[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: PKIX-CMP

To: "'ietf-pkix@xxxxxxxxxx'" <ietf-pkix@xxxxxxxxxx>, "'Peter Williams'" <peter@xxxxxxxxxxxx>
Subject: RE: PKIX-CMP
From: Carlisle Adams <carlisle.adams@xxxxxxxxxxx>
Date: Wed, 17 Sep 1997 16:07:24 -0400

Hi Peter,

>----------
>From: 	Peter Williams[SMTP:peter@verisign.com]
>Sent: 	Wednesday, September 17, 1997 2:28 PM
>To: 	Carlisle Adams; ietf-pkix@tandem.com
>Subject: 	Re: PKIX-CMP
>
><<File: smime.p7s>>
>
>>1) Centralized key generation (i.e., at the CA) is now optional; the
>>"basic authenticated scheme" is the only mandatory initialization
>>scheme.
>
>Please explain this. What does it mean, and what are the consequences
>and the rationale?
>
>What is an initialization scheme?

Re-read Section 1.3 item 3.1, Section 2.2.1.1, Section 2.2.1.2, and
Section 2.2.2.2 (they're all short) and see if this helps.  If not, ask
again.  All we're saying is that out-of-band means are used to bootstrap
the process.



>Preconditions:
>1. The end entity can authenticate the CA=92s signature based on out-of-
>band means
>2. The end entity and the CA share a symmetric MACing key"
>
>And I ask myself (and hopefully it will be answered in response to
>my non-leading question) how does one bootstrap the PKIX-CMP?
>
>I.E. How does one obtain satisfaction of the pre-conditions?
>
>Are these non-standard mechanisms shared between particular
>entities using one bit of software, and some subsection of the
>operational CAs also using that bit of software?

"Out-of-band" simply means out of band.  That is, information is passed
between the EE (that wants to join the PKI) and the PKI entity (CA or
RA) in a way not specified in this document.  It might be a physical
visit; it might be physical mail; it might be a telephone call; it might
be e-mail; it might be a guy in a trenchcoat with a briefcase handcuffed
to his wrist.  [Whatever policy dictates.]  As long as that information
exchange is separate from the PKIX-CMP protocols, and is "trustable" by
both sides, that's fine.

Part of that out-of-band information might be the CA's public key (to
satisfy precondition 1).  Alternatively, the out-of-band information
might only be secret information (a password) from which each side can
derive a MACing key using PasswordBasedMac (this satisfies precondition
2, and when this key is used to protect the CMP initialization messages,
then the CA can send its public key in the response, which satisfies
precondition 1).

I guess I'm not sure which part of all this you're questioning or not
understanding...


--------------------------------------------
Carlisle Adams
Entrust Technologies
cadams@entrust.com
--------------------------------------------

Prev by Date: Re: PKIX-CMP
Next by Date: I-D ACTION:draft-ietf-pkix-ipki3cmp-04.txt
Previous by thread: Re: PKIX-CMP
Next by thread: RE: PKIX-CMP
Index(es):
- Date
- Thread