(introduction) Re: [ietf-enroll] Charter
Trevor Freeman
trevorf at windows.microsoft.com
Wed May 21 13:57:15 EDT 2003
Max,
I don't expect the enrolment to use a different transport to the
pre-provioning. In many scenarios we are trying to work with restricted
connectivity for security reasons. Using another transport enlarges the
attack surface. I don't want to poke any more holes than is absolutely
necessary and at this stage we only need one hole.
Trevor
-----Original Message-----
From: Max Pritikin [mailto:pritikin at cisco.com]
Sent: Monday, May 19, 2003 12:41 PM
To: Alper Yegin
Cc: Trevor Freeman; jimsch at exmsft.com; IETF-Enroll
Subject: Re: (introduction) Re: [ietf-enroll] Charter
One of the primary requirements for CMC, CMP, and XKMS seems to be
transport independence. So likely any of them.
Although I feel that the enrollment doesn't need to go over the same
transport as the introduction (pre-enrollment exchange of provisioning
and credentail information). In fact I rather expect that it is better
for the enrollment to go over an independant transport. This to better
handle the likely scenarios where introduction is handled through 3rd
party provisioning services, hardware tokens, store & forward
mechanisms, etc that don't have the appropriate realtime behavior for
the actual enrollment mechanisms. (At least not if you want said
enrollment to occur without user assistance).
- max
On Mon, 2003-05-19 at 11:47, Alper Yegin wrote:
> Hello,
>
> > What we don't have is a universal provisioning framework which
covers a
> > variety of credential types. That said since the existing enrolment
> > protocols are transport independent, once a decision is made to for
> > example to enrol for a certificate, that we could use an existing
> > mechanism to do so.
>
> Which protocols are you referring to as "existing enrollment
protocols"?
>
> Thanks.
>
> Alper
>
>
More information about the ietf-enroll
mailing list