A new IETF working group has been formed in the Security Area. For additional information, please contact the Area Directors or the WG Chairs.

Profiling Use of PKI in IPSEC (pki4ipsec)
-----------------------------------------

Current Status: Active Working Group

Chair(s):
    Trevor Freeman <trevorf@microsoft.com>
    Gregory Lebovitz <gregory@netscreen.com>

Security Area Director(s):
    Russell Housley <housley@vigilsec.com>
    Steven Bellovin <smb@research.att.com>

Security Area Advisor:
    Russell Housley <housley@vigilsec.com>

Mailing Lists:
    General Discussion: pki4ipsec@icsalabs.com
    To Subscribe: http://honor.icsalabs.com/mailman/listinfo/pki4ipsec
        In Body: (un)subscribe
    Archive: http://honor.icsalabs.com/mailman/listinfo/pki4ipsec

Description of Working Group:

IPsec has been standardized for over 5 years, and the use of X.509 certificates has been specified within the IPsec standards for the same time. However, very few IPsec deployments use certificates. One reason is the lack of a clear description of how X.509 certificates should be used with IPsec. Another is the lack of a simple, scalable, and clearly specified way for IPsec systems to obtain certificates and perform other certificate lifecycle operations with PKI systems.

THE WG WILL DELIVER:

1) A standards-track document that gives specific instructions on how X.509 certificates should be handled with respect to the IKEv1 and IKEv2 protocols. This document will include a certificate profile, addressing which fields in the certificate should have which values and how those values should be handled. This effort is the WG's primary priority.

2) An informational document identifying and describing requirements for a profile of a certificate management protocol to handle PKI enrolment as well as certificate lifecycle interactions between IPsec VPN systems and PKI systems. Enrolment is defined as certificate request and retrieval. Certificate lifecycle interactions are defined as certificate renewals/changes, revocation, validation, and repository lookups. These requirements will be designed so that they meet the needs of enterprise scale IPsec VPN deployments.

Once the above two items enter WG last call, we will begin work on:

3) A standards-track document describing a detailed profile of the CMC protocol (Certificate Management Messages over CMS, RFC 2797 at this writing) that meets the requirements laid out in the requirements document. Profile documents for other enrolment and/or management protocols may also be created.

SCOPE

The working group will focus on the needs of enterprise scale IPsec VPN deployments. Gateway-to-gateway access (tunnel and transport mode) and end-user remote access to a gateway (either tunnel or transport mode) are both in scope.

NON-GOALS

User-to-user IPsec connections will be considered, but are not explicitly in scope. We will consider the requirements for this scenario only until doing so significantly slows the progress of the explicitly scoped items, at which point it will be dropped.

Specification of communications between an IPsec administrative function and IPsec systems is explicitly out of scope.

Purely PKI to PKI issues will not be addressed. Cross-certification will not be addressed. Long term non-repudiation will also not be addressed.

Goals and Milestones:

    Jan 2004  Post Certificate Profile and Use in IKE as an Internet Draft
    Feb 2004  Post Management Protocol Profile Requirements as I-D
    Apr 2004  Submit Certificate Profile and Use in IKE as WG last call
    Apr 2004  Rev Requirements for management protocol profile as needed
    May 2004  Submit Requirements for Management Protocol Profile as WG last call
    Jun 2004  Submit Certificate Profile and Use to IESG, Proposed Standard
    Jun 2004  WG decision on other Enrolment/Management protocols to profile
    Jul 2004  Submit Requirements for Management protocol Profile to IESG, Informational
    Jul 2004  Post CMC for IPsec VPN Profile as Internet Draft
    Jul 2004  Post other enrolment/management profiles as I-D
    Sep 2004  Rev CMC for IPsec VPN profile as needed
    Sep 2004  Rev other enrolment/management profiles as needed
    Nov 2004  CMC for IPsec VPN profile to WG last call
    Nov 2004  Other enrolment/management profiles to WG last call
    Jan 2005  Submit CMC for IPsec VPN Profile to IESG, Proposed Standard
    Jan 2005  Submit other Profiles for enrolment/management to IESG, Proposed Standard
    Feb 2005  Re-charter or close