1 / 14

Resource Certificate Provisioning Protocol

Resource Certificate Provisioning Protocol. Geoff Huston IETF 70 December 2007. Problem Statement. How to automate the process of certificate issuance such that the issued certificate accurately tracks the current resource allocation status Avoid situations where

Download Presentation

Resource Certificate Provisioning Protocol

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Resource Certificate Provisioning Protocol Geoff Huston IETF 70 December 2007

  2. Problem Statement • How to automate the process of certificate issuance such that the issued certificate accurately tracks the current resource allocation status • Avoid situations where • the issued certificate “overclaims” resources • The issued certificate “underclaims” resources

  3. Scenario Certificate Issuer Internet Registry Issues Resource Certificates Allocates / Assigns Addresses Resource Holder Certificate Subject

  4. Scenario Certificate Issuer Internet Registry Issues Resource Certificates Allocates / Assigns Addresses Resource Certificate Provisioning Protocol Resource Holder Certificate Subject

  5. Protocol Characteristics • Simple Client / Server protocol using a request / response interaction over a secure reliable channel HTTPS POST Client Server HTTPS RESPONSE

  6. Protocol Payload • Cryptographic Message Syntax (CMS) • SignedData object type • Include Signing Time in the CMS wrapper • Include CMS signing cert in the CMS wrapper • XML Data Objects • Carried as CMS payload

  7. XML Message Structure <?xml version="1.0" encoding="UTF-8"?> <messagexmlns="http://www.apnic.net/specs/rescerts/up-down/" version="1" sender="sender name" recipient = "recipient name" type="message type"> [payload] </message>

  8. Messages • Query • Issue • Revoke

  9. Query Message • Request: type=“list” • Response: • List of Resource “classes” • List of allocated / assigned Number Resources within this class • Issued certificate(s) for this class

  10. Issue Message • Request: type=“issue” • Payload: Resource “class” name PKCS#10 Certificate Request • Response: • Payload: Issued certificate

  11. Revoke Message • Request: type=“revoke” • Payload: Resource “class” name Subject’s public key • Response: • Payload: confirmation of revocation

  12. Error Responses • Error status returned when the request could not be performed

  13. Protocol Specification • Current (unsubmitted) draft is: http://www.potaroo.net/drafts/draft-ietf-sidr-rescerts-provisioning-00.html

  14. Next Steps • Adoption of the specification of this provisioning protocol as a SIDR WG Document?

More Related