requirement
...
This document describes and identifies the requirements for
transactions to handle PKC lifecycle transactions between [IPsec ...
... IKEv2]) and PKI Systems. This
document contains requirements for a transaction-based approach.
Other models are conceivable, for example, a directory-centric
approach, but their requirements are beyond the scope of this
document.
...
... IPsec deployments with a common set of transactions. Requirements
for both the IPsec and the PKI ...
... IPsec and the PKI products are discussed. The
requirements are carefully designed to achieve security without
compromising ease of management ...
... IKE exchanges.
These requirements are intended to be used to profile a certificate
management protocol that the VPN System ...
... IPsec standards to
limit the complexity of deployment. Some requirements may require
either a new protocol, or changes or extensions to an existing
...
... VPN Administration and
IPsec Peers. The requirements strive to meet eighty percent of the
market needs for large-scale deployments (i.e., VPNs ...
... tools. The
solution will possibly miss the needs of the highest ten percent of
stringency and the lowest ten percent of convenience requirements.
Use cases will be considered or rejected based upon this eighty
percent rule. The needs of small deployments ...
... Requirements Terminology ...
... VPN System and the PKI System is the key
focus of this requirements document, as shown in Figure 3.
Therefore, it is sensible to consider the steps necessary to set up,
use, and manage PKCs ...
... VPN-PKI Interaction
... Requirements for each of the interactions, [A], [G], [E], [L], and
[R], are addressed in Sections 3.2 through 3.6. However, only
requirements for [A], [E], [L], and [R] will be addressed by the
certificate management ...
... certificate management profile. Requirements for [I] transactions
are beyond the scope of this document. Additionally, the act of
...
... Requirements ...
... General Requirements ...
... The target profile, to be based on this requirements document, MUST
call for ONE PROTOCOL or ONE USE PROFILE for each main element ...
... interoperability, having multiple competing protocols or
profiles to solve the same requirement should be avoided whenever
possible.
Meeting some of the requirements may necessitate the creation of a
new protocol or new extension for an existing protocol; however, the
...
...
The Admin MUST be reachable by the Peers. Most implementations will
meet this requirement by ensuring Peers can connect to the Admin from
anywhere on the network or Internet ...
... co-located on
the Peer device itself. Most requirements and scenarios in this
document assume on-line availability of the Admin for the life of the
...
... PKI and Admin. Further availability is required in most
cases, but the extent of this availability is a decision point for
the Operator. Most requirements and scenarios in this document
assume on-line availability of the PKI ...
... profiles are inconsistent, then
different PKCs (and perhaps different processing requirements) might
be required. However, the authors urge that progress continue on
other aspects of this standardization effort regardless of the status
...
... perform an "operational test" to verify that the issued PKCs will
meet its requirements. If the Admin determines that the modified
parameters are unacceptable, then the authorization should be
...
... PKC requests using those key
pairs. The key generations can occur at one of three places,
depending on local requirements: at the IPsec Peer, at the Admin, or
at the PKI ...
... key pair, but
removes the requirement for the Peer to be ASN.1 aware because it
does not have to construct or digitally sign the PKC request ...
... constraints. Another case covers key recovery
requirements, where the same PKCs are used for other functions in
addition to IPsec ...
... key recovery is required (e.g., local data
encryption), therefore key escrow is needed from the Peer. If key
escrow is performed then the exact requirements and procedures for it
are beyond the scope of this document.
...
... PKC, loaded it, and can use it effectively
in an IKE exchange. This requirement exists so that:
- The PKI ...
... PKC enrollment
request scenario with unique operational and management requirements.
- A PKC rekey ...
...
The confirmation handshake requirements are the same as in Sections
3.2, 3.3, and 3.4 except that depending on the Administrative policy
the PKI ...
... listed as "OPTIONAL".
The general requirements for the retrieval protocol include:
- The protocol can be easily firewalled (including Network Address
Translation ...
...
This requirements document does not specify a concrete solution, and
as such has no system-related security considerations per se.
...
... Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. ...
