rfcdiff: draft-friedman-ike-short-term-certs-01.txt (old version, "-01") vs. draft-friedman-ike-short-term-certs-02.txt (new version, "-02")
Network Working Group                                        A. Friedman
Internet-Draft                                              Technion IIT
-01: Intended status: Standards Track                         Y. Sheffer
-02: Intended status: Experimental                            Y. Sheffer
-01: Expires: June 28, 2007                             Check Point Ltd.
-02: Expires: December 22, 2007                              Check Point
                                                               A. Shaqed
-01:                                                   December 25, 2006
-02:                                                      Correlix, Inc.
-02:                                                       June 20, 2007

                         Short-Term Certificates
-01:              draft-friedman-ike-short-term-certs-01
-02:              draft-friedman-ike-short-term-certs-02
Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that

   [skipping to change at page 1, line 36 (-01) / page 1, line 37 (-02)]

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

-01:   This Internet-Draft will expire on June 28, 2007.
-02:   This Internet-Draft will expire on December 22, 2007.

Copyright Notice

-01:   Copyright (C) The IETF Trust (2006).
-02:   Copyright (C) The IETF Trust (2007).

Abstract

   This document describes an extension to IKEv2 that allows an endpoint
   which has authenticated to a gateway to request a short-term
   credential, possession of which proves the authentication.  This
   allows it to prove to a security gateway that it was already
   authenticated by another trusted security gateway, thereby allowing
   the authentication of the endpoint without user intervention.  This
   credential is a certificate issued by the authenticating gateway for

   [skipping to change at page 10, line 6 (both versions)]

   implemented to provide this functionality.  When such protocols are
   implemented to provide gateway synchronization, they SHOULD be
   properly secured to prevent attacks based on desynchronizing security
   gateway clocks.
10.  Acknowledgements

11.  References

11.1.  Normative References

-02:   [I-D.ietf-pki4ipsec-ikecert-profile]
-02:              Korver, B., "The Internet IP Security PKI Profile of
-02:              IKEv1/ISAKMP, IKEv2, and PKIX",
-02:              draft-ietf-pki4ipsec-ikecert-profile-12 (work in
-02:              progress), February 2007.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

-02:   [RFC2315]  Kaliski, B., "PKCS #7: Cryptographic Message Syntax
-02:              Version 1.5", RFC 2315, March 1998.

-02:   [RFC2986]  Nystrom, M. and B. Kaliski, "PKCS #10: Certification
-02:              Request Syntax Specification Version 1.7", RFC 2986,
-02:              November 2000.

-02:   [RFC3279]  Bassham, L., Polk, W., and R. Housley, "Algorithms and
-02:              Identifiers for the Internet X.509 Public Key
-02:              Infrastructure Certificate and Certificate Revocation
-02:              List (CRL) Profile", RFC 3279, April 2002.

   [RFC4306]  Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
              RFC 4306, December 2005.

-02:   [RFC4478]  Nir, Y., "Repeated Authentication in Internet Key
-02:              Exchange (IKEv2) Protocol", RFC 4478, April 2006.

11.2.  Informative References

-01:   [I-D.ietf-pki4ipsec-ikecert-profile]
-01:              Korver, B., "The Internet IP Security PKI Profile of
-01:              IKEv1/ISAKMP, IKEv2, and PKIX",
-01:              draft-ietf-pki4ipsec-ikecert-profile-11 (work in
-01:              progress), September 2006.

   [I-D.ohba-preauth-ps]
              Ohba, Y., "EAP Pre-authentication Problem Statement",
-01:          draft-ohba-preauth-ps-00 (work in progress), October 2006.
-02:          draft-ohba-preauth-ps-01 (work in progress), March 2007.

   [ITU.X501.1993]
              International Telecommunications Union, "Information
              Technology - Open Systems Interconnection - The Directory:
              Models", ITU-T Recommendation X.501, ISO Standard 9594-2,
              1993.

   [PIC]      Sheffer, Y., Krawczyk, H., and B. Aboba, "PIC, A Pre-IKE
              Credential Provisioning Protocol, Internet-draft
              (expired), draft-ietf-ipsra-pic-06.txt", October 2002.

   [RFC1305]  Mills, D., "Network Time Protocol (Version 3)
              Specification, Implementation", RFC 1305, March 1992.

-01:   [RFC2315]  Kaliski, B., "PKCS #7: Cryptographic Message Syntax
-01:              Version 1.5", RFC 2315, March 1998.

-01:   [RFC2986]  Nystrom, M. and B. Kaliski, "PKCS #10: Certification
-01:              Request Syntax Specification Version 1.7", RFC 2986,
-01:              November 2000.

   [RFC3280]  Housley, R., Polk, W., Ford, W., and D. Solo, "Internet
              X.509 Public Key Infrastructure Certificate and
              Certificate Revocation List (CRL) Profile", RFC 3280,
              April 2002.

   [RFC3748]  Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
              Levkowetz, "Extensible Authentication Protocol (EAP)",
              RFC 3748, June 2004.

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, December 2005.

   [RFC4330]  Mills, D., "Simple Network Time Protocol (SNTP) Version 4
              for IPv4, IPv6 and OSI", RFC 4330, January 2006.

-01:   [RFC4478]  Nir, Y., "Repeated Authentication in Internet Key
-01:              Exchange (IKEv2) Protocol", RFC 4478, April 2006.
Authors' Addresses

   Arik Friedman
   Technion IIT
   Haifa 32000
   Israel

   Email: arikf@cs.technion.ac.il

   Yaron Sheffer
-01:   Check Point Ltd.
-02:   Check Point Software Technologies Ltd.
-01:   Ramat Gan
-02:   5 Hasolelim st.
-02:   Tel Aviv 67897
   Israel

-01:   Email: yaronf@checkpoint.com
-02:   Email: yaronf at checkpoint dot com

   Ariel Shaqed (Scolnicov)
-01:   Tel Aviv
-02:   Correlix, Inc.
-02:   Herzelia Pituah
   Israel

   Email: ariel.shaqed+ietf@gmail.com
Full Copyright Statement

-01:   Copyright (C) The IETF Trust (2006).
-02:   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
End of changes.  16 change blocks.
33 lines changed or deleted, 31 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/