210 likes | 224 Views
CMC and PKI4IPSEC. Jim Schaad. Requirements Issues. What does MAY really mean What does SHOULD really mean Requirements on Admin <-> Peer Requirements on structure Remove requirements in PROFILE doc. How CMC wants to do this. Use standard request/response messages
E N D
CMC and PKI4IPSEC Jim Schaad
Requirements Issues • What does MAY really mean • What does SHOULD really mean • Requirements on Admin <-> Peer • Requirements on structure • Remove requirements in PROFILE doc
How CMC wants to do this • Use standard request/response messages • Use Transaction ID and nonces • Use Pending
Pretty Picture REPOSITORY ----- CA | | | ----------------- RA --- Admin | | | ----------------- Peer -----------
Basic Enroll Process • Establish Authorization • Distribute Authorization • Generate Public Key • Request Cert • Get Cert • Get trust anchor(s)
Admin Authorization Process • Create Template • Request Authorizations • Get Authorizations Back • Distribute Authorizations
Template Creation • Out Of Band negotiation • Template • Fixed portion • Restrictions • Control Items • Variable Portions • Substitution • if - then - else • types • General Name • UTF8 String • Time • Extension • Other? • Who can authorize
Request Authorizations • Use CMC Request Body with new control • For n items provide • template id • variable portion tokens • Timeout • must not match any current authorization • comparison rules • Binary or intelligent • (ä has multiple encodings) • should collision in current message error for both? • should collision with existing item error for both? • Re-request authorization?
Get Authorizations Back • Use CMC Response Message • for n items return • Auth token – PrintableString (ASCII) • Auth Passphrase – PrintableString (ASCII) • success/failure – error codes • Optional - token strings & id ? • requirement PKI may alter parameters and return to admin for check §3.2.5
Distribute Authorization • Data to be distributed • Authentication Token • Passphrase • Name of entity to talk to • Optional Items • Trust anchor information • Restrictions • Key Type, Key Length,…
Authorization Cancel • CMC Request/Response Pair w/ new controls • Authorization is identify by token • allow for bulk revoke or just singles? • May be signed by admin (SignedData) or use MAC by passphrase possessor (AuthData) • Race conditions between issuing a cert and cancel • Cancel of an issued Certificate • return either success or consumed (with cert identifier) • Query if authorization is still current?
EE Request Structure SignedData identify key by SKI • id-cct-PKIData encap content • Controls • id-cmc-identification - auth token • id-cmc-identityProof - derived from passphrase • id-cmc-transactionID - random number • id-cmc-senderNonce - random number • CRMF CertRequest • certReqID - fixed value ok • subject name cn=<Auth Token> • Public Key • SKI Extension with possibly fixed value. • Other extensions as required
EE Response Structure • SignedData by CA or RA • id-cct-PKIResponse encap content • Controls • id-cmc-statusInfoExt • id-cmc-authData • CMS objects • AuthData MAC by passphrase • id-cct-PKIResopnse encap content • Controls • id-cmc-trustRoots • Cert Bag - all certs including issued cert & root
Error Responses • Error responses are sent signed or unsigned? (depends on error value?) • Add new set of error codes specific to the new controls • Number of errors depends on granularity
Update, Renewal & Rekey • Update • New cert - different content - same/different key • Renewal • New cert - same content - same key • Rekey • New cert - same content - different key
Renewal & Rekey • (EE generates new request w/ new key if needed) • Specify with original authorization or policy • Update later • keep state in RA database assoicated with Issuer/Serial# • renewal vs rekey vs dead • time to start renewal • query admin
Update • In RA database w issuer/serial keep • token strings for update cert • allow for update of token strings by admin from cert id • OR • query admin • OR • Requires re-auth from Admin • Requires new auth token & passphrase • Requires re-enrollment from EE
CMC Requirements • trans id • nonces • auth data from CMS for ee revoke • signed data using sig key
Unmet Criteria • Must specify the “type” of enrollment • Update, Renewal, Rekey, Original
Open Issues • In-line Authorization • Should Peers be able to specify non Public Key information • PKI Generation of keys -- bad idea? • Queue and Manually Approve • Advice to admin on all events
Open Issues • Time out/race conditions • Use Pending from RA on an instant basis • Minimize network attack time • Requires some careful thought on error states and database information. • Admin Enrollment on behalf of a peer • Key generation on peer • Key geneneration on admin