Re: PKIX-CMP
>1) Centralized key generation (i.e., at the CA) is now optional; the
>"basic authenticated scheme" is the only mandatory initialization
>scheme.
Please explain this. What does it mean, and what are the consequences
and the rationale?
What is an initialization scheme?
(I'm trying to ask open, non-leading questions; please do not abuse the
questioner for so asking; assume the list requires tutoring)
------
Here is my understanding, and why I'm bothering to comment.
"B8.2 Basic authenticated scheme
The end entity requests a certificate from a CA. When the CA responds
with a message containing a certificate the end entity replies with a
confirmation. All messages are authenticated.
This scheme allows the end entity to request certification of a locally-
generated public key (typically a signature key). The end entity may
also choose to request the centralised generation and certification of
another key pair (typically an encryption key pair).
Certification may only be requested for one locally generated public key
(for more, use separate PKIMessages).
The end entity must support proof-of-possession of the private key
associated with the locally-generated public key.
Preconditions:
1. The end entity can authenticate the CA's signature based on
out-of-band means
2. The end entity and the CA share a symmetric MACing key"
And I ask myself (and hopefully it will be answered in response to
my non-leading question) how does one bootstrap the PKIX-CMP?
I.E. How does one obtain satisfaction of the pre-conditions?
Are these non-standard mechanisms shared between particular
entities using one bit of software, and some subsection of the
operational CAs also using that bit of software?
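
Added example, not part of the original message or of the PKIX-CMP draft: a Python model of the three-message flow in the quoted B8.2 text (request, response, confirmation, all authenticated), showing what precondition 2 buys and what happens when it is not met. The JSON encoding, HMAC-SHA256, the `txid` field and all sample values are assumptions made for illustration; the CA's signature and proof-of-possession are left out.

```python
import hashlib, hmac, json, secrets
from typing import Optional

def protect(key: bytes, body: dict) -> dict:
    """Attach an HMAC-SHA256 tag computed over a canonical encoding of body."""
    data = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, data, hashlib.sha256).hexdigest()}

def verify(key: bytes, msg: dict) -> bool:
    """Recompute the tag and compare in constant time."""
    data = json.dumps(msg["body"], sort_keys=True).encode()
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["mac"])

def ca_respond(key: bytes, request: dict) -> Optional[dict]:
    """CA side: drop unauthenticated requests, else return a protected response."""
    if not verify(key, request):
        return None
    body = request["body"]
    cert = {"subject": body["subject"], "public_key": body["public_key"], "serial": 1}
    return protect(key, {"type": "response", "txid": body["txid"], "cert": cert})

def ee_confirm(key: bytes, request: dict, response: Optional[dict]) -> Optional[dict]:
    """End entity: check MAC, transaction binding and certified key, then confirm."""
    if response is None or not verify(key, response):
        return None
    body, sent = response["body"], request["body"]
    if body["txid"] != sent["txid"] or body["cert"]["public_key"] != sent["public_key"]:
        return None
    digest = hashlib.sha256(json.dumps(body["cert"], sort_keys=True).encode()).hexdigest()
    return protect(key, {"type": "confirm", "txid": body["txid"], "cert_hash": digest})

def run_exchange(ee_key: bytes, ca_key: bytes, tamper: bool = False) -> bool:
    """Return True only if all three messages authenticate end to end."""
    request = protect(ee_key, {"type": "request", "txid": secrets.token_hex(8),
                               "subject": "CN=example-ee",   # constructed name
                               "public_key": "00" * 32})     # constructed placeholder
    if tamper:  # the key to be certified is changed after the MAC was computed
        request["body"]["public_key"] = "ff" * 32
    response = ca_respond(ca_key, request)
    confirm = ee_confirm(ee_key, request, response)
    return confirm is not None and verify(ca_key, confirm)

if __name__ == "__main__":
    shared = secrets.token_bytes(32)  # stands in for the out-of-band MACing key
    print(run_exchange(shared, shared))                    # both sides hold the key
    print(run_exchange(shared, secrets.token_bytes(32)))   # precondition 2 not met
    print(run_exchange(shared, shared, tamper=True))       # request altered in transit
```

Nothing in the exchange itself establishes `shared`; it has to exist on both sides before the first message, which is the bootstrap step the question asks about.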