- Number of slides: 9
CMP Presentation Stephen Farrell Baltimore Technologies
Outline
• Provide historical perspective
• Highlight major features of the protocol
• Provide a status update and expected future direction
• Thanks to:
  – Steve Lloyd and Carlisle Adams, who prepared the initial version of these slides
Historical Perspective
• Discussed within the IETF PKIX working group since early 1996
• RFC 2510 (March 1999); an update is in draft stage
• Editors:
  – Carlisle Adams (Entrust Technologies)
  – Stephen Farrell (Baltimore Technologies)
• Reflects all aspects of comprehensive certificate/key life cycle management
• Based on earlier experience with the EU SESAME project and Nortel’s (later Entrust’s) SEP
• Major CMC/CMP kerfuffle -> CRMF (RFC 2511)
Certificate/Key Life Cycle Management
• Key pair generation
• Certificate creation
• Key pair distribution to end-entity as required
• Encryption/decryption key pair backup
• Encryption/decryption key pair recovery
• Key update/renewal
• Certificate revocation
• Certificate and revocation information retrieval
• Cross-certification
• CA key rollover
• Certificate/key archival
Noteworthy Features/Options
• Accommodates multiple PKI-component variations (i.e., CA-CA, CA-RA, EE-CA, EE-RA, even EE-RA-RA-CA!)
• Supports both hierarchical and networked trust models
• Supports explicit proof of possession (POP) when signing keys are not available
• Supports secure, in-band installation of the PKI trust anchor
• Supports a generic message structure to convey additional operational aspects/information
• Supports two-way, three-way and four-way protocol exchanges
• RFC 2511 (CRMF) is common to CMC and CMP
What about Interoperability?
• As with any feature-rich, flexible protocol, functional subsets are expected to be defined
• Minimum interoperability profiles already specified (CMP Appendix B)
  – CA-TALK list (ICSA-driven interop) has been working through this set of operations
  – Now a PKI Forum activity
• Other profiles expected to be defined based on target domain requirements
CMP 2000 (Version 2)
• draft-ietf-pkix-rfc2510bis-00.txt
• Nearing completion (“speak now or…”)
• Main differences from RFC 2510:
  – text is clarified based on experience with CMP interoperability trials and mail list feedback
  – confirmation for selected certificates added
  – additional acknowledgement message from CA to EE has been added to trigger EE operation (when required)
  – transport-specific issues removed (due to re-use elsewhere, e.g. TSP, LAAP, …)
  – POP simplified
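The four-way exchange named on the features slide and the two version 2 additions listed above (confirmation for selected certificates, and the CA's acknowledgement back to the EE) fit together as ir -> ip -> certConf -> pkiconf, the body names used by CMP version 2 (the rfc2510bis draft, later published as RFC 4210). The Python below is an added example, not code from these slides or from any CMP implementation: it simulates that exchange end to end with the header fields CMP uses to bind a transaction together (transactionID, senderNonce/recipNonce) and a MAC over header and body, and shows the two checks a responder must make (protection, nonce chaining) rejecting a faulted message. Messages are plain dicts rather than DER; the protection is a simplified HMAC-SHA256 under a pre-shared secret rather than CMP's PasswordBasedMac key derivation; the names device-42 and Example CA, serial 4242, the secret and the `tamper` switch are constructed for the example.

```python
"""Simulated CMP v2 enrolment: ir -> ip -> certConf -> pkiconf (added example)."""
import hashlib
import hmac
import json
import os

# Constructed pre-shared secret, as if distributed out of band for initial enrolment.
SECRET = b"enrolment-secret-shared-out-of-band"


class CMPError(Exception):
    """Raised when a message fails the protection, transaction or nonce checks."""


def _payload(header, body):
    # Canonical bytes the MAC covers (stands in for the DER of the protected part).
    return json.dumps({"header": header, "body": body}, sort_keys=True).encode()


def build(secret, sender, recipient, body_type, body, txid, sender_nonce, recip_nonce=None):
    """Assemble a PKIMessage-like dict with header, body and MAC protection.

    Assumption: plain HMAC-SHA256 under the shared secret, instead of the
    PasswordBasedMac derivation (salt, OWF, iterationCount) that real CMP uses.
    """
    header = {
        "pvno": 2,  # cmp2000
        "sender": sender,
        "recipient": recipient,
        "transactionID": txid.hex(),
        "senderNonce": sender_nonce.hex(),
        "recipNonce": recip_nonce.hex() if recip_nonce else None,
    }
    wrapped = {body_type: body}
    mac = hmac.new(secret, _payload(header, wrapped), hashlib.sha256).hexdigest()
    return {"header": header, "body": wrapped, "protection": mac}


def check(secret, msg, expect_type, txid, expect_recip_nonce):
    """Verify MAC, transaction binding and nonce chaining; return the inner body."""
    h = msg["header"]
    want = hmac.new(secret, _payload(h, msg["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, msg["protection"]):
        raise CMPError("protection check failed")
    if h["transactionID"] != txid.hex():
        raise CMPError("transactionID mismatch")
    # recipNonce must echo the senderNonce we put on our previous message,
    # otherwise an old response could be replayed into this transaction.
    if expect_recip_nonce is not None and h["recipNonce"] != expect_recip_nonce.hex():
        raise CMPError("recipNonce does not match our senderNonce")
    if expect_type not in msg["body"]:
        raise CMPError("expected %s, got %s" % (expect_type, list(msg["body"])))
    return msg["body"][expect_type]


def cert_hash(cert):
    """Hash the (here: dict-encoded) certificate, as certConf.certHash does."""
    return hashlib.sha256(json.dumps(cert, sort_keys=True).encode()).hexdigest()


def run_enrolment(secret=SECRET, tamper=None):
    """Run the four-way exchange; `tamper` injects a fault ("mac" or "nonce")."""
    txid = os.urandom(16)
    ee, ca = "CN=device-42", "CN=Example CA"  # constructed names
    pending = {}  # CA side: issued certificates awaiting certConf

    # 1. EE -> CA: initialization request (ir) carrying a certificate template
    n1 = os.urandom(16)
    template = {"subject": ee, "publicKey": "<spki bytes>"}
    ir = build(secret, ee, ca, "ir", {"certTemplate": template}, txid, n1)
    if tamper == "mac":
        ir["protection"] = "00" * 32

    # 2. CA -> EE: initialization response (ip) with the new certificate
    req = check(secret, ir, "ir", txid, None)
    cert = {"serial": 4242, "subject": req["certTemplate"]["subject"], "issuer": ca}
    pending[cert["serial"]] = cert
    n2 = os.urandom(16)
    ip = build(secret, ca, ee, "ip", {"status": "accepted", "certifiedKeyPair": cert},
               txid, n2, n1)

    # 3. EE -> CA: certConf (added in v2) naming the exact certificate by hash
    resp = check(secret, ip, "ip", txid, n1)
    n3 = os.urandom(16)
    conf = {"certReqId": 0, "certHash": cert_hash(resp["certifiedKeyPair"])}
    echo = os.urandom(16) if tamper == "nonce" else n2
    certconf = build(secret, ee, ca, "certConf", conf, txid, n3, echo)

    # 4. CA -> EE: pkiconf (added in v2) acknowledging the confirmation
    got = check(secret, certconf, "certConf", txid, n2)
    if got["certHash"] != cert_hash(pending[cert["serial"]]):
        raise CMPError("certConf hash does not match the issued certificate")
    pkiconf = build(secret, ca, ee, "pkiconf", {}, txid, os.urandom(16), n3)
    check(secret, pkiconf, "pkiconf", txid, n3)
    return {"serial": cert["serial"], "confirmed": True}


def enrolment_outcome(tamper=None):
    """Return ("ok", serial) on success or ("rejected", reason) on a failed check."""
    try:
        return ("ok", run_enrolment(tamper=tamper)["serial"])
    except CMPError as exc:
        return ("rejected", str(exc))
```

Running `enrolment_outcome()` completes the transaction; `enrolment_outcome("mac")` is rejected at the CA's first check and `enrolment_outcome("nonce")` at the CA's certConf check, which is the point of chaining recipNonce to the peer's last senderNonce: a confirmation captured from one transaction cannot be replayed into another.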
Conclusions
• A widening range of PKI vendors are now involved with implementations
• CMP supports all facets of comprehensive certificate/key life cycle management
• CMP offers maximum flexibility to accommodate different requirements
• Transport aspects are being re-used elsewhere
• Subsets of CMP can be implemented as required (e.g. TSP use of transports/headers)
www.PKIForum.org