From owner-scep Fri Feb 11 04:07:27 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id EAA11770 for scep-bks; Fri, 11 Feb 2000 04:07:27 -0800 (PST) Received: from aunt15.ausys.se (void1.ausys.se [62.20.78.253]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id EAA11766 for ; Fri, 11 Feb 2000 04:07:26 -0800 (PST) Received: by aunt15.ausys.se with Internet Mail Service (5.5.2650.21) id ; Fri, 11 Feb 2000 13:09:51 +0100 Message-ID: <41ACC8CF2BF1D011AEDD00805F31E54C035D352D@aunt15.ausys.se> From: Magnus Hessel To: "'scep@vpnc.org'" , "'scep-interest@external.cisco.com'" Subject: RA-certificates and KeyUsage, BasicConstrains etc. Date: Fri, 11 Feb 2000 13:09:50 +0100 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: I observe strange behavour when using my 1700 router with IOS 12.0.5T router software. Q1: A: Can I have a single RA certificate or has it got to be one for encryption and one for signature? B: If yes on A, what certificate data are required to be set? Q2: If I use multiple RA certificates, which keyusage MUST and MUST NOT be set for encryption and signature respectively. My observation is that if keyencipherment is set but not digitalsignature, then the certificate is considered an RA certificate. Where can I get more information about required CA and RA certificate profiles? Best Regards/ Magnus Hessel Software Engineer -It's nice to be important, but it's more important to be nice. iD2 Technologies -an Ericsson associate Liljeholmsv. 14, P.O Box 44055, 100 73 Stockholm, Sweden Phone: + 46 8 775 52 67 Fax:+46 8 726 79 12, E-mail: magnus.hessel@iD2tech.com http://www.id2tech.com > iD2 - Securing the Internet economy > > > From owner-scep Tue Feb 22 07:14:16 2000 Received: (from majordomo@localhost) by ns.secondary.com (8.9.3/8.9.3) id HAA10937 for scep-bks; Tue, 22 Feb 2000 07:14:16 -0800 (PST) Received: from host5.janus.sec.nl (IDENT:root@host5.janus.sec.nl [192.87.0.22]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA10932 for ; Tue, 22 Feb 2000 07:14:14 -0800 (PST) Received: from sec.nl (host2.janus.sec.nl [192.87.0.19]) by host5.janus.sec.nl (8.8.7/8.8.7) with ESMTP id QAA01846; Tue, 22 Feb 2000 16:19:08 +0100 Message-ID: <38B2A8EB.51D46D2B@sec.nl> Date: Tue, 22 Feb 2000 16:19:07 +0100 From: Janus Liebregts Organization: SURFnet ExpertiseCentrum bv X-Mailer: Mozilla 4.61 [en] (Win95; U) X-Accept-Language: nl,en MIME-Version: 1.0 To: "scep@vpnc.org" , "scep-interest@external.cisco.com" Subject: SCEP OpenSSL implementation Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms9D412A0ADABE32A8275E1B19" Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a cryptographically signed message in MIME format. --------------ms9D412A0ADABE32A8275E1B19 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hi sceptics, we are planning to implement SCEP on our OpenSSL-based CA. I'm sure some-one else has done this job or parts of this job before. If not, we are willing to post our (open-source) implementation. We as the dutch academic and higher education ISP, have an operational X.509 and LDAP infrastructure and are experimenting to integrate IPsec, X.509 and LDAP. regards, Janus Liebregts SURFnet ExpertiseCentrum bv The Netherlands http://www.sec.nl/persons/janus --------------ms9D412A0ADABE32A8275E1B19 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIJxgYJKoZIhvcNAQcCoIIJtzCCCbMCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC B9gwggQ5MIIDIaADAgECAgEKMA0GCSqGSIb3DQEBBQUAMFcxCzAJBgNVBAYTAk5MMRAwDgYD VQQKEwdTVVJGbmV0MRIwEAYDVQQDEwlPZmZpY2UtQ0ExIjAgBgkqhkiG9w0BCQEWE2NhLWFk bWluQHN1cmZuZXQubmwwHhcNMDAwMTE0MTM1NzM0WhcNMDAwNDAxMDAwMDAwWjB/MQswCQYD VQQGEwJOTDEkMCIGA1UEChMbU1VSRm5ldCBFeHBlcnRpc2VDZW50cnVtIGJ2MQkwBwYDVQQL EwAxGDAWBgNVBAMTD0phbnVzIExpZWJyZWd0czElMCMGCSqGSIb3DQEJARYWSmFudXMuTGll YnJlZ3RzQHNlYy5ubDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA8rDj3Whow1k2rPoy XFr42JLSPW9L57t2W7gdLwtjHjPQTfMUwBq2GROdFxFb1lCNkKrMwLIBPPDzxG2fQa3FlBpR qh2Mg/spgLhRgbGZ8q6TpGEin4tOWuysFjJlSCC3h+9OJsg1StdLZ4elEWHPtRV+JtJMpBy6 hmBkJ4yyc+sCAwEAAaOCAWowggFmMBEGCWCGSAGG+EIBAQQEAwIFoDALBgNVHQ8EBAMCBeAw HQYDVR0OBBYEFHkkyiecUhKDSgoi2uOJWkyxrGGdMIGrBgNVHSMEgaMwgaChgYqkgYcwgYQx CzAJBgNVBAYTAk5MMRAwDgYDVQQKEwdTVVJGbmV0MR4wHAYDVQQLExVodHRwOi8vcGtpLnN1 cmZuZXQubmwxHDAaBgNVBAMTE1NVUkZuZXQgUENBIFJvb3QgQ0ExJTAjBgkqhkiG9w0BCQEW FlNVUkZuZXQtUENBQFNVUkZuZXQubmyCEQDCq6cDAAAY2AAAAAUAAAAIMDgGCWCGSAGG+EIB AgQrFilodHRwczovL2NyZWNoZS53aW5kLnN1cmZuZXQubmwvb2ZmaWNlLWNhLzA9BglghkgB hvhCAQgEMBYuaHR0cHM6Ly9jcmVjaGUud2luZC5zdXJmbmV0Lm5sL29mZmljZS1DUFMuaHRt bDANBgkqhkiG9w0BAQUFAAOCAQEAhka6RgEM7bMovfcGAt+P+vfm0nNCg42mUteAsqh2BEo6 qAgvwRbcXzESki85hYHGcuCWUDh8hjWzeUqyNnX1zWFmO45j9KJg+aSC16A8pQCzlghAE+yx LP3FraYpR+5NcOWQDZwuvsPsEIeRfYOEswC5uTBE6gQust6+NBKdb5vvG4s0Dcf98IgRod8U ySeTJCStwIgrg3ag27IXbfyLlUzMycxHVNd/ytgosSKLYtb+cY6uwk/UltB6tMoDRJOBEsEG H0ZW1FynWxU4eov72haU4tjM7zeloh1O0aVlIjmAwaki9XyQdWwpA0Oadva5zLoknQmwWJC+ h+wrV2m53jCCA5cwggJ/oAMCAQICEQDCq6cDAAAY2AAAAAUAAAAIMA0GCSqGSIb3DQEBBQUA MIGEMQswCQYDVQQGEwJOTDEQMA4GA1UEChMHU1VSRm5ldDEeMBwGA1UECxMVaHR0cDovL3Br aS5zdXJmbmV0Lm5sMRwwGgYDVQQDExNTVVJGbmV0IFBDQSBSb290IENBMSUwIwYJKoZIhvcN AQkBFhZTVVJGbmV0LVBDQUBTVVJGbmV0Lm5sMB4XDTk5MTEyNTE2MjUyOFoXDTAyMTEyNDE2 MjUyOFowVzELMAkGA1UEBhMCTkwxEDAOBgNVBAoTB1NVUkZuZXQxEjAQBgNVBAMTCU9mZmlj ZS1DQTEiMCAGCSqGSIb3DQEJARYTY2EtYWRtaW5Ac3VyZm5ldC5ubDCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBALOwcNZSpOQ3BXQ8cVlFzRR71LnZb6ofGIh7drJUVcY9PyoP sVzsBYwBKGXOEEEH0LWPCaJri6Zzb5PmKnYRGTkV/xRTXxh62rbC8Qy1tzhFqQVouOf+4wXg GUaHlOQj6xGJantRgWqs/yPtcyghW/Urs8lhjnS/6LgPMtWTzp32ifa4Np18iF68SODStYd4 SqFkNYPAWVSEa/NqXG1GKJtwxryUsNSGEweku06fNIF8OiyT+2o33GdrxOn7/JgvdzBpjH16 PF9hP/Lz+Vj35TSDlk4NpYhdGLy5LJZIb7DQMAimLjAxjIWdOV38Y3Q6t7cfNoYku+mH/+BR uj8+PXkCAwEAAaMwMC4wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAYYwEQYJYIZIAYb4QgEB BAQDAgAHMA0GCSqGSIb3DQEBBQUAA4IBAQBdwRb0fgGMmNq9EYBeK5LRhUWhAib4nxYa3CX8 0Gm+r8b9HnVXDQaEYSw9wCRaGqpxwpiTP6RItN6mKC6wOSaa8rp3cfcaMkfyApGAIrrEUlGX CNmObBfHnBfI9Qwywxwty90LCl0Rd4A6j3BRS7ORSbB+L/hsUIgHHgh6zmDG92BUkqPP/Ycc lI17BtsplygDh+kiL4VLBJIAU1+ALZFNat2jO5fZCXGIQ2Z90tOx8YT04f1J5O8mkIPXefsB kQBMiP3TBo6RUqk6FxO5VJMNDQ2SrWmH1aNlt3tG1lpOyV2hayGCz8f8Yd5csU3nAXC6+c7b jOLAcRX8C3U9d/XDMYIBtjCCAbICAQEwXDBXMQswCQYDVQQGEwJOTDEQMA4GA1UEChMHU1VS Rm5ldDESMBAGA1UEAxMJT2ZmaWNlLUNBMSIwIAYJKoZIhvcNAQkBFhNjYS1hZG1pbkBzdXJm bmV0Lm5sAgEKMAkGBSsOAwIaBQCggbEwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq hkiG9w0BCQUxDxcNMDAwMjIyMTUxOTA3WjAjBgkqhkiG9w0BCQQxFgQUVFhyMjGQrchuBfpj ZnazIYps+AUwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAw BwYFKw4DAgcwDQYIKoZIhvcNAwICAUAwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAE gYCsdXqADwIQmIuxSdS/nXElnjLMRberrO1TcVJShfo8v2fuPWHB/FFZdjH5LmAQVf9RJpCS uvih7MEekQB7j3DMO04Xw8i39vaYTZlSKe9490FEYqNYiL17N/dac4BtsQLFObQTp5oMOMPe E85xiqGUOCJEkW8CLClZXM7CfJijhQ== --------------ms9D412A0ADABE32A8275E1B19-- From owner-scep Fri May 5 08:16:20 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id IAA11518 for scep-bks; Fri, 5 May 2000 08:16:20 -0700 (PDT) Received: from sothmxs01.entrust.com (gatekeeper.entrust.com [204.101.128.170]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA11514 for ; Fri, 5 May 2000 08:16:19 -0700 (PDT) Received: by sothmxs01.entrust.com with Internet Mail Service (5.5.2650.21) id ; Fri, 5 May 2000 11:16:02 -0400 Message-ID: <01E1D01C12D7D211AFC70090273D20B1038D668D@sothmxs06.entrust.com> From: Marek Buchler To: "'scep@vpnc.org'" , "'scep-interest@external.cisco.com'" Subject: Question on the Test Plan for IOS and CA Server Interoperability Date: Fri, 5 May 2000 09:46:37 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, CERT_ENROL_09 in revision 1.4 of the IOS-CA Server interop test plan states that the serial number should be both in the subject DN and in the subject alt name extension. Where is it supposed to go in the subject alt name? None of the name forms in GeneralName (in RFC 2459) seem suitable. Thanks, -Marek Buchler Marek Buchler Software Developer Entrust Technologies (613) 247-2586 Marek.Buchler@entrust.com From owner-scep Tue May 23 03:05:09 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id DAA08667 for scep-bks; Tue, 23 May 2000 03:05:09 -0700 (PDT) Received: from host5.janus.sec.nl (IDENT:root@host5.janus.sec.nl [192.87.0.22]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id DAA08663 for ; Tue, 23 May 2000 03:05:07 -0700 (PDT) Received: from surfnet.nl (host2.janus.sec.nl [192.87.0.19]) by host5.janus.sec.nl (8.8.7/8.8.7) with ESMTP id KAA02072; Tue, 23 May 2000 10:52:22 +0200 Message-ID: <392A59E7.582DFC82@surfnet.nl> Date: Tue, 23 May 2000 12:13:59 +0200 From: Janus Liebregts Organization: SURFnet bv X-Mailer: Mozilla 4.61 [en] (Win95; U) X-Accept-Language: en,nl MIME-Version: 1.0 To: "'scep@vpnc.org'" , "'scep-interest@external.cisco.com'" Subject: CA-products supporting SCEP Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, is anyone aware of CA-products supporting SCEP? the only product I have thus far is Baltimore: http://www.baltimore.com/pkiworld/vpn/cisco.html Xcert anounced that the Sentry 4.1 release with SCEP-support was sceduled mid-2000 and ofcourse Verisign supports SCEP when using their service. regards, Janus Liebregts SURFnet The Netherlands From owner-scep Tue May 23 07:40:24 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id HAA15647 for scep-bks; Tue, 23 May 2000 07:40:24 -0700 (PDT) Received: from pita.cisco.com (pita.cisco.com [171.71.68.13]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA15642 for ; Tue, 23 May 2000 07:40:23 -0700 (PDT) Received: from georgelake ([10.19.197.125]) by pita.cisco.com (8.8.8-Cisco List Logging/8.8.8) with SMTP id HAA00888; Tue, 23 May 2000 07:46:21 -0700 (PDT) Message-ID: <005e01bfc4c5$a3b8c560$7dc5130a@cisco.com> From: "George Lake" To: "Janus Liebregts" , , References: <392A59E7.582DFC82@surfnet.nl> Subject: Re: CA-products supporting SCEP Date: Tue, 23 May 2000 07:46:06 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2314.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Janus, Microsoft, Netscape, Verisign, Entrust, and Netscape currently support SCEP. -George ----- Original Message ----- From: Janus Liebregts To: ; Sent: Tuesday, May 23, 2000 3:13 AM Subject: CA-products supporting SCEP > Hi, > > is anyone aware of CA-products supporting SCEP? > > the only product I have thus far is Baltimore: > http://www.baltimore.com/pkiworld/vpn/cisco.html > > Xcert anounced that the Sentry 4.1 release with SCEP-support was > sceduled mid-2000 > > and ofcourse Verisign supports SCEP when using their service. > > regards, > Janus Liebregts > SURFnet > The Netherlands > > From owner-scep Tue May 23 07:44:33 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id HAA15724 for scep-bks; Tue, 23 May 2000 07:44:33 -0700 (PDT) Received: from sigma.cisco.com (sigma.cisco.com [171.69.63.142]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id HAA15719 for ; Tue, 23 May 2000 07:44:32 -0700 (PDT) Received: from jeremys7020 (ch2-dhcp136-178.cisco.com [161.44.136.178]) by sigma.cisco.com (8.8.8-Cisco List Logging/8.8.8) with SMTP id HAA17116; Tue, 23 May 2000 07:50:56 -0700 (PDT) Message-ID: <001101bfc4c6$bc2eb6d0$b2882ca1@cisco.com> From: "Jeremy Stieglitz" To: "Janus Liebregts" , , References: <392A59E7.582DFC82@surfnet.nl> Subject: Re: CA-products supporting SCEP Date: Tue, 23 May 2000 10:54:02 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Several of the leading PKI vendors already support SCEP in commercially available products. Contact Baltimore, Entrust, Microsoft, Netscape, SSH and VeriSign for more information on their solutions, version numbers, pricings, etc. New vendor support for SCEP is coming all the time. I believe that RSA recently announced Keon 5.5 with SCEP support, as well, Cybertrust, Thawte, Xcert, and others are expected to have SCEP support shortly or do already. If I have missed a PKI vendor with commercially available SCEP, please speak up! thanks, Jeremy Stieglitz. Product Line Manager, Identity Cisco Systems ----- Original Message ----- From: "Janus Liebregts" To: ; Sent: Tuesday, May 23, 2000 6:13 AM Subject: CA-products supporting SCEP > Hi, > > is anyone aware of CA-products supporting SCEP? > > the only product I have thus far is Baltimore: > http://www.baltimore.com/pkiworld/vpn/cisco.html > > Xcert anounced that the Sentry 4.1 release with SCEP-support was > sceduled mid-2000 > > and ofcourse Verisign supports SCEP when using their service. > > regards, > Janus Liebregts > SURFnet > The Netherlands > > From owner-scep Tue May 23 08:17:08 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id IAA16559 for scep-bks; Tue, 23 May 2000 08:17:08 -0700 (PDT) Received: from sj-msg-core-2.cisco.com (sj-msg-core-2.cisco.com [171.69.43.88]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id IAA16555 for ; Tue, 23 May 2000 08:17:07 -0700 (PDT) Received: from kahului.cisco.com (kahului.cisco.com [171.71.68.60]) by sj-msg-core-2.cisco.com (8.9.3/8.9.1) with ESMTP id IAA18828; Tue, 23 May 2000 08:20:38 -0700 (PDT) Received: from cisco.com (localhost [127.0.0.1]) by kahului.cisco.com (8.8.8-Cisco List Logging/CISCO.WS.1.2) with ESMTP id IAA29201; Tue, 23 May 2000 08:20:31 -0700 (PDT) Message-ID: <392AA1BE.4AF39571@cisco.com> Date: Tue, 23 May 2000 08:20:31 -0700 From: Mark Robb X-Mailer: Mozilla 4.73 [en] (X11; U; SunOS 5.6 sun4u) X-Accept-Language: en MIME-Version: 1.0 To: Janus Liebregts CC: "'scep@vpnc.org'" , "'scep-interest@external.cisco.com'" Subject: Re: CA-products supporting SCEP References: <392A59E7.582DFC82@surfnet.nl> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Janus Liebregts wrote: > Hi, > > is anyone aware of CA-products supporting SCEP? > > the only product I have thus far is Baltimore: > http://www.baltimore.com/pkiworld/vpn/cisco.html > > Xcert anounced that the Sentry 4.1 release with SCEP-support was > sceduled mid-2000 > > and ofcourse Verisign supports SCEP when using their service. > > regards, > Janus Liebregts > SURFnet > The Netherlands Microsoft Win2000, Entrust, and Netscape CMS 4.1 are all vendor CA products which support SCEP. From owner-scep Tue May 23 10:00:01 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id KAA18575 for scep-bks; Tue, 23 May 2000 10:00:01 -0700 (PDT) Received: from tholian.securitydynamics.com (tholian.securid.com [204.167.112.129]) by ns.secondary.com (8.9.3/8.9.3) with SMTP id JAA18565 for ; Tue, 23 May 2000 09:59:49 -0700 (PDT) Received: from sdtihq24.securitydynamics.com by tholian.securitydynamics.com via smtpd (for mail.vpnc.org [208.184.76.50]) with SMTP; 23 May 2000 17:02:28 UT Received: from exrsa01.rsa.com ([10.81.217.7]) by sdtihq24.securid.com (Pro-8.9.3/Pro-8.9.3) with ESMTP id NAA26406; Tue, 23 May 2000 13:06:32 -0400 (EDT) Received: by exrsa01.rsa.com with Internet Mail Service (5.5.2448.0) id <293KX52M>; Tue, 23 May 2000 10:06:36 -0700 Message-ID: From: "Huynh, Dung" To: "'Mark Robb'" , Janus Liebregts Cc: "'scep@vpnc.org'" , "'scep-interest@external.cisco.com'" Subject: RE: CA-products supporting SCEP Date: Tue, 23 May 2000 10:05:58 -0700 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2448.0) Content-Type: text/plain; charset="ISO-8859-1" Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Janus, RSA Keon certificate server v5.5 also support SCEP. Dung Huynh RSA Security Inc. -----Original Message----- From: Mark Robb [mailto:markr@cisco.com] Sent: Tuesday, May 23, 2000 8:21 AM To: Janus Liebregts Cc: 'scep@vpnc.org'; 'scep-interest@external.cisco.com' Subject: Re: CA-products supporting SCEP Janus Liebregts wrote: > Hi, > > is anyone aware of CA-products supporting SCEP? > > the only product I have thus far is Baltimore: > http://www.baltimore.com/pkiworld/vpn/cisco.html > > Xcert anounced that the Sentry 4.1 release with SCEP-support was > sceduled mid-2000 > > and ofcourse Verisign supports SCEP when using their service. > > regards, > Janus Liebregts > SURFnet > The Netherlands Microsoft Win2000, Entrust, and Netscape CMS 4.1 are all vendor CA products which support SCEP. From owner-scep Tue May 23 10:37:46 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id KAA19614 for scep-bks; Tue, 23 May 2000 10:37:46 -0700 (PDT) Received: from e24.nc.us.ibm.com (e24.nc.us.ibm.com [32.97.136.230]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id KAA19610 for ; Tue, 23 May 2000 10:37:44 -0700 (PDT) From: benantar@us.ibm.com Received: from southrelay02.raleigh.ibm.com (southrelay02.raleigh.ibm.com [9.37.3.209]) by e24.nc.us.ibm.com (8.9.3/8.9.3) with ESMTP id NAA22098; Tue, 23 May 2000 13:29:38 -0500 Received: from d54mta03.raleigh.ibm.com (d54mta03.raleigh.ibm.com [9.67.228.35]) by southrelay02.raleigh.ibm.com (8.8.8m3/NCO v4.9) with SMTP id NAA81722; Tue, 23 May 2000 13:42:05 -0400 Received: by d54mta03.raleigh.ibm.com(Lotus SMTP MTA v4.6.5 (863.2 5-20-1999)) id 852568E8.00613A89 ; Tue, 23 May 2000 13:41:59 -0400 X-Lotus-FromDomain: IBMUS To: "Huynh, Dung" cc: "'Mark Robb'" , Janus Liebregts , "'scep@vpnc.org'" , "'scep-interest@external.cisco.com'" Message-ID: <852568E8.0060B657.00@d54mta03.raleigh.ibm.com> Date: Tue, 23 May 2000 13:36:18 -0400 Subject: RE: CA-products supporting SCEP Mime-Version: 1.0 Content-type: text/plain; charset=us-ascii Content-Disposition: inline Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Since we are at it, the upcoming Tivoli PKI 3.2 (3Q00) will support SCEP. Messaoud Benantar Tivoli Systems, Inc. From owner-scep Tue May 23 11:12:04 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id LAA20659 for scep-bks; Tue, 23 May 2000 11:12:04 -0700 (PDT) Received: from pita.cisco.com (pita.cisco.com [171.71.68.13]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id LAA20655 for ; Tue, 23 May 2000 11:12:03 -0700 (PDT) Received: from cowboy-mr.cisco.com (michaelr@michaelr-dsl3.cisco.com [144.254.251.228]) by pita.cisco.com (8.8.8-Cisco List Logging/8.8.8) with ESMTP id LAA05818; Tue, 23 May 2000 11:18:38 -0700 (PDT) Received: (from michaelr@localhost) by cowboy-mr.cisco.com (8.9.3/8.9.0) id LAA00548; Tue, 23 May 2000 11:18:03 -0700 (PDT) From: "Michael Reilly MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14634.52059.293773.54881@cowboy-mr.cisco.com> Date: Tue, 23 May 2000 11:18:03 -0700 (PDT) To: Janus Liebregts Cc: "'scep@vpnc.org'" , "'scep-interest@external.cisco.com'" Subject: Re: CA-products supporting SCEP In-Reply-To: Janus Liebregts's message of 23 May 2000 12:13:59 +0200 References: <392A59E7.582DFC82@surfnet.nl> X-Mailer: VM 6.75 under 21.1 (patch 8) "Bryce Canyon" XEmacs Lucid Reply-To: michaelr@cisco.com Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Janus Liebregt writes - >>is anyone aware of CA-products supporting SCEP? These vendors support SCEP and have have been tested with Cisco routers, the Cisco PIX firewall and the Cisco VPN Client V1.1- (In alphabetical order) Entrust, Microsoft, Netscape, Verisign. We have not tested a Baltimore CA. michael IOS PKI Development Team From owner-scep Wed May 24 00:46:35 2000 Received: by ns.secondary.com (8.9.3/8.9.3) id AAA07020 for scep-bks; Wed, 24 May 2000 00:46:35 -0700 (PDT) Received: from aunt15.ausys.se (void1.ausys.se [62.20.78.253]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id AAA07015 for ; Wed, 24 May 2000 00:46:34 -0700 (PDT) Received: by aunt15.ausys.se with Internet Mail Service (5.5.2650.21) id ; Wed, 24 May 2000 09:53:02 +0200 Message-ID: <41ACC8CF2BF1D011AEDD00805F31E54C0408FFC2@aunt15.ausys.se> From: =?iso-8859-1?Q?Sten_Lannerstr=F6m?= To: Janus Liebregts Cc: "'scep@vpnc.org'" , "'scep-interest@external.cisco.com'" Subject: RE: CA-products supporting SCEP Date: Wed, 24 May 2000 09:53:01 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Dear Janus, The prizeawarded iD2 Certificate Manager also support SCEP. http://www.id2tech.com Best regards, Sten Lannerstrom iD2 Technologies Janus Liebregts wrote: > Hi, > > is anyone aware of CA-products supporting SCEP? > > the only product I have thus far is Baltimore: > http://www.baltimore.com/pkiworld/vpn/cisco.html > > Xcert anounced that the Sentry 4.1 release with SCEP-support was > sceduled mid-2000 > > and ofcourse Verisign supports SCEP when using their service. > > regards, > Janus Liebregts > SURFnet > The Netherlands From owner-scep Thu Mar 15 11:09:43 2001 Received: by above.proper.com (8.9.3/8.9.3) id LAA29451 for scep-bks; Thu, 15 Mar 2001 11:09:43 -0800 (PST) Received: from nebula.x509.com (nebula.x509.com [199.175.150.19]) by above.proper.com (8.9.3/8.9.3) with ESMTP id LAA29445 for ; Thu, 15 Mar 2001 11:09:40 -0800 (PST) Received: from crack.x509.com (crack.x509.com [199.175.150.1]) by nebula.x509.com (8.11.3/XCERT) with ESMTP id f2FJ97l14733; Thu, 15 Mar 2001 11:09:07 -0800 (PST) Received: from rsasecurity.com (mohammad.x509.com [199.175.148.177]) by crack.x509.com (8.11.3/XCERT) with ESMTP id f2FJ97b17227; Thu, 15 Mar 2001 11:09:07 -0800 (PST) Message-ID: <3AB11352.EEF78864@rsasecurity.com> Date: Thu, 15 Mar 2001 11:09:06 -0800 From: Mohammad Ashrafuzzaman Organization: RSA Security Inc. X-Mailer: Mozilla 4.6 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: scep@vpnc.org, scep-interest@external.cisco.com Subject: SCEP client supporting GetCACertChain Content-Type: multipart/mixed; boundary="------------0BC80270F0F961F836A23890" Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. --------------0BC80270F0F961F836A23890 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Hi, Is anyone aware of a SCEP client that supports the GetCACertChain functionality? Thanks, - Mohammad --------------0BC80270F0F961F836A23890 Content-Type: text/x-vcard; charset=us-ascii; name="mohammad.vcf" Content-Transfer-Encoding: 7bit Content-Description: Card for Mohammad Ashrafuzzaman Content-Disposition: attachment; filename="mohammad.vcf" begin:vcard n:Ashrafuzzaman;Mohammad tel;fax:604 640 6220 tel;home:604 526 9364 tel;work:604 640 6210 Ext 255 x-mozilla-html:FALSE url:www.rsasecurity.com org:RSA Security Inc.;Vancouver Development Centre version:2.1 email;internet:mohammad@rsasecurity.com title:Senior Software Development Engineer adr;quoted-printable:;;Suite 300, One Bentall Centre=0D=0A505 Burrard Street;Vancouver;British Columbia;V7X 1M3;Canada fn:Mohammad Ashrafuzzaman end:vcard --------------0BC80270F0F961F836A23890-- From owner-scep Thu Mar 15 15:26:23 2001 Received: by above.proper.com (8.9.3/8.9.3) id PAA15734 for scep-bks; Thu, 15 Mar 2001 15:26:23 -0800 (PST) Received: from thunder.dstc.qut.edu.au (thunder.dstc.qut.edu.au [131.181.71.1]) by above.proper.com (8.9.3/8.9.3) with ESMTP id PAA15702 for ; Thu, 15 Mar 2001 15:26:16 -0800 (PST) Received: from dstc.qut.edu.au (garnet.dstc.qut.edu.au [131.181.71.36]) by thunder.dstc.qut.edu.au (8.10.1/8.10.1) with ESMTP id f2FNQBm29922; Fri, 16 Mar 2001 09:26:11 +1000 (EST) Message-Id: <200103152326.f2FNQBm29922@thunder.dstc.qut.edu.au> X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 To: Mohammad Ashrafuzzaman Cc: scep@vpnc.org, scep-interest@external.cisco.com Subject: Re: SCEP client supporting GetCACertChain In-reply-to: Your message of "Thu, 15 Mar 2001 11:09:06 PST." <3AB11352.EEF78864@rsasecurity.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 16 Mar 2001 09:26:11 +1000 From: Dean Povey Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: >Hi, > >Is anyone aware of a SCEP client that supports the GetCACertChain functionalit y? >Thanks, Hi Mohammed, Check out uPKI 1.1b2 (http://security.dstc.com/products/upki), which has a scepclient utility supporting GetCACert and GetCACertChain. -- Dean Povey, | e-m: povey@dstc.edu.au | JCSI: Java Crypto Toolkit Research Scientist | ph: +61 7 3864 5120 | uPKI: C PKI toolkit for embedded Security Unit, DSTC | fax: +61 7 3864 1282 | systems Brisbane, Australia | www: security.dstc.com | Oscar: C++ PKI toolkit From owner-scep Tue Jun 3 08:40:55 2003 Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h53FetAF050389 for ; Tue, 3 Jun 2003 08:40:55 -0700 (PDT) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h53Fetur050388 for scep-bks; Tue, 3 Jun 2003 08:40:55 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from seguridata1.seguridata.com ([200.57.34.107]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h53FerAF050363 for ; Tue, 3 Jun 2003 08:40:53 -0700 (PDT) (envelope-from mars@seguridata.com) Received: from MarsXP ([200.67.231.235]) by seguridata1.seguridata.com with Microsoft SMTPSVC(5.0.2195.5329); Tue, 3 Jun 2003 10:42:17 -0500 From: "Miguel Rodriguez" To: "SCEP" Subject: newest SCEP spec Date: Tue, 3 Jun 2003 10:42:12 -0500 Message-ID: <002601c329e6$b34f6e50$a600a8c0@seguridata.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0027_01C329BC.CA796650" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 X-OriginalArrivalTime: 03 Jun 2003 15:42:17.0156 (UTC) FILETIME=[B6246040:01C329E6] Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. ------=_NextPart_000_0027_01C329BC.CA796650 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable What is the newest (current) draft specifying SCEP? =20 Thanks, =20 Miguel A. Rodriguez Software Engineer SeguriDATA M=E9xico =20 ------=_NextPart_000_0027_01C329BC.CA796650 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

What is the newest (current) draft specifying = SCEP?

 

Thanks,

 

Miguel A. Rodriguez

Software Engineer

SeguriDATA

=

M=E9xico

 

------=_NextPart_000_0027_01C329BC.CA796650-- From owner-scep Wed Jun 4 14:13:47 2003 Received: from above.proper.com (localhost [127.0.0.1]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h54LBHAF056157 for ; Wed, 4 Jun 2003 14:13:47 -0700 (PDT) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.9/8.12.9/Submit) id h54LBHAG056156 for scep-bks; Wed, 4 Jun 2003 14:11:17 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by above.proper.com (8.12.9/8.12.8) with ESMTP id h54L8jAF056057 for ; Wed, 4 Jun 2003 14:11:16 -0700 (PDT) (envelope-from nourse@cisco.com) Received: from cisco.com (pita.cisco.com [171.71.68.13]) by sj-core-1.cisco.com (8.12.9/8.12.6) with ESMTP id h54L8fOo025872 for ; Wed, 4 Jun 2003 14:08:41 -0700 (PDT) Received: from [10.32.244.78] ([10.32.244.78]) by cisco.com (8.8.8-Cisco List Logging/8.8.8) with SMTP id OAA20190 for ; Wed, 4 Jun 2003 14:08:39 -0700 (PDT) X-Authentication-Warning: pita.cisco.com: [10.32.244.78] didn't use HELO protocol Subject: SCEP 07 draft From: Andrew Nourse To: scep@vpnc.org Content-Type: text/plain Message-Id: <1054760897.436.78.camel@localhost> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.2.4 Date: 04 Jun 2003 14:08:17 -0700 Content-Transfer-Encoding: 7bit Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: A new SCEP draft is up. http://www.ietf.org/internet-drafts/draft-nourse-scep-07.txt Andy Nourse Cisco From owner-scep Fri Feb 20 00:47:53 2004 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i1K8lr2T071463; Fri, 20 Feb 2004 00:47:53 -0800 (PST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i1K8lqTL071461; Fri, 20 Feb 2004 00:47:52 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from web12607.mail.yahoo.com (web12607.mail.yahoo.com [216.136.173.230]) by above.proper.com (8.12.11/8.12.8) with SMTP id i1K8lqQF071452 for ; Fri, 20 Feb 2004 00:47:52 -0800 (PST) (envelope-from aravindforipsec@yahoo.com) Message-ID: <20040220084752.98937.qmail@web12607.mail.yahoo.com> Received: from [202.41.227.188] by web12607.mail.yahoo.com via HTTP; Fri, 20 Feb 2004 08:47:52 GMT Date: Fri, 20 Feb 2004 08:47:52 +0000 (GMT) From: =?iso-8859-1?q?Aravinda=20babu?= Subject: Testing of SCEP client To: scep@vpnc.org MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="0-1959703051-1077266872=:98501" Content-Transfer-Encoding: 8bit Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: --0-1959703051-1077266872=:98501 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Hi all, I am new to this mailing list.Recently we added SCEP client functionality in our SOHO firewall/vpn box.So i want to test this SCEP client functionality.I tried with OpenSCEP since 3 weeks.But no result.Is there any other companies provide SCEP server and CA server functionality freely so that i can test my box. Thanks in Advance, Aravind. --------------------------------- Yahoo! Messenger - Communicate instantly..."Ping" your friends today! Download Messenger Now --0-1959703051-1077266872=:98501 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: 8bit
Hi all,
 
 
          I am new to this mailing list.Recently we added SCEP client functionality in our SOHO firewall/vpn box.So i want to test this SCEP client functionality.I tried with OpenSCEP since 3 weeks.But no result.Is there any other companies provide SCEP server and CA server functionality freely so that i can test my box.
 
Thanks in Advance,
Aravind.

Yahoo! Messenger - Communicate instantly..."Ping" your friends today! Download Messenger Now --0-1959703051-1077266872=:98501-- From owner-scep Fri Feb 20 06:53:35 2004 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i1KErYPn006722; Fri, 20 Feb 2004 06:53:34 -0800 (PST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i1KErYPr006721; Fri, 20 Feb 2004 06:53:34 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from sj-iport-1.cisco.com (sj-iport-1-in.cisco.com [171.71.176.70]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i1KErXhJ006714 for ; Fri, 20 Feb 2004 06:53:34 -0800 (PST) (envelope-from kanter@cisco.com) Received: from mira-sjc5-b.cisco.com (IDENT:mirapoint@mira-sjc5-b.cisco.com [171.71.163.14]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id i1KErTuA017418; Fri, 20 Feb 2004 06:53:29 -0800 (PST) Received: from kanter-w2k01.cisco.com ([10.32.224.124]) by mira-sjc5-b.cisco.com (Mirapoint Messaging Server MOS 3.3.6-GR) with SMTP id AQL91822; Fri, 20 Feb 2004 06:53:27 -0800 (PST) Message-Id: <4.3.2.7.2.20040220063728.047ad520@pita.cisco.com> X-Sender: kanter@pita.cisco.com X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 20 Feb 2004 06:53:23 -0800 To: Aravinda babu , scep@vpnc.org From: Howard Kanter Subject: Re: Testing of SCEP client In-Reply-To: <20040220084752.98937.qmail@web12607.mail.yahoo.com> Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="=====================_208181399==_.ALT" Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: --=====================_208181399==_.ALT Content-Type: text/plain; charset="us-ascii"; format=flowed You can test with Windows 2000 Professional and/or Server, and with Windows 2003 (not sure about XP) It has a CA server, however, you will need to add the SCEP client (mscep.dll) - it's part of the their Resource Toolkit, the setup program is called cepsetup.exe thx At 08:47 AM 2/20/2004 +0000, Aravinda babu wrote: >Hi all, > > > I am new to this mailing list.Recently we added SCEP client > functionality in our SOHO firewall/vpn box.So i want to test this SCEP > client functionality.I tried with OpenSCEP since 3 weeks.But no result.Is > there any other companies provide SCEP server and CA server functionality > freely so that i can test my box. > >Thanks in Advance, >Aravind. > > >Yahoo! >Messenger - Communicate instantly..."Ping" your friends today! >Download >Messenger Now --=====================_208181399==_.ALT Content-Type: text/html; charset="us-ascii" You can test with Windows 2000 Professional and/or Server, and with Windows 2003 (not sure about XP)
It has a CA server, however, you will need to add the SCEP client (mscep.dll) - it's part of the their Resource Toolkit, the setup program is called cepsetup.exe

thx



At 08:47 AM 2/20/2004 +0000, Aravinda babu wrote:
Hi all,
 
 
          I am new to this mailing list.Recently we added SCEP client functionality in our SOHO firewall/vpn box.So i want to test this SCEP client functionality.I tried with OpenSCEP since 3 weeks.But no result.Is there any other companies provide SCEP server and CA server functionality freely so that i can test my box.
 
Thanks in Advance,
Aravind.


Yahoo! Messenger - Communicate instantly..."Ping" your friends today! Download Messenger Now
--=====================_208181399==_.ALT-- From owner-scep Fri Feb 20 08:52:32 2004 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i1KGqWse014493; Fri, 20 Feb 2004 08:52:32 -0800 (PST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i1KGqW5d014492; Fri, 20 Feb 2004 08:52:32 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from seguridata1.seguridata.com ([200.57.34.107]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i1KGqVjH014486 for ; Fri, 20 Feb 2004 08:52:31 -0800 (PST) (envelope-from mars@seguridata.com) Received: from MarsXP ([200.67.231.235]) by seguridata1.seguridata.com with Microsoft SMTPSVC(5.0.2195.6713); Fri, 20 Feb 2004 10:53:14 -0600 From: "Miguel Rodriguez" To: "SCEP" Subject: RE: Testing of SCEP client Date: Fri, 20 Feb 2004 10:53:35 -0600 Message-ID: <000f01c3f7d2$20359080$a600a8c0@seguridata.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0010_01C3F79F.D59B2080" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 In-Reply-To: <20040220084752.98937.qmail@web12607.mail.yahoo.com> Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 X-OriginalArrivalTime: 20 Feb 2004 16:53:15.0328 (UTC) FILETIME=[08705C00:01C3F7D2] Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. ------=_NextPart_000_0010_01C3F79F.D59B2080 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Try using the MS Certificate Server (which is a CA) distributed with the Win 2K server platform. To enable the SCEP server functionality you must run a setup (cepsetup.exe) included in the Win 2K server resource kit CD. This SCEP server is an ISAPI filter that will receive your SCEP requests communicating with the MS Certificate server. Miguel A Rodriguez SeguriData Mexico -----Original Message----- From: owner-scep@mail.vpnc.org [mailto:owner-scep@mail.vpnc.org] On Behalf Of Aravinda babu Sent: Friday, February 20, 2004 2:48 AM To: scep@vpnc.org Subject: Testing of SCEP client Hi all, I am new to this mailing list.Recently we added SCEP client functionality in our SOHO firewall/vpn box.So i want to test this SCEP client functionality.I tried with OpenSCEP since 3 weeks.But no result.Is there any other companies provide SCEP server and CA server functionality freely so that i can test my box. Thanks in Advance, Aravind. _____ Yahoo! Messenger - Communicate instantly..."Ping" your friends today! Download Messenger Now ------=_NextPart_000_0010_01C3F79F.D59B2080 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Message
Try=20 using the MS Certificate Server (which is a CA) distributed with the Win = 2K=20 server platform. To enable the SCEP server functionality you must run a = setup=20 (cepsetup.exe) included in the Win 2K server resource kit CD. This = SCEP=20 server is an ISAPI filter that will receive your SCEP=20 requests communicating with the MS Certificate = server.
 
Miguel=20 A Rodriguez
SeguriData
Mexico 
-----Original Message-----
From:=20 owner-scep@mail.vpnc.org [mailto:owner-scep@mail.vpnc.org] On = Behalf Of=20 Aravinda babu
Sent: Friday, February 20, 2004 2:48=20 AM
To: scep@vpnc.org
Subject: Testing of SCEP=20 client

Hi all,
 
 
          I am new = to this=20 mailing list.Recently we added SCEP client functionality in our SOHO=20 firewall/vpn box.So i want to test this SCEP client functionality.I = tried with=20 OpenSCEP since 3 weeks.But no result.Is there any other companies = provide SCEP=20 server and CA server functionality freely so that i can test my = box.
 
Thanks in Advance,
Aravind.

Yahoo!=20 Messenger - Communicate instantly..."Ping" your friends today! = Download=20 Messenger Now ------=_NextPart_000_0010_01C3F79F.D59B2080-- From owner-scep Fri Feb 20 10:16:17 2004 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i1KIGHw9019091; Fri, 20 Feb 2004 10:16:17 -0800 (PST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i1KIGGZm019090; Fri, 20 Feb 2004 10:16:16 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from web14203.mail.yahoo.com (web14203.mail.yahoo.com [216.136.172.145]) by above.proper.com (8.12.11/8.12.8) with SMTP id i1KIGFIM019083 for ; Fri, 20 Feb 2004 10:16:16 -0800 (PST) (envelope-from liubinw@yahoo.com) Message-ID: <20040220181619.25959.qmail@web14203.mail.yahoo.com> Received: from [66.46.233.196] by web14203.mail.yahoo.com via HTTP; Fri, 20 Feb 2004 10:16:19 PST Date: Fri, 20 Feb 2004 10:16:19 -0800 (PST) From: bin liu Subject: RE: Testing of SCEP client To: Miguel Rodriguez , SCEP In-Reply-To: <000f01c3f7d2$20359080$a600a8c0@seguridata.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Aravind, You can also try Verisign's 60 day test drive in https://onsite.verisign.com/OSTestDriveMS40ServiceEnrollIPSec.htm, we have just tested our scep client with it and MS CA, as well as OpenSCEP, they are all working fine. Eric Liu Vanguard Management Solution --- Miguel Rodriguez wrote: > Try using the MS Certificate Server (which is a CA) > distributed with the > Win 2K server platform. To enable the SCEP server > functionality you must > run a setup (cepsetup.exe) included in the Win 2K > server resource kit > CD. This SCEP server is an ISAPI filter that will > receive your SCEP > requests communicating with the MS Certificate > server. > > Miguel A Rodriguez > SeguriData > Mexico > > -----Original Message----- > From: owner-scep@mail.vpnc.org > [mailto:owner-scep@mail.vpnc.org] On > Behalf Of Aravinda babu > Sent: Friday, February 20, 2004 2:48 AM > To: scep@vpnc.org > Subject: Testing of SCEP client > > > Hi all, > > > I am new to this mailing list.Recently we > added SCEP client > functionality in our SOHO firewall/vpn box.So i want > to test this SCEP > client functionality.I tried with OpenSCEP since 3 > weeks.But no > result.Is there any other companies provide SCEP > server and CA server > functionality freely so that i can test my box. > > Thanks in Advance, > Aravind. > > > > _____ > > > o.com> Yahoo! Messenger - Communicate > instantly..."Ping" your friends > today! > o.com/download/index.html> Download Messenger Now > > __________________________________ Do you Yahoo!? Yahoo! Mail SpamGuard - Read only the mail you want. http://antispam.yahoo.com/tools From owner-scep Fri Feb 20 10:49:58 2004 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i1KInwQc020512; Fri, 20 Feb 2004 10:49:58 -0800 (PST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i1KInwVD020511; Fri, 20 Feb 2004 10:49:58 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from sj-iport-2.cisco.com (sj-iport-2-in.cisco.com [171.71.176.71]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i1KInvnp020502 for ; Fri, 20 Feb 2004 10:49:57 -0800 (PST) (envelope-from michaelr@cisco.com) Received: from sj-core-5.cisco.com (171.71.177.238) by sj-iport-2.cisco.com with ESMTP; 20 Feb 2004 10:59:17 +0000 Received: from franklin.cisco.com (franklin.cisco.com [171.70.156.17]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id i1KInruA006104; Fri, 20 Feb 2004 10:49:54 -0800 (PST) Received: from cisco.com (200@stealth-10-32-244-139.cisco.com [10.32.244.139]) by franklin.cisco.com (8.8.6 (PHNE_17190)/CISCO.SERVER.1.2) with SMTP id KAA29209; Fri, 20 Feb 2004 10:49:52 -0800 (PST) Message-ID: <403656D0.3030801@cisco.com> Date: Fri, 20 Feb 2004 10:49:52 -0800 From: Michael Reilly Organization: Cisco Systems User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6b) Gecko/20040115 Thunderbird/0.4 X-Accept-Language: en-us, en MIME-Version: 1.0 To: bin liu CC: Miguel Rodriguez , SCEP Subject: Re: Testing of SCEP client References: <20040220181619.25959.qmail@web14203.mail.yahoo.com> In-Reply-To: <20040220181619.25959.qmail@web14203.mail.yahoo.com> X-Enigmail-Version: 0.83.1.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: We strongly recommend that you test with at least Microsoft and Verisign CAs. Microsoft uses RA mode and verisign does not. By testing with both you know you code will be able to handle either type of CA. michael bin liu wrote: > Hi Aravind, > You can also try Verisign's 60 day test drive in > https://onsite.verisign.com/OSTestDriveMS40ServiceEnrollIPSec.htm, > we have just tested our scep client with it and MS CA, > as well as OpenSCEP, they are all working fine. > > Eric Liu > Vanguard Management Solution > > --- Miguel Rodriguez wrote: > >>Try using the MS Certificate Server (which is a CA) >>distributed with the >>Win 2K server platform. To enable the SCEP server >>functionality you must >>run a setup (cepsetup.exe) included in the Win 2K >>server resource kit >>CD. This SCEP server is an ISAPI filter that will >>receive your SCEP >>requests communicating with the MS Certificate >>server. >> >>Miguel A Rodriguez >>SeguriData >>Mexico >> >>-----Original Message----- >>From: owner-scep@mail.vpnc.org >>[mailto:owner-scep@mail.vpnc.org] On >>Behalf Of Aravinda babu >>Sent: Friday, February 20, 2004 2:48 AM >>To: scep@vpnc.org >>Subject: Testing of SCEP client >> >> >>Hi all, >> >> >> I am new to this mailing list.Recently we >>added SCEP client >>functionality in our SOHO firewall/vpn box.So i want >>to test this SCEP >>client functionality.I tried with OpenSCEP since 3 >>weeks.But no >>result.Is there any other companies provide SCEP >>server and CA server >>functionality freely so that i can test my box. >> >>Thanks in Advance, >>Aravind. >> >> >> >> _____ >> >> >> > > >>o.com> Yahoo! Messenger - Communicate >>instantly..."Ping" your friends >>today! >> > > >>o.com/download/index.html> Download Messenger Now >> >> > > > > __________________________________ > Do you Yahoo!? > Yahoo! Mail SpamGuard - Read only the mail you want. > http://antispam.yahoo.com/tools -- ---- ---- ---- Michael Reilly michaelr@cisco.com Cisco Systems, Santa Cruz, CA From owner-scep Fri Feb 20 17:45:32 2004 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i1L1jW1d043263; Fri, 20 Feb 2004 17:45:32 -0800 (PST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i1L1jWa6043262; Fri, 20 Feb 2004 17:45:32 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from smtp.cs.auckland.ac.nz (smtp.cs.auckland.ac.nz [130.216.33.151]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i1L1jSca043250 for ; Fri, 20 Feb 2004 17:45:31 -0800 (PST) (envelope-from pgut001@cs.auckland.ac.nz) Received: from localhost (csmail.cs.auckland.ac.nz [130.216.33.150]) by smtp.cs.auckland.ac.nz (Postfix) with ESMTP id 2932134017 for ; Sat, 21 Feb 2004 14:43:33 +1300 (NZDT) Received: from 218-101-44-155.paradise.net.nz (218-101-44-155.paradise.net.nz [218.101.44.155]) by mail.cs.auckland.ac.nz (Horde) with HTTP for ; Sat, 21 Feb 2004 14:45:29 +1300 Message-ID: <20040221144529.8kpdlwggg848ok8k@mail.cs.auckland.ac.nz> Date: Sat, 21 Feb 2004 14:45:29 +1300 From: Peter Gutmann To: scep@vpnc.org Subject: Re: Testing of SCEP client MIME-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1" Content-Disposition: inline Content-Transfer-Encoding: 7bit User-Agent: Internet Messaging Program (IMP) 4.0-cvs Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: =?iso-8859-1?q?Aravinda=20babu?= writes: >I am new to this mailing list.Recently we added SCEP client functionality in >our SOHO firewall/vpn box.So i want to test this SCEP client functionality.I >tried with OpenSCEP since 3 weeks.But no result.Is there any other companies >provide SCEP server and CA server functionality freely so that i can test my >box. http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ should do it, it's open-source and does both client and server. (There is one deviation from the SCEP spec, it uses a standard HTTP engine that can't do the (nonstandard) non-idempotent PUT required by SCEP, so you'll have to use HTTP POST rather than PUT to submit requests. I've grumbled about this before, this really should be fixed in the spec since it breaks HTTP proxies and caches). Peter. From owner-scep Mon Feb 23 02:05:19 2004 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i1NA5IHd076379; Mon, 23 Feb 2004 02:05:18 -0800 (PST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i1NA5Igh076378; Mon, 23 Feb 2004 02:05:18 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from span.corp.yahoo.com (web12610.mail.yahoo.com [216.136.173.201]) by above.proper.com (8.12.11/8.12.8) with SMTP id i1NA5IhJ076366 for ; Mon, 23 Feb 2004 02:05:18 -0800 (PST) (envelope-from aravindforipsec@yahoo.com) Message-ID: <20040223100513.65427.qmail@span.corp.yahoo.com> Received: from [202.41.227.188] by web12610.mail.yahoo.com via HTTP; Mon, 23 Feb 2004 10:05:13 GMT Date: Mon, 23 Feb 2004 10:05:13 +0000 (GMT) From: =?iso-8859-1?q?Aravinda=20babu?= Subject: Re: Testing of SCEP client To: scep@vpnc.org MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="0-1131581997-1077530713=:64833" Content-Transfer-Encoding: 8bit Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: --0-1131581997-1077530713=:64833 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Hi all, Thanks for all of your responses. Regards, Aravind. --------------------------------- Yahoo! Messenger - Communicate instantly..."Ping" your friends today! Download Messenger Now --0-1131581997-1077530713=:64833 Content-Type: text/html; charset=iso-8859-1 Content-Transfer-Encoding: 8bit
Hi all,
 
  Thanks for all of your responses.
 
Regards,
Aravind.

Yahoo! Messenger - Communicate instantly..."Ping" your friends today! Download Messenger Now --0-1131581997-1077530713=:64833-- From owner-scep Wed Feb 25 20:21:45 2004 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.8) with ESMTP id i1Q4Li0o063339; Wed, 25 Feb 2004 20:21:45 -0800 (PST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i1Q4LiaI063338; Wed, 25 Feb 2004 20:21:44 -0800 (PST) X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from tiedye.tiedye.com (tiedye.tiedye.com [216.36.81.114]) by above.proper.com (8.12.11/8.12.8) with SMTP id i1Q4LhfS063328 for ; Wed, 25 Feb 2004 20:21:44 -0800 (PST) (envelope-from nourse@tiedye.tiedye.com) Received: from tiedye.tiedye.com (ip-216-36-81-116.dsl.lax.megapath.net [216.36.81.116]) by tiedye.tiedye.com (Postfix) with SMTP id E8A41324 for ; Wed, 25 Feb 2004 20:19:20 -0800 (PST) Message-ID: <403D7459.7010308@tiedye.tiedye.com> Date: Wed, 25 Feb 2004 20:21:45 -0800 From: AndyTiedye User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.5) Gecko/20031013 Thunderbird/0.3 X-Accept-Language: en-us, en MIME-Version: 1.0 To: scep@vpnc.org Subject: POST vs GET X-Enigmail-Version: 0.81.7.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Peter Gutmann <> wrote on Friday, February 20, 2004 5:45 PM: >> > > http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ should do it, it's > open-source and does both client and server. > (There is one deviation from the SCEP spec, it uses a standard HTTP > engine that can't do the (nonstandard) non-idempotent PUT required > by SCEP, so you'll have to use HTTP POST rather than PUT to submit > requests. That would prevent it from working with any existing client or CA server. It is actually a GET, not a PUT. What standard does it violate besides the obvious esthetic ones? >> I've grumbled about this before, this really should be fixed in >> the spec > We are working on a new rev to the SCEP specification, so this might be a good time to talk about it. We can't make the big ugly GETs go away, because that is what all of the installed base uses, and what all of the current CAs expect. If we change the spec to allow POST, how would a client tell if it is talking to a CA that supports it? Should there be a GET that gets the SCEP version number and/or capabilities? >> since it breaks HTTP proxies and caches). > Proxies and caches should be able to handle the fact that web pages don't stay the same forever. Andy Nourse Cisco From owner-scep Thu Jun 3 11:44:01 2004 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i53Ii1ue021594; Thu, 3 Jun 2004 11:44:01 -0700 (PDT) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id i53Ii1dX021593; Thu, 3 Jun 2004 11:44:01 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from seguridata1.seguridata.com ([200.57.34.107]) by above.proper.com (8.12.11/8.12.9) with ESMTP id i53Ii0qh021558 for ; Thu, 3 Jun 2004 11:44:01 -0700 (PDT) (envelope-from mars@seguridata.com) Received: from MarsXP ([200.67.231.235]) by seguridata1.seguridata.com with Microsoft SMTPSVC(5.0.2195.6713); Thu, 3 Jun 2004 13:44:32 -0500 From: "Miguel Rodriguez" To: "SCEP" Subject: CRL number size in Cisco VPN3000 Date: Thu, 3 Jun 2004 13:41:59 -0500 Message-ID: <001e01c4499a$7822bbf0$a600a8c0@seguridata.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_001F_01C44970.8F4CB3F0" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409 Importance: Normal X-OriginalArrivalTime: 03 Jun 2004 18:44:32.0328 (UTC) FILETIME=[CF33B480:01C4499A] Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. ------=_NextPart_000_001F_01C44970.8F4CB3F0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Hi! Does anyone know if the Cisco VPN3000 can handle version 2 CRLs with 20 byte crl numbers (as mandated by RFC 3280)? Does it have a limitation on the size of the crl number field? Thanks in advance, Miguel A. Rodriguez Software Engineer SeguriDATA Mexico ------=_NextPart_000_001F_01C44970.8F4CB3F0 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Message
Hi! = Does anyone know=20 if the Cisco VPN3000 can handle version 2 CRLs with 20 byte crl numbers = (as=20 mandated by RFC 3280)?
 
Does = it have a=20 limitation on the size of the crl number field?
 
Thanks = in=20 advance,
 
Miguel A.=20 Rodriguez
Software=20 Engineer
SeguriDATA
Mexico
------=_NextPart_000_001F_01C44970.8F4CB3F0-- From owner-scep Fri Apr 15 08:20:00 2005 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j3FFK0sl082000; Fri, 15 Apr 2005 08:20:00 -0700 (PDT) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j3FFK0Hb081999; Fri, 15 Apr 2005 08:20:00 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from p62e727.kagwnt01.ap.so-net.ne.jp (p62e727.kagwnt01.ap.so-net.ne.jp [219.98.231.39]) by above.proper.com (8.12.11/8.12.9) with SMTP id j3FFJmKQ081917; Fri, 15 Apr 2005 08:19:51 -0700 (PDT) (envelope-from ASCMCDGALSN@motorcadegm.com) Received: from unknown (HELO speakeasy.net) by speakeasy.net with DES-FWM3-SHA encrypted SMTP for ; Fri, 15 Apr 2005 20:16:22 +0400 Message-Id: Date: Fri, 15 Apr 2005 14:14:22 -0200 From: "Rocco" To: Subject: save with us Tommy Reply-To: MIME-Version: 1.0 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Swiss pharmacy online warehouse

Valium $69, Levitra $69, Cialis $89
Viagra $69, Tramadol $69, Ambien $109
Phentermine $69, Xanax $99, Soma $59

With each purchase you get:

Home delivery.
Total confidentiality.
F.D.A ApprovedDrugs.


















you skye me barge me you aborigine me chlorinate me you thomistic me u me you bater me opine me you shod me rodeo me you depressible me school me you bing me camino me quit From owner-scep Sun May 8 13:51:10 2005 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j48KpAwT032119; Sun, 8 May 2005 13:51:10 -0700 (PDT) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j48KpAgu032118; Sun, 8 May 2005 13:51:10 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from 208.184.76.50 ([219.95.212.186]) by above.proper.com (8.12.11/8.12.9) with SMTP id j48Komno031962; Sun, 8 May 2005 13:50:52 -0700 (PDT) (envelope-from lhuuwoiatkr@pjkd.com) Received: from unknown (HELO speakeasy.net) by speakeasy.net with DES-REG3-SHA encrypted SMTP for ; Mon, 09 May 2005 00:47:47 +0300 Message-Id: Date: Sun, 08 May 2005 14:46:47 -0700 From: "Darla Pryor" To: Subject: size does matter! Reply-To: MIME-Version: 1.0 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: mediocre taos obligatory lorelei
Breakthrough in medicine
more info...









neoconservative defecate doomsday solicitude avowal kraut custodian luminous
sulfide legend flood oatmeal grapefruit bit eater susanne
those orkney acrimonious aorta bloodshot endomorphism
no From owner-scep Tue Jul 26 02:16:22 2005 Received: from above.proper.com (localhost.vpnc.org [127.0.0.1]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j6Q9GMHm020956; Tue, 26 Jul 2005 02:16:22 -0700 (PDT) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by above.proper.com (8.12.11/8.12.9/Submit) id j6Q9GMFn020955; Tue, 26 Jul 2005 02:16:22 -0700 (PDT) X-Authentication-Warning: above.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from huawei.com (szxga01-in.huawei.com [61.144.161.53]) by above.proper.com (8.12.11/8.12.9) with ESMTP id j6Q9GJ8o020889 for ; Tue, 26 Jul 2005 02:16:20 -0700 (PDT) (envelope-from vinodn@huawei.com) Received: from huawei.com (szxga01-in [172.24.2.3]) by szxga01-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 1.25 (built Mar 3 2004)) with ESMTP id <0IK800EB29ZKHS@szxga01-in.huawei.com> for scep@vpnc.org; Tue, 26 Jul 2005 17:21:20 +0800 (CST) Received: from szxml02-in ([172.24.1.6]) by szxga01-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 1.25 (built Mar 3 2004)) with ESMTP id <0IK800BHY9ZJWC@szxga01-in.huawei.com> for scep@vpnc.org; Tue, 26 Jul 2005 17:21:19 +0800 (CST) Received: from Vinod2076 ([10.18.8.229]) by szxml02-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 1.25 (built Mar 3 2004)) with ESMTPA id <0IK80038YA1LCG@szxml02-in.huawei.com> for scep@vpnc.org; Tue, 26 Jul 2005 17:22:35 +0800 (CST) Date: Tue, 26 Jul 2005 14:46:48 +0530 From: Vinod Duggirala N Subject: Hi - Some basic doubts in SCEP Specification Version 11. To: scep@vpnc.org Reply-to: vinodn@huawei.com Message-id: <000001c591c2$c0cbecc0$e508120a@china.huawei.com> MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1506 X-Mailer: Microsoft Outlook, Build 10.0.3416 Content-type: multipart/alternative; boundary="Boundary_(ID_+1vrvnS+FFwVlf9B2ivVWw)" Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multi-part message in MIME format. --Boundary_(ID_+1vrvnS+FFwVlf9B2ivVWw) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT Hi, Just now, I have joined in this SCEP group. I have couple of doubts in implementing the SCEP specification. Right now, I am working with the version 11. 1. Other than PKIMessage case, at all places content type has been considered as SIMPLE DATA. Instead of Enveloped or Signed. i.e. {pkcs-7 1} 2. In the content type authenticated attribute also, it is SIMPLE DATA type, even thought the actual content is enveloped or signed. 3. For extension request, pkcs-9-at-extensionRequest OBJECT IDENTIFIER: = {pkcs-9 14}, is already exists. But different ID given for the same id-extensionReq 4. In Appendix F. CA Capabilities, If a CA is not supporting any one of the capabilities. Then is the response should be empty string i.e. "". Some Other Observations: 5. In the section, 5.4.1 GetCRL Message format, It has been used as CertCRL instead of GetCRL 6. In the section, 5.1.1 PKCSReq Message Format, It has been used as pkcsCertRepSigned, instead of pkcsCertReqSigned. Thanks in advance. Thanks & Regards, Duggirala Naga Vinod _____ --Boundary_(ID_+1vrvnS+FFwVlf9B2ivVWw) Content-type: text/html; charset=us-ascii Content-transfer-encoding: 7BIT

Hi,

 

Just now, I have joined in this SCEP group. I have couple of doubts in implementing the SCEP specification. Right now, I am working with the version 11.

 

  1. Other than PKIMessage case, at all places content type has been considered as SIMPLE DATA. Instead of Enveloped or Signed. i.e. {pkcs-7 1}
  2. In the content type authenticated attribute also, it is SIMPLE DATA type, even thought the actual content is enveloped or signed.
  3. For extension request, pkcs-9-at-extensionRequest OBJECT IDENTIFIER: = {pkcs-9 14}, is already exists. But different ID given for the same id-extensionReq  
  4. In Appendix F. CA Capabilities, If a CA is not supporting any one of the capabilities. Then is the response should be empty string i.e. “”.

 

Some Other Observations:

 

  1. In the section, 5.4.1 GetCRL Message format, It has been used as CertCRL instead of GetCRL
  2. In the section, 5.1.1 PKCSReq Message Format, It has been used as pkcsCertRepSigned, instead of pkcsCertReqSigned.

 

Thanks in advance.

 

Thanks & Regards,

Duggirala Naga Vinod

 

--Boundary_(ID_+1vrvnS+FFwVlf9B2ivVWw)-- From owner-scep Mon Nov 6 13:48:59 2006 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA6KmxFp072706; Mon, 6 Nov 2006 13:48:59 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA6KmxFQ072703; Mon, 6 Nov 2006 13:48:59 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from zrtps0kn.nortel.com (zrtps0kn.nortel.com [47.140.192.55]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA6Kmvep072689 for ; Mon, 6 Nov 2006 13:48:58 -0700 (MST) (envelope-from RCHARLET@nortel.com) Received: from zrc2hxm2.corp.nortel.com (zrc2hxm2.corp.nortel.com [47.103.123.73]) by zrtps0kn.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id kA6KmoB00905 for ; Mon, 6 Nov 2006 15:48:50 -0500 (EST) X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: question on interop with entrust server Date: Mon, 6 Nov 2006 14:48:49 -0600 Message-ID: <7E49849DDCBEAA489C65292E8B8AE7E813FCE1BF@zrc2hxm2.corp.nortel.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: question on interop with entrust server Thread-Index: AccB5PXvYmsJFM4cQMuMVg8y3j2ZdQ== From: "Ricky Charlet" To: Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kA6Kmwep072692 Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Howdy, My group is building a new scep client. We have successfully interoperated against microsoft but are having a difficult time interoperating with entrust. The entrust server seems not to be able to decrypt our PKCS7. But the log message is very vague. I'm hoping an Entrust VPN enrollment server person is reading this and can contact me directly to work out some interop testing. --- Ricky Charlet W: 408.754.1733 rcharlet@nortel.com --- _ ( ) ASCII ribbon campaign X - against HTML email / \ From owner-scep Mon Nov 6 18:04:56 2006 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA714udE000261; Mon, 6 Nov 2006 18:04:56 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA714unr000260; Mon, 6 Nov 2006 18:04:56 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from zrtps0kp.nortel.com (zrtps0kp.nortel.com [47.140.192.56]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA714s1N000240 for ; Mon, 6 Nov 2006 18:04:55 -0700 (MST) (envelope-from RCHARLET@nortel.com) Received: from zrc2hxm2.corp.nortel.com (zrc2hxm2.corp.nortel.com [47.103.123.73]) by zrtps0kp.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id kA714la21327 for ; Mon, 6 Nov 2006 20:04:47 -0500 (EST) X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: question on interop with entrust server Date: Mon, 6 Nov 2006 19:04:46 -0600 Message-ID: <7E49849DDCBEAA489C65292E8B8AE7E813FCE634@zrc2hxm2.corp.nortel.com> In-Reply-To: <7E49849DDCBEAA489C65292E8B8AE7E813FCE1BF@zrc2hxm2.corp.nortel.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: question on interop with entrust server Thread-Index: AccB5PXvYmsJFM4cQMuMVg8y3j2ZdQAI7fSA From: "Ricky Charlet" To: "Ricky Charlet" , Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kA714t1N000255 Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: After a bit more reading.... --- Ricky Charlet W: 408.754.1733 rcharlet@nortel.com --- _ ( ) ASCII ribbon campaign X - against HTML email / \ > -----Original Message----- > From: owner-scep@mail.vpnc.org > [mailto:owner-scep@mail.vpnc.org] On Behalf Of Charlet, Ricky > (HLYER:0000) > Sent: Monday, November 06, 2006 12:49 PM > To: scep@vpnc.org > Subject: question on interop with entrust server > > > Howdy, > > My group is building a new scep client. We have > successfully interoperated against microsoft but are having a > difficult time interoperating with entrust. The entrust > server seems not to be able to decrypt our PKCS7. But the log > message is very vague. > > I'm hoping an Entrust VPN enrollment server person is > reading this and can contact me directly to work out some > interop testing. > > > --- > Ricky Charlet > W: 408.754.1733 > rcharlet@nortel.com > --- _ > ( ) ASCII ribbon campaign > X - against HTML email > / \ > > From owner-scep Mon Nov 6 18:26:10 2006 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA71QA3r002624; Mon, 6 Nov 2006 18:26:10 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA71QAxD002623; Mon, 6 Nov 2006 18:26:10 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from sj-iport-3.cisco.com (sj-iport-3-in.cisco.com [171.71.176.72]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA71Q9Jh002612 for ; Mon, 6 Nov 2006 18:26:09 -0700 (MST) (envelope-from pritikin@cisco.com) Received: from sj-dkim-4.cisco.com ([171.71.179.196]) by sj-iport-3.cisco.com with ESMTP; 06 Nov 2006 17:26:03 -0800 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AgAAABFvT0WrR7PEh2dsb2JhbACMSgEBAQgOKg X-IronPort-AV: i="4.09,393,1157353200"; d="scan'208"; a="448457778:sNHT26530580" Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-4.cisco.com (8.12.11.20060308/8.12.11) with ESMTP id kA71Q3nQ019304; Mon, 6 Nov 2006 17:26:03 -0800 Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id kA71Q3W4000262; Mon, 6 Nov 2006 17:26:03 -0800 (PST) Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 6 Nov 2006 17:26:03 -0800 Received: from [192.168.2.109] ([10.21.122.91]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 6 Nov 2006 17:26:03 -0800 In-Reply-To: <7E49849DDCBEAA489C65292E8B8AE7E813FCE634@zrc2hxm2.corp.nortel.com> References: <7E49849DDCBEAA489C65292E8B8AE7E813FCE634@zrc2hxm2.corp.nortel.com> Mime-Version: 1.0 (Apple Message framework v752.3) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: Cc: Content-Transfer-Encoding: 7bit From: Max Pritikin Subject: Re: question on interop with entrust server Date: Mon, 6 Nov 2006 17:26:01 -0800 To: Ricky Charlet X-Mailer: Apple Mail (2.752.3) X-OriginalArrivalTime: 07 Nov 2006 01:26:03.0052 (UTC) FILETIME=[B062F6C0:01C7020B] DKIM-Signature: a=rsa-sha1; q=dns; l=1355; t=1162862763; x=1163726763; c=relaxed/simple; s=sjdkim4002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=pritikin@cisco.com; z=From:Max=20Pritikin=20 |Subject:Re=3A=20question=20on=20interop=20with=20entrust=20server; X=v=3Dcisco.com=3B=20h=3D7UuzHhTdPuxusP2a2aRB3lbErpo=3D; b=JkhyM3c6/xxRRy8kLwEwBPpOKMXPJ3C4rwVcEfPKrYgH6citwDf+Z/8doyJ7P1n19rpI37bS smPdvrGiAotPQOkg0931hEqG8OwhY9UwI9EJhY88oB3Pkgd0qhKOq2x6; Authentication-Results: sj-dkim-4.cisco.com; header.From=pritikin@cisco.com; dkim=pass ( sig from cisco.com verified; ); Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: "After a bit more reading..." Then what? :) Are you having trouble with the entrust CA decrypting the pkcs7 or is it trouble parsing the pkcs7? Does your client work against a different CA server? - max On Nov 6, 2006, at 5:04 PM, Ricky Charlet wrote: > > After a bit more reading.... > > > --- > Ricky Charlet > W: 408.754.1733 > rcharlet@nortel.com > --- _ > ( ) ASCII ribbon campaign > X - against HTML email > / \ > >> -----Original Message----- >> From: owner-scep@mail.vpnc.org >> [mailto:owner-scep@mail.vpnc.org] On Behalf Of Charlet, Ricky >> (HLYER:0000) >> Sent: Monday, November 06, 2006 12:49 PM >> To: scep@vpnc.org >> Subject: question on interop with entrust server >> >> >> Howdy, >> >> My group is building a new scep client. We have >> successfully interoperated against microsoft but are having a >> difficult time interoperating with entrust. The entrust >> server seems not to be able to decrypt our PKCS7. But the log >> message is very vague. >> >> I'm hoping an Entrust VPN enrollment server person is >> reading this and can contact me directly to work out some >> interop testing. >> >> >> --- >> Ricky Charlet >> W: 408.754.1733 >> rcharlet@nortel.com >> --- _ >> ( ) ASCII ribbon campaign >> X - against HTML email >> / \ >> >> From owner-scep Tue Nov 7 10:17:24 2006 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7HHO2v036143; Tue, 7 Nov 2006 10:17:24 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA7HHOng036142; Tue, 7 Nov 2006 10:17:24 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from zrtps0kn.nortel.com (zrtps0kn.nortel.com [47.140.192.55]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7HHMGj036132 for ; Tue, 7 Nov 2006 10:17:23 -0700 (MST) (envelope-from RCHARLET@nortel.com) Received: from zrc2hxm2.corp.nortel.com (zrc2hxm2.corp.nortel.com [47.103.123.73]) by zrtps0kn.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id kA7HHDZ28324; Tue, 7 Nov 2006 12:17:13 -0500 (EST) X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: question on interop with entrust server Date: Tue, 7 Nov 2006 11:17:10 -0600 Message-ID: <7E49849DDCBEAA489C65292E8B8AE7E814032FE4@zrc2hxm2.corp.nortel.com> In-Reply-To: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: question on interop with entrust server Thread-Index: AccCC7Poeq1Rgx08QyqKXjowFj0uUQAhFY/g From: "Ricky Charlet" To: "Max Pritikin" Cc: Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kA7HHNGj036137 Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Max, I don't have a clear enough view into the entrust server operation to firmly answer your quesetion. But I strongly suspect it is a proble with decryption. The specific error message I get from the entrust logs says "[-00151 The signature verification failed.] Failure during unprotect of signed data" The signature verification failure is irrelevant. I know this from 1) the standards don't require it, and 2) a successful enrollment from a cisco router gets a similar log entry about sig-verification failure, but the proceeds onward. The relevant part of that log message above seems to be "Failure during unprotect of signed data" --- Ricky Charlet W: 408.754.1733 rcharlet@nortel.com --- _ ( ) ASCII ribbon campaign X - against HTML email / \ > -----Original Message----- > From: Max Pritikin [mailto:pritikin@cisco.com] > Sent: Monday, November 06, 2006 5:26 PM > To: Charlet, Ricky (HLYER:0000) > Cc: scep@vpnc.org > Subject: Re: question on interop with entrust server > > > "After a bit more reading..." Then what? :) > > Are you having trouble with the entrust CA decrypting the > pkcs7 or is it trouble parsing the pkcs7? Does your client > work against a different CA server? > > - max > > On Nov 6, 2006, at 5:04 PM, Ricky Charlet wrote: > > > > > After a bit more reading.... > > > > > > --- > > Ricky Charlet > > W: 408.754.1733 > > rcharlet@nortel.com > > --- _ > > ( ) ASCII ribbon campaign > > X - against HTML email > > / \ > > > >> -----Original Message----- > >> From: owner-scep@mail.vpnc.org > >> [mailto:owner-scep@mail.vpnc.org] On Behalf Of Charlet, Ricky > >> (HLYER:0000) > >> Sent: Monday, November 06, 2006 12:49 PM > >> To: scep@vpnc.org > >> Subject: question on interop with entrust server > >> > >> > >> Howdy, > >> > >> My group is building a new scep client. We have successfully > >> interoperated against microsoft but are having a difficult time > >> interoperating with entrust. The entrust server seems not > to be able > >> to decrypt our PKCS7. But the log message is very vague. > >> > >> I'm hoping an Entrust VPN enrollment server person is > reading this > >> and can contact me directly to work out some interop testing. > >> > >> > >> --- > >> Ricky Charlet > >> W: 408.754.1733 > >> rcharlet@nortel.com > >> --- _ > >> ( ) ASCII ribbon campaign > >> X - against HTML email > >> / \ > >> > >> > From owner-scep Tue Nov 7 13:16:11 2006 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7KGBRh058397; Tue, 7 Nov 2006 13:16:11 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA7KGBrJ058396; Tue, 7 Nov 2006 13:16:11 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from zrtps0kp.nortel.com (zrtps0kp.nortel.com [47.140.192.56]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7KG9Vj058387 for ; Tue, 7 Nov 2006 13:16:10 -0700 (MST) (envelope-from RCHARLET@nortel.com) Received: from zrc2hxm2.corp.nortel.com (zrc2hxm2.corp.nortel.com [47.103.123.73]) by zrtps0kp.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id kA7KFsq28312; Tue, 7 Nov 2006 15:15:55 -0500 (EST) X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: Q: draft 6 of draft-nourse-scep Date: Tue, 7 Nov 2006 14:15:53 -0600 Message-ID: <7E49849DDCBEAA489C65292E8B8AE7E814033369@zrc2hxm2.corp.nortel.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Q: draft 6 of draft-nourse-scep Thread-Index: AccCqYbiJmX0uwtPRdKffHOfb9mtXg== From: "Ricky Charlet" To: , Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kA7KGAVj058391 Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Howdy, I'm trying to build an scep client to interoperate with a particular entrust implementation. I'm growing suspicious that the entrust side is not following draft 13. We can get sscep (the open/bsd client) to interoperate with entrust (VPN Enrollment server 7.0). And the sscep client claims it was implemented on draft 6 of draft-nourse-scep. Do you still have a draft-6 around you could send me? The particular problem I'm having is in getting the entrust side to decrypt our request. Have changes been made in the area of how an auto-enrollment, RA deployment should encrypt the pkcs10 and content key between draft-6 and draft-13? --- Ricky Charlet W: 408.754.1733 rcharlet@nortel.com --- _ ( ) ASCII ribbon campaign X - against HTML email / \ From owner-scep Tue Nov 7 13:17:19 2006 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7KHJeN058503; Tue, 7 Nov 2006 13:17:19 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA7KHJjI058502; Tue, 7 Nov 2006 13:17:19 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from sj-iport-1.cisco.com (sj-iport-1-in.cisco.com [171.71.176.70]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7KHIgp058482 for ; Tue, 7 Nov 2006 13:17:18 -0700 (MST) (envelope-from pritikin@cisco.com) Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-1.cisco.com with ESMTP; 07 Nov 2006 12:17:13 -0800 X-IronPort-AV: i="4.09,397,1157353200"; d="scan'208"; a="755247624:sNHT49272248" Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-1.cisco.com (8.12.11.20060308/8.12.11) with ESMTP id kA7KHD4c030392; Tue, 7 Nov 2006 12:17:13 -0800 Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id kA7KHCW4029211; Tue, 7 Nov 2006 12:17:12 -0800 (PST) Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 7 Nov 2006 12:17:12 -0800 Received: from [128.107.177.235] ([128.107.177.235]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 7 Nov 2006 12:17:12 -0800 In-Reply-To: <7E49849DDCBEAA489C65292E8B8AE7E814032FE4@zrc2hxm2.corp.nortel.com> References: <7E49849DDCBEAA489C65292E8B8AE7E814032FE4@zrc2hxm2.corp.nortel.com> Mime-Version: 1.0 (Apple Message framework v752.3) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: <6DFD688B-E7B1-4CD6-A73F-68EF1E4E6CD5@cisco.com> Cc: Content-Transfer-Encoding: 7bit From: Max Pritikin Subject: Re: question on interop with entrust server Date: Tue, 7 Nov 2006 12:17:08 -0800 To: "Ricky Charlet" X-Mailer: Apple Mail (2.752.3) X-OriginalArrivalTime: 07 Nov 2006 20:17:12.0310 (UTC) FILETIME=[B59DE160:01C702A9] DKIM-Signature: a=rsa-sha1; q=dns; l=2822; t=1162930633; x=1163794633; c=relaxed/simple; s=sjdkim1002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=pritikin@cisco.com; z=From:Max=20Pritikin=20 |Subject:Re=3A=20question=20on=20interop=20with=20entrust=20server; X=v=3Dcisco.com=3B=20h=3D7UuzHhTdPuxusP2a2aRB3lbErpo=3D; b=ELcM2NN1jDbqovkSaVJtmJD4qDUY3N5J7iSoyo5/f4dEsA45FA+yM/JSGhHwBFxTWEqGSg01 si75YGz0faD+4zzJX5bm0016BLWvEiAedfQNbFiS9pgOk7oHC7mkdwQT; Authentication-Results: sj-dkim-1.cisco.com; header.From=pritikin@cisco.com; dkim=pass ( sig from cisco.com verified; ); Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Well, again voicing my complete lack of knowledge about entrust internals... Is this against a CA or an RA? And is there a difference in the behavior you are seeing? - max On Nov 7, 2006, at 9:17 AM, Ricky Charlet wrote: > Hi Max, > > I don't have a clear enough view into the entrust server > operation to firmly answer your quesetion. But I strongly suspect > it is > a proble with decryption. The specific error message I get from the > entrust logs says > > "[-00151 The signature verification failed.] Failure during > unprotect of > signed data" > > The signature verification failure is irrelevant. I know this > from 1) the standards don't require it, and 2) a successful enrollment > from a cisco router gets a similar log entry about sig-verification > failure, but the proceeds onward. > > The relevant part of that log message above seems to be "Failure > during unprotect of signed data" > > > --- > Ricky Charlet > W: 408.754.1733 > rcharlet@nortel.com > --- _ > ( ) ASCII ribbon campaign > X - against HTML email > / \ > >> -----Original Message----- >> From: Max Pritikin [mailto:pritikin@cisco.com] >> Sent: Monday, November 06, 2006 5:26 PM >> To: Charlet, Ricky (HLYER:0000) >> Cc: scep@vpnc.org >> Subject: Re: question on interop with entrust server >> >> >> "After a bit more reading..." Then what? :) >> >> Are you having trouble with the entrust CA decrypting the >> pkcs7 or is it trouble parsing the pkcs7? Does your client >> work against a different CA server? >> >> - max >> >> On Nov 6, 2006, at 5:04 PM, Ricky Charlet wrote: >> >>> >>> After a bit more reading.... >>> >>> >>> --- >>> Ricky Charlet >>> W: 408.754.1733 >>> rcharlet@nortel.com >>> --- _ >>> ( ) ASCII ribbon campaign >>> X - against HTML email >>> / \ >>> >>>> -----Original Message----- >>>> From: owner-scep@mail.vpnc.org >>>> [mailto:owner-scep@mail.vpnc.org] On Behalf Of Charlet, Ricky >>>> (HLYER:0000) >>>> Sent: Monday, November 06, 2006 12:49 PM >>>> To: scep@vpnc.org >>>> Subject: question on interop with entrust server >>>> >>>> >>>> Howdy, >>>> >>>> My group is building a new scep client. We have successfully >>>> interoperated against microsoft but are having a difficult time >>>> interoperating with entrust. The entrust server seems not >> to be able >>>> to decrypt our PKCS7. But the log message is very vague. >>>> >>>> I'm hoping an Entrust VPN enrollment server person is >> reading this >>>> and can contact me directly to work out some interop testing. >>>> >>>> >>>> --- >>>> Ricky Charlet >>>> W: 408.754.1733 >>>> rcharlet@nortel.com >>>> --- _ >>>> ( ) ASCII ribbon campaign >>>> X - against HTML email >>>> / \ >>>> >>>> >> From owner-scep Tue Nov 7 13:25:24 2006 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7KPNgX059058; Tue, 7 Nov 2006 13:25:23 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA7KPNwd059057; Tue, 7 Nov 2006 13:25:23 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from zcars04f.nortel.com (zcars04f.nortel.com [47.129.242.57]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA7KPLXA059022 for ; Tue, 7 Nov 2006 13:25:22 -0700 (MST) (envelope-from RCHARLET@nortel.com) Received: from zrc2hxm2.corp.nortel.com (zrc2hxm2.corp.nortel.com [47.103.123.73]) by zcars04f.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id kA7KOn604043; Tue, 7 Nov 2006 15:24:49 -0500 (EST) X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: RE: question on interop with entrust server Date: Tue, 7 Nov 2006 14:24:22 -0600 Message-ID: <7E49849DDCBEAA489C65292E8B8AE7E8140333A1@zrc2hxm2.corp.nortel.com> In-Reply-To: <6DFD688B-E7B1-4CD6-A73F-68EF1E4E6CD5@cisco.com> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: question on interop with entrust server Thread-Index: AccCqdnR43faP5KAT72zTxOQIFzh8QAACn/g From: "Ricky Charlet" To: "Max Pritikin" Cc: Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by balder-227.proper.com id kA7KPNXA059052 Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Max, I think we just had some emails cross in transit. My new email on the thread "draft 6 of draft-nourse-scep" should speak to your question. But, I'll also reply here. The entrust server is a CA+RA. I receive both CA cert and RA cert during my authentication step. I store both. When I get to my enrollment step, we des-encrypt the pkcs10 with a new content key, rsa-encrypt the content key with the RA-cert-pub-key, and attache the encrypted content key to the pkcs7 recepient info. I don't know if the entrust server is failing to decrypt the content key or failing to decrypt the pkcs10. --- Ricky Charlet W: 408.754.1733 rcharlet@nortel.com --- _ ( ) ASCII ribbon campaign X - against HTML email / \ > -----Original Message----- > From: Max Pritikin [mailto:pritikin@cisco.com] > Sent: Tuesday, November 07, 2006 12:17 PM > To: Charlet, Ricky (HLYER:0000) > Cc: scep@vpnc.org > Subject: Re: question on interop with entrust server > > > Well, again voicing my complete lack of knowledge about > entrust internals... > > Is this against a CA or an RA? And is there a difference in > the behavior you are seeing? > > - max > > On Nov 7, 2006, at 9:17 AM, Ricky Charlet wrote: > > > Hi Max, > > > > I don't have a clear enough view into the entrust > server operation to > > firmly answer your quesetion. But I strongly suspect it is a proble > > with decryption. The specific error message I get from the entrust > > logs says > > > > "[-00151 The signature verification failed.] Failure during > unprotect > > of signed data" > > > > The signature verification failure is irrelevant. I > know this from 1) > > the standards don't require it, and 2) a successful > enrollment from a > > cisco router gets a similar log entry about > sig-verification failure, > > but the proceeds onward. > > > > The relevant part of that log message above seems to be > "Failure > > during unprotect of signed data" > > > > > > --- > > Ricky Charlet > > W: 408.754.1733 > > rcharlet@nortel.com > > --- _ > > ( ) ASCII ribbon campaign > > X - against HTML email > > / \ > > > >> -----Original Message----- > >> From: Max Pritikin [mailto:pritikin@cisco.com] > >> Sent: Monday, November 06, 2006 5:26 PM > >> To: Charlet, Ricky (HLYER:0000) > >> Cc: scep@vpnc.org > >> Subject: Re: question on interop with entrust server > >> > >> > >> "After a bit more reading..." Then what? :) > >> > >> Are you having trouble with the entrust CA decrypting the > >> pkcs7 or is it trouble parsing the pkcs7? Does your client work > >> against a different CA server? > >> > >> - max > >> > >> On Nov 6, 2006, at 5:04 PM, Ricky Charlet wrote: > >> > >>> > >>> After a bit more reading.... > >>> > >>> > >>> --- > >>> Ricky Charlet > >>> W: 408.754.1733 > >>> rcharlet@nortel.com > >>> --- _ > >>> ( ) ASCII ribbon campaign > >>> X - against HTML email > >>> / \ > >>> > >>>> -----Original Message----- > >>>> From: owner-scep@mail.vpnc.org > >>>> [mailto:owner-scep@mail.vpnc.org] On Behalf Of Charlet, Ricky > >>>> (HLYER:0000) > >>>> Sent: Monday, November 06, 2006 12:49 PM > >>>> To: scep@vpnc.org > >>>> Subject: question on interop with entrust server > >>>> > >>>> > >>>> Howdy, > >>>> > >>>> My group is building a new scep client. We have successfully > >>>> interoperated against microsoft but are having a difficult time > >>>> interoperating with entrust. The entrust server seems not > >> to be able > >>>> to decrypt our PKCS7. But the log message is very vague. > >>>> > >>>> I'm hoping an Entrust VPN enrollment server person is > >> reading this > >>>> and can contact me directly to work out some interop testing. > >>>> > >>>> > >>>> --- > >>>> Ricky Charlet > >>>> W: 408.754.1733 > >>>> rcharlet@nortel.com > >>>> --- _ > >>>> ( ) ASCII ribbon campaign > >>>> X - against HTML email > >>>> / \ > >>>> > >>>> > >> > From owner-scep Wed Nov 8 00:42:29 2006 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA87gTHa014566; Wed, 8 Nov 2006 00:42:29 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kA87gTJp014565; Wed, 8 Nov 2006 00:42:29 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from sj-iport-1.cisco.com (sj-iport-1-in.cisco.com [171.71.176.70]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kA87gRmR014550 for ; Wed, 8 Nov 2006 00:42:28 -0700 (MST) (envelope-from pritikin@cisco.com) Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-1.cisco.com with ESMTP; 07 Nov 2006 23:42:22 -0800 X-IronPort-AV: i="4.09,400,1157353200"; d="scan'208"; a="755318007:sNHT53970492" Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-3.cisco.com (8.12.11.20060308/8.12.11) with ESMTP id kA87gM1H029461; Tue, 7 Nov 2006 23:42:22 -0800 Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id kA87gMW4001959; Tue, 7 Nov 2006 23:42:22 -0800 (PST) Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 7 Nov 2006 23:42:22 -0800 Received: from [192.168.2.109] ([10.21.121.117]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 7 Nov 2006 23:42:21 -0800 In-Reply-To: <7E49849DDCBEAA489C65292E8B8AE7E8140333A1@zrc2hxm2.corp.nortel.com> References: <7E49849DDCBEAA489C65292E8B8AE7E8140333A1@zrc2hxm2.corp.nortel.com> Mime-Version: 1.0 (Apple Message framework v752.3) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-Id: Cc: Content-Transfer-Encoding: 7bit From: Max Pritikin Subject: Re: question on interop with entrust server Date: Tue, 7 Nov 2006 23:42:16 -0800 To: Ricky Charlet X-Mailer: Apple Mail (2.752.3) X-OriginalArrivalTime: 08 Nov 2006 07:42:21.0906 (UTC) FILETIME=[6CD86B20:01C70309] DKIM-Signature: a=rsa-sha1; q=dns; l=5077; t=1162971742; x=1163835742; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=pritikin@cisco.com; z=From:Max=20Pritikin=20 |Subject:Re=3A=20question=20on=20interop=20with=20entrust=20server; X=v=3Dcisco.com=3B=20h=3D7UuzHhTdPuxusP2a2aRB3lbErpo=3D; b=Kzppd6Oe8JsY5daZ9DVudzrJi/T9BUZ7DBFQQrL5mEMjMOToixn2Z9RjfZ700VDDrJA2gEJr C8Q8bmHsXx+0DyWU/iUNM8f7Rc/Uv5/NXMcCfCNhu8kaOttq8/rdjTbP; Authentication-Results: sj-dkim-3.cisco.com; header.From=pritikin@cisco.com; dkim=pass ( sig from cisco.com verified; ); Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hmm. Repeating my refrain about not knowing anything... but recently we had an internal discussion where we noted that: > IOS structures its SCEP requests differently to the Authority > depending > if its a CA or an RA. One of those differences is in the > extensionRequest attribute. Here is the behavior: > > CA > ---- > Uses the Verisign OID for extensionRequest - 2.16.840.1.113733.1.9.8 > ExtensionRequest is encoded as an Octet String > > RA > ----- > Uses pkcs #9 OID for extensionRequest - 1.2.840.113549.1.9.14 > ExtensionRequest is encoded as a T61 String With the reasons for this being historical, uninteresting, and not obvious from the present. The result though is that if the extensionRequest attribute sent to the entrust RA is encoded as an Octet string (which works for CAs!) it will fail. I wonder if you're running into something like this? - max On Nov 7, 2006, at 12:24 PM, Ricky Charlet wrote: > Hi Max, > > I think we just had some emails cross in transit. My new email > on the thread > "draft 6 of draft-nourse-scep" should speak to your question. > > > But, I'll also reply here. The entrust server is a CA+RA. I > receive both CA cert and RA cert during my authentication step. I > store > both. When I get to my enrollment step, we des-encrypt the pkcs10 > with a > new content key, rsa-encrypt the content key with the RA-cert-pub-key, > and attache the encrypted content key to the pkcs7 recepient info. > > I don't know if the entrust server is failing to decrypt the > content key or failing to decrypt the pkcs10. > > --- > Ricky Charlet > W: 408.754.1733 > rcharlet@nortel.com > --- _ > ( ) ASCII ribbon campaign > X - against HTML email > / \ > >> -----Original Message----- >> From: Max Pritikin [mailto:pritikin@cisco.com] >> Sent: Tuesday, November 07, 2006 12:17 PM >> To: Charlet, Ricky (HLYER:0000) >> Cc: scep@vpnc.org >> Subject: Re: question on interop with entrust server >> >> >> Well, again voicing my complete lack of knowledge about >> entrust internals... >> >> Is this against a CA or an RA? And is there a difference in >> the behavior you are seeing? >> >> - max >> >> On Nov 7, 2006, at 9:17 AM, Ricky Charlet wrote: >> >>> Hi Max, >>> >>> I don't have a clear enough view into the entrust >> server operation to >>> firmly answer your quesetion. But I strongly suspect it is a proble >>> with decryption. The specific error message I get from the entrust >>> logs says >>> >>> "[-00151 The signature verification failed.] Failure during >> unprotect >>> of signed data" >>> >>> The signature verification failure is irrelevant. I >> know this from 1) >>> the standards don't require it, and 2) a successful >> enrollment from a >>> cisco router gets a similar log entry about >> sig-verification failure, >>> but the proceeds onward. >>> >>> The relevant part of that log message above seems to be >> "Failure >>> during unprotect of signed data" >>> >>> >>> --- >>> Ricky Charlet >>> W: 408.754.1733 >>> rcharlet@nortel.com >>> --- _ >>> ( ) ASCII ribbon campaign >>> X - against HTML email >>> / \ >>> >>>> -----Original Message----- >>>> From: Max Pritikin [mailto:pritikin@cisco.com] >>>> Sent: Monday, November 06, 2006 5:26 PM >>>> To: Charlet, Ricky (HLYER:0000) >>>> Cc: scep@vpnc.org >>>> Subject: Re: question on interop with entrust server >>>> >>>> >>>> "After a bit more reading..." Then what? :) >>>> >>>> Are you having trouble with the entrust CA decrypting the >>>> pkcs7 or is it trouble parsing the pkcs7? Does your client work >>>> against a different CA server? >>>> >>>> - max >>>> >>>> On Nov 6, 2006, at 5:04 PM, Ricky Charlet wrote: >>>> >>>>> >>>>> After a bit more reading.... >>>>> >>>>> >>>>> --- >>>>> Ricky Charlet >>>>> W: 408.754.1733 >>>>> rcharlet@nortel.com >>>>> --- _ >>>>> ( ) ASCII ribbon campaign >>>>> X - against HTML email >>>>> / \ >>>>> >>>>>> -----Original Message----- >>>>>> From: owner-scep@mail.vpnc.org >>>>>> [mailto:owner-scep@mail.vpnc.org] On Behalf Of Charlet, Ricky >>>>>> (HLYER:0000) >>>>>> Sent: Monday, November 06, 2006 12:49 PM >>>>>> To: scep@vpnc.org >>>>>> Subject: question on interop with entrust server >>>>>> >>>>>> >>>>>> Howdy, >>>>>> >>>>>> My group is building a new scep client. We have successfully >>>>>> interoperated against microsoft but are having a difficult time >>>>>> interoperating with entrust. The entrust server seems not >>>> to be able >>>>>> to decrypt our PKCS7. But the log message is very vague. >>>>>> >>>>>> I'm hoping an Entrust VPN enrollment server person is >>>> reading this >>>>>> and can contact me directly to work out some interop testing. >>>>>> >>>>>> >>>>>> --- >>>>>> Ricky Charlet >>>>>> W: 408.754.1733 >>>>>> rcharlet@nortel.com >>>>>> --- _ >>>>>> ( ) ASCII ribbon campaign >>>>>> X - against HTML email >>>>>> / \ >>>>>> >>>>>> >>>> >> From owner-scep Sun Feb 17 09:04:30 2008 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m1HG4UHr012122 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 17 Feb 2008 09:04:30 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m1HG4UPj012121; Sun, 17 Feb 2008 09:04:30 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from skutsje.san.webweaving.org (skutsje.san.webweaving.org [209.132.96.45]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m1HG4TRP012113 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Sun, 17 Feb 2008 09:04:30 -0700 (MST) (envelope-from dirkx@webweaving.org) Received: from [10.11.0.121] (5356CA0A.cable.casema.nl [83.86.202.10]) (authenticated bits=0) by skutsje.san.webweaving.org (8.12.9/8.12.9) with ESMTP id m1HG4Q2Q034391 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for ; Sun, 17 Feb 2008 08:04:29 -0800 (PST) (envelope-from dirkx@webweaving.org) Message-Id: From: Dirk-Willem van Gulik To: scep@vpnc.org Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v919.2) Subject: Initial Date: Sun, 17 Feb 2008 17:04:26 +0100 X-Mailer: Apple Mail (2.919.2) Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Apologies if this is is a very obvious question - but I've certainly missed it reading through the document. With respect to: > 2.2.1.2 Required Information A requester is required to have the > following information configured before starting any PKI operations: > 1. the certificate authority IP address or fully-qualified domain > name, > 2. the certificate authority HTTP CGI script path, and the HTTP > proxy information in case there is no direct Internet connection to > the server, > 3. If CRLs are being published by the CA to an LDAP directory > server, and there is a CRL Distribution Point containing only an X. > 500 directory name, then the client will need to know the LDAP > server fully-qualified domain name or IP address. CRL Distribution > Points are discussed in more detail in RFC 2459. How does a client learn '1' and '3' in the wild. For '3' we have clear extensions in the very first x509 cert's you'd encounter, say during a 802.1X signon, when you talk to the server* -- but in what extension is 1 passed ? And secondly - how does one learn those when the x509 of the first port of call (say some Radius server doing EAP) is different from above ? Thanks, Dw *: who in the TLS exchange will flash its own cert and the chain up. From owner-scep Wed Feb 20 01:32:37 2008 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m1K8Wb8o069677 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 20 Feb 2008 01:32:37 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id m1K8WbMU069676; Wed, 20 Feb 2008 01:32:37 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from skutsje.san.webweaving.org (skutsje.san.webweaving.org [209.132.96.45]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id m1K8WaOK069669 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Wed, 20 Feb 2008 01:32:37 -0700 (MST) (envelope-from dirkx@webweaving.org) Received: from dyn-210.leiden.webweaving.org (5356CA0A.cable.casema.nl [83.86.202.10]) (authenticated bits=0) by skutsje.san.webweaving.org (8.12.9/8.12.9) with ESMTP id m1K8WQ2Q006101 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 20 Feb 2008 00:32:29 -0800 (PST) (envelope-from dirkx@webweaving.org) Cc: scep@vpnc.org Message-Id: <1CA06A0F-45FE-4159-A93D-5E5692D9351B@webweaving.org> From: Dirk-Willem van Gulik To: Tomas Gustavsson In-Reply-To: <47BBD724.9060502@primekey.se> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v919.2) Subject: Re: Initial Date: Wed, 20 Feb 2008 09:32:25 +0100 References: <47BBD724.9060502@primekey.se> X-Mailer: Apple Mail (2.919.2) Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: On Feb 20, 2008, at 8:30 AM, Tomas Gustavsson wrote: > For number 3, I would guess that that ip-adress is also part of the > initial manual configuration of the device. Ok - I'll take apart the vendor code and see what it is they do. As I suspect they take some field from the x509 of the TLS cert during the EAP exchange.- This is clever as this is where that server is provided to the client as part of the 802.1X exchange. Which means that the client does not have to have any configuration at all - and can be brought into the field without any a-priori configuration. While on that topic - I noticed that MacOSX started to have a similar function: http://it.ucmerced.edu/docs/guides/wireless/wireless_mac_leopard.cfm but have not seen this in operation. Has anyone ? Dw From owner-scep Thu May 8 02:45:07 2008 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m489j6aQ012672 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 8 May 2008 02:45:06 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m489j6Ro012671; Thu, 8 May 2008 02:45:06 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from mail.cynops.de (cynops.de [82.149.225.69]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m489j59T012640 for ; Thu, 8 May 2008 02:45:06 -0700 (MST) (envelope-from ak-ml2006@cynops.de) Received: from cy10loc.cynops.de (cy10loc [172.16.0.10]) by mail.cynops.de (Postfix) with ESMTP id 6EF486D2A3 for ; Thu, 8 May 2008 11:45:03 +0200 (CEST) Received: from localhost (unknown [172.16.0.6]) by cy10loc.cynops.de (Postfix) with ESMTP id 65FB1C80B4 for ; Thu, 8 May 2008 11:45:02 +0200 (CEST) Date: Thu, 8 May 2008 11:44:57 +0200 From: Alexander Klink To: scep@vpnc.org Subject: Cisco and automatic renewal (signature with old certificate) Message-ID: <20080508.c450c30ebd32c69d9ae80ddafaf2d640@cynops.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.5.13 (2006-08-11) Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi, I've been subscribed to this mailing list for about two years now and haven't seen any traffic at all - let's see if someone else is actually subscribed. I am with the OpenXPKI project, we're building an open source PKI which includes an SCEP server. I was wondering if it is possible at all to use the automatic renewal (signature with the existing certificate) feature which was introduced in later versions of the draft (and is implemented for example in CertNanny, another open source project) with Cisco routers? From the documentation, I'd have guessed that this is what is used when the 'regnerate' option is specified to generate a new key (it looks like if this is not specified, the router uses the old key and in turn the old transaction ID, which in our case leads to returning the old certificate ...?), but it looks like the request is self-signed with the new key ... BTW, if anyone is interested in SCEP client testing against OpenXPKI, I guess I could set up a public test SCEP server ... Cheers, Alex -- Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink@cynops.de mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de ----------------------------+----------------------+--------------------- HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer: Bad Homburg v. d. Höhe | | Martin Bartosch From owner-scep Thu May 8 07:31:57 2008 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m48EVvro029596 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 8 May 2008 07:31:57 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m48EVvOu029592; Thu, 8 May 2008 07:31:57 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m48EVpdh029557 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=FAIL) for ; Thu, 8 May 2008 07:31:55 -0700 (MST) (envelope-from pritikin@cisco.com) X-IronPort-AV: E=Sophos;i="4.27,455,1204498800"; d="scan'208";a="8398907" Received: from ams-dkim-1.cisco.com ([144.254.224.138]) by ams-iport-1.cisco.com with ESMTP; 08 May 2008 16:31:51 +0200 Received: from ams-core-1.cisco.com (ams-core-1.cisco.com [144.254.224.150]) by ams-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id m48EVpQj024962; Thu, 8 May 2008 16:31:51 +0200 Received: from xbh-ams-332.emea.cisco.com (xbh-ams-332.cisco.com [144.254.231.87]) by ams-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id m48EVpRs016793; Thu, 8 May 2008 14:31:51 GMT Received: from xfe-ams-332.cisco.com ([144.254.231.73]) by xbh-ams-332.emea.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 8 May 2008 16:31:50 +0200 Received: from [10.0.1.200] ([10.32.244.69]) by xfe-ams-332.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 8 May 2008 16:31:49 +0200 Cc: scep@vpnc.org Message-Id: <12D19DE0-B7F8-4303-BE6F-D9B8D8F0B66B@cisco.com> From: max pritikin To: Alexander Klink In-Reply-To: <20080508.c450c30ebd32c69d9ae80ddafaf2d640@cynops.de> Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Apple Message framework v919.2) Subject: Re: Cisco and automatic renewal (signature with old certificate) Date: Thu, 8 May 2008 09:31:45 -0500 References: <20080508.c450c30ebd32c69d9ae80ddafaf2d640@cynops.de> X-Mailer: Apple Mail (2.919.2) X-OriginalArrivalTime: 08 May 2008 14:31:50.0518 (UTC) FILETIME=[40D65960:01C8B118] DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2033; t=1210257111; x=1211121111; c=relaxed/simple; s=amsdkim1002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=pritikin@cisco.com; z=From:=20max=20pritikin=20 |Subject:=20Re=3A=20Cisco=20and=20automatic=20renewal=20(si gnature=20with=20old=20certificate) |Sender:=20; bh=uBXDp1U3sLBOHvOVoJVx1S192wiian1BeWMP8aG4LVk=; b=POxHwTYqt+e57zx1ZSaWNwLnk6rYVUp2t5Dp03MW29tcr1W6paTxtm6M00 XY2Zyhu2hv7UB1WztmvHBA7samjnLnalNXfLcf1rZ4iFxgFjmWcfHXq5z0we GTey5lnJMQ; Authentication-Results: ams-dkim-1; header.From=pritikin@cisco.com; dkim=pass ( sig from cisco.com/amsdkim1002 verified; ); Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Yes, this list doesn't get much traffic but we're here. Regenerate will get the router to automatically generate new keys when =20= it reenrolls. Otherwise it would use its current keys -- in effect =20 just getting a new cert/longer lifetime. It sounds like that is =20 working correctly for you. Your problem is a self-signed cert being used to sign the PKCS7? Are you returning "Renewal" in the GetCACaps SCEP response? - max On May 8, 2008, at 4:44 AM, Alexander Klink wrote: > > Hi, > > I've been subscribed to this mailing list for about two years > now and haven't seen any traffic at all - let's see if someone > else is actually subscribed. > > I am with the OpenXPKI project, we're building an open source PKI > which includes an SCEP server. I was wondering if it is possible > at all to use the automatic renewal (signature with the existing > certificate) feature which was introduced in later versions of > the draft (and is implemented for example in CertNanny, another > open source project) with Cisco routers? =46rom the documentation, > I'd have guessed that this is what is used when the 'regnerate' option > is specified to generate a new key (it looks like if this is not > specified, the router uses the old key and in turn the old > transaction ID, which in our case leads to returning the old > certificate ...?), but it looks like the request is self-signed > with the new key ... > > BTW, if anyone is interested in SCEP client testing against OpenXPKI, > I guess I could set up a public test SCEP server ... > > Cheers, > Alex > --=20 > Dipl.-Math. Alexander Klink | IT-Security Engineer | = a.klink@cynops.de > mobile: +49 (0)178 2121703 | Cynops GmbH | = http://www.cynops.de > ----------------------------+----------------------=20 > +--------------------- > HRB 7833, Amtsgericht | USt-Id: DE 213094986 | =20 > Gesch=E4ftsf=FChrer: > Bad Homburg v. d. H=F6he | | Martin =20 > Bartosch > From owner-scep Fri May 9 01:31:55 2008 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m498VtYx073878 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 9 May 2008 01:31:55 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m498VtH8073877; Fri, 9 May 2008 01:31:55 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from mail.cynops.de (cynops.eu [82.149.225.69] (may be forged)) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m498VreB073855 for ; Fri, 9 May 2008 01:31:54 -0700 (MST) (envelope-from ak-ml2006@cynops.de) Received: from cy10loc.cynops.de (cy10loc [172.16.0.10]) by mail.cynops.de (Postfix) with ESMTP id C1EE66D27F for ; Fri, 9 May 2008 10:31:52 +0200 (CEST) Received: from localhost (unknown [172.16.0.6]) by cy10loc.cynops.de (Postfix) with ESMTP id 80767C807B for ; Fri, 9 May 2008 10:31:52 +0200 (CEST) Date: Fri, 9 May 2008 10:31:50 +0200 From: Alexander Klink To: scep@vpnc.org Subject: Re: Cisco and automatic renewal (signature with old certificate) Message-ID: <20080509.0acea7fd3904c686207581a944f7ea0e@cynops.de> References: <20080508.c450c30ebd32c69d9ae80ddafaf2d640@cynops.de> <12D19DE0-B7F8-4303-BE6F-D9B8D8F0B66B@cisco.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <12D19DE0-B7F8-4303-BE6F-D9B8D8F0B66B@cisco.com> User-Agent: Mutt/1.5.13 (2006-08-11) Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi Max, On Thu, May 08, 2008 at 09:31:45AM -0500, max pritikin wrote: > Yes, this list doesn't get much traffic but we're here. Good to know :-) > Regenerate will get the router to automatically generate new keys when > it reenrolls. Otherwise it would use its current keys -- in effect > just getting a new cert/longer lifetime. It sounds like that is > working correctly for you. Sort of. In the latter case, the same transaction ID is being used, because the same public key is used. Now the standard says this is possible, but how do I decide on the CA side whether a given transaction just wants the certificate that has already been issued returned or is actually a new transaction for a renewal with the same key? Looks like the only thing I can do there is some heuristics on when the certificate expires ...? Doesn't feel good to me. > Your problem is a self-signed cert being used to sign the PKCS7? Yes, for the renewal I would assume that the signature is made using the already existing certificate, which in turn could authenticate the device and make the CA auto-issue the new certificate (this was added in later SCEP drafts). > Are you returning "Renewal" in the GetCACaps SCEP response? Unfortunately, we didn't implement GetCACaps (yet) - would that change anything? Cheers, Alex -- Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink@cynops.de mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de ----------------------------+----------------------+--------------------- HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer: Bad Homburg v. d. Höhe | | Martin Bartosch From owner-scep Fri May 9 01:42:29 2008 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m498gSB9078595 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 9 May 2008 01:42:28 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m498gSZu078594; Fri, 9 May 2008 01:42:28 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from mail.cynops.de (cynops.de [82.149.225.69]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m498gRuA078574 for ; Fri, 9 May 2008 01:42:28 -0700 (MST) (envelope-from ak-ml2006@cynops.de) Received: from cy10loc.cynops.de (cy10loc [172.16.0.10]) by mail.cynops.de (Postfix) with ESMTP id 4E4736D27F for ; Fri, 9 May 2008 10:42:27 +0200 (CEST) Received: from localhost (unknown [172.16.0.6]) by cy10loc.cynops.de (Postfix) with ESMTP id 1D4E8C80D6 for ; Fri, 9 May 2008 10:42:27 +0200 (CEST) Date: Fri, 9 May 2008 10:42:25 +0200 From: Alexander Klink To: scep@vpnc.org Subject: Re: Cisco and automatic renewal (signature with old certificate) Message-ID: <20080509.67885eb6cf4cb9dd21766c267ab79d84@cynops.de> References: <20080508.c450c30ebd32c69d9ae80ddafaf2d640@cynops.de> <12D19DE0-B7F8-4303-BE6F-D9B8D8F0B66B@cisco.com> <20080509.0acea7fd3904c686207581a944f7ea0e@cynops.de> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20080509.0acea7fd3904c686207581a944f7ea0e@cynops.de> User-Agent: Mutt/1.5.13 (2006-08-11) Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Hi again, On Fri, May 09, 2008 at 10:31:50AM +0200, Alexander Klink wrote: > > Are you returning "Renewal" in the GetCACaps SCEP response? > > Unfortunately, we didn't implement GetCACaps (yet) - would that change > anything? I just checked my Apache logs and the device we're trying this on (a Cisco 7300 running IOS 12.2(31)SB11) apparently does not send GetCACaps (we updated it during the testing process, though, so maybe it only asks during the trustpoint configuration?) ... - any ideas? Cheers, Alex -- Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink@cynops.de mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de ----------------------------+----------------------+--------------------- HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer: Bad Homburg v. d. Höhe | | Martin Bartosch From owner-scep Fri May 9 07:44:52 2008 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m49Eipm7043161 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 9 May 2008 07:44:52 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id m49EipQP043156; Fri, 9 May 2008 07:44:51 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id m49EioPf043146 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=FAIL) for ; Fri, 9 May 2008 07:44:50 -0700 (MST) (envelope-from pritikin@cisco.com) X-IronPort-AV: E=Sophos;i="4.27,460,1204531200"; d="scan'208";a="13040408" Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-4.cisco.com with ESMTP; 09 May 2008 07:44:45 -0700 Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id m49EijCj012937; Fri, 9 May 2008 07:44:45 -0700 Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-5.cisco.com (8.13.8/8.13.8) with ESMTP id m49EijPP018043; Fri, 9 May 2008 14:44:45 GMT Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 9 May 2008 07:44:40 -0700 Received: from [10.0.1.200] ([10.32.244.69]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Fri, 9 May 2008 07:44:39 -0700 Cc: scep@vpnc.org, scep-interest@external.cisco.com Message-Id: <7180AF42-915C-428E-A37E-610CA41E8128@cisco.com> From: max pritikin To: Alexander Klink In-Reply-To: <20080509.67885eb6cf4cb9dd21766c267ab79d84@cynops.de> Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Apple Message framework v919.2) Subject: Re: Cisco and automatic renewal (signature with old certificate) Date: Fri, 9 May 2008 09:44:38 -0500 References: <20080508.c450c30ebd32c69d9ae80ddafaf2d640@cynops.de> <12D19DE0-B7F8-4303-BE6F-D9B8D8F0B66B@cisco.com> <20080509.0acea7fd3904c686207581a944f7ea0e@cynops.de> <20080509.67885eb6cf4cb9dd21766c267ab79d84@cynops.de> X-Mailer: Apple Mail (2.919.2) X-OriginalArrivalTime: 09 May 2008 14:44:40.0228 (UTC) FILETIME=[36088640:01C8B1E3] DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1459; t=1210344285; x=1211208285; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=pritikin@cisco.com; z=From:=20max=20pritikin=20 |Subject:=20Re=3A=20Cisco=20and=20automatic=20renewal=20(si gnature=20with=20old=20certificate) |Sender:=20; bh=w9L8+jadP6cl+i/lvoC+CngOkJzrefoABQuPMGhFoFw=; b=pgKDJP410KwS3N9HdI73xU6SJt8Zb+eQsvxqvBx1K4QghPidXGHG6xbzOu w8FQLhHG/IR1D1l5c/50dfZ8Ea3xiAQ6CLDxf7LuqR92Jgqhfhhor7mPY0Kj Gt98hh5JFx; Authentication-Results: sj-dkim-2; header.From=pritikin@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; ); Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: 12.2?? Hmm... I think re-enroll using an existing cert went in at =20 12.3(11)T. IIRC some of the renewal, and rollover behavior on IOS clients is =20 triggered automatically by the CAs responses in GetCaps. IIRC GetCACaps is called more than once -- the results are not stored =20= in the config. I don't recall if it happens before all SCEP operations =20= (that would be extreme, no?). - max On May 9, 2008, at 3:42 AM, Alexander Klink wrote: > > Hi again, > > On Fri, May 09, 2008 at 10:31:50AM +0200, Alexander Klink wrote: >>> Are you returning "Renewal" in the GetCACaps SCEP response? >> >> Unfortunately, we didn't implement GetCACaps (yet) - would that =20 >> change >> anything? > > I just checked my Apache logs and the device we're trying this on > (a Cisco 7300 running IOS 12.2(31)SB11) apparently does not send > GetCACaps (we updated it during the testing process, though, so > maybe it only asks during the trustpoint configuration?) ... - any > ideas? > > Cheers, > Alex > --=20 > Dipl.-Math. Alexander Klink | IT-Security Engineer | = a.klink@cynops.de > mobile: +49 (0)178 2121703 | Cynops GmbH | = http://www.cynops.de > ----------------------------+----------------------=20 > +--------------------- > HRB 7833, Amtsgericht | USt-Id: DE 213094986 | =20 > Gesch=E4ftsf=FChrer: > Bad Homburg v. d. H=F6he | | Martin =20 > Bartosch > From owner-scep Thu Sep 24 02:06:39 2009 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n8O96d0t075980 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 24 Sep 2009 02:06:39 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n8O96dvC075979; Thu, 24 Sep 2009 02:06:39 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from nyginimrp10.us.db.com (nyginimrp10.us.db.com [160.83.77.106]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n8O96ZMN075972 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for ; Thu, 24 Sep 2009 02:06:38 -0700 (MST) (envelope-from arkadius.litwinczuk@db.com) Received: from msgr0003.de.db.com (defrwmr031dbk36.de.db.com [10.225.18.102]) by nyginimrp10.us.db.com (8.14.3/8.14.3) with ESMTP id n8O96YkF014378 for ; Thu, 24 Sep 2009 05:06:34 -0400 To: scep@vpnc.org Subject: SCEP draft 19, getNextCA question / bug report MIME-Version: 1.0 X-Mailer: Lotus Notes Release 6.5.5 November 30, 2005 From: Arkadius Litwinczuk X-MIMETrack: S/MIME Sign by Notes Client on Arkadius Litwinczuk/db/dbcom(Release 6.5.5|November 30, 2005) at 24.09.2009 11:06:30, Serialize by Notes Client on Arkadius Litwinczuk/db/dbcom(Release 6.5.5|November 30, 2005) at 24.09.2009 11:06:30, Serialize complete at 24.09.2009 11:06:30, S/MIME Sign failed at 24.09.2009 11:06:30: The cryptographic key was not found, Serialize by Router on MSGR0003/srv/dbsmtp(Release 6.5.5FP2 HF430|July 06, 2007) at 24.09.2009 11:06:34, Serialize complete at 24.09.2009 11:06:34 Message-ID: Date: Thu, 24 Sep 2009 11:06:30 +0200 Content-Type: multipart/alternative; boundary="=_alternative 0032089AC125763B_=" Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multipart message in MIME format. --=_alternative 0032089AC125763B_= Content-Type: text/plain; charset="utf-8" content-transfer-encoding: quoted-printable Hello List , I'm a student currently working on the implementation of a automatic=20 root-key roll over for my Diploma work. Implementing the functionality=20 into the open source projects openCA and SSCEP.=20 I wanted to use the SCEP draft 19 "getNextCA" message but I have one=20 problem there, it is ambiguous at :=20 5.2.6.1. GetNextCACert Response The response will have a Content-Type of "application/ x-x509-next-ca-cert". The body of this response consists of a SignedData PKCS#7 [RFC2315], as defined in Section 4.6.1. "Content-Type:application/x-x509-ca-ra-cert\n\n" > GetNextCaCert Example I guess it's an copy and paste error, but should the response Content-Type= =20 be "application/x-x509-next-ca-cert" or a "application/x-x509-ca-ra-cert"=20 ?=20 Also there is no difference if it's only a CA or a CA and RA in the=20 respond I guess. It's a signed PKCS#7, signed by the CA or RA witha=20 degenerate PKCS7 including the next CA /RA certificates. Also since this draft expires on October when will be the new draft=20 available ?=20 Kind regards from Germany,=20 Arkadius Litwinczuk=20 --=20 Informationen (einschlie=C3=9Flich Pflichtangaben) zu einzelnen, innerhalb = der EU t=C3=A4tigen Gesellschaften und Zweigniederlassungen des Konzerns De= utsche Bank finden Sie unter http://www.db.com/de/content/pflichtangaben.ht= m. Diese E-Mail enth=C3=A4lt vertrauliche und/ oder rechtlich gesch=C3=BCtz= te Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Ma= il irrt=C3=BCmlich erhalten haben, informieren Sie bitte sofort den Absende= r und vernichten Sie diese E-Mail. Das unerlaubte Kopieren sowie die unbefu= gte Weitergabe dieser E-Mail ist nicht gestattet. Please refer to http://www.db.com/en/content/eu_disclosures.htm for informa= tion (including mandatory corporate particulars) on selected Deutsche Bank = branches and group companies registered or incorporated in the European Uni= on. This e-mail may contain confidential and/or privileged information. If = you are not the intended recipient (or have received this e-mail in error) = please notify the sender immediately and delete this e-mail. Any unauthoriz= ed copying, disclosure or distribution of the material in this e-mail is st= rictly forbidden. --=_alternative 0032089AC125763B_= Content-Type: text/html; charset="utf-8" content-transfer-encoding: quoted-printable
Hello List ,

I'm a student currently working on t= he implementation of a automatic root-key roll over for my Diploma work. Imple= menting the functionality into the open source projects openCA and SSCEP.
I wanted to use the SCEP draft 19 &n= bsp;"getNextCA" message but I have one problem there, it is ambiguous at :

5.2.6.1.  GetNextCACert Response<= /tt>


  The response will have a Content-Type of "application/
  x-x509-next-ca-cert".

  The body of this response consists of a SignedData PKCS#7 [<= /tt>RFC2315= ],
  as defined in Section 4.6.1.
  "Content-Type:application/x-x509-ca-ra-cert\n\n"
  <BER-encoded SignedData<BER-encoded degenerate PKCS7>><= br>
                          GetNextCaCert Example
I guess it's an copy and paste error, but should the response Content-Type be "application/x-x509-next-ca-ce= rt" or a "application/x-x509-ca-ra-cert" ?
Also there is no difference if it's only a CA or a CA and RA in the respond I guess. It's a signed PKCS#7, signed by the CA or RA witha degenerate PKCS7 including the next CA /RA certificates.

Also since this draft expires on Oct= ober when will be the new draft available ?

Kind regards from Germany,

Arkadius Litwinczuk

--

Informationen (einschlie=C3=9Flich Pflichtangaben) zu einz= elnen, innerhalb der EU t=C3=A4tigen Gesellschaften und Zweigniederlassunge= n des Konzerns Deutsche Bank finden Sie unter ht= tp://www.db.com/de/content/pflichtangaben.htm. = Diese E-Mail enth=C3=A4lt vertrauliche und/ oder rechtlich gesch=C3=BCtzte = Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail = irrt=C3=BCmlich erhalten haben, informieren Sie bitte sofort den Absender u= nd vernichten Sie diese E-Mail. Das unerlaubte Kopieren sowie die unbefugte= Weitergabe dieser E-Mail ist nicht gestattet.

Please refer to http://www.db.c= om/en/content/eu_disclosures.htm for informatio= n (including mandatory corporate particulars) on selected Deutsche Bank bra= nches and group companies registered or incorporated in the European Union.= This e-mail may contain confidential and/or privileged information. If you= are not the intended recipient (or have received this e-mail in error) ple= ase notify the sender immediately and delete this e-mail. Any unauthorized = copying, disclosure or distribution of the material in this e-mail is stric= tly forbidden. --=_alternative 0032089AC125763B_=-- From owner-scep Thu Sep 24 08:31:44 2009 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n8OFVi51003983 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 24 Sep 2009 08:31:44 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n8OFViwZ003982; Thu, 24 Sep 2009 08:31:44 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n8OFVbuq003973 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=FAIL) for ; Thu, 24 Sep 2009 08:31:42 -0700 (MST) (envelope-from pritikin@cisco.com) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: ApoEABstu0qrR7PD/2dsb2JhbAC/B4hQAY9wBYIkBoFxgV0 X-IronPort-AV: E=Sophos;i="4.44,446,1249257600"; d="scan'208";a="395337854" Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-6.cisco.com with ESMTP; 24 Sep 2009 15:31:28 +0000 Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id n8OFVSOu022185; Thu, 24 Sep 2009 08:31:28 -0700 Received: from [10.0.1.4] (stealth-10-32-244-67.cisco.com [10.32.244.67]) by sj-core-5.cisco.com (8.13.8/8.14.3) with ESMTP id n8OFVSSc017125; Thu, 24 Sep 2009 15:31:28 GMT Cc: scep@vpnc.org, Jan Vilhuber Message-Id: <69F85CA4-35A7-4F8F-84CE-867CC022FE2A@cisco.com> From: max pritikin To: Arkadius Litwinczuk In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Apple Message framework v936) Subject: Re: SCEP draft 19, getNextCA question / bug report Date: Thu, 24 Sep 2009 10:31:28 -0500 References: X-Mailer: Apple Mail (2.936) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=3214; t=1253806289; x=1254670289; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=pritikin@cisco.com; z=From:=20max=20pritikin=20 |Subject:=20Re=3A=20SCEP=20draft=2019,=20getNextCA=20questi on=20/=20bug=20report=20 |Sender:=20; bh=/byw3eBpjjR7Iq5ixFxQa2g0Xx4sakjDDrPfnl3JHLk=; b=UGACHQ/4v5iYXpUYn6QLw4Na1XjosbX9wmquq4BBsG7p8Ddm/HqBpnBXbc JpZEf9H5wynRStRXISXtZ9h5w4c5+kPA1CTEt0/mpl9nz4RLOFKG0lIJU6Wq T3d1CYu/IO; Authentication-Results: sj-dkim-3; header.From=pritikin@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; ); Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Arkadius, Yes, this is an error and it should be "application/x-x509-next-ca-=20 cert". Note that these two mime types are different with different encodings =20= (they are not interchangeable). I note this since, although =20 "application/x-x509-next-ca-cert" is the correct type, it looks like =20 the IOS implementation expect the erroneous mime type of "application/=20= x-x509-ca-ra-cert". We'd like to see this draft get finalized into RFC form soon. We'll =20 likely update the draft to v20 but hopefully that'll be the last one =20 before it is finalized. -max On Sep 24, 2009, at 4:06 AM, Arkadius Litwinczuk wrote: > > Hello List , > > I'm a student currently working on the implementation of a automatic =20= > root-key roll over for my Diploma work. Implementing the =20 > functionality into the open source projects openCA and SSCEP. > I wanted to use the SCEP draft 19 "getNextCA" message but I have =20 > one problem there, it is ambiguous at : > > 5.2.6.1. GetNextCACert Response > > > The response will have a Content-Type of "application/ > x-x509-next-ca-cert". > > The body of this response consists of a SignedData PKCS#7 [RFC2315], > as defined in Section 4.6.1. > "Content-Type:application/x-x509-ca-ra-cert\n\n" > > > > GetNextCaCert Example > > I guess it's an copy and paste error, but should the response =20 > Content-Type be "application/x-x509-next-ca-cert" or a "application/=20= > x-x509-ca-ra-cert" ? > Also there is no difference if it's only a CA or a CA and RA in the =20= > respond I guess. It's a signed PKCS#7, signed by the CA or RA witha =20= > degenerate PKCS7 including the next CA /RA certificates. > > Also since this draft expires on October when will be the new draft =20= > available ? > > Kind regards from Germany, > > Arkadius Litwinczuk > > --=20 > > Informationen (einschlie=DFlich Pflichtangaben) zu einzelnen, =20 > innerhalb der EU t=E4tigen Gesellschaften und Zweigniederlassungen des = =20 > Konzerns Deutsche Bank finden Sie unter = http://www.db.com/de/content/pflichtangaben.htm=20 > . Diese E-Mail enth=E4lt vertrauliche und/ oder rechtlich gesch=FCtzte = =20 > Informationen. Wenn Sie nicht der richtige Adressat sind oder diese =20= > E-Mail irrt=FCmlich erhalten haben, informieren Sie bitte sofort den =20= > Absender und vernichten Sie diese E-Mail. Das unerlaubte Kopieren =20 > sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet. > > Please refer to http://www.db.com/en/content/eu_disclosures.htm for =20= > information (including mandatory corporate particulars) on selected =20= > Deutsche Bank branches and group companies registered or =20 > incorporated in the European Union. This e-mail may contain =20 > confidential and/or privileged information. If you are not the =20 > intended recipient (or have received this e-mail in error) please =20 > notify the sender immediately and delete this e-mail. Any =20 > unauthorized copying, disclosure or distribution of the material in =20= > this e-mail is strictly forbidden. From owner-scep Wed Oct 7 04:29:34 2009 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n97BTYNB085587 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 7 Oct 2009 04:29:34 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n97BTYZP085586; Wed, 7 Oct 2009 04:29:34 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from nyginimrp10.us.db.com (nyginimrp10.us.db.com [160.83.77.106]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n97BTWF5085576 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for ; Wed, 7 Oct 2009 04:29:33 -0700 (MST) (envelope-from arkadius.litwinczuk@db.com) Received: from msgr0003.de.db.com (defrwmr031dbk36.de.db.com [10.225.18.102]) by nyginimrp10.us.db.com (8.14.3/8.14.3) with ESMTP id n97BTFFT003481 for ; Wed, 7 Oct 2009 07:29:31 -0400 In-Reply-To: <69F85CA4-35A7-4F8F-84CE-867CC022FE2A@cisco.com> To: scep@vpnc.org Subject: one more SCEP draft 19, getNextCA question MIME-Version: 1.0 X-Mailer: Lotus Notes Release 6.5.5 November 30, 2005 From: Arkadius Litwinczuk X-MIMETrack: S/MIME Sign by Notes Client on Arkadius Litwinczuk/db/dbcom(Release 6.5.5|November 30, 2005) at 07.10.2009 13:29:15, Serialize by Notes Client on Arkadius Litwinczuk/db/dbcom(Release 6.5.5|November 30, 2005) at 07.10.2009 13:29:15, Serialize complete at 07.10.2009 13:29:15, S/MIME Sign failed at 07.10.2009 13:29:16: The cryptographic key was not found, Serialize by Router on MSGR0003/srv/dbsmtp(Release 6.5.5FP2 HF430|July 06, 2007) at 07.10.2009 13:29:31, Serialize complete at 07.10.2009 13:29:31 Message-ID: Date: Wed, 7 Oct 2009 13:29:21 +0200 Content-Type: multipart/alternative; boundary="=_alternative 003F1AA8C1257648_=" Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multipart message in MIME format. --=_alternative 003F1AA8C1257648_= Content-Type: text/plain; charset="utf-8" content-transfer-encoding: quoted-printable Hi Max,=20 I have an other question regarding the getNextCA operation. We cleared the= =20 MIME type but, the current version also does not specify the SCEP=20 messageType does it ? Is it CertRep so the corresponding decimal 3 ?=20 Also I assume that the response=20 "Content-Type:application/x-x509-next-ca-certt\n\n"=20 > is also a base64 and DER encoded right? Only to clarify sorry if I missed=20 something in the draft describing this.=20 Kind regards,=20 Arkadius=20 --=20 Informationen (einschlie=C3=9Flich Pflichtangaben) zu einzelnen, innerhalb = der EU t=C3=A4tigen Gesellschaften und Zweigniederlassungen des Konzerns De= utsche Bank finden Sie unter http://www.db.com/de/content/pflichtangaben.ht= m. Diese E-Mail enth=C3=A4lt vertrauliche und/ oder rechtlich gesch=C3=BCtz= te Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Ma= il irrt=C3=BCmlich erhalten haben, informieren Sie bitte sofort den Absende= r und vernichten Sie diese E-Mail. Das unerlaubte Kopieren sowie die unbefu= gte Weitergabe dieser E-Mail ist nicht gestattet. Please refer to http://www.db.com/en/content/eu_disclosures.htm for informa= tion (including mandatory corporate particulars) on selected Deutsche Bank = branches and group companies registered or incorporated in the European Uni= on. This e-mail may contain confidential and/or privileged information. If = you are not the intended recipient (or have received this e-mail in error) = please notify the sender immediately and delete this e-mail. Any unauthoriz= ed copying, disclosure or distribution of the material in this e-mail is st= rictly forbidden. --=_alternative 003F1AA8C1257648_= Content-Type: text/html; charset="utf-8" content-transfer-encoding: quoted-printable
Hi Max,

I have an other question regarding t= he getNextCA operation. We cleared the MIME type but, the current version also does not specify the SCEP messageType does it ? Is it CertRep  so the corresponding decimal 3 ?

Also I assume that the response
 "Content-Type:application= /x-x509-next-ca-certt\n\n"  
<BER-encoded SignedData<BER-en= coded degenerate PKCS7>>
is also a base64 and DER encoded rig= ht? Only to clarify sorry if I missed something in the draft describing this.

Kind regards,

Arkadius



--

Informationen (einschlie=C3=9Flich Pflichtangaben) zu einz= elnen, innerhalb der EU t=C3=A4tigen Gesellschaften und Zweigniederlassunge= n des Konzerns Deutsche Bank finden Sie unter ht= tp://www.db.com/de/content/pflichtangaben.htm. = Diese E-Mail enth=C3=A4lt vertrauliche und/ oder rechtlich gesch=C3=BCtzte = Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail = irrt=C3=BCmlich erhalten haben, informieren Sie bitte sofort den Absender u= nd vernichten Sie diese E-Mail. Das unerlaubte Kopieren sowie die unbefugte= Weitergabe dieser E-Mail ist nicht gestattet.

Please refer to http://www.db.c= om/en/content/eu_disclosures.htm for informatio= n (including mandatory corporate particulars) on selected Deutsche Bank bra= nches and group companies registered or incorporated in the European Union.= This e-mail may contain confidential and/or privileged information. If you= are not the intended recipient (or have received this e-mail in error) ple= ase notify the sender immediately and delete this e-mail. Any unauthorized = copying, disclosure or distribution of the material in this e-mail is stric= tly forbidden. --=_alternative 003F1AA8C1257648_=-- From owner-scep Wed Oct 7 17:54:17 2009 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n980sHPF036861 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 7 Oct 2009 17:54:17 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n980sHAW036860; Wed, 7 Oct 2009 17:54:17 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from sj-iport-2.cisco.com (sj-iport-2.cisco.com [171.71.176.71]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n980s59m036849 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=FAIL) for ; Wed, 7 Oct 2009 17:54:16 -0700 (MST) (envelope-from pritikin@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=pritikin@cisco.com; l=2709; q=dns/txt; s=sjiport02001; t=1254963256; x=1256172856; h=from:sender:reply-to:subject:date:message-id:to:cc: mime-version:content-transfer-encoding:content-id: content-description:resent-date:resent-from:resent-sender: resent-to:resent-cc:resent-message-id:in-reply-to: references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:list-owner:list-archive; z=From:=20max=20pritikin=20|Subject: =20Re:=20one=20more=20SCEP=20draft=2019,=20getNextCA=20qu estion|Date:=20Wed,=207=20Oct=202009=2019:42:46=20-0500 |Message-Id:=20|To:=20Arkadius=20Litwinczuk=20|Cc:=20scep@vpnc.org|Mime-Version:=201.0=20(Apple =20Message=20framework=20v936)|Content-Transfer-Encoding: =20quoted-printable|In-Reply-To:=20|References: =20; bh=La7erY/KT+AgAYfoqef9ScLiDL2vQTa7fgJB53c5bnI=; b=dN4S1wpC96YZfyUfV7juV3VBmnjltFOcTrbRgcQhG957xdKBwHpTejM2 pCCew8etpTZ+S2cvq5dO6U7Awar6N3UModT55o6mw+pJdzKkF+jUMDpcq NIHOezXycDjoFQuA19LQg3OjsRhi7ESuWlY9irLMXLrAKojTNe6koi7Xl E=; Authentication-Results: sj-iport-2.cisco.com; dkim=pass (signature verified [TEST]) header.i=pritikin@cisco.com X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: ApoEAEPVzEqrR7PD/2dsb2JhbAC/dIhjAY83BoInBoF9 X-IronPort-AV: E=Sophos;i="4.44,522,1249257600"; d="scan'208";a="212286442" Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-2.cisco.com with ESMTP; 08 Oct 2009 00:42:47 +0000 Received: from sj-core-4.cisco.com (sj-core-4.cisco.com [171.68.223.138]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id n980glV9027575; Wed, 7 Oct 2009 17:42:47 -0700 Received: from [10.0.1.4] (stealth-10-32-244-67.cisco.com [10.32.244.67]) by sj-core-4.cisco.com (8.13.8/8.14.3) with ESMTP id n980gkAf026370; Thu, 8 Oct 2009 00:42:46 GMT Cc: scep@vpnc.org Message-Id: From: max pritikin To: Arkadius Litwinczuk In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed; delsp=yes Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Apple Message framework v936) Subject: Re: one more SCEP draft 19, getNextCA question Date: Wed, 7 Oct 2009 19:42:46 -0500 References: X-Mailer: Apple Mail (2.936) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2709; t=1254962567; x=1255826567; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=pritikin@cisco.com; z=From:=20max=20pritikin=20 |Subject:=20Re=3A=20one=20more=20SCEP=20draft=2019,=20getNe xtCA=20question |Sender:=20; bh=La7erY/KT+AgAYfoqef9ScLiDL2vQTa7fgJB53c5bnI=; b=ELnpQApU5l3swhJm2P6PCz36CoI0ecMVc0r45AXp5RA7yqYiVy37rv5g6T kqa7Wu5N0ZVNRww07YFMIekP/WNBmN0TKZhAs/C+2P6eiPCge5LC9/gKm9cQ TqOehg7BVd; Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Arkadius, On Oct 7, 2009, at 6:29 AM, Arkadius Litwinczuk wrote: > > Hi Max, > > I have an other question regarding the getNextCA operation. We =20 > cleared the MIME type but, The current draft text indicates "application/x-x509-next-ca-cert" but =20= the figure erroneously indicated the wrong mime type. I've updated =20 this for the next draft. > the current version also does not specify the SCEP messageType does =20= > it ? Is it CertRep so the corresponding decimal 3 ? Section 5.2.6.1 references the GetNextCACert response definition in =20 section 4.6.1. This in turn clarifies that the response format is =20 equivalent to the CA and RA certificates response which is defined in =20= 5.2.1.1.2 which was introduced in 4.1.1.2. A confusing trail but =20 ultimately accurate (I think). There is no indication of the messageType attribute value being set at =20= all; much like how there is none set for GetCACert. > Also I assume that the response > "Content-Type:application/x-x509-next-ca-certt\n\n" > > > is also a base64 and DER encoded right? Only to clarify sorry if I =20 > missed something in the draft describing this. As with the GetCACert response (section 4.1.1.2) this would be a =20 binary response without the base64 encoding. Does this help answer your questions? - max > > Kind regards, > > Arkadius > > > > --=20 > > Informationen (einschlie=DFlich Pflichtangaben) zu einzelnen, =20 > innerhalb der EU t=E4tigen Gesellschaften und Zweigniederlassungen des = =20 > Konzerns Deutsche Bank finden Sie unter = http://www.db.com/de/content/pflichtangaben.htm=20 > . Diese E-Mail enth=E4lt vertrauliche und/ oder rechtlich gesch=FCtzte = =20 > Informationen. Wenn Sie nicht der richtige Adressat sind oder diese =20= > E-Mail irrt=FCmlich erhalten haben, informieren Sie bitte sofort den =20= > Absender und vernichten Sie diese E-Mail. Das unerlaubte Kopieren =20 > sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet. > > Please refer to http://www.db.com/en/content/eu_disclosures.htm for =20= > information (including mandatory corporate particulars) on selected =20= > Deutsche Bank branches and group companies registered or =20 > incorporated in the European Union. This e-mail may contain =20 > confidential and/or privileged information. If you are not the =20 > intended recipient (or have received this e-mail in error) please =20 > notify the sender immediately and delete this e-mail. Any =20 > unauthorized copying, disclosure or distribution of the material in =20= > this e-mail is strictly forbidden. From owner-scep Wed Oct 14 07:02:54 2009 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n9EE2siP044635 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 14 Oct 2009 07:02:54 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n9EE2s2u044634; Wed, 14 Oct 2009 07:02:54 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from nyjinimrp9.us.db.com (nyjinimrp9.us.db.com [160.83.90.14]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n9EE2g3W044622 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL) for ; Wed, 14 Oct 2009 07:02:53 -0700 (MST) (envelope-from arkadius.litwinczuk@db.com) Received: from msgr0003.de.db.com (defrwmr031dbk36.de.db.com [10.225.18.102]) by nyjinimrp9.us.db.com (8.14.3/8.14.3) with ESMTP id n9EE2ex7030036 for ; Wed, 14 Oct 2009 10:02:41 -0400 In-Reply-To: <1A3D2A0F-D28A-466C-8E27-EB42AC492EC8@cisco.com> To: scep@vpnc.org Subject: Antwort: Re: Antwort: Re: one more SCEP draft 19, getNextCA question MIME-Version: 1.0 X-Mailer: Lotus Notes Release 6.5.5 November 30, 2005 From: Arkadius Litwinczuk X-MIMETrack: S/MIME Sign by Notes Client on Arkadius Litwinczuk/db/dbcom(Release 6.5.5|November 30, 2005) at 14.10.2009 16:02:31, Serialize by Notes Client on Arkadius Litwinczuk/db/dbcom(Release 6.5.5|November 30, 2005) at 14.10.2009 16:02:31, Serialize complete at 14.10.2009 16:02:31, S/MIME Sign failed at 14.10.2009 16:02:31: The cryptographic key was not found, Serialize by Router on MSGR0003/srv/dbsmtp(Release 6.5.5FP2 HF430|July 06, 2007) at 14.10.2009 16:02:41, Serialize complete at 14.10.2009 16:02:41 Message-ID: Date: Wed, 14 Oct 2009 16:02:31 +0200 Content-Type: multipart/alternative; boundary="=_alternative 004D22A8C125764F_=" Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: This is a multipart message in MIME format. --=_alternative 004D22A8C125764F_= Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: quoted-printable Hi Max,=20 thanks for the quick response. First of all what is "RA Mode" for you? I was thinking about the problem and a nice solution would be a extended=20 key usage attribute that could be used for the SCEP certificate which=20 would indicate that this certificate is actually allowed to sign a=20 getNextCA message. Any thoughts on this ? Now back to the original problem I think the response how it is defined=20 now pointing to the getCA responses is simply wrong. It points to a=20 response that has no signers so it's useless to carry any important data=20 that needs to be protected from manipulation.=20 Because the response needs to be a CertRep or an own response. This=20 response since it's signed data requires a valid SCEP PKCS#7 envelope with= =20 messageType and transactionID and so on and a PKCS#7 with the next CA as=20 the payload. So yes there are the missing fields, but these only need to=20 be defined for a getNextCA response to make it work. There is no need for=20 a Nonce or Transaction ID so they can be simply set to zero. So wouldn't=20 it be the best way to define the missing fields for the getNextCA response= =20 as a valid signed SCEP pkiMessage type?=20 Kind regards,=20 Arkadius=20 max pritikin =20 12.10.2009 20:50 An max pritikin Kopie Arkadius Litwinczuk Thema Re: Antwort: Re: one more SCEP draft 19, getNextCA question=20 Arkadius, fyi- With the clarity of a monday morning I've gone back and looked at our=20 reference implementation and reviewed the document in this area. I=20 think the original text may have been more confusing but more accurate. In particular it is difficult to respond with a CertRep since a=20 CertRep MUST include the following attributes: ? the transactionID attribute copied from the request we=20 are=20 responding to ? a messageType attribute set to CertRep ? a senderNonce attribute ? a recipientNonce attribute copied from the senderNonce=20 from=20the=20 request we are responding to. ? a pkiStatus set to the status of the reply. But a CerReq was not used to initiate this response and thus the=20 transactionID, and senderNonce are unknown. - max On Oct 9, 2009, at 11:34 AM, max pritikin wrote: > > On Oct 8, 2009, at 7:11 AM, Arkadius Litwinczuk wrote: > >> >> Hi Max, >> >> alright I try to clarify my question. In 5.2.1.1.1and 5.2.1.1.2 the=20 >> getCA responses are not in anyway secured, and are also not=20 >> encapsulated in a SCEP pkiMessage, that requires transaction id and=20 >> messageType and so on. > > Agreed. > >> The return message for getNextCA on the other hand has to be signed, > > Agreed. > >> else you could simply accept any certificate as a trusted=20 >> certificate so this can't be right. The whole idea is to have a=20 >> secure manner to get the nextCA certificate to a client, and not=20 >> being required to install it manually. At least that is what I'm=20 >> hopping for. So the response message is in fact different from a=20 >> getCA response or it should be, it has a pkcs#7 envelope with all=20 >> required SCEP fields doesn't it ? > > The response is defined in 4.6.1: > >> The response consists of a SignedData PKCS#7 [RFC2315], signed by=20 >> the current CA (or RA) signing key. >> >> Clients MUST validate the signature on the the SignedData PKCS#7=20 >> [RFC2315] before accepting any of its contents. >> >> The content of the SignedData PKCS#7 [RFC2315] is a degenerate=20 >> certificates-only Signed-data message containing the new CA=20 >> certificate and any new RA certificates, as defined in Section=20 >> 5.2.1.1.2, to be used when the current CA certificate expires. >> > > I neglected to point out this layering in my initial response below. > >> in 3.1.1.2 : >> The messageType attribute specifies the type of operation=20 >> performed by the transaction. This attribute MUST be included in=20 >> all PKI messages. >> >> So in my opinion there should be a messageType defined for=20 >> getNextCA to stay correct, it is a full signed SCEP pkiMessage=20 >> envelope for signed data, in fact the most important data at all. > > It looks like the text of 4.6.1 should directly reference 3.2.2=20 > (CertRep) instead of referencing 5.2.1.1.2. The resulting first=20 > three paragraphs would look like: > "The response consists of a SignedData PKCS#7 [RFC2315], signed by=20 > the current CA (or RA) signing key. > > Clients MUST validate the signature on the the SignedData PKCS#7=20 > [RFC2315] before accepting any of its contents. > > The content of the SignedData PKCS#7 [RFC2315] is a CertRep as=20 > defined in Section 3.2.2, containing the new CA certificate and=20 > optional RA certificates to be used when the current CA certificate=20 > expires." > > I think this is clearer. Does it make sense to you as well? > >> But also I would like to explain a problem or better vulnerability=20 >> at this point. >> In a normal setup you would have the root certificate securely=20 >> distributed (mostly during the setup), the RA certificate this=20 >> would be the SCEP server certificate, would be send as signer=20 >> certificate in the message. The client can verify this certificate=20 >> against the root since it issued it and verifies it's trusted. So=20 >> far so good, but other certificates signed by the same CA are also=20 >> valid. If the attacker has a valid certificate issued by the same=20 >> CA he could spoof the connection, and inject a rogue CA. >> If the setup has a 1st level root CA and lets say 2nd level Server=20 >> CA and user CA, the problem is the same, the RA certificate would=20 >> be most likely issued by the server CA . >> The only way how to really secure this would be to sign the new=20 >> root CA with the old root CA. Or in this case sign the SCEM message=20 >> with the old root CA. This and a little more complex is also=20 >> described in the CMP protocol. >> The problem is now that a root CA should not be used for digital=20 >> signature. Regardless this is only a policy problem and would be=20 >> great if it could be optionally required to sign this nextCA=20 >> message by the old CA. To really have a secure distribution for the=20 >> next root CA. > > I agree and recommend only using RA mode for all SCEP servers. Thus=20 > the RA cert is used instead of the CA cert. See Section 8.2. > > - max > >> >> Let me know your thoughts on this. >> >> Kind regards, >> >> Arkadius >> >> >> >> >> >> >> >> max pritikin >> Gesendet von: owner-scep@mail.vpnc.org >> 08.10.2009 02:42 >> >> An >> Arkadius Litwinczuk >> Kopie >> scep@vpnc.org >> Thema >> Re: one more SCEP draft 19, getNextCA question >> >> >> >> >> >> >> >> Arkadius, >> >> On Oct 7, 2009, at 6:29 AM, Arkadius Litwinczuk wrote: >> >> > >> > Hi Max, >> > >> > I have an other question regarding the getNextCA operation. We >> > cleared the MIME type but, >> >> The current draft text indicates "application/x-x509-next-ca-cert"=20 >> but >> the figure erroneously indicated the wrong mime type. I've updated >> this for the next draft. >> >> > the current version also does not specify the SCEP messageType does >> > it ? Is it CertRep so the corresponding decimal 3 ? >> >> Section 5.2.6.1 references the GetNextCACert response definition in >> section 4.6.1. This in turn clarifies that the response format is >> equivalent to the CA and RA certificates response which is defined in >> 5.2.1.1.2 which was introduced in 4.1.1.2. A confusing trail but >> ultimately accurate (I think). >> >> There is no indication of the messageType attribute value being set=20 >> at >> all; much like how there is none set for GetCACert. >> >> >> > Also I assume that the response >> > "Content-Type:application/x-x509-next-ca-certt\n\n" >> > > >> > is also a base64 and DER encoded right? Only to clarify sorry if I >> > missed something in the draft describing this. >> >> As with the GetCACert response (section 4.1.1.2) this would be a >> binary response without the base64 encoding. >> >> Does this help answer your questions? >> >> - max >> >> > >> > Kind regards, >> > >> > Arkadius >> > >> > >> > >> > -- >> > >> > Informationen (einschlie=DFlich Pflichtangaben) zu einzelnen, >> > innerhalb der EU t=E4tigen Gesellschaften und Zweigniederlassungen=20 >> des >> > Konzerns Deutsche Bank finden Sie unter=20 http://www.db.com/de/content/pflichtangaben.htm >> > . Diese E-Mail enth=E4lt vertrauliche und/ oder rechtlich gesch=FCtzte >> > Informationen. Wenn Sie nicht der richtige Adressat sind oder diese >> > E-Mail irrt=FCmlich erhalten haben, informieren Sie bitte sofort den >> > Absender und vernichten Sie diese E-Mail. Das unerlaubte Kopieren >> > sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet. >> > >> > Please refer to http://www.db.com/en/content/eu_disclosures.htm for >> > information (including mandatory corporate particulars) on selected >> > Deutsche Bank branches and group companies registered or >> > incorporated in the European Union. This e-mail may contain >> > confidential and/or privileged information. If you are not the >> > intended recipient (or have received this e-mail in error) please >> > notify the sender immediately and delete this e-mail. Any >> > unauthorized copying, disclosure or distribution of the material in >> > this e-mail is strictly forbidden. >> >> >> >> --=20 >> >> Informationen (einschlie=DFlich Pflichtangaben) zu einzelnen,=20 >> innerhalb der EU t=E4tigen Gesellschaften und Zweigniederlassungen=20 >> des Konzerns Deutsche Bank finden Sie unter=20 http://www.db.com/de/content/pflichtangaben.htm=20 >> . Diese E-Mail enth=E4lt vertrauliche und/ oder rechtlich gesch=FCtzte=20 >> Informationen. Wenn Sie nicht der richtige Adressat sind oder diese=20 >> E-Mail irrt=FCmlich erhalten haben, informieren Sie bitte sofort den=20 >> Absender und vernichten Sie diese E-Mail. Das unerlaubte Kopieren=20 >> sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet. >> >> Please refer to http://www.db.com/en/content/eu_disclosures.htm for=20 >> information (including mandatory corporate particulars) on selected=20 >> Deutsche Bank branches and group companies registered or=20 >> incorporated in the European Union. This e-mail may contain=20 >> confidential and/or privileged information. If you are not the=20 >> intended recipient (or have received this e-mail in error) please=20 >> notify the sender immediately and delete this e-mail. Any=20 >> unauthorized copying, disclosure or distribution of the material in=20 >> this e-mail is strictly forbidden. > --=20 Informationen (einschlie=DFlich Pflichtangaben) zu einzelnen, innerhalb der= EU t=E4tigen Gesellschaften und Zweigniederlassungen des Konzerns Deutsche= Bank finden Sie unter http://www.db.com/de/content/pflichtangaben.htm. Die= se E-Mail enth=E4lt vertrauliche und/ oder rechtlich gesch=FCtzte Informati= onen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrt=FCml= ich erhalten haben, informieren Sie bitte sofort den Absender und vernichte= n Sie diese E-Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe = dieser E-Mail ist nicht gestattet. Please refer to http://www.db.com/en/content/eu_disclosures.htm for informa= tion (including mandatory corporate particulars) on selected Deutsche Bank = branches and group companies registered or incorporated in the European Uni= on. This e-mail may contain confidential and/or privileged information. If = you are not the intended recipient (or have received this e-mail in error) = please notify the sender immediately and delete this e-mail. Any unauthoriz= ed copying, disclosure or distribution of the material in this e-mail is st= rictly forbidden. --=_alternative 004D22A8C125764F_= Content-Type: text/html; charset="ISO-8859-1" Content-Transfer-Encoding: quoted-printable
Hi Max,

thanks for the quick response. First of all what is  "RA Mode" for you?
I was thinking about the problem and a nice solution would be a extended key usage attribute that could be used for the SCEP certificate which would indicate that this certificate is actually allowed to sign a getNextCA message. Any thoughts on this ?

Now back to the original problem I t= hink the response how it is defined now pointing to the getCA responses is simply wrong. It points to a response that has no signers so it's useless to carry any important data that needs to be protected from manipulation.
Because the response needs to be a <= /font>CertRep or an own response. This response since it's signed data requires a valid SCEP PKCS#7 envelope with messageType and transactionID and so on and a PKCS#7 with the next CA as the payload. So yes there are the missing fields, but these only need to be defined for a getNextCA response to make it work. There is no need for a Nonce or Transaction ID so they can be simply set to zero. So wouldn't it be the best way to define the missing fields for the getNextCA response as a valid signed SCEP pkiMessage type?

Kind regards,

Arkadius






max pritikin <prit= ikin@cisco.com>

12.10.2009 20:50

An
max pritikin <pritikin@cisco.com&= gt;
Kopie
Arkadius Litwinczuk <arkadius.lit= winczuk@db.com>
Thema
Re: Antwort: Re: one more SCEP draft 19, getNextCA question




Arkadius,

fyi-
With the clarity of a monday morning I've gone back and looked at our  = ;
reference implementation and reviewed the document in this area. I   think the original text may have been more confusing but more accurate.

In particular it is difficult to respond with a CertRep since a  
CertRep MUST include the following attributes:
                • the transactionID attribute copied from the request we are   responding to
                • a messageType attribute set to CertRep
                • a senderNonce attribute
                • a recipientNonce attribute copied from the senderNonce from the &nb= sp;
request we are responding to.
                • a pkiStatus set to the status of the reply.

But a CerReq was not used to initiate this response and thus the  
transactionID, and senderNonce are unknown.

- max

On Oct 9, 2009, at 11:34 AM, max pritikin wrote:

>
> On Oct 8, 2009, at 7:11 AM, Arkadius Litwinczuk wrote:
>
>>
>> Hi Max,
>>
>> alright I try to clarify my question. In 5.2.1.1.1and 5.2.1.1.2 the  
>> getCA responses are not in anyway secured, and are also not  =
>> encapsulated in a SCEP pkiMessage, that requires transaction id and  
>> messageType and so on.
>
> Agreed.
>
>> The return message for getNextCA on the other hand has to be signe= d,
>
> Agreed.
>
>> else you could simply accept any certificate as a trusted   >> certificate so this can't be right. The whole idea is to have a  
>> secure manner to get the nextCA certificate to a client, and not  
>> being required to install it manually. At least that is what I'm  
>> hopping for.  So the response message is in fact different from=20a  
>> getCA response or it should be, it has a pkcs#7 envelope with all  
>> required SCEP fields doesn't it ?
>
> The response is defined in 4.6.1:
>
>> The response consists of a SignedData PKCS#7 [RFC2315], signed by  
>> the current CA (or RA) signing key.
>>
>> Clients MUST validate the signature on the the SignedData PKCS#7  
>> [RFC2315] before accepting any of its contents.
>>
>> The content of the SignedData PKCS#7 [RFC2315] is a degenerate  
>> certificates-only Signed-data message containing the new CA  =
>> certificate and any new RA certificates, as defined in Section  
>> 5.2.1.1.2, to be used when the current CA certificate expires.
>>
>
> I neglected to point out this layering in my initial response below. >
>> in 3.1.1.2 :
>> The messageType attribute specifies the type of operation   >> performed  by the transaction.  This attribute MUST be included in  
>> all PKI messages.
>>
>> So in my opinion there should be a messageType defined for  <= br> >> getNextCA to stay correct, it is a full signed SCEP pkiMessage  
>> envelope for signed data, in fact the most important data at all.<= br> >
> It looks like the text of 4.6.1 should directly reference 3.2.2  =
> (CertRep) instead of referencing 5.2.1.1.2. The resulting first  =
> three paragraphs would look like:
> "The response consists of a SignedData PKCS#7 [RFC2315], signed by  
> the current CA (or RA) signing key.
>
> Clients MUST validate the signature on the the SignedData PKCS#7  = ;
> [RFC2315] before accepting any of its contents.
>
> The content of the SignedData PKCS#7 [RFC2315] is a CertRep as  <= br> > defined in Section 3.2.2, containing the new CA certificate and  =
> optional RA certificates to be used when the current CA certificate  
> expires."
>
> I think this is clearer. Does it make sense to you as well?
>
>> But also I would like to explain a problem or better vulnerability  
>> at this point.
>> In a normal setup you would have the root certificate securely  
>> distributed (mostly during the setup), the RA certificate this  
>> would be the SCEP server certificate, would be send as signer  
>> certificate in the message. The client can verify this certificate  
>> against the root since it issued it and verifies it's trusted. So  
>> far so good, but other certificates signed by the same CA are also  
>> valid. If the attacker has a valid certificate issued by the same  
>> CA he could spoof the connection, and inject a rogue CA.
>> If the setup has a 1st level root CA and lets say 2nd level Server  
>> CA and user CA, the problem is the same, the RA certificate would  
>> be most likely issued by the server CA .
>> The only way how to really secure this would be to sign the new  
>> root CA with the old root CA. Or in this case sign the SCEM message  
>> with the old root CA. This and a little more complex is also  = ;
>> described in the CMP protocol.
>> The problem is now that a root CA should not be used for digital  
>> signature. Regardless this is only a policy problem and would be  
>> great if it could be optionally required to sign this nextCA  = ;
>> message by the old CA. To really have a secure distribution for the  
>> next root CA.
>
> I agree and recommend only using RA mode for all SCEP servers. Thus  
> the RA cert is used instead of the CA cert. See Section 8.2.
>
> - max
>
>>
>> Let me know your thoughts on this.
>>
>> Kind regards,
>>
>> Arkadius
>>
>>
>>
>>
>>
>>
>>
>> max pritikin <pritikin@cisco.com>
>> Gesendet von: owner-scep@mail.vpnc.org
>> 08.10.2009 02:42
>>
>> An
>> Arkadius Litwinczuk <arkadius.litwinczuk@db.com>
>> Kopie
>> scep@vpnc.org
>> Thema
>> Re: one more SCEP draft 19, getNextCA question
>>
>>
>>
>>
>>
>>
>>
>> Arkadius,
>>
>> On Oct 7, 2009, at 6:29 AM, Arkadius Litwinczuk wrote:
>>
>> >
>> > Hi Max,
>> >
>> > I have an other question regarding the getNextCA operation. We
>> > cleared the MIME type but,
>>
>> The current draft text indicates "application/x-x509-next-ca-= cert"  
>> but
>> the figure erroneously indicated the wrong mime type. I've updated=
>> this for the next draft.
>>
>> > the current version also does not specify the SCEP messageType does
>> > it ? Is it CertRep  so the corresponding decimal 3 ?
>>
>> Section 5.2.6.1 references the GetNextCACert response definition in
>> section 4.6.1. This in turn clarifies that the response format is
>> equivalent to the CA and RA certificates response which is defined in
>> 5.2.1.1.2 which was introduced in 4.1.1.2. A confusing trail but >> ultimately accurate (I think).
>>
>> There is no indication of the messageType attribute value being set  
>> at
>> all; much like how there is none set for GetCACert.
>>
>>
>> > Also I assume that the response
>> >  "Content-Type:application/x-x509-next-ca-certt\n\n= "
>> > <BER-encoded SignedData<BER-encoded degenerate PKCS7>= ;>
>> > is also a base64 and DER encoded right? Only to clarify sorry if I
>> > missed something in the draft describing this.
>>
>> As with the GetCACert response (section 4.1.1.2) this would be a
>> binary response without the base64 encoding.
>>
>> Does this help answer your questions?
>>
>> - max
>>
>> >
>> > Kind regards,
>> >
>> > Arkadius
>> >
>> >
>> >
>> > --
>> >
>> > Informationen (einschlie=DFlich Pflichtangaben) zu einzelnen,=
>> > innerhalb der EU t=E4tigen Gesellschaften und Zweigniederlass= ungen  
>> des
>> > Konzerns Deutsche Bank finden Sie unter http://www.db.com/de/= content/pflichtangaben.htm
>> > . Diese E-Mail enth=E4lt vertrauliche und/ oder rechtlich ges= ch=FCtzte
>> > Informationen. Wenn Sie nicht der richtige Adressat sind oder diese
>> > E-Mail irrt=FCmlich erhalten haben, informieren Sie bitte sof= ort den
>> > Absender und vernichten Sie diese E-Mail. Das unerlaubte Kopieren
>> > sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestat= tet.
>> >
>> > Please refer to http://www.db.com/en/content/eu_disclosures.h= tm for
>> > information (including mandatory corporate particulars) on selected
>> > Deutsche Bank branches and group companies registered or
>> > incorporated in the European Union. This e-mail may contain >> > confidential and/or privileged information. If you are not the
>> > intended recipient (or have received this e-mail in error) please
>> > notify the sender immediately and delete this e-mail. Any
>> > unauthorized copying, disclosure or distribution of the mater= ial in
>> > this e-mail is strictly forbidden.
>>
>>
>>
>> --
>>
>> Informationen (einschlie=DFlich Pflichtangaben) zu einzelnen, &nbs= p;
>> innerhalb der EU t=E4tigen Gesellschaften und Zweigniederlassungen  
>> des Konzerns Deutsche Bank finden Sie unter http://www.db.com/de/c= ontent/pflichtangaben.htm
>> . Diese E-Mail enth=E4lt vertrauliche und/ oder rechtlich gesch=FC= tzte  
>> Informationen. Wenn Sie nicht der richtige Adressat sind oder diese  
>> E-Mail irrt=FCmlich erhalten haben, informieren Sie bitte sofort den  
>> Absender und vernichten Sie diese E-Mail. Das unerlaubte Kopieren  
>> sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet.<= br> >>
>> Please refer to http://www.db.com/en/content/eu_disclosures.htm for  
>> information (including mandatory corporate particulars) on selected  
>> Deutsche Bank branches and group companies registered or  
>> incorporated in the European Union. This e-mail may contain  =
>> confidential and/or privileged information. If you are not the  
>> intended recipient (or have received this e-mail in error) please  
>> notify the sender immediately and delete this e-mail. Any   >> unauthorized copying, disclosure or distribution of the material in  
>> this e-mail is strictly forbidden.
>

--

Informationen (einschlie=DFlich Pflichtangaben) zu einzeln= en, innerhalb der EU t=E4tigen Gesellschaften und Zweigniederlassungen des = Konzerns Deutsche Bank finden Sie unter http://w= ww.db.com/de/content/pflichtangaben.htm. Diese = E-Mail enth=E4lt vertrauliche und/ oder rechtlich gesch=FCtzte Informatione= n. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrt=FCmlich= erhalten haben, informieren Sie bitte sofort den Absender und vernichten S= ie diese E-Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe die= ser E-Mail ist nicht gestattet.

Please refer to http://www.db.c= om/en/content/eu_disclosures.htm for informatio= n (including mandatory corporate particulars) on selected Deutsche Bank bra= nches and group companies registered or incorporated in the European Union.= This e-mail may contain confidential and/or privileged information. If you= are not the intended recipient (or have received this e-mail in error) ple= ase notify the sender immediately and delete this e-mail. Any unauthorized = copying, disclosure or distribution of the material in this e-mail is stric= tly forbidden. --=_alternative 004D22A8C125764F_=-- From owner-scep Wed Oct 14 08:54:36 2009 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n9EFsaHS052206 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 14 Oct 2009 08:54:36 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n9EFsaYd052205; Wed, 14 Oct 2009 08:54:36 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n9EFsURE052197 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=FAIL) for ; Wed, 14 Oct 2009 08:54:35 -0700 (MST) (envelope-from pritikin@cisco.com) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=pritikin@cisco.com; l=14044; q=dns/txt; s=sjiport05001; t=1255535675; x=1256745275; h=from:sender:reply-to:subject:date:message-id:to:cc: mime-version:content-transfer-encoding:content-id: content-description:resent-date:resent-from:resent-sender: resent-to:resent-cc:resent-message-id:in-reply-to: references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:list-owner:list-archive; z=From:=20max=20pritikin=20|Subject: =20Re:=20Antwort:=20Re:=20Antwort:=20Re:=20one=20more=20S CEP=20draft=2019,=20getNextCA=20question|Date:=20Wed,=201 4=20Oct=202009=2010:54:27=20-0500|Message-Id:=20<019F5305 -625D-4E50-88C3-E5B38F4EAC76@cisco.com>|To:=20Arkadius=20 Litwinczuk=20|Cc:=20scep@vpnc .org|Mime-Version:=201.0=20(Apple=20Message=20framework =20v936)|Content-Transfer-Encoding:=20quoted-printable |In-Reply-To:=20|References:=20; bh=xYeZDT2KDtlUrVG3+NraRdSWptY0xuZWGP23FyELuZA=; b=XZvqrm3sn3Eew57DkPpz/W9gJDDd5+FjKmGPwiwK5zZClNr2s5O1RV8n 1ZQBcwq8Dvq7ytPx7Qkh8Gy2GhV2J03tvopJ2xllu8e59dSXCfUv3gQjA VOGgHq+r16RRUxOnfVFXdohCm6xGZY+RZbd3KHoomqb3u4zjBNbexfqEG w=; Authentication-Results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: ApoEAD2R1UqrRN+K/2dsb2JhbADBYZhWgigGEoFuBIFbiTo X-IronPort-AV: E=Sophos;i="4.44,559,1249257600"; d="scan'208";a="98793518" Received: from sj-core-4.cisco.com ([171.68.223.138]) by sj-iport-5.cisco.com with ESMTP; 14 Oct 2009 15:54:28 +0000 Received: from [192.168.1.126] (sjc-vpn5-1093.cisco.com [10.21.92.69]) by sj-core-4.cisco.com (8.13.8/8.14.3) with ESMTP id n9EFsRn1008378; Wed, 14 Oct 2009 15:54:28 GMT Cc: scep@vpnc.org Message-Id: <019F5305-625D-4E50-88C3-E5B38F4EAC76@cisco.com> From: max pritikin To: Arkadius Litwinczuk In-Reply-To: Content-Type: text/plain; charset=WINDOWS-1252; format=flowed; delsp=yes Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (Apple Message framework v936) Subject: Re: Antwort: Re: Antwort: Re: one more SCEP draft 19, getNextCA question Date: Wed, 14 Oct 2009 10:54:27 -0500 References: X-Mailer: Apple Mail (2.936) Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: On Oct 14, 2009, at 9:02 AM, Arkadius Litwinczuk wrote: > > Hi Max, > > thanks for the quick response. First of all what is "RA Mode" for =20 > you? When the SCEP server is running in 'ra mode' it uses an RA certificate =20= (see Section 2.1.3). I agree this could be clearer and will look at =20 how to add text about this. > I was thinking about the problem and a nice solution would be a =20 > extended key usage attribute that could be used for the SCEP =20 > certificate which would indicate that this certificate is actually =20 > allowed to sign a getNextCA message. Any thoughts on this ? "Clients MUST verify the authorization of the RA certificates. The =20 authorization mechanism is specified by the CA administrator and is =20 out of scope for this document." I don't think we can specify the exact mechanism for this =20 authorization at this point. I agree that this is a weak point. > Now back to the original problem I think the response how it is =20 > defined now pointing to the getCA responses is simply wrong. It =20 > points to a response that has no signers so it's useless to carry =20 > any important data that needs to be protected from manipulation. > Because the response needs to be a CertRep or an own response. This =20= > response since it's signed data requires a valid SCEP PKCS#7 =20 > envelope with messageType and transactionID and so on and a PKCS#7 =20 > with the next CA as the payload. So yes there are the missing =20 > fields, but these only need to be defined for a getNextCA response =20 > to make it work. There is no need for a Nonce or Transaction ID so =20 > they can be simply set to zero. So wouldn't it be the best way to =20 > define the missing fields for the getNextCA response as a valid =20 > signed SCEP pkiMessage type? 4.6.1 says "The response consists of a SignedData PKCS#7 [RFC2315], =20 signed by the current CA (or RA) signing key. The response consists of =20= a SignedData PKCS#7 [RFC2315], signed by the current CA (or RA) =20 signing key." So this is a signed response. Where "The content of the SignedData PKCS#7 [RFC2315] is a degenerate =20= certificates-only Signed-data message containing ...". So the signed =20 response contains this unsigned degenerate certificates-only data =20 message. There is no need to include transaction attributes; since the =20= "messageType" is known by context, and the pkiStatus is known since =20 'reject' or 'pending' don't make sense in this context. - max > > Kind regards, > > Arkadius > > > > > > > max pritikin > 12.10.2009 20:50 > > An > max pritikin > Kopie > Arkadius Litwinczuk > Thema > Re: Antwort: Re: one more SCEP draft 19, getNextCA question > > > > > > Arkadius, > > fyi- > With the clarity of a monday morning I've gone back and looked at our > reference implementation and reviewed the document in this area. I > think the original text may have been more confusing but more =20 > accurate. > > In particular it is difficult to respond with a CertRep since a > CertRep MUST include the following attributes: > =95 the transactionID attribute copied from the =20 > request we are > responding to > =95 a messageType attribute set to CertRep > =95 a senderNonce attribute > =95 a recipientNonce attribute copied from the =20 > senderNonce from the > request we are responding to. > =95 a pkiStatus set to the status of the reply. > > But a CerReq was not used to initiate this response and thus the > transactionID, and senderNonce are unknown. > > - max > > On Oct 9, 2009, at 11:34 AM, max pritikin wrote: > > > > > On Oct 8, 2009, at 7:11 AM, Arkadius Litwinczuk wrote: > > > >> > >> Hi Max, > >> > >> alright I try to clarify my question. In 5.2.1.1.1and 5.2.1.1.2 the > >> getCA responses are not in anyway secured, and are also not > >> encapsulated in a SCEP pkiMessage, that requires transaction id and > >> messageType and so on. > > > > Agreed. > > > >> The return message for getNextCA on the other hand has to be =20 > signed, > > > > Agreed. > > > >> else you could simply accept any certificate as a trusted > >> certificate so this can't be right. The whole idea is to have a > >> secure manner to get the nextCA certificate to a client, and not > >> being required to install it manually. At least that is what I'm > >> hopping for. So the response message is in fact different from a > >> getCA response or it should be, it has a pkcs#7 envelope with all > >> required SCEP fields doesn't it ? > > > > The response is defined in 4.6.1: > > > >> The response consists of a SignedData PKCS#7 [RFC2315], signed by > >> the current CA (or RA) signing key. > >> > >> Clients MUST validate the signature on the the SignedData PKCS#7 > >> [RFC2315] before accepting any of its contents. > >> > >> The content of the SignedData PKCS#7 [RFC2315] is a degenerate > >> certificates-only Signed-data message containing the new CA > >> certificate and any new RA certificates, as defined in Section > >> 5.2.1.1.2, to be used when the current CA certificate expires. > >> > > > > I neglected to point out this layering in my initial response below. > > > >> in 3.1.1.2 : > >> The messageType attribute specifies the type of operation > >> performed by the transaction. This attribute MUST be included in > >> all PKI messages. > >> > >> So in my opinion there should be a messageType defined for > >> getNextCA to stay correct, it is a full signed SCEP pkiMessage > >> envelope for signed data, in fact the most important data at all. > > > > It looks like the text of 4.6.1 should directly reference 3.2.2 > > (CertRep) instead of referencing 5.2.1.1.2. The resulting first > > three paragraphs would look like: > > "The response consists of a SignedData PKCS#7 [RFC2315], signed by > > the current CA (or RA) signing key. > > > > Clients MUST validate the signature on the the SignedData PKCS#7 > > [RFC2315] before accepting any of its contents. > > > > The content of the SignedData PKCS#7 [RFC2315] is a CertRep as > > defined in Section 3.2.2, containing the new CA certificate and > > optional RA certificates to be used when the current CA certificate > > expires." > > > > I think this is clearer. Does it make sense to you as well? > > > >> But also I would like to explain a problem or better vulnerability > >> at this point. > >> In a normal setup you would have the root certificate securely > >> distributed (mostly during the setup), the RA certificate this > >> would be the SCEP server certificate, would be send as signer > >> certificate in the message. The client can verify this certificate > >> against the root since it issued it and verifies it's trusted. So > >> far so good, but other certificates signed by the same CA are also > >> valid. If the attacker has a valid certificate issued by the same > >> CA he could spoof the connection, and inject a rogue CA. > >> If the setup has a 1st level root CA and lets say 2nd level Server > >> CA and user CA, the problem is the same, the RA certificate would > >> be most likely issued by the server CA . > >> The only way how to really secure this would be to sign the new > >> root CA with the old root CA. Or in this case sign the SCEM message > >> with the old root CA. This and a little more complex is also > >> described in the CMP protocol. > >> The problem is now that a root CA should not be used for digital > >> signature. Regardless this is only a policy problem and would be > >> great if it could be optionally required to sign this nextCA > >> message by the old CA. To really have a secure distribution for the > >> next root CA. > > > > I agree and recommend only using RA mode for all SCEP servers. Thus > > the RA cert is used instead of the CA cert. See Section 8.2. > > > > - max > > > >> > >> Let me know your thoughts on this. > >> > >> Kind regards, > >> > >> Arkadius > >> > >> > >> > >> > >> > >> > >> > >> max pritikin > >> Gesendet von: owner-scep@mail.vpnc.org > >> 08.10.2009 02:42 > >> > >> An > >> Arkadius Litwinczuk > >> Kopie > >> scep@vpnc.org > >> Thema > >> Re: one more SCEP draft 19, getNextCA question > >> > >> > >> > >> > >> > >> > >> > >> Arkadius, > >> > >> On Oct 7, 2009, at 6:29 AM, Arkadius Litwinczuk wrote: > >> > >> > > >> > Hi Max, > >> > > >> > I have an other question regarding the getNextCA operation. We > >> > cleared the MIME type but, > >> > >> The current draft text indicates "application/x-x509-next-ca-cert" > >> but > >> the figure erroneously indicated the wrong mime type. I've updated > >> this for the next draft. > >> > >> > the current version also does not specify the SCEP messageType =20= > does > >> > it ? Is it CertRep so the corresponding decimal 3 ? > >> > >> Section 5.2.6.1 references the GetNextCACert response definition in > >> section 4.6.1. This in turn clarifies that the response format is > >> equivalent to the CA and RA certificates response which is =20 > defined in > >> 5.2.1.1.2 which was introduced in 4.1.1.2. A confusing trail but > >> ultimately accurate (I think). > >> > >> There is no indication of the messageType attribute value being set > >> at > >> all; much like how there is none set for GetCACert. > >> > >> > >> > Also I assume that the response > >> > "Content-Type:application/x-x509-next-ca-certt\n\n" > >> > > > >> > is also a base64 and DER encoded right? Only to clarify sorry =20 > if I > >> > missed something in the draft describing this. > >> > >> As with the GetCACert response (section 4.1.1.2) this would be a > >> binary response without the base64 encoding. > >> > >> Does this help answer your questions? > >> > >> - max > >> > >> > > >> > Kind regards, > >> > > >> > Arkadius > >> > > >> > > >> > > >> > -- > >> > > >> > Informationen (einschlie=DFlich Pflichtangaben) zu einzelnen, > >> > innerhalb der EU t=E4tigen Gesellschaften und = Zweigniederlassungen > >> des > >> > Konzerns Deutsche Bank finden Sie unter = http://www.db.com/de/content/pflichtangaben.htm > >> > . Diese E-Mail enth=E4lt vertrauliche und/ oder rechtlich =20 > gesch=FCtzte > >> > Informationen. Wenn Sie nicht der richtige Adressat sind oder =20 > diese > >> > E-Mail irrt=FCmlich erhalten haben, informieren Sie bitte sofort =20= > den > >> > Absender und vernichten Sie diese E-Mail. Das unerlaubte Kopieren > >> > sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet. > >> > > >> > Please refer to http://www.db.com/en/content/eu_disclosures.htm =20= > for > >> > information (including mandatory corporate particulars) on =20 > selected > >> > Deutsche Bank branches and group companies registered or > >> > incorporated in the European Union. This e-mail may contain > >> > confidential and/or privileged information. If you are not the > >> > intended recipient (or have received this e-mail in error) please > >> > notify the sender immediately and delete this e-mail. Any > >> > unauthorized copying, disclosure or distribution of the =20 > material in > >> > this e-mail is strictly forbidden. > >> > >> > >> > >> -- > >> > >> Informationen (einschlie=DFlich Pflichtangaben) zu einzelnen, > >> innerhalb der EU t=E4tigen Gesellschaften und Zweigniederlassungen > >> des Konzerns Deutsche Bank finden Sie unter = http://www.db.com/de/content/pflichtangaben.htm > >> . Diese E-Mail enth=E4lt vertrauliche und/ oder rechtlich = gesch=FCtzte > >> Informationen. Wenn Sie nicht der richtige Adressat sind oder diese > >> E-Mail irrt=FCmlich erhalten haben, informieren Sie bitte sofort = den > >> Absender und vernichten Sie diese E-Mail. Das unerlaubte Kopieren > >> sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet. > >> > >> Please refer to http://www.db.com/en/content/eu_disclosures.htm for > >> information (including mandatory corporate particulars) on selected > >> Deutsche Bank branches and group companies registered or > >> incorporated in the European Union. This e-mail may contain > >> confidential and/or privileged information. If you are not the > >> intended recipient (or have received this e-mail in error) please > >> notify the sender immediately and delete this e-mail. Any > >> unauthorized copying, disclosure or distribution of the material in > >> this e-mail is strictly forbidden. > > > > > > --=20 > > Informationen (einschlie=DFlich Pflichtangaben) zu einzelnen, =20 > innerhalb der EU t=E4tigen Gesellschaften und Zweigniederlassungen des = =20 > Konzerns Deutsche Bank finden Sie unter = http://www.db.com/de/content/pflichtangaben.htm=20 > . Diese E-Mail enth=E4lt vertrauliche und/ oder rechtlich gesch=FCtzte = =20 > Informationen. Wenn Sie nicht der richtige Adressat sind oder diese =20= > E-Mail irrt=FCmlich erhalten haben, informieren Sie bitte sofort den =20= > Absender und vernichten Sie diese E-Mail. Das unerlaubte Kopieren =20 > sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet. > > Please refer to http://www.db.com/en/content/eu_disclosures.htm for =20= > information (including mandatory corporate particulars) on selected =20= > Deutsche Bank branches and group companies registered or =20 > incorporated in the European Union. This e-mail may contain =20 > confidential and/or privileged information. If you are not the =20 > intended recipient (or have received this e-mail in error) please =20 > notify the sender immediately and delete this e-mail. Any =20 > unauthorized copying, disclosure or distribution of the material in =20= > this e-mail is strictly forbidden. From owner-scep Wed Mar 3 03:51:19 2010 Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id o23ApJ7i093876 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 3 Mar 2010 03:51:19 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id o23ApJ87093875; Wed, 3 Mar 2010 03:51:19 -0700 (MST) (envelope-from owner-scep@mail.vpnc.org) X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-scep@mail.vpnc.org using -f Received: from fg-out-1718.google.com (fg-out-1718.google.com [72.14.220.159]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id o23ApHf1093869 for ; Wed, 3 Mar 2010 03:51:18 -0700 (MST) (envelope-from david@grant.org.uk) Received: by fg-out-1718.google.com with SMTP id 19so287391fgg.9 for ; Wed, 03 Mar 2010 02:51:16 -0800 (PST) MIME-Version: 1.0 Received: by 10.102.171.21 with SMTP id t21mr5855434mue.53.1267613476157; Wed, 03 Mar 2010 02:51:16 -0800 (PST) From: David Grant Date: Wed, 3 Mar 2010 10:50:56 +0000 Message-ID: Subject: Announcement of jSCEP (Java SCEP Library) To: scep@vpnc.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Sender: owner-scep@mail.vpnc.org Precedence: bulk List-Archive: List-Unsubscribe: List-ID: Dear VPNC List Members, I am please to announce the general availability of release 1.0.0 of a new open source SCEP library for Java, jSCEP [http://goo.gl/ANFN]. The project site and source repository is hosted at Google Code, and from there you can view the project manual, download the api and client libraries, and raise and track issues or new feature requests. For those using Apache Maven for project management, jSCEP is also available from the central Maven repository. =C2=A0The project is in need of a little polish, especially in the documentation. =C2=A0If this is useful to you, please help drive the project forward by providing feedback, either through one of the jSCEP mailing lists, or by creating a new issue. Future plans include providing some sample applications, a test suite for server interoperability, and providing a SCEP servlet adaptor for PKI services. Many thanks, David Grant Project Author