IETF CAT Working Group Folks,

I'd like to propose an extension to PKINIT for discussion. We have been working on a method of using CMS (PKCS#7) to build the messages that are sent in the PKINIT flows. The motivation is that S/MIME is becoming very popular and most PKI vendors supply CMS toolkits for S/MIME (Entrust, RSA, VDA S/MIME Freeware Lib, etc.). Interoperability tests are in place, some configurations are exportable, and S/MIME is widely deployed.

Basically, a CMS format message would be used to define public key authentication related messages passed in the PKINIT protocol. The messages would mirror the function of the PA-PK-AS-REQ and PA-PK-AS-REP except in a CMS format. We want to consider including a PA-CMS-AS-REQ and PA-CMS-AS-REP as at least placeholders in the PKINIT spec.

We are working on this approach within the DCE community but feel that the method is also valuable within the PKINIT world. Below I have provided an FTP pointer to an MS-Word document that provides more detail on the approach. The document has some DCE specific issues that are relevant to a current movement to integrate modern PK support into DCE using PKINIT. Sections 4, 5 and 6 are most relevant to this discussion.

Please cc any comments to me (greg at dascom.com) as I'm not sure if my subscription to the cat-ietf mail list worked.

The document is available for anon FTP at: ftp://dascom.com/pub/DCE-CMS-10.doc

I'll be at the meeting in LA on Monday if anyone would like to discuss further.

Thanks for your time.

Best regards,
Greg Clark
CTO, DASCOM Inc.
www.dascom.com