Profiling Use of PKI in IPSEC (pki4ipse) ---------------------------------------- Charter Last Modified: 2005-04-29 Current Status: Active Working Group Chair(s): Paul Knight Gregory Lebovitz Security Area Director(s): Russ Housley Sam Hartman Security Area Advisor: Russ Housley Mailing Lists: General Discussion:pki4ipsec@icsalabs.com To Subscribe: http://honor.icsalabs.com/mailman/listinfo/pki4ipsec In Body: (un)subscribe Archive: http://honor.icsalabs.com/mailman/listinfo/pki4ipsec Description of Working Group: IPsec has been standardized for over 5 years, and the use of PKI X.509 certificates have been specified within the IPsec standards for the same rime. However, very few IPsec deployments use certificates. One reason is the lack of a certificate profile or description about how the various elements of a PKI ought to be constructed and how the contents ought to be populated for use with IPsec. In addition, the handling of certificates in various IPsec use cases requires better description. The lack of such specifications has yielded PKI systems whose support for IPsec applications is too obscure, complex, and often feature incomplete. Also, support within the IPsec systems for interaction with the PKI is often equally complex and incomplete, leaving deployers without interoperability. Within IPsec VPNs, the PKI supports authentication of peers through digital signatures during security association establishment using IKE. To date, SCEP and "cut-and-paste" techniques are more commonly used to accomplish end entity certificate acquisition for IPsec VPN usage, but are better suited to small VPN deployments, and are out of scope for this solution. A robust certificate management scheme is needed to empower operators in large scale deployment and management efforts. Multiple competing and incomplete protocols for certificate acquisition, renewal and revocation exist today. Deployers struggle to get products that support these technologies to work together nicely in order to accomplish their goals. The protocol and PKI operational usages are considered in order to define a common, single set of methods (which forces interoperability) between PKI systems and IPsec systems for large-scale deployments. The requirements address the entire lifecycle for PKI usage within IPsec transactions: pre-authorization of certificate issuance, enrollment process (certificate request and retrieval), certificate renewals and changes, revocation, validation and repository lookups. They enable an IPsec operator to: - authorize batches of certificate issuances based on locally defined criteria - provision PKI-based user and/or machine identity to IPsec peers, on large scale - set the corresponding gateway and/or client authorization policy for remote access and site-to-site connections - establish automatic renewal for certificates - ensure timely revocation information is available and retrievable Requirements for both the IPsec and the PKI products will be addressed. The goal is to create a set of requirements from which a specification document will be derived. The requirements are carefully designed to achieve security without compromising ease of management and deployment, even where the deployment involves tens of thousands of IPsec users and devices. These requirements will be used to identify a specific protocol that may be leveraged to accomplish such large-scale deployments. Goals and Milestones: Done Post Certificate Profile and Use in IKE as an Internet Draft Done Post Management Protocol Profile Requirements as I-D Done Rev Requirements for management protocol profile as needed Jan 05 Submit Certificate Profile and Use in IKE as WG last call Feb 05 Submit Requirements for Management Protocol Profile as WG last call Mar 05 Submit Certificate Profile and Use to IESG, Proposed Standard Mar 05 WG decision on other Enrolment/Management protocols to profile Mar 05 Submit Requirements for Management protocol Profile to IESG, Informational Apr 05 Post CMC for IPsec VPN Profile as Internet Draft May 05 Post other enrolment/management profiles as I-D Jul 05 Rev CMC for IPsec VPN profile as needed Jul 05 Rev other enrolment/management profiles as needed Sep 05 CMC for IPsec VPN profile to WG last call Oct 05 Other enrolment/management profiles to WG last call Oct 05 Submit CMC for IPsec VPN Profile to IESG, Proposed Standard Nov 05 Submit other Profiles for enrolment/management to IESG, Proposed Standard Dec 05 Re-charter or close Internet-Drafts: Posted Revised I-D Title ------ ------- -------------------------------------------- Jun 04 Apr 05 The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX Aug 04 Dec 04 Requirements for an IPsec Certificate Management Profile Request For Comments: None to date.