PKC
...
This document describes and identifies the requirements for
transactions to handle PKC lifecycle transactions between [IPsec] VPN ...
... requirements for Public Key Certificate
(PKC) lifecycle transactions between different VPN System and PKI
System ...
... PKI-enabled VPN System: authorization (of PKC issuance),
generation (public-private key pair and PKC request), enrollment (PKC
request, PKC response, and confirmation), maintenance (rekey, renew,
update ...
... - Use a VPN Administration function (Admin), which is introduced in
this document, to manage PKC authorization and possibly act as
the sole interface for the VPN System ...
... PKI System.
- Authorize individual or batches of PKC issuances based on a pre-
agreed template (i.e., both types of authorization requests refer
...
... connections.
- Establish policies for automatic PKC rekeys, renewals, and
updates.
...
...
The scenario for PKC cross-certification will not be addressed.
...
... PKI System, or simply PKI, is the set of functions needed to
authorize, issue, and manage PKCs. PKI System is defined in more
detail in Section 2.2.
...
... The Admin is the VPN System function that interacts with the PKI
System to establish PKC provisioning for the VPN connections. See
Section 2.1.2 for more details.
...
... end entity is the entity or subject that is identified in a PKC.
The end entity is the one entity that will finally use a private key
associated with a PKC to digitally sign data. In this document, an
IPsec Peer is certainly an end entity. Note that end entities can have
different PKCs for different purposes (e.g., signature vs. key exchange,
... Admin-functions vs. Peer-functions).
PKC Rekey
The routine procedure for replacement of a PKC with a new PKC with a
new public key for the same subject ...
... PKC Renewal
The acquisition of a new PKC with the same public key due to the
expiration of an existing PKC. Renewal occurs prior to the
expiration of the existing PKC to avoid any connection outages. A
renewal process can rely on the existing key pair ...
... authentication for the new enrollment.
PKC Update
A special case of a renewal-like occurrence where a PKC needs to be
changed prior to expiration due to some change in its subject's
...
... subject has possession of the private
key associated with the public key requested for a PKC.
Certificate Authority ...
... PKI System that is trusted by one or more users to
create and sign PKCs. It is important to note that the CA is
responsible for the PKCs during their whole lifetime, not just for
issuing them.
...
... Internet-accessible server in a PKI System that stores and makes
available for retrieval PKCs and Certificate Revocation Lists (CRLs).
...
... CRL is a CA-signed, timestamped list identifying revoked PKCs and
made freely available in a repository. Peers retrieve the CRL to
verify that a PKC being presented to them as the identity in an IKE
...
... CDP)
The CDP is a PKC extension that identifies the location from which
end entities should retrieve CRLs ...
... information and services for the issuer of the PKC in which the
extension appears. Information and services may include on-line ...
... algorithms, key lengths, lifecycle
options, and PKC fields) for groups of IPsec Peers. The Admin also
authorizes PKC issuance and can act as the Peer's PKI System
interface ...
... [FRAME] for use in a VPN System. The PKC's characteristics and
contents are a function of the CP. In VPN ...
... authorization for end entity PKCs by sending the parameters and
contents for individual PKCs or batches of PKCs based on a pre-agreed
template (i.e., both types of authorization requests refer
...
... authorization tokens that will authorize
Peers to request a PKC.
- It will deliver instructions to the IPsec Peers, and the Peers
will carry out those instructions (e.g., Admin passes Peer
information necessary to generate keys and PKC request).
...
... This framework assumes that all components of the VPN obtain PKCs
from a single PKI community. An IPsec Peer can accept a PKC from a
Peer that is from a CA outside of the PKI community, but the auto
provision and life cycle management for such a PKC or its trust
anchor PKC fall out of scope.
...
... PKI System contains a mechanism for handling Admin's
authorization requests and PKC enrollments. This mechanism is
referred to as the Registration Authority (RA). The PKI System
contains a Repository for Peers to retrieve each other's PKCs and
revocation information. Last, the PKI System ...
... requirements document, as shown in Figure 3.
Therefore, it is sensible to consider the steps necessary to set up,
use, and manage PKCs for one Peer to establish an association with
another Peer.
...
... [G] = Generation: Public key, private key, and PKC request
[E] = Enrollment: Sending PKC request, verifying PKC response, and
confirming PKC response
...
... message data integrity because the
responses (i.e., PKCs and CRLs) are already digitally signed.
Whether [R] transactions ...
... PKC Profile for PKI Interaction ...
... management profile) are the same so that one PKC could be used for
both transaction sets. If the profiles are inconsistent, then
different PKCs (and perhaps different processing requirements) might
be required. However, the authors urge that progress continue on
other aspects of this standardization effort regardless of the status
of efforts to achieve PKC profile consensus.
...
...
PKCs MUST support identifying (i.e., naming) Peers and Admins. The
following name forms MUST be supported:
...
...
PKCs MUST support indicating the purposes for which the key (i.e.,
digital signature) can be used. Further, PKCs MUST always indicate
that relying parties (i.e., Peers) need to understand the indication.
...
... PKCs MUST indicate the location of CRL such that any Peer who holds
the PKC locally will know exactly where to go and how to request the
CRL.
...
... authentication, and integrity. PKCs for authorization of the Admin
can be initialized through an out-of-band ...
... PKC enrollment request, or the
authorization and the PKC enrollment request can be presented to the
PKI at the same time. Both of these authorization ...
... 1) Authorization Request [A]. Admin sends a list of identities and
PKC contents for the PKI System to authorize enrollment. See
Section 3.2.4.
...
... authorization tokens to be
used for the enrollment of each PKC (1). Response may indicate
success, failure, or errors for any particular authorization. See
...
... Specifying Fields within the PKC ...
...
The Admin authorizes individual PKCs or batches of PKC issuances
based on a pre-agreed template. This template is agreed by the VPN ...
...
...
The Admin can send the PKI System the set of PKC contents that it
wants the PKI to issue to a group ... IPsec Peers. In other words, it
tells the PKI System, "if you see a PKC request that looks like this,
from this person, process it and issue the PKC."
...
Requirements ...
... VPN Operator and PKI Operator pre-agree on a template, they
MUST also agree on the local policy regarding PKC renewal and PKC
update. These are:
- Admin MUST specify if automatic renewals are allowed, that is,
the Admin authorizes the PKI to process a future renewal for the
specified Peer PKC.
- Admin MUST specify if PKC update is allowed, that is, the Admin
authorizes the PKI to accept a future request for a new PKC with
changes to non-key-related fields.
If a PKC renewal is authorized, the Admin MUST further specify:
- Who can renew, that is, can only the Admin send a renewal request
... PKI, or either.
- How long before the PKC expiration date the PKI will accept and
process a renewal (i.e., N% of validity ... after which renewal is
permitted).
If a PKC update is authorized, the Admin MUST further specify:
- The aspects of non-key-related fields that are changeable.
...
- The entity that can send the PKC Update request, that is, only
the Admin, only the Peer, or either.
- How long before the PKC expiration date the PKI will accept and
process an update ...
...
A new authorization by the Admin is REQUIRED for PKC rekey. No
parameters of prior authorizations need be considered.
...
... authorization token. If such a
validation period is set, any PKC requests using the authorization ID
and one-time authorization token ...
...
Note that if the PKI has already issued a PKC associated with an
authorization, then cancellation of the authorization ...
... authorization request SHOULD be refused by the PKI. Once a
PKC has been issued it MUST be revoked in accordance with Section
3.6.
...
... authorization success. This will allow the Admin to
perform an "operational test" to verify that the issued PKCs will
meet its requirements. If the Admin determines that the modified
...
... authorization request from the Admin, the PKI
MUST be able to reply YES to those individual PKC authorizations that
it has satisfied and NO or FAILED for those requests that cannot be
...
... PKI settings
between the time the authorization is granted and the PKC request
occurs, and what to do about the discrepancy.
...
... received at the Admin, the next step is to generate public and
private key pairs and to construct PKC requests using those key
pairs. The key generations can occur at one of three places,
depending on local requirements ...
... IPsec Peer, at the Admin, or
at the PKI. The PKC request can come from either the IPsec Peer, a
combination of the Peer and the Admin, or not at all.
...
... ASN.1
aware" to support generating and digitally signing the PKC request.
...
... one-time authorization token, and any other parameters needed by
the Peer to generate the PKC request, including key type and size.
2) Generation [G]. Peer receives authorization ...
... authorization token, and any parameters. Peer generates key pair
and constructs PKC request.
Steps prior to these can be found in Section 3.2. The next step,
...
... requirement for the Peer to be ASN.1 aware because it
does not have to construct or digitally sign the PKC request. The
drawback is that the key pair does need to be provided to the Admin.
...
... key pair to Admin.
4) Generation [G]. Admin constructs and digitally signs PKC request.
Steps prior to these can be found in Section 3.2. The next step,
...
... key recovery
requirements, where the same PKCs are used for other functions in
addition to IPsec, and key recovery ...
... Figure 7. Generation Interactions:
Admin Generates Key Pair and Constructs PKC Request
1) Generation [G]. Admin generates key pair, constructs PKC request,
and digitally signs PKC request.
Steps prior to these can be found in Section 3.2. The next step,
...
... authorizations steps are still of value even
though the Admin is also performing the key generation. The PKC
template, Subject fields, SubjectAltName ...
...
administration, where Operator 1 is the only one allowed to have the
Admin function pre-authorize PKCs, but Operator 2 is the one doing
batch enrollments and VPN device configurations.
...
... PKI generate
key pairs and PKCs. This is, in all likelihood, the easiest way to
deploy PKCs, though it sacrifices some security since both the CA and
... key escrow is required, this may be acceptable. The Admin
effectively acts as a proxy for the Peer in the PKC enrollment
process.
...
... be provided for each transaction in the key generation and PKC
request construction process. Providing such error codes will
greatly aid interoperability ...
... Error conditions MUST be communicated to the Admin regardless of who
generated the key or PKC request.
...
... elements labeled in Figure 3.
Regardless of where the keys were generated and the PKC request
constructed, an enrollment process will need to occur to request that
the PKI issue a PKC and the corresponding PKC be returned.
The protocol MUST be exactly the same regardless of whether the
...
...
Manual approval of PKC enrollments is too time consuming for large
scale implementations, and is therefore not required.
...
... VPN-PKI Interaction Steps:
IPsec Peer Generates Keys and PKC Request,
Enrolls Directly with PKI
...
...
1) Enrollment Request [E]. The IPsec Peer sends PKC requests to the
PKI, providing the generated public key ...
... 2) Enrollment Response [E]. The PKI responds to the enrollment
request, providing either the new PKC that was generated or a
suitable error indication.
...
...
3) Enrollment Confirmation [E]. Peer positively acknowledges receipt
of new PKC back to the Admin.
4) Enrollment Confirmation Receipt [E]. PKI ...
... In this case, the IPsec Peer has generated the key pair and the PKC
request, but does not enroll directly to the PKI System. Instead, it
automatically sends its request to the Admin, and the Admin redirects
...
... the enrollment comes from, as long as it is a valid enrollment. Once
the Admin receives the PKC response, it automatically forwards it to
the IPsec Peer.
...
... Opaque Transaction [E]. The IPsec Peer requests a PKC from the
Admin, providing the generated public key.
...
... 3) Enrollment Response [E]. The PKI responds to the enrollment
request, providing either the new PKC that was generated or a
suitable error indication.
...
... Opaque Transaction [E]. Peer positively acknowledges receipt of
new PKC back to the Admin.
6) Enrollment Confirmation [E]. Admin forwards enrollment
...
... In this case, the IPsec Peer has generated the key pair, but the PKC
request is constructed and signed by the Admin. The PKI System does
not care where the enrollment comes from, as long as it is a valid
enrollment. Once the Admin retrieves the PKC, it then automatically
forwards it to the IPsec Peer along with the key pair ...
... IPsec Peer Generates Keys, Admin Constructs and
Signs PKC Request, Enrolls through Admin
1) Enrollment Request [E]. The Admin requests a PKC from the PKI,
providing the generated public key ...
... 2) Enrollment Response [E]. The PKI responds to the enrollment
request, providing either the new PKC that was generated or a
suitable error indication.
...
... Opaque Transaction [E]. Peer positively acknowledges receipt of
new PKC back to the Admin.
5) Enrollment Confirmation [E]. Admin forwards enrollment
...
...
In this case, the Admin generates the key pair, PKC request, and
digitally signs the PKC request. The PKI System does not care where
the enrollment comes from, as long as it is a valid enrollment. Once
the Admin retrieves the PKC, it then automatically forwards it to the
IPsec Peer along with the key pair ...
... Figure 12. VPN-PKI Interaction Steps:
Admin Generates Keys and PKC Request, and Enrolls Directly
with PKI
1) Enrollment Request [E]. The Admin requests a PKC from the PKI,
providing the generated public key ...
... 2) Enrollment Response [E]. The PKI responds to the enrollment
request, providing either the new PKC that was generated or a
suitable error indication.
...
... Opaque Transaction [E]. Peer positively acknowledges receipt of
new PKC back to the Admin.
5) Enrollment Confirmation [E]. Admin forwards enrollment
...
... IPsec Peer through the
Admin, the final product of a key pair and PKC. Again, the mechanism
for the Peer to Admin communication is opaque.
...
... PKI responds to the authorization
request sent, providing either the new PKC and public-private key
pair that were generated or a suitable error indication.
...
... Opaque Transaction [E]. Peer positively acknowledges receipt of
new PKC back to the Admin.
4) Enrollment Confirmation [E]. Admin forwards enrollment
...
... Any time a new PKC is issued by the PKI, a confirmation of PKC
receipt MUST be sent back to the PKI by the Peer or the Admin
...
... Operationally, the Peer MUST send a confirmation to the PKI verifying
that it has received the PKC, loaded it, and can use it effectively
in an IKE exchange. This requirement ...
...
- The PKI does not publish the new PKC in the repository for others
until that PKC is able to be used effectively by the Peer, and
- A revocation may be invoked if the PKC is not received and
operational within an allowable window of time.
...
... confirmation, thus signaling to the Peer that it may proceed using
this PKC in IKE connections. The PKI MUST complete all the
processing necessary to enable the Peer's operational use of the new
PKC (for example, writing the PKC to the repository) before sending
the confirmation acknowledgement. The Peer MUST NOT begin using the
PKC until the PKI's confirmation acknowledgement has been received.
...
... receive it.
- The Requestor (Admin or Peer) received the PKC, but could not
process it due to incorrect contents, or other PKC-construction-related
problem.
...
...
If a failure occurs after the PKI sends the PKC and before the Peer
receives it, then the Peer MUST re-request with the same
authorization ...
...
Once the PKI has issued a PKC for the end entity Peer, the Peer MUST
be able to either contact the PKI ...
... PKC Rekeys, Renewals, and Updates ...
...
Rekeys, renewals, and updates are variants of a PKC enrollment
request scenario with unique operational and management requirements ...
... PKC rekey replaces an end entity's PKC with a new PKC that has
a new public key for the same SubjectName ...
- A PKC renewal replaces an end entity's PKC with the same public
key for the same SubjectName and SubjectAlternativeName contents
as an existing PKC before that PKC expires.
- A PKC update is defined as a new PKC issuance with the same
public key for an altered SubjectName or SubjectAlternativeName
before expiration of the end entity's current PKC.
When sending rekey, renew, or update requests, the entire contents of
the PKC request need to be sent to the PKI, not just the changed
elements ...
... rekey, renew, and update requests MUST be signed by the private
key of the old PKC. This will allow the PKI to verify the identity
of the requestor, and ensure that an attacker does not submit a
request and receive a PKC with another end entity's identity.
Whether or not a new key is used for the new PKC in a renew or update
scenario is a matter of local security policy ...
... renew request must be signed by both the old
key -- to prove the right to make the request -- and the new key --
to use for the new PKC.
The new PKC ...
... update will be
retrieved in-band, using the same mechanism as a new PKC request.
For the duration of time after a rekey ...
... processed and before PKI has received confirmation of the Peer's
successful receipt of the new PKC, both PKCs (the old and the new)
for the end entity will be valid ...
... continue with uninterrupted IKE connections with the previous PKC
while the rekey, renewal, or update occurs, the question now exists
for the PKI of what to do about the old PKC. If the old PKC is to be
made unusable, the PKI will need to add it to the revocation ...
... removed from the repository; however, this should only occur once all
connections that used the old PKC have expired. The decision about
if the old PKC should be made unusable is determined by local policy.
Either the PKI or the Admin MUST specify this parameter during the
...
... PKI receives the end entity
Peer's confirmation (of receipt of the PKC) until when the old PKC is
made unusable.
...
... key pair to be destroyed as soon as possible. Deletion can
occur once all connections that used the old PKC have expired.
If a PKC has been revoked, it MUST NOT be allowed a rekey, renewal,
or update ...
... Scenarios for rekey are omitted as they use the same scenarios used
in the original PKC enrollment from Sections 3.2, 3.3, and 3.4.
...
... - Requestor: End entity Peer, Admin, or either.
- Period: How soon before PKC expiry.
- Time: Length of time before making the old PKC unusable.
If any of these conditions are not met, the PKI ...
...
Scenarios for renewal are omitted as they use the same scenarios used
in the original PKC enrollment from Sections 3.2, 3.3, and 3.4.
...
...
An update to the contents of a PKC will be necessary when details
about an end entity Peer's identity ...
... end entity Peer's identity change, but the Operator does not
want to generate a new PKC from scratch, requiring a whole new
authorization. For example, a gateway ...
...
- Once the update is completed, and the new PKC is confirmed, the
old PKC should cease to be usable, as its contents no longer
accurately describe the subject.
...
... Subject and SubjectAltName that are changeable.
- Time: Length of time before making the old PKC unusable.
If any of these conditions are not met, the PKI ...
... authorization, one can be made from Admin to the PKI at any time
during the PKC's valid life. When such an update is desired, Admin
...
... Scenarios for update are omitted as they use the same scenarios used
in the original PKC enrollment from Sections 3.2, 3.3, and 3.4.
...
... the PKI MUST also issue a revocation on the original PKC before
sending the confirmation response.
...
...
The Peer MUST be able to initiate revocation for its own PKC. In
this case the revocation request MUST be signed by the Peer's current
key pair for the PKC it wishes to revoke. Whether the actual
revocation request transaction ...
...
The Admin MUST be able to initiate revocation for any PKC issued
under a template it controls. The Admin will identify itself to the
PKI by use of its own PKC; it MUST sign any revocation request to the
PKI with the private key from its own PKC. The PKI MUST have the
ability to configure Admin(s) with revocation authority, as
identified by its PKC. Any PKC authorizations must specify if said
PKC may be revoked by the Admin (see Section 3.2.3.2 for more
details).
...
... - AFTER RENEW, BEFORE EXPIRATION: The PKI MUST be responsible for
the PKC revocation during a renew transaction. PKI MUST revoke
the PKC after receiving the confirm notification from the Peer,
and before sending the confirm-ack to the Peer. The Peer MUST
NOT revoke its own PKC in this case.
- AFTER UPDATE, BEFORE EXPIRATION: The PKI MUST be responsible for
the PKC revocation during an update transaction. PKI MUST revoke
the PKC after receiving the confirm notification from the Peer,
and before sending the confirm-ack to the Peer. The Peer MUST
NOT revoke its own PKC in this case.
...
... method MAY be supported.
The complete hierarchical PKC chain (except the trust anchor) MUST be
able to be searched in their respective repositories. The
information to accomplish these searches MUST be adequately
communicated in the PKCs sent during the IKE transaction.
All PKCs must be retrievable through a single protocol. The final
specification will identify one protocol as a "MUST", others MAY be
...
... repository on a specific ID element that was given to it in a
standard PKC field.
Other considerations include:
...
...
PKCs MAY have extendedKeyUsage to help identify the proper PKC for
IPsec, though the default behavior is to not use them (see 3.1.5.3).
...
... the mandatory repository access protocol at the time of starting up
so they can perform the PKC lookups.
...
... Trust Anchor PKC Acquisition ...
...
(a) Peer can get the root PKC via its secure communication with
Admin. This requires the Peer to know less about interaction
with the PKI ...
... identity verification based on the fields
of the PKC and parameters applicable to the VPN Security Association.
The fields of the PKC used for verification MAY include either the
X.500 Distinguished Name ...
... certification path, as per RFC 3280prop. The contents
necessary in the PKC to allow this will be enumerated in the profile
document.
...
... certification path
itself; however, Admin MUST be able to supply Peers with the trust
anchor and any chaining PKCs necessary. The Admin MAY ensure the
template uses the AIA extension in PKCs as a means of facilitating
path validation.
...
... PKI System MUST provide a mechanism whereby Peers can check the
revocation status of PKCs that are presented to it for IKE identity.
...
... be specified by the final specification.
All PKCs used in IKE MUST have cRLDistributionPoint and
authorityInfoAccess fields populated with valid URLs. This will
allow all recipients of the PKC to know immediately how revocation is
to be accomplished, and where to find the revocation ...
... or in a demo environment. If revocation checking is OFF, the
implementation MUST proceed to use the PKC as valid identity in the
...
...
If the revocation of a PKC is used as the only means of deactivation
of access authorization for the Peer (or user), then the speed of
...
