Re: Ptr to doc on "how end-entity authenticates cert_req to CA"
"Bill" == Bill Doster <billdo@umich.edu> writes:
Bill> After looking through all the IETF PKIX drafts, I'm still in the
Bill> dark as to what information is provided by the end-entity to
Bill> authenticate itself as the entity named in the cert req (as opposed
Bill> to demonstrating possession of the cert's associated private key).
Have a look at Bob Moskowitz's summary of the CMP interop workshops
"draft-moskowitz-cmpinterop".
Basically, we assume (following the commentary in 2510) that the CA/RA has
agreed a passphrase and reference ID with the requester. The requester
then submits an IR containing its signature key (and usual POP) MAC'ed
under the passphrase with the signer_kid set to the reference ID. The
CA/RA may choose to ignore the requester's dname choice and use one that
was previously agreed. The requester can trust the response and contained
cert path (if any) since it is MAC'ed by the CA/RA.
The requester signs all subsequent CRs with their signing key.
cheers,
Keith
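The flow Keith describes, as an added example that is not part of this thread or of any CMP implementation: the key derivation follows RFC 2510's PasswordBasedMac (hash of secret || salt iterated iterationCount times, then an HMAC over the protected part), while the message layout is a simplified stand-in for the DER-encoded PKIMessage, and the reference ID, passphrase and key identifiers are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Out-of-band agreement between CA/RA and requester (constructed sample values):
# reference ID -> passphrase. The reference ID travels in the clear as senderKID.
CA_SHARED_SECRETS = {b"ref-0042": b"correct horse battery staple"}


def pbm_key(secret: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """RFC 2510 PasswordBasedMac key: hash (secret || salt) iterationCount times."""
    k = secret + salt
    for _ in range(iterations):
        k = hashlib.sha256(k).digest()
    return k


def protect(sender_kid: bytes, body: bytes, secret: bytes) -> dict:
    """Simplified PKIMessage: senderKID and salt in the clear, MAC over header and body."""
    salt = os.urandom(16)
    protected_part = b"|".join([sender_kid, salt.hex().encode(), body])
    tag = hmac.new(pbm_key(secret, salt), protected_part, hashlib.sha256).digest()
    return {"sender_kid": sender_kid, "salt": salt, "body": body, "protection": tag}


def verify(msg: dict, secret: bytes) -> bool:
    """Recompute the MAC under the given passphrase; constant-time compare."""
    protected_part = b"|".join([msg["sender_kid"], msg["salt"].hex().encode(), msg["body"]])
    expected = hmac.new(pbm_key(secret, msg["salt"]), protected_part, hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["protection"])


def ca_handle_ir(ir: dict) -> Optional[dict]:
    """CA/RA side: senderKID selects the pre-agreed passphrase; unknown ID or bad MAC is rejected."""
    secret = CA_SHARED_SECRETS.get(ir["sender_kid"])
    if secret is None or not verify(ir, secret):
        return None
    # The CA ignores any dname in the request and issues for the name agreed out of band.
    ip_body = b"IP:cert for CN=agreed-name-for-" + ir["sender_kid"] + b":" + ir["body"]
    return protect(b"ca-kid", ip_body, secret)  # response MAC'ed under the same passphrase


def requester_enroll(ref_id: bytes, passphrase: bytes, spki: bytes) -> Optional[bytes]:
    """Requester side: MAC the IR under the passphrase; trust the IP only if its MAC verifies."""
    ir = protect(ref_id, b"IR:" + spki, passphrase)  # real IR also carries POP of the key
    ip = ca_handle_ir(ir)
    if ip is None or not verify(ip, passphrase):
        return None
    return ip["body"]
```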