RE: questions about ipki3cmp-04.txt (fwd)
Hi Stef,
>----------
>From: Stef Hoeben[SMTP:Stefan.Hoeben@esat.kuleuven.ac.be]
>Sent: Tuesday, September 30, 1997 3:34 AM
>To: ietf-pkix@tandem.com
>Subject: questions about ipki3cmp-04.txt (fwd)
>
>Sorry to bother you all, but here are two questions
>about the creation of certs (cmp draft):
>
>* a bit is said about CertReqContent and CertRepContent,
>but I don't know in which case to use these messages
>and what exactly is the difference with InitReqContent
>and InitRepContent?
A couple of people have asked this over the past few months so I tried
to be a bit more explicit in this latest draft with the wording in
Appendix B (specifically, B8 and B9). InitReq / InitRep are intended to
be used when an EE is first getting initialized (i.e., just getting
started in the system and requesting its first certificate), whereas
CertReq / CertRep are intended to be used by EEs that are already
initialized (i.e., they are already in the system and are requesting
subsequent certificates). Supporting this is the fact that for InitReq
/ InitRep the protectionAlg can only be a MAC (based on a key derived
from shared secret information) and for CertReq / CertRep the
protectionAlg can be a MAC or a signature (since the EE may already have
a valid verification certificate and is presumed to hold a valid copy of
the CA's verification certificate).
Syntactically there is very little difference between the two, except
that InitReq allows the EE to send to the CA a protocol encryption key
(this is to be used to encrypt the private key coming back to the EE, if
centralized key generation was requested and is supported by the CA).
>* for the Centralised scheme (2.2.2.1), the message sent
>to the user is a CertRepContent or a InitRepContent, right?
Yes (although since the centralized scheme is an initialization scheme,
InitRep is semantically more appropriate).
>Greetings, Stef
>
>PS I'd like to congratulate Peter and Carlisle for
> cheering up this list, I'm always looking forward
> to reading their discussions.
Thank you, but all the credit really should go to Peter...
--------------------------------------------
Carlisle Adams
Entrust Technologies
cadams@entrust.com
--------------------------------------------
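The protection rule described in the reply above (InitReq/InitRep protected only by a MAC keyed from shared-secret information, CertReq/CertRep by a MAC or a signature, and a protocol encryption key carried only in InitReq) can be enforced as a policy check before a CA ever looks at a request body. The following is an added example, not code from this thread, from Entrust, or from any CMP implementation: the message-type tags, the `CmpMessage` fields, the PBKDF2-based key derivation and the HMAC-SHA256 are constructed stand-ins for the draft's own ASN.1 structures and PasswordBasedMac construction.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Message types discussed in the thread (tags are an assumption of this example).
INIT_REQ, INIT_REP, CERT_REQ, CERT_REP = "ir", "ip", "cr", "cp"

# Protection kinds. Per the reply: InitReq/InitRep are MAC-only (shared secret),
# CertReq/CertRep may use a MAC or a signature (EE may already hold a cert).
MAC, SIGNATURE = "mac", "signature"

ALLOWED_PROTECTION = {
    INIT_REQ: {MAC},
    INIT_REP: {MAC},
    CERT_REQ: {MAC, SIGNATURE},
    CERT_REP: {MAC, SIGNATURE},
}


@dataclass
class CmpMessage:
    msg_type: str
    body: bytes
    protection_kind: str
    protection: bytes = b""
    # Only InitReq may carry a protocol encryption key (used by the CA to
    # encrypt a centrally generated private key on its way back to the EE).
    protocol_encryption_key: Optional[bytes] = None


def derive_mac_key(shared_secret: bytes, salt: bytes) -> bytes:
    # Constructed stand-in for the draft's password-based MAC key derivation.
    return hashlib.pbkdf2_hmac("sha256", shared_secret, salt, 10_000)


def _protected_bytes(msg: CmpMessage) -> bytes:
    # Bind the message type, body and optional key under the MAC so that a
    # verifier cannot be fooled by re-labelling an InitReq as a CertReq.
    return b"|".join([msg.msg_type.encode(), msg.body, msg.protocol_encryption_key or b""])


def policy_allows(msg: CmpMessage) -> bool:
    """True if the protection kind and optional fields fit the message type."""
    if msg.protection_kind not in ALLOWED_PROTECTION.get(msg.msg_type, set()):
        return False
    if msg.protocol_encryption_key is not None and msg.msg_type != INIT_REQ:
        return False
    return True


def protect_with_mac(msg: CmpMessage, shared_secret: bytes, salt: bytes) -> CmpMessage:
    """EE side: attach a MAC over the message using the shared-secret key."""
    key = derive_mac_key(shared_secret, salt)
    msg.protection = hmac.new(key, _protected_bytes(msg), hashlib.sha256).digest()
    return msg


def verify_mac_message(msg: CmpMessage, shared_secret: bytes, salt: bytes) -> bool:
    """CA side: reject messages that break the type/protection policy, then check the MAC."""
    if not policy_allows(msg) or msg.protection_kind != MAC:
        return False
    key = derive_mac_key(shared_secret, salt)
    expected = hmac.new(key, _protected_bytes(msg), hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg.protection)


if __name__ == "__main__":
    # Constructed sample: an EE being initialized with an out-of-band secret.
    secret, salt = b"one-time-initialization-secret", b"constructed-salt"
    ir = protect_with_mac(CmpMessage(INIT_REQ, b"cert-request-template", MAC), secret, salt)
    print("InitReq with MAC accepted:", verify_mac_message(ir, secret, salt))
    print("InitReq with signature allowed by policy:",
          policy_allows(CmpMessage(INIT_REQ, b"x", SIGNATURE)))
```

The policy check runs before the MAC is verified so that a request of the wrong shape is refused without spending a key derivation on it; the MAC covers the message type as well as the body, so the type cannot be changed in transit to reach the more permissive CertReq rule.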