draft-ietf-ipsec-pki-profile-04.txt (Potentially) Open Issues - PowerPoint PPT Presentation

Slides: 13
Provided by: Greg387
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes

1
draft-ietf-ipsec-pki-profile-04.txt (Potentially) Open Issues
  • Gregory M Lebovitz
  • gregory_at_netscreen.com

2
Overview
  • NAT-T considerations?
  • Certificate Type?
  • PKI Life Cycle Stuff pass in-band?
  • Critical Bit?
  • 2401bis syncing?
  • CDP / AIA ?

3
NAT-T
  • How or Does NAT-T stuff affect us?
  • Owner to write text and own this part of the
    document?

4
Certificate Type?
  • PKIX?
  • Signing?
  • DNSsec signed stuff?
  • PGP?
  • Kerberos?
  • SPKI Certificates?
  • PKIX Attribute Certificates?
  • PROPOSAL
    • PKIX X.509 w/ RSA with SHA-1. DONE.

5
PKI LifeCycle Stuff In-Band?
  • CRLs?
  • Intermediate Certs?
  • Trust Anchors?
  • Other revocation information?

6
LifeCycle Stuff - PROPOSAL
  • Philosophy
    • Put all life cycle stuff in its own bucket, out
      of band of IKE, as a rule. It will be handled in
      charter items 2 and 3
    • Minimize fragmentation and bloat to avoid UDP
      frag (FWs choke on it)
    • Neither v1 nor v2 has adequate expression for
      querying detailed PKI elements, for revocation
      and intermediate certs.
  • Proposal - MUST NOT REQUEST or SEND
    • CRLs
    • Trust Anchors
    • Intermediate Certs
    • other revocation info

7
Critical Bit
  • Issue
    • How do we handle critical extensions, if marked
      critical?
    • Drop or don't drop if you don't understand it
  • Options

8
2401bis Syncing?
  • SPD
    • Matching for cipher suite proposal
    • Pull from IKE_ID, and lookup for SPD match
    • Match to appropriate cert contents for validation
      of presented ID.
  • PAD
    • Use anything else you want in cert or ID to
      lookup authorization, and do AAA

9
CDP / AIA Inclusion?
  • SHOULD?
  • MUST?
  • Not at all?
  • Push to 2 and 3?
  • PROPOSAL
    • SHOULD send, MUST be able to process upon receipt
    • MUST accept certs w/o it

10
KU EKU Handling
  • Background
    • CAs aren't flexible enough with what they
      do/don't allow to be configured for (E)KU.
      Therefore, we can't depend on it.
  • PROPOSAL
    • Put whatever you want or nothing, it doesn't
      matter. We will ignore it altogether.
    • Receiver: ignore it altogether
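Added example, not from the slides or the draft: a receiver-side check that follows the proposals on slides 8, 9 and 10. The presented IKE ID must be backed by matching cert contents (slide 8), the validated ID is then used to find the PAD entry that authorizes the peer, certs without CDP/AIA are accepted (slide 9), and KU/EKU are not consulted at all (slide 10). The `Cert` and `PadEntry` structures, the ID-type-to-SAN mapping and the sample PAD are constructed stand-ins for parsed X.509 data and a real PAD, not the draft's own definitions.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

@dataclass
class Cert:
    """Constructed stand-in for a parsed X.509 cert (no real DER parsing here)."""
    san: dict                                       # {"dNSName": [...], "rfc822Name": [...], "iPAddress": [...]}
    key_usage: set = field(default_factory=set)     # carried but never consulted (slide 10)
    ext_key_usage: set = field(default_factory=set) # carried but never consulted (slide 10)
    cdp: list = field(default_factory=list)         # empty == no CDP/AIA; still accepted (slide 9)

# Which SAN component must carry the value presented in a given IKE ID type (assumed mapping).
SAN_FOR_ID = {"ID_FQDN": "dNSName", "ID_RFC822_ADDR": "rfc822Name", "ID_IPV4_ADDR": "iPAddress"}

def id_matches_cert(id_type: str, id_value: str, cert: Cert) -> bool:
    """Slide 8: the presented IKE ID is only accepted if the cert actually contains it."""
    san_type = SAN_FOR_ID.get(id_type)
    if san_type is None:
        return False
    values = cert.san.get(san_type, [])
    if id_type == "ID_IPV4_ADDR":
        return any(ip_address(v) == ip_address(id_value) for v in values)
    return any(v.lower() == id_value.lower() for v in values)

@dataclass
class PadEntry:
    id_type: str
    pattern: str          # exact value, "*.suffix" glob, or a CIDR block for ID_IPV4_ADDR
    auth_method: str

def pad_lookup(pad, id_type: str, id_value: str):
    """PAD (slide 8): authorization keyed on the validated ID; first matching entry wins."""
    for entry in pad:
        if entry.id_type != id_type:
            continue
        if id_type == "ID_IPV4_ADDR":
            if ip_address(id_value) in ip_network(entry.pattern):
                return entry
        elif fnmatchcase(id_value.lower(), entry.pattern.lower()):
            return entry
    return None

def authorize_peer(pad, id_type: str, id_value: str, cert: Cert):
    """Return the PAD entry authorizing this peer, or None. KU/EKU and CDP/AIA play no role."""
    if not id_matches_cert(id_type, id_value, cert):
        return None                       # ID not backed by cert contents: reject
    return pad_lookup(pad, id_type, id_value)

# Constructed sample PAD: one FQDN wildcard entry and one address-block entry.
SAMPLE_PAD = [PadEntry("ID_FQDN", "*.branch.example", "rsa-sig"),
              PadEntry("ID_IPV4_ADDR", "192.0.2.0/24", "rsa-sig")]
```

An unknown ID type, an ID absent from the cert, or an ID with no PAD entry all yield `None`; a cert carrying an unrelated EKU or no CDP at all still authorizes.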

11
Others?
  • Come to Microphone

12
Let's rev and go to WG last call!
  • gregory_at_netscreen.com