Credentials Provisioning Workshop
IETF 55, Atlanta, Georgia
Sunday, November 17, 2002 1800 - 2200
Presentations
Agenda
1. Introduction: Why care about credential enrollment? - Russ Housley (10 minutes)
2. Enrollment scenario overview (35 minutes)
Device provisioning - Jesse Walker
AAA provisioning with certificates - Bernard Aboba
RADIUS provisioning - Bob Moskowitz
Requirements summary - Jesse Walker
3. Discussion on proposed scope/primary mechanism (25 minutes)
Outside scope: Headless devices with no secure storage for certs
Provisioning for which credentials - (certificates, symmetric keys, username-password, etc.)
What is the authorization model?
4. Certificate Profiles (20 minutes)
802.11 Certificate Profile - Russ Housley
WLAN certificate hierarchy and TLS Certificate Profiles - Thomas Hardjono, Verisign
IPsec Certificate Profile - Tim Polk
Related discussion topics (25 minutes)
How are authorization rights conveyed after authentication?
Attribute certificate use? Relationship to certificate profiles?
Should generic IPsec, TLS and S/MIME certificates have subcategories for specific usage?
Break (10 minutes)
5. Certificate enrollment protocols overview (35 minutes)
What’s already out there: SCEP, CMC, CMP, PKCS10 - Russ Housley
XKMS summary - Thomas Hardjono
DOCSIS and PacketCable Enrollment - Greg Nakanishi, Motorola
What’s wrong with PIC - Bernard Aboba
Lessons learned summary - Russ Housley
Related discussion topics (30 minutes)
Life cycle considerations
Is a common bootstrap certificate profile needed?
Updates: are they needed, and how to handle?
Revocation: is it needed, and how to handle?
Should an existing enrollment protocol be modified, or a new one developed?
6. Underlying authentication protocol (15 minutes)
Transport requirements summary - Jesse Walker
Discussion
Are there other requirements?
Does EAP satisfy these requirements?
7. Next steps (30 minutes)
What can we do with what we have?
What's missing?
Can existing protocols be adapted? Fixed?
Is new work needed?
BIN list
Credential enrollment use models