very vague.
>
> I'm hoping an Entrust VPN enrollment server person is
> reading this and can contact me directly to work out some
> interop testing.
>
> ---
> Ricky Charlet
> W: 408.754.1733
> rcharlet@nortel.com
> ---        _
>           ( )  ASCII ribbon campaign
>            X - against HTML email
>           / \

From owner-scep Mon Nov 6 18:26:10 2006
In-Reply-To: <7E49849DDCBEAA489C65292E8B8AE7E813FCE634@zrc2hxm2.corp.nortel.com>
References: <7E49849DDCBEAA489C65292E8B8AE7E813FCE634@zrc2hxm2.corp.nortel.com>
From: Max Pritikin
Subject: Re: question on interop with entrust server
Date: Mon, 6 Nov 2006 17:26:01 -0800
To: Ricky Charlet
"After a bit more reading..." Then what? :) Are you having trouble with the entrust CA decrypting the pkcs7 or is it trouble parsing the pkcs7? Does your client work against a different CA server? - max On Nov 6, 2006, at 5:04 PM, Ricky Charlet wrote: > > After a bit more reading.... > > > --- > Ricky Charlet > W: 408.754.1733 > rcharlet@nortel.com > --- _ > ( ) ASCII ribbon campaign > X - against HTML email > / \ > >> -----Original Message----- >> From: owner-scep@mail.vpnc.org >> [mailto:owner-scep@mail.vpnc.org] On Behalf Of Charlet, Ricky >> (HLYER:0000) >> Sent: Monday, November 06, 2006 12:49 PM >> To: scep@vpnc.org >> Subject: question on interop with entrust server >> >> >> Howdy, >> >> My group is building a new scep client. We have >> successfully interoperated against microsoft but are having a >> difficult time interoperating with entrust. The entrust >> server seems not to be able to decrypt our PKCS7. But the log >> message is very vague. >> >> I'm hoping an Entrust VPN enrollment server person is >> reading this and can contact me directly to work out some >> interop testing. 
>> >> >> --- >> Ricky Charlet >> W: 408.754.1733 >> rcharlet@nortel.com >> --- _ >> ( ) ASCII ribbon campaign >> X - against HTML email >> / \ >> >> From owner-scep Tue Nov 7 10:17:24 2006 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7HHO2v036143; Tue, 7 Nov 2006 10:17:24 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA7HHOng036142; Tue, 7 Nov 2006 10:17:24 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from zrtps0kn.nortel.com (zrtps0kn.nortel.com [47.140.192.55]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7HHMGj036132 for ; Tue, 7 Nov 2006 10:17:23 -0700 (MST) (envelope-from RCHARLET@nortel.com) Received: from zrc2hxm2.corp.nortel.com (zrc2hxm2.corp.nortel.com [47.103.123.73]) by zrtps0kn.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id kA7HHDZ28324; Tue, 7 Nov 2006 12:17:13 -0500 (EST) X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: question on interop with entrust server Date: Tue, 7 Nov 2006 11:17:10 -0600 Message-ID: <7E49849DDCBEAA489C65292E8B8AE7E814032FE4@zrc2hxm2.corp.nortel.com> In-Reply-To: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: question on interop with entrust server Thread-Index: AccCC7Poeq1Rgx08QyqKXjowFj0uUQAhFY/g From: "Ricky Charlet" To: "Max Pritikin" Cc: Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kA7HHNGj036137 Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Max, I don't have a clear enough view into the entrust server operation to firmly answer your question. 
But I strongly suspect it is a problem with decryption. The specific error message I get from the entrust logs says "[-00151 The signature verification failed.] Failure during unprotect of signed data" The signature verification failure is irrelevant. I know this from 1) the standards don't require it, and 2) a successful enrollment from a cisco router gets a similar log entry about sig-verification failure, but then proceeds onward. The relevant part of that log message above seems to be "Failure during unprotect of signed data" --- Ricky Charlet W: 408.754.1733 rcharlet@nortel.com --- _ ( ) ASCII ribbon campaign X - against HTML email / \ > -----Original Message----- > From: Max Pritikin [mailto:pritikin@cisco.com] > Sent: Monday, November 06, 2006 5:26 PM > To: Charlet, Ricky (HLYER:0000) > Cc: scep@vpnc.org > Subject: Re: question on interop with entrust server > > > "After a bit more reading..." Then what? :) > > Are you having trouble with the entrust CA decrypting the > pkcs7 or is it trouble parsing the pkcs7? Does your client > work against a different CA server? > > - max > > On Nov 6, 2006, at 5:04 PM, Ricky Charlet wrote: > > > > > After a bit more reading.... > > > > > > --- > > Ricky Charlet > > W: 408.754.1733 > > rcharlet@nortel.com > > --- _ > > ( ) ASCII ribbon campaign > > X - against HTML email > > / \ > > > >> -----Original Message----- > >> From: owner-scep@mail.vpnc.org > >> [mailto:owner-scep@mail.vpnc.org] On Behalf Of Charlet, Ricky > >> (HLYER:0000) > >> Sent: Monday, November 06, 2006 12:49 PM > >> To: scep@vpnc.org > >> Subject: question on interop with entrust server > >> > >> > >> Howdy, > >> > >> My group is building a new scep client. We have successfully > >> interoperated against microsoft but are having a difficult time > >> interoperating with entrust. The entrust server seems not > to be able > >> to decrypt our PKCS7. But the log message is very vague. 
> >> > >> I'm hoping an Entrust VPN enrollment server person is > reading this > >> and can contact me directly to work out some interop testing. > >> > >> > >> --- > >> Ricky Charlet > >> W: 408.754.1733 > >> rcharlet@nortel.com > >> --- _ > >> ( ) ASCII ribbon campaign > >> X - against HTML email > >> / \ > >> > >> > From owner-scep Tue Nov 7 13:16:11 2006 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7KGBRh058397; Tue, 7 Nov 2006 13:16:11 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA7KGBrJ058396; Tue, 7 Nov 2006 13:16:11 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from zrtps0kp.nortel.com (zrtps0kp.nortel.com [47.140.192.56]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7KG9Vj058387 for ; Tue, 7 Nov 2006 13:16:10 -0700 (MST) (envelope-from RCHARLET@nortel.com) Received: from zrc2hxm2.corp.nortel.com (zrc2hxm2.corp.nortel.com [47.103.123.73]) by zrtps0kp.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id kA7KFsq28312; Tue, 7 Nov 2006 15:15:55 -0500 (EST) X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: Q: draft 6 of draft-nourse-scep Date: Tue, 7 Nov 2006 14:15:53 -0600 Message-ID: <7E49849DDCBEAA489C65292E8B8AE7E814033369@zrc2hxm2.corp.nortel.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Q: draft 6 of draft-nourse-scep Thread-Index: AccCqYbiJmX0uwtPRdKffHOfb9mtXg== From: "Ricky Charlet" To: , Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kA7KGAVj058391 Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Howdy, I'm trying to build an 
scep client to interoperate with a particular entrust implementation. I'm growing suspicious that the entrust side is not following draft 13. We can get sscep (the open/bsd client) to interoperate with entrust (VPN Enrollment server 7.0). And the sscep client claims it was implemented on draft 6 of draft-nourse-scep. Do you still have a draft-6 around you could send me? The particular problem I'm having is in getting the entrust side to decrypt our request. Have changes been made in the area of how an auto-enrollment, RA deployment should encrypt the pkcs10 and content key between draft-6 and draft-13? --- Ricky Charlet W: 408.754.1733 rcharlet@nortel.com --- _ ( ) ASCII ribbon campaign X - against HTML email / \ From owner-scep Tue Nov 7 13:17:19 2006 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7KHJeN058503; Tue, 7 Nov 2006 13:17:19 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA7KHJjI058502; Tue, 7 Nov 2006 13:17:19 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from sj-iport-1.cisco.com (sj-iport-1-in.cisco.com [171.71.176.70]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7KHIgp058482 for ; Tue, 7 Nov 2006 13:17:18 -0700 (MST) (envelope-from pritikin@cisco.com) Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-1.cisco.com with ESMTP; 07 Nov 2006 12:17:13 -0800 X-IronPort-AV: i="4.09,397,1157353200"; d="scan'208"; a="755247624:sNHT49272248" Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-1.cisco.com (8.12.11.20060308/8.12.11) with ESMTP id kA7KHD4c030392; Tue, 7 Nov 2006 12:17:13 -0800 Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-5.cisco.com (8.12.10/8.12.6) with 
ESMTP id kA7KHCW4029211; Tue, 7 Nov 2006 12:17:12 -0800 (PST) Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 7 Nov 2006 12:17:12 -0800 Received: from [128.107.177.235] ([128.107.177.235]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 7 Nov 2006 12:17:12 -0800 In-Reply-To: <7E49849DDCBEAA489C65292E8B8AE7E814032FE4@zrc2hxm2.corp.nortel.com> References: <7E49849DDCBEAA489C65292E8B8AE7E814032FE4@zrc2hxm2.corp.nortel.com> Mime-Version: 1.0 (Apple Message framework v752.3) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <6DFD688B-E7B1-4CD6-A73F-68EF1E4E6CD5@cisco.com> Cc: Content-Transfer-Encoding: 7bit From: Max Pritikin Subject: Re: question on interop with entrust server Date: Tue, 7 Nov 2006 12:17:08 -0800 To: "Ricky Charlet" X-Mailer: Apple Mail (2.752.3) X-OriginalArrivalTime: 07 Nov 2006 20:17:12.0310 (UTC) FILETIME=[B59DE160:01C702A9] DKIM-Signature: a=rsa-sha1; q=dns; l=2822; t=1162930633; x=1163794633; c=relaxed/simple; s=sjdkim1002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=pritikin@cisco.com; z=From:Max=20Pritikin=20 |Subject:Re=3A=20question=20on=20interop=20with=20entrust=20server; X=v=3Dcisco.com=3B=20h=3D7UuzHhTdPuxusP2a2aRB3lbErpo=3D; b=ELcM2NN1jDbqovkSaVJtmJD4qDUY3N5J7iSoyo5/f4dEsA45FA+yM/JSGhHwBFxTWEqGSg01 si75YGz0faD+4zzJX5bm0016BLWvEiAedfQNbFiS9pgOk7oHC7mkdwQT; Authentication-Results: sj-dkim-1.cisco.com; header.From=pritikin@cisco.com; dkim=pass ( sig from cisco.com verified; ); Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Well, again voicing my complete lack of knowledge about entrust internals... Is this against a CA or an RA? And is there a difference in the behavior you are seeing? 
- max On Nov 7, 2006, at 9:17 AM, Ricky Charlet wrote: > Hi Max, > > I don't have a clear enough view into the entrust server > operation to firmly answer your question. But I strongly suspect > it is > a problem with decryption. The specific error message I get from the > entrust logs says > > "[-00151 The signature verification failed.] Failure during > unprotect of > signed data" > > The signature verification failure is irrelevant. I know this > from 1) the standards don't require it, and 2) a successful enrollment > from a cisco router gets a similar log entry about sig-verification > failure, but then proceeds onward. > > The relevant part of that log message above seems to be "Failure > during unprotect of signed data" > > > --- > Ricky Charlet > W: 408.754.1733 > rcharlet@nortel.com > --- _ > ( ) ASCII ribbon campaign > X - against HTML email > / \ > >> -----Original Message----- >> From: Max Pritikin [mailto:pritikin@cisco.com] >> Sent: Monday, November 06, 2006 5:26 PM >> To: Charlet, Ricky (HLYER:0000) >> Cc: scep@vpnc.org >> Subject: Re: question on interop with entrust server >> >> >> "After a bit more reading..." Then what? :) >> >> Are you having trouble with the entrust CA decrypting the >> pkcs7 or is it trouble parsing the pkcs7? Does your client >> work against a different CA server? >> >> - max >> >> On Nov 6, 2006, at 5:04 PM, Ricky Charlet wrote: >> >>> >>> After a bit more reading.... >>> >>> >>> --- >>> Ricky Charlet >>> W: 408.754.1733 >>> rcharlet@nortel.com >>> --- _ >>> ( ) ASCII ribbon campaign >>> X - against HTML email >>> / \ >>> >>>> -----Original Message----- >>>> From: owner-scep@mail.vpnc.org >>>> [mailto:owner-scep@mail.vpnc.org] On Behalf Of Charlet, Ricky >>>> (HLYER:0000) >>>> Sent: Monday, November 06, 2006 12:49 PM >>>> To: scep@vpnc.org >>>> Subject: question on interop with entrust server >>>> >>>> >>>> Howdy, >>>> >>>> My group is building a new scep client. 
We have successfully >>>> interoperated against microsoft but are having a difficult time >>>> interoperating with entrust. The entrust server seems not >> to be able >>>> to decrypt our PKCS7. But the log message is very vague. >>>> >>>> I'm hoping an Entrust VPN enrollment server person is >> reading this >>>> and can contact me directly to work out some interop testing. >>>> >>>> >>>> --- >>>> Ricky Charlet >>>> W: 408.754.1733 >>>> rcharlet@nortel.com >>>> --- _ >>>> ( ) ASCII ribbon campaign >>>> X - against HTML email >>>> / \ >>>> >>>> >> From owner-scep Tue Nov 7 13:25:24 2006 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7KPNgX059058; Tue, 7 Nov 2006 13:25:23 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA7KPNwd059057; Tue, 7 Nov 2006 13:25:23 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from zcars04f.nortel.com (zcars04f.nortel.com [47.129.242.57]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7KPLXA059022 for ; Tue, 7 Nov 2006 13:25:22 -0700 (MST) (envelope-from RCHARLET@nortel.com) Received: from zrc2hxm2.corp.nortel.com (zrc2hxm2.corp.nortel.com [47.103.123.73]) by zcars04f.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id kA7KOn604043; Tue, 7 Nov 2006 15:24:49 -0500 (EST) X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: question on interop with entrust server Date: Tue, 7 Nov 2006 14:24:22 -0600 Message-ID: <7E49849DDCBEAA489C65292E8B8AE7E8140333A1@zrc2hxm2.corp.nortel.com> In-Reply-To: <6DFD688B-E7B1-4CD6-A73F-68EF1E4E6CD5@cisco.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: question on interop with entrust server 
Thread-Index: AccCqdnR43faP5KAT72zTxOQIFzh8QAACn/g From: "Ricky Charlet" To: "Max Pritikin" Cc: Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kA7KPNXA059052 Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Max, I think we just had some emails cross in transit. My new email on the thread "draft 6 of draft-nourse-scep" should speak to your question. But, I'll also reply here. The entrust server is a CA+RA. I receive both CA cert and RA cert during my authentication step. I store both. When I get to my enrollment step, we des-encrypt the pkcs10 with a new content key, rsa-encrypt the content key with the RA-cert-pub-key, and attach the encrypted content key to the pkcs7 recipient info. I don't know if the entrust server is failing to decrypt the content key or failing to decrypt the pkcs10. --- Ricky Charlet W: 408.754.1733 rcharlet@nortel.com --- _ ( ) ASCII ribbon campaign X - against HTML email / \ > -----Original Message----- > From: Max Pritikin [mailto:pritikin@cisco.com] > Sent: Tuesday, November 07, 2006 12:17 PM > To: Charlet, Ricky (HLYER:0000) > Cc: scep@vpnc.org > Subject: Re: question on interop with entrust server > > > Well, again voicing my complete lack of knowledge about > entrust internals... > > Is this against a CA or an RA? And is there a difference in > the behavior you are seeing? > > - max > > On Nov 7, 2006, at 9:17 AM, Ricky Charlet wrote: > > > Hi Max, > > > > I don't have a clear enough view into the entrust > server operation to > > firmly answer your question. But I strongly suspect it is a problem > > with decryption. The specific error message I get from the entrust > > logs says > > > > "[-00151 The signature verification failed.] Failure during > unprotect > > of signed data" > > > > The signature verification failure is irrelevant. 
I > know this from 1) > > the standards don't require it, and 2) a successful > enrollment from a > > cisco router gets a similar log entry about > sig-verification failure, > > but then proceeds onward. > > > > The relevant part of that log message above seems to be > "Failure > > during unprotect of signed data" > > > > > > --- > > Ricky Charlet > > W: 408.754.1733 > > rcharlet@nortel.com > > --- _ > > ( ) ASCII ribbon campaign > > X - against HTML email > > / \ > > > >> -----Original Message----- > >> From: Max Pritikin [mailto:pritikin@cisco.com] > >> Sent: Monday, November 06, 2006 5:26 PM > >> To: Charlet, Ricky (HLYER:0000) > >> Cc: scep@vpnc.org > >> Subject: Re: question on interop with entrust server > >> > >> > >> "After a bit more reading..." Then what? :) > >> > >> Are you having trouble with the entrust CA decrypting the > >> pkcs7 or is it trouble parsing the pkcs7? Does your client work > >> against a different CA server? > >> > >> - max > >> > >> On Nov 6, 2006, at 5:04 PM, Ricky Charlet wrote: > >> > >>> > >>> After a bit more reading.... > >>> > >>> > >>> --- > >>> Ricky Charlet > >>> W: 408.754.1733 > >>> rcharlet@nortel.com > >>> --- _ > >>> ( ) ASCII ribbon campaign > >>> X - against HTML email > >>> / \ > >>> > >>>> -----Original Message----- > >>>> From: owner-scep@mail.vpnc.org > >>>> [mailto:owner-scep@mail.vpnc.org] On Behalf Of Charlet, Ricky > >>>> (HLYER:0000) > >>>> Sent: Monday, November 06, 2006 12:49 PM > >>>> To: scep@vpnc.org > >>>> Subject: question on interop with entrust server > >>>> > >>>> > >>>> Howdy, > >>>> > >>>> My group is building a new scep client. We have successfully > >>>> interoperated against microsoft but are having a difficult time > >>>> interoperating with entrust. The entrust server seems not > >> to be able > >>>> to decrypt our PKCS7. But the log message is very vague. 
> >>>> > >>>> I'm hoping an Entrust VPN enrollment server person is > >> reading this > >>>> and can contact me directly to work out some interop testing. > >>>> > >>>> > >>>> --- > >>>> Ricky Charlet > >>>> W: 408.754.1733 > >>>> rcharlet@nortel.com > >>>> --- _ > >>>> ( ) ASCII ribbon campaign > >>>> X - against HTML email > >>>> / \ > >>>> > >>>> > >> > From owner-scep Wed Nov 8 00:42:29 2006 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA87gTHa014566; Wed, 8 Nov 2006 00:42:29 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA87gTJp014565; Wed, 8 Nov 2006 00:42:29 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from sj-iport-1.cisco.com (sj-iport-1-in.cisco.com [171.71.176.70]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA87gRmR014550 for ; Wed, 8 Nov 2006 00:42:28 -0700 (MST) (envelope-from pritikin@cisco.com) Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-1.cisco.com with ESMTP; 07 Nov 2006 23:42:22 -0800 X-IronPort-AV: i="4.09,400,1157353200"; d="scan'208"; a="755318007:sNHT53970492" Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-3.cisco.com (8.12.11.20060308/8.12.11) with ESMTP id kA87gM1H029461; Tue, 7 Nov 2006 23:42:22 -0800 Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id kA87gMW4001959; Tue, 7 Nov 2006 23:42:22 -0800 (PST) Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 7 Nov 2006 23:42:22 -0800 Received: from [192.168.2.109] ([10.21.121.117]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 7 Nov 2006 23:42:21 
-0800 In-Reply-To: <7E49849DDCBEAA489C65292E8B8AE7E8140333A1@zrc2hxm2.corp.nortel.com> References: <7E49849DDCBEAA489C65292E8B8AE7E8140333A1@zrc2hxm2.corp.nortel.com> Mime-Version: 1.0 (Apple Message framework v752.3) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: Cc: Content-Transfer-Encoding: 7bit From: Max Pritikin Subject: Re: question on interop with entrust server Date: Tue, 7 Nov 2006 23:42:16 -0800 To: Ricky Charlet X-Mailer: Apple Mail (2.752.3) X-OriginalArrivalTime: 08 Nov 2006 07:42:21.0906 (UTC) FILETIME=[6CD86B20:01C70309] DKIM-Signature: a=rsa-sha1; q=dns; l=5077; t=1162971742; x=1163835742; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=pritikin@cisco.com; z=From:Max=20Pritikin=20 |Subject:Re=3A=20question=20on=20interop=20with=20entrust=20server; X=v=3Dcisco.com=3B=20h=3D7UuzHhTdPuxusP2a2aRB3lbErpo=3D; b=Kzppd6Oe8JsY5daZ9DVudzrJi/T9BUZ7DBFQQrL5mEMjMOToixn2Z9RjfZ700VDDrJA2gEJr C8Q8bmHsXx+0DyWU/iUNM8f7Rc/Uv5/NXMcCfCNhu8kaOttq8/rdjTbP; Authentication-Results: sj-dkim-3.cisco.com; header.From=pritikin@cisco.com; dkim=pass ( sig from cisco.com verified; ); Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hmm. Repeating my refrain about not knowing anything... but recently we had an internal discussion where we noted that: > IOS structures its SCEP requests differently to the Authority > depending > if its a CA or an RA. One of those differences is in the > extensionRequest attribute. Here is the behavior: > > CA > ---- > Uses the Verisign OID for extensionRequest - 2.16.840.1.113733.1.9.8 > ExtensionRequest is encoded as an Octet String > > RA > ----- > Uses pkcs #9 OID for extensionRequest - 1.2.840.113549.1.9.14 > ExtensionRequest is encoded as a T61 String With the reasons for this being historical, uninteresting, and not obvious from the present. 
The result though is that if the extensionRequest attribute sent to the entrust RA is encoded as an Octet string (which works for CAs!) it will fail. I wonder if you're running into something like this? - max On Nov 7, 2006, at 12:24 PM, Ricky Charlet wrote: > Hi Max, > > I think we just had some emails cross in transit. My new email > on the thread > "draft 6 of draft-nourse-scep" should speak to your question. > > > But, I'll also reply here. The entrust server is a CA+RA. I > receive both CA cert and RA cert during my authentication step. I > store > both. When I get to my enrollment step, we des-encrypt the pkcs10 > with a > new content key, rsa-encrypt the content key with the RA-cert-pub-key, > and attach the encrypted content key to the pkcs7 recipient info. > > I don't know if the entrust server is failing to decrypt the > content key or failing to decrypt the pkcs10. > > --- > Ricky Charlet > W: 408.754.1733 > rcharlet@nortel.com > --- _ > ( ) ASCII ribbon campaign > X - against HTML email > / \ > >> -----Original Message----- >> From: Max Pritikin [mailto:pritikin@cisco.com] >> Sent: Tuesday, November 07, 2006 12:17 PM >> To: Charlet, Ricky (HLYER:0000) >> Cc: scep@vpnc.org >> Subject: Re: question on interop with entrust server >> >> >> Well, again voicing my complete lack of knowledge about >> entrust internals... >> >> Is this against a CA or an RA? And is there a difference in >> the behavior you are seeing? >> >> - max >> >> On Nov 7, 2006, at 9:17 AM, Ricky Charlet wrote: >> >>> Hi Max, >>> >>> I don't have a clear enough view into the entrust >> server operation to >>> firmly answer your question. But I strongly suspect it is a problem >>> with decryption. The specific error message I get from the entrust >>> logs says >>> >>> "[-00151 The signature verification failed.] Failure during >> unprotect >>> of signed data" >>> >>> The signature verification failure is irrelevant. 
I >> know this from 1) >>> the standards don't require it, and 2) a successful >> enrollment from a >>> cisco router gets a similar log entry about >> sig-verification failure, >>> but then proceeds onward. >>> >>> The relevant part of that log message above seems to be >> "Failure >>> during unprotect of signed data" >>> >>> >>> --- >>> Ricky Charlet >>> W: 408.754.1733 >>> rcharlet@nortel.com >>> --- _ >>> ( ) ASCII ribbon campaign >>> X - against HTML email >>> / \ >>> >>>> -----Original Message----- >>>> From: Max Pritikin [mailto:pritikin@cisco.com] >>>> Sent: Monday, November 06, 2006 5:26 PM >>>> To: Charlet, Ricky (HLYER:0000) >>>> Cc: scep@vpnc.org >>>> Subject: Re: question on interop with entrust server >>>> >>>> >>>> "After a bit more reading..." Then what? :) >>>> >>>> Are you having trouble with the entrust CA decrypting the >>>> pkcs7 or is it trouble parsing the pkcs7? Does your client work >>>> against a different CA server? >>>> >>>> - max >>>> >>>> On Nov 6, 2006, at 5:04 PM, Ricky Charlet wrote: >>>> >>>>> >>>>> After a bit more reading.... >>>>> >>>>> >>>>> --- >>>>> Ricky Charlet >>>>> W: 408.754.1733 >>>>> rcharlet@nortel.com >>>>> --- _ >>>>> ( ) ASCII ribbon campaign >>>>> X - against HTML email >>>>> / \ >>>>> >>>>>> -----Original Message----- >>>>>> From: owner-scep@mail.vpnc.org >>>>>> [mailto:owner-scep@mail.vpnc.org] On Behalf Of Charlet, Ricky >>>>>> (HLYER:0000) >>>>>> Sent: Monday, November 06, 2006 12:49 PM >>>>>> To: scep@vpnc.org >>>>>> Subject: question on interop with entrust server >>>>>> >>>>>> >>>>>> Howdy, >>>>>> >>>>>> My group is building a new scep client. We have successfully >>>>>> interoperated against microsoft but are having a difficult time >>>>>> interoperating with entrust. The entrust server seems not >>>> to be able >>>>>> to decrypt our PKCS7. But the log message is very vague. 
>>>>>> >>>>>> I'm hoping an Entrust VPN enrollment server person is >>>> reading this >>>>>> and can contact me directly to work out some interop testing. >>>>>> >>>>>> >>>>>> --- >>>>>> Ricky Charlet >>>>>> W: 408.754.1733 >>>>>> rcharlet@nortel.com >>>>>> --- _ >>>>>> ( ) ASCII ribbon campaign >>>>>> X - against HTML email >>>>>> / \ >>>>>> >>>>>> >>>> >> From owner-scep Sun Feb 17 09:04:30 2008 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m1HG4UHr012122 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 17 Feb 2008 09:04:30 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m1HG4UPj012121; Sun, 17 Feb 2008 09:04:30 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from skutsje.san.webweaving.org (skutsje.san.webweaving.org [209.132.96.45]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m1HG4TRP012113 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sun, 17 Feb 2008 09:04:30 -0700 (MST) (envelope-from dirkx@webweaving.org) Received: from [10.11.0.121] (5356CA0A.cable.casema.nl [83.86.202.10]) (authenticated bits=0) by skutsje.san.webweaving.org (8.12.9/8.12.9) with ESMTP id m1HG4Q2Q034391 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for ; Sun, 17 Feb 2008 08:04:29 -0800 (PST) (envelope-from dirkx@webweaving.org) Message-Id: From: Dirk-Willem van Gulik To: scep@vpnc.org Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v919.2) Subject: Initial Date: Sun, 17 Feb 2008 17:04:26 +0100 X-Mailer: Apple Mail (2.919.2) Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Apologies if this is a very 
obvious question - but I've certainly missed it reading through the document.

With respect to:

> 2.2.1.2 Required Information
>
> A requester is required to have the following information configured
> before starting any PKI operations:
>
> 1. the certificate authority IP address or fully-qualified domain
>    name,
> 2. the certificate authority HTTP CGI script path, and the HTTP
>    proxy information in case there is no direct Internet connection to
>    the server,
> 3. If CRLs are being published by the CA to an LDAP directory
>    server, and there is a CRL Distribution Point containing only an
>    X.500 directory name, then the client will need to know the LDAP
>    server fully-qualified domain name or IP address. CRL Distribution
>    Points are discussed in more detail in RFC 2459.

How does a client learn '1' and '3' in the wild? For '3' we have clear extensions in the very first x509 certs you'd encounter, say during an 802.1X signon, when you talk to the server* -- but in what extension is 1 passed?

And secondly - how does one learn those when the x509 of the first port of call (say some Radius server doing EAP) is different from above?

Thanks,

Dw

*: who in the TLS exchange will flash its own cert and the chain up.
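
Point 3 of the quoted section 2.2.1.2, as an added example that is not part of the original message or of any SCEP implementation: a minimal DER walk over a CRLDistributionPoints extension value that reports which distribution points hold only an X.500 directoryName, the case in which the requester must already know the LDAP server. The helper names and the sample extension values (CN=Example CA, ldap.example.com) are constructed for illustration.

```python
# Added example (not from the SCEP draft or any implementation).
# Tags: 0x30 SEQUENCE, 0xA0 context [0] constructed,
#       0x86 GeneralName uniformResourceIdentifier, 0xA4 GeneralName directoryName.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def dirname_only_points(ext_value):
    """Indexes of DistributionPoints whose fullName holds only directoryName entries."""
    tag, points, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    hits = []
    for index, (_, point) in enumerate(children(points)):
        kinds = [gn_tag
                 for f_tag, field in children(point) if f_tag == 0xA0   # distributionPoint
                 for n_tag, name in children(field) if n_tag == 0xA0    # fullName
                 for gn_tag, _ in children(name)]
        if kinds and all(k == 0xA4 for k in kinds):
            hits.append(index)            # no URI here: LDAP server must be preconfigured
    return hits

def tlv(tag, content):
    """Encode one short-form DER element; used only to build the constructed samples."""
    if len(content) > 127:
        raise ValueError("sample too long for short-form length")
    return bytes([tag, len(content)]) + content

# Constructed samples: directoryName CN=Example CA, and an ldap:// URI on a placeholder host.
DIR_NAME = tlv(0xA4, tlv(0x30, tlv(0x31, tlv(0x30,
               bytes.fromhex("0603550403") + tlv(0x13, b"Example CA")))))
URI_NAME = tlv(0x86, b"ldap://ldap.example.com/cn=Example%20CA?certificateRevocationList")
POINT_DIR = tlv(0x30, tlv(0xA0, tlv(0xA0, DIR_NAME)))
POINT_URI = tlv(0x30, tlv(0xA0, tlv(0xA0, URI_NAME)))
```

Pass the function the extension's extnValue contents (the inner SEQUENCE OF DistributionPoint); a non-empty result marks the points a client cannot resolve from the certificate alone.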

From owner-scep Wed Feb 20 01:32:37 2008
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m1K8Wb8o069677 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 20 Feb 2008 01:32:37 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m1K8WbMU069676; Wed, 20 Feb 2008 01:32:37 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f
Received: from skutsje.san.webweaving.org (skutsje.san.webweaving.org [209.132.96.45]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m1K8WaOK069669 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Wed, 20 Feb 2008 01:32:37 -0700 (MST) (envelope-from dirkx@webweaving.org)
Received: from dyn-210.leiden.webweaving.org (5356CA0A.cable.casema.nl [83.86.202.10]) (authenticated bits=0) by skutsje.san.webweaving.org (8.12.9/8.12.9) with ESMTP id m1K8WQ2Q006101 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 20 Feb 2008 00:32:29 -0800 (PST) (envelope-from dirkx@webweaving.org)
Cc: scep@vpnc.org
Message-Id: <1CA06A0F-45FE-4159-A93D-5E5692D9351B@webweaving.org>
From: Dirk-Willem van Gulik
To: Tomas Gustavsson
In-Reply-To: <47BBD724.9060502@primekey.se>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v919.2)
Subject: Re: Initial
Date: Wed, 20 Feb 2008 09:32:25 +0100
References: <47BBD724.9060502@primekey.se>
X-Mailer: Apple Mail (2.919.2)
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

On Feb 20, 2008, at 8:30 AM, Tomas Gustavsson wrote:

> For number 3, I would guess that that ip-address is also part of the
> initial manual configuration of the device.

Ok - I'll take apart the vendor code and see what it is they do. As I suspect they take some field from the x509 of the TLS cert during the EAP exchange. This is clever as this is where that server is provided to the client as part of the 802.1X exchange. Which means that the client does not have to have any configuration at all - and can be brought into the field without any a-priori configuration.

While on that topic - I noticed that MacOSX started to have a similar function:

http://it.ucmerced.edu/docs/guides/wireless/wireless_mac_leopard.cfm

but have not seen this in operation. Has anyone?

Dw

From owner-scep Thu May 8 02:45:07 2008
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m489j6aQ012672 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 8 May 2008 02:45:06 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m489j6Ro012671; Thu, 8 May 2008 02:45:06 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f
Received: from mail.cynops.de (cynops.de [82.149.225.69]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m489j59T012640 for ; Thu, 8 May 2008 02:45:06 -0700 (MST) (envelope-from ak-ml2006@cynops.de)
Received: from cy10loc.cynops.de (cy10loc [172.16.0.10]) by mail.cynops.de (Postfix) with ESMTP id 6EF486D2A3 for ; Thu, 8 May 2008 11:45:03 +0200 (CEST)
Received: from localhost (unknown [172.16.0.6]) by cy10loc.cynops.de (Postfix) with ESMTP id 65FB1C80B4 for ; Thu, 8 May 2008 11:45:02 +0200 (CEST)
Date: Thu, 8 May 2008 11:44:57 +0200
From: Alexander Klink
To: scep@vpnc.org
Subject: Cisco and automatic renewal (signature with old certificate)
Message-ID: <20080508.c450c30ebd32c69d9ae80ddafaf2d640@cynops.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.5.13 (2006-08-11)
Sender: owner-scep@mail.vpnc.org
Precedence: bulk
List-Archive:
List-Unsubscribe:
List-ID:

Hi,

I've been subscribed to this mailing list for about two years now and haven't seen any traffic at all - let's see if someone else is actually subscribed.

I am with the OpenXPKI project, we're building an open source PKI which includes an SCEP server. I was wondering if it is possible at all to use the automatic renewal (signature with the existing certificate) feature which was introduced in later versions of the draft (and is implemented for example in CertNanny, another open source project) with Cisco routers? From the documentation, I'd have guessed that this is what is used when the 'regenerate' option is specified to generate a new key (it looks like if this is not specified, the router uses the old key and in turn the old transaction ID, which in our case leads to returning the old certificate ...?), but it looks like the request is self-signed with the new key ...

BTW, if anyone is interested in SCEP client testing against OpenXPKI, I guess I could set up a public test SCEP server ...

Cheers,
Alex
-- D