rfc-editor | 11 Aug 02:49 2007

RFC 4945 on The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX


A new Request for Comments is now available in online RFC libraries.

        
        RFC 4945

        Title:      The Internet IP Security PKI 
                    Profile of IKEv1/ISAKMP, IKEv2, and PKIX 
        Author:     B. Korver
        Status:     Standards Track
        Date:       August 2007
        Mailbox:    briank <at> networkresonance.com
        Pages:      43
        Characters: 101495
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-pki4ipsec-ikecert-profile-12.txt

        URL:        http://www.rfc-editor.org/rfc/rfc4945.txt

The Internet Key Exchange (IKE) and Public Key Infrastructure for X.509
(PKIX) certificate profile both provide frameworks that must be
profiled for use in a given application.  This document provides a
profile of IKE and PKIX that defines the requirements for using PKI
technology in the context of IKE/IPsec.  The document complements
protocol specifications such as IKEv1 and IKEv2, which assume the
existence of public key certificates and related keying materials,
but which do not address PKI issues explicitly.  This document
addresses those issues.  The intended audience is implementers of PKI
for IPsec.  [STANDARDS TRACK]
(Continue reading)

The IESG | 30 Mar 21:50 2007

WG Action: Conclusion of Profiling Use of PKI in IPSEC (pki4ipsec)

The Profiling Use of PKI in IPSEC WG (pki4ipsec) in the Security Area has
concluded.

The IESG contact persons are Russ Housley, Tim Polk, and Sam Hartman.

The mailing list will be closed.

The PKI4IPsec WG was chartered to work on three documents.

1) A standards-track document that gives specific instructions on
how X.509 certificates should be handled with respect to the
IKEv1 and IKEv2 protocols.

2) An informational document identifying and describing requirements
for a profile of a certificate management protocol to handle PKI
enrollment as well as certificate lifecycle interactions between
IPsec VPN systems and PKI systems.

3) A standards-track document describing a detailed profile of the
CMC (Certificate Management Messages over CMS protocol, RFC 2797)
that meets the requirements laid out in the requirements document.

The first two documents are complete, but there is no interest in
development of the third document. The PKI4IPsec WG is being closed
without this work ever getting started.

Thanks to all who participated, especially the WG Chairs and document
editors.

_______________________________________________
(Continue reading)

The IESG | 27 Mar 22:24 2007

Protocol Action: 'The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX' to Proposed Standard

The IESG has approved the following document:

- 'The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX '
   <draft-ietf-pki4ipsec-ikecert-profile-12.txt> as a Proposed Standard

This document is the product of the Profiling Use of PKI in IPSEC Working 
Group. 

The IESG contact persons are Russ Housley and Sam Hartman.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-pki4ipsec-ikecert-profile-12.txt

Technical Summary

  This document specifies a profile for the use of Certificates for
  identification in the IKEv1 and IKEv2 protocols.  These protocols say
  very little about the certificates, and a fair amount of industry
  practice has built up around bake-offs and interop events over the
  last 8 years.  This profile captures the best of those practices.  It
  is targeted to two main audiences: implementors who are building
  interoperable products, and deployers who need to know how to
  configure the systems.  The profile also provides guidance to the PKI
  community about the needs of the IPsec VPN application.

Working Group Summary

  The initial draft came from IPsec WG, and was completed in the
  PKI4IPsec WG.  An issue tracker was used to make sure that all issues
  were addressed.  The PKI4IPsec WG has strong consensus that this
(Continue reading)

Gregory M. Lebovitz | 21 Mar 16:46 2007

Fwd: DISCUSS and COMMENT: draft-ietf-pki4ipsec-ikecert-profile

Team,
We are ALMOST done. The mgt requirements document went to RFC (4808).
And the ikecert-profile-12 is very close. There are a few DISCUSS
items that Steve Kent aired during the IESG review. Please see those
below and feel free to respond. Everyone's input is appreciated. Brian
will be driving to close this within the next day or so. - Gregory.

>To: iesg <at> ietf.org
>Cc: pki4ipsec-chairs <at> tools.ietf.org
>From: Sam Hartman <hartmans-ietf <at> mit.edu>
>Subject: DISCUSS and COMMENT: draft-ietf-pki4ipsec-ikecert-profile
>
>Discuss:
>This discuss is based significantly on a review from Steve Kent.
>
>- This section [section 3] also imposes a requirement for an IPsec
>implementation to be configured (by default) to check the "outermost" IP
>source address of incoming traffic against the IP address used as the IKE
>ID, if that form of IKE ID was used. This is not a check specified by RFC
>2401, and so it is inappropriate for a "profile" document. Moreover, this
>requirement runs counter to the IPsec architecture model, which says that
>only the inner address of a tunnel mode SA need be checked against the SPD
>or SAD entry. A road warrior IPsec implementation might be configured with
>a certificate asserting an IP address and might use that address as an IKE
>ID, with the intent that this address be the INNER address in the tunnel
>established between the road warrior and an enterprise security gateway.
>This also seems odd in that Section 2 (Terms and Definitions) contains the
>following definition: "Peer source address: The source address in packets
>from a peer. This address may be different from any
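The two checks the DISCUSS above contrasts, modelled in Python as an added illustration (this is not code from the draft, from RFC 4945, or from anyone on this thread). A responder first binds the peer's IKE ID to its certificate by ID type (address IDs to iPAddress SANs, FQDN to dNSName, e-mail to rfc822Name, DN to the Subject), then applies the contested "ID address must equal the outermost source address" rule only when a policy flag says so, and finally applies the RFC 2401-style check of the inner address against the SA's selector. Certificates are a plain dataclass carrying SAN values, so no X.509 parsing or signature verification happens; the `Cert`, `IkeId` and `PeerPolicy` types and every address and name are constructed for the example.

```python
"""Added illustration, not code from the draft, from RFC 4945, or from anyone
on this thread: a stdlib-only model of an IKE responder binding a peer's IKE
ID to its certificate, with the contested "outer source address" check kept
as a switchable policy so the road-warrior case can be shown.

Certificates are modelled as a dataclass holding subjectAltName values; no
X.509 parsing, chain building or signature verification happens here. The
Cert, IkeId and PeerPolicy types and every address and name below are
constructed for the illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

ADDRESS_IDS = ("ID_IPV4_ADDR", "ID_IPV6_ADDR")


@dataclass(frozen=True)
class Cert:
    subject_dn: str
    san_ip: List[str] = field(default_factory=list)     # iPAddress SANs
    san_dns: List[str] = field(default_factory=list)    # dNSName SANs
    san_email: List[str] = field(default_factory=list)  # rfc822Name SANs


@dataclass(frozen=True)
class IkeId:
    kind: str   # ID_IPV4_ADDR, ID_IPV6_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_DER_ASN1_DN
    value: str


@dataclass
class PeerPolicy:
    # The requirement the DISCUSS objects to: when the ID is an IP address,
    # it must equal the outermost source address of the peer's packets.
    require_id_equals_outer_src: bool = True
    # RFC 2401/4301 model: the tunnel-mode SA's inner-address selector.
    inner_selector: str = "10.0.0.0/8"


def _norm_dns(name: str) -> str:
    """Case-insensitive compare, ignoring a trailing root dot."""
    return name.lower().rstrip(".")


def id_matches_cert(ike_id: IkeId, cert: Cert) -> bool:
    """Bind the IKE ID to the certificate by ID type: address IDs to iPAddress
    SANs, FQDN to dNSName, e-mail to rfc822Name, DN to the Subject."""
    if ike_id.kind in ADDRESS_IDS:
        want = ip_address(ike_id.value)
        return any(ip_address(s) == want for s in cert.san_ip)
    if ike_id.kind == "ID_FQDN":
        return _norm_dns(ike_id.value) in {_norm_dns(d) for d in cert.san_dns}
    if ike_id.kind == "ID_RFC822_ADDR":
        return ike_id.value.lower() in {e.lower() for e in cert.san_email}
    if ike_id.kind == "ID_DER_ASN1_DN":
        return ike_id.value == cert.subject_dn
    return False   # unknown or unsupported ID type: fail closed


def authenticate_peer(ike_id: IkeId, cert: Cert, outer_src: str,
                      inner_src: str, policy: PeerPolicy) -> Tuple[bool, str]:
    """Decide whether to accept the peer; returns (accepted, reason)."""
    if not id_matches_cert(ike_id, cert):
        return False, "IKE ID not bound to certificate"
    if policy.require_id_equals_outer_src and ike_id.kind in ADDRESS_IDS:
        if ip_address(ike_id.value) != ip_address(outer_src):
            return False, "ID address differs from outer source address"
    # Architecture check: only the INNER address of a tunnel-mode packet is
    # matched against the SPD/SAD selector.
    if ip_address(inner_src) not in ip_network(policy.inner_selector):
        return False, "inner address outside selector"
    return True, "ok"


def road_warrior_demo() -> Dict[str, Tuple[bool, str]]:
    """The scenario from the review: the road warrior's certificate asserts
    10.0.0.5, which it uses both as its IKE ID and as its INNER tunnel
    address, while its packets arrive from a (constructed) public outer
    address 203.0.113.7."""
    cert = Cert(subject_dn="CN=roadwarrior", san_ip=["10.0.0.5"])
    ike_id = IkeId("ID_IPV4_ADDR", "10.0.0.5")
    outer, inner = "203.0.113.7", "10.0.0.5"
    return {
        "profile_check_on": authenticate_peer(
            ike_id, cert, outer, inner, PeerPolicy(require_id_equals_outer_src=True)),
        "profile_check_off": authenticate_peer(
            ike_id, cert, outer, inner, PeerPolicy(require_id_equals_outer_src=False)),
    }


if __name__ == "__main__":
    for name, result in road_warrior_demo().items():
        print(f"{name}: {result}")
```

Running it shows the review's point directly: with the outer-source rule on, the road warrior is rejected even though its ID is correctly bound to its certificate and its inner address sits inside the selector; with the rule off, the same exchange is accepted on the architecture check alone. A gateway whose IKE ID really is its outer address passes either way, which is why the rule is harmless in the gateway-to-gateway case and only bites the road-warrior deployment.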

Gregory M. Lebovitz | 21 Mar 16:10 2007

pki4ipsec - wg status

PKI4IPSEC did NOT meet here in Prague.

We have only two documents in all.

draft-ietf-pki4ipsec-ikecert-profile-12.txt -
 was in IESG review and is stuck on some DISCUSS issues that are being
addressed by the author. When a solution is determined, the doc will rev
and be released as an RFC. We will be sure to take the issue and discussion
of it to the list before moving on, as this is the appropriate process via
PROTO.

Requirements for an IPsec Certificate Management Profile - RFC 4809
 the cert mgmt protocol profile requirements document has moved to RFC.
 It does not show up on the wg web page; ticket into the secretariat to fix.

As soon as ike-cert profile goes to RFC, wg will close.

Gregory.
rfc-editor | 1 Mar 06:07 2007

RFC 4809 on Requirements for an IPsec Certificate Management Profile


A new Request for Comments is now available in online RFC libraries.

        
        RFC 4809

        Title:      Requirements for an IPsec Certificate 
                    Management Profile 
        Author:     C. Bonatti, Ed.,
                    S. Turner, Ed.,
                    G. Lebovitz, Ed.
        Status:     Informational
        Date:       February 2007
        Mailbox:    Bonattic <at> ieca.com, 
                    Turners <at> ieca.com, 
                    gregory.ietf <at> gmail.com
        Pages:      45
        Characters: 98400
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-pki4ipsec-mgmt-profile-rqts-07.txt

        URL:        http://www.rfc-editor.org/rfc/rfc4809.txt

This informational document describes and identifies the requirements
for transactions to handle Public Key Certificate (PKC) lifecycle
transactions between Internet Protocol Security (IPsec) Virtual
Private Network (VPN) Systems using Internet Key Exchange (IKE)
(versions 1 and 2) and Public Key Infrastructure (PKI) Systems.  These
requirements are designed to meet the needs of enterprise-scale IPsec
VPN deployments.  It is intended that a standards track profile of a
management protocol will be created to address many of these
requirements.  This memo provides information for the Internet community.

This document is a product of the Profiling Use of PKI in IPSEC
Working Group of the IETF.

INFORMATIONAL: This memo provides information for the Internet community. 
It does not specify an Internet standard of any kind. Distribution
of this memo is unlimited.

This announcement is sent to the IETF list and the RFC-DIST list.
Requests to be added to or deleted from the IETF distribution list
should be sent to IETF-REQUEST <at> IETF.ORG.  Requests to be
added to or deleted from the RFC-DIST distribution list should
be sent to RFC-DIST-REQUEST <at> RFC-EDITOR.ORG.

Details on obtaining RFCs via FTP or EMAIL may be obtained by sending
an EMAIL message to rfc-info <at> RFC-EDITOR.ORG with the message body 

help: ways_to_get_rfcs. For example:

        To: rfc-info <at> RFC-EDITOR.ORG
        Subject: getting rfcs

        help: ways_to_get_rfcs

Requests for special distribution should be addressed to either the
author of the RFC in question, or to RFC-Manager <at> RFC-EDITOR.ORG.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.

Submissions for Requests for Comments should be sent to
RFC-EDITOR <at> RFC-EDITOR.ORG.  Please consult RFC 2223, Instructions to RFC
Authors, for further information.

The RFC Editor Team
USC/Information Sciences Institute

...

_______________________________________________
IETF-Announce mailing list
IETF-Announce <at> ietf.org
https://www1.ietf.org/mailman/listinfo/ietf-announce

Internet-Drafts | 23 Feb 21:50 2007

I-D ACTION:draft-ietf-pki4ipsec-ikecert-profile-12.txt

A New Internet-Draft is available from the on-line Internet-Drafts 
directories.
This draft is a work item of the Profiling Use of PKI in IPSEC Working Group of the IETF.

	Title		: The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX
	Author(s)	: B. Korver
	Filename	: draft-ietf-pki4ipsec-ikecert-profile-12.txt
	Pages		: 52
	Date		: 2007-2-23
	
IKE and PKIX certificate profile both provide frameworks that must be
   profiled for use in a given application.  This document provides a
   profile of IKE and PKIX that defines the requirements for using PKI
   technology in the context of IKE/IPsec.  The document complements
   protocol specifications such as IKEv1 and IKEv2, which assume the
   existence of public key certificates and related keying materials,
   but which do not address PKI issues explicitly.  This document
   addresses those issues.  The intended audience is implementors of PKI
   for IPsec.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-pki4ipsec-ikecert-profile-12.txt

To remove yourself from the I-D Announcement list, send a message to 
i-d-announce-request <at> ietf.org with the word unsubscribe in the body of 
the message. 
You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce 
to change your subscription settings.

Internet-Drafts are also available by anonymous FTP. Login with the 
username "anonymous" and a password of your e-mail address. After 
logging in, type "cd internet-drafts" and then 
"get draft-ietf-pki4ipsec-ikecert-profile-12.txt".

A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html 
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

Internet-Drafts can also be obtained by e-mail.

Send a message to:
	mailserv <at> ietf.org.
In the body type:
	"FILE /internet-drafts/draft-ietf-pki4ipsec-ikecert-profile-12.txt".
	
NOTE:	The mail server at ietf.org can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
Attachment: message/external-body, 149 bytes
_______________________________________________
I-D-Announce mailing list
I-D-Announce <at> ietf.org
https://www1.ietf.org/mailman/listinfo/i-d-announce
Nomcom06 | 18 Dec 05:52 2006

Nomcom06: IETF Chair Candidate Feedback

IETF Chair Candidate Feedback

This mail regards the broken link in the earlier mail.  The link in the earlier mail for the feedback tool
should have read:

https://www1.tools.ietf.org/group/nomcom/06/input/

Note the extra "/" between "nomcom" and "06".  This applies to all the solicitation for feedback messages
you may have received.

Thanks in advance for your feedback.

Andrew
Nomcom06 | 18 Dec 04:56 2006

Nomcom06: IAB Member Candidate Feedback

IAB Member Candidate Feedback

The NomCom solicits your input on the candidates it is reviewing for
the IAB Member position.  It is a requirement
of the NomCom process that lists of candidates reviewed by the NomCom
are to be kept confidential. Therefore, when you receive the list of
candidates for review, you MUST keep it confidential and MUST NOT
share it with anyone else.  The NomCom requests that you provide your
input as soon as possible; for full consideration, please have it in no
later than the end of the day, Tuesday, January 2, 2007.

Your input is a very important aspect of the process through which the
NomCom will make its selections for IETF leadership.  We encourage you
to review the list of candidates you have been asked to comment on and
provide us any input that might help us in our selection.  Please
provide input on as many candidates as you can; input to the effect of
"I'm not familiar with X" is acceptable and useful to the NomCom.

This year, the NomCom is accepting input on candidates through a
web-based tool.  Later in this message, you will find a URL through
which you can provide your input.

You may be asked for input on multiple positions that are under review
by the NomCom.  If you are asked for input on multiple positions, you
will receive separate e-mail requests for each position.  

If you prefer to provide anonymous input, please send it directly to
the NomCom chair, Andrew Lange, andrew.lange <at> alcatel-lucent.com, who
will make your input anonymous before forwarding it to the NomCom.  Any 
input you provide, whether it is provided to the NomCom directly through the web-based tool or
anonymously, will be kept confidential and will not be shared outside the NomCom.

There are names in the lists of candidates for each position who have
declined nomination, which are included in the list to help protect
the confidentiality of actual candidates.  Also, if you are a
candidate for a position, your name will not appear in the list of
candidates for that position.  If you are a candidate for a position,
the NomCom will not accept anonymous input from you about other
candidates for the same position.

The web-based feedback tool gives the NomCom an automated process for
collecting input on the NomCom candidates.  We hope you will find it
more convenient to use as well.  Your input will be encrypted before
it is stored by the feedback tool, and can only be decrypted by the
NomCom.

Some individuals may be candidates for multiple positions.  If you
provide input for such a candidate for one position, the NomCom will
see that input for that candidate associated with each of the
positions.  You may provide additional input for specific positions,
by clicking on the candidate's name in the list of candidates for that
specific position.

The feedback form is available at the following URLs:

  https://www1.tools.ietf.org/group/nomcom06/input/

Please use your tools.ietf.org login with the email address you have been 
invited with.  If you do not have a tools login, you can get one at this URL:

  https://www1.tools.ietf.org/newlogin

Again, the NomCom emphasizes that, if you use the feedback form to
provide input, you MUST keep the list of candidates confidential.

When you access the feedback form, you will see a list of all of the
candidates you have been asked to comment on.  By clicking on a
candidate's name, you will be presented with a text-input form into
which you can type your input.  

Note that, because of the way in which the NomCom collected names and
e-mail addresses for individuals from whom input is solicited, we may
have more than one e-mail address for you and you may receive multiple
requests for feedback on the same position.  We apologize in advance
for any duplicate e-mail you may receive as a part of this feedback
solicitation process.

Thanks in advance for your feedback.

Andrew
Nomcom06 | 18 Dec 05:35 2006

Nomcom06: IAOC Member Candidate Feedback

IAOC Member Candidate Feedback

The NomCom solicits your input on the candidates it is reviewing for
the IAOC Member position.  It is a requirement
of the NomCom process that lists of candidates reviewed by the NomCom
are to be kept confidential. Therefore, when you receive the list of
candidates for review, you MUST keep it confidential and MUST NOT
share it with anyone else.  The NomCom requests that you provide your
input as soon as possible; for full consideration, please have it in no
later than the end of the day, Tuesday, January 2, 2007.

Your input is a very important aspect of the process through which the
NomCom will make its selections for IETF leadership.  We encourage you
to review the list of candidates you have been asked to comment on and
provide us any input that might help us in our selection.  Please
provide input on as many candidates as you can; input to the effect of
"I'm not familiar with X" is acceptable and useful to the NomCom.

This year, the NomCom is accepting input on candidates through a
web-based tool.  Later in this message, you will find a URL through
which you can provide your input.

You may be asked for input on multiple positions that are under review
by the NomCom.  If you are asked for input on multiple positions, you
will receive separate e-mail requests for each position.  

If you prefer to provide anonymous input, please send it directly to
the NomCom chair, Andrew Lange, andrew.lange <at> alcatel-lucent.com, who
will make your input anonymous before forwarding it to the NomCom.  Any 
input you provide, whether it is provided to the NomCom directly through the web-based tool or
anonymously, will be kept confidential and will not be shared outside the NomCom.

There are names in the lists of candidates for each position who have
declined nomination, which are included in the list to help protect
the confidentiality of actual candidates.  Also, if you are a
candidate for a position, your name will not appear in the list of
candidates for that position.  If you are a candidate for a position,
the NomCom will not accept anonymous input from you about other
candidates for the same position.

The web-based feedback tool gives the NomCom an automated process for
collecting input on the NomCom candidates.  We hope you will find it
more convenient to use as well.  Your input will be encrypted before
it is stored by the feedback tool, and can only be decrypted by the
NomCom.

Some individuals may be candidates for multiple positions.  If you
provide input for such a candidate for one position, the NomCom will
see that input for that candidate associated with each of the
positions.  You may provide additional input for specific positions,
by clicking on the candidate's name in the list of candidates for that
specific position.

The feedback form is available at the following URLs:

  https://www1.tools.ietf.org/group/nomcom06/input/

Please use your tools.ietf.org login with the email address you have been 
invited with.  If you do not have a tools login, you can get one at this URL:

  https://www1.tools.ietf.org/newlogin

Again, the NomCom emphasizes that, if you use the feedback form to
provide input, you MUST keep the list of candidates confidential.

When you access the feedback form, you will see a list of all of the
candidates you have been asked to comment on.  By clicking on a
candidate's name, you will be presented with a text-input form into
which you can type your input.  

Note that, because of the way in which the NomCom collected names and
e-mail addresses for individuals from whom input is solicited, we may
have more than one e-mail address for you and you may receive multiple
requests for feedback on the same position.  We apologize in advance
for any duplicate e-mail you may receive as a part of this feedback
solicitation process.

Thanks in advance for your feedback.

Andrew
Nomcom06 | 18 Dec 04:13 2006

Nomcom06: Security Area Director Candidate Feedback

Security Area Director Candidate Feedback

The NomCom solicits your input on the candidates it is reviewing for
the Security Area Director position.  It is a requirement
of the NomCom process that lists of candidates reviewed by the NomCom
are to be kept confidential. Therefore, when you receive the list of
candidates for review, you MUST keep it confidential and MUST NOT
share it with anyone else.  The NomCom requests that you provide your
input as soon as possible; for full consideration, please have it in no
later than the end of the day, Tuesday, January 2, 2007.

Your input is a very important aspect of the process through which the
NomCom will make its selections for IETF leadership.  We encourage you
to review the list of candidates you have been asked to comment on and
provide us any input that might help us in our selection.  Please
provide input on as many candidates as you can; input to the effect of
"I'm not familiar with X" is acceptable and useful to the NomCom.

This year, the NomCom is accepting input on candidates through a
web-based tool.  Later in this message, you will find a URL through
which you can provide your input.

You may be asked for input on multiple positions that are under review
by the NomCom.  If you are asked for input on multiple positions, you
will receive separate e-mail requests for each position.  

If you prefer to provide anonymous input, please send it directly to
the NomCom chair, Andrew Lange, andrew.lange <at> alcatel-lucent.com, who
will make your input anonymous before forwarding it to the NomCom.  Any 
input you provide, whether it is provided to the NomCom directly through the web-based tool or
anonymously, will be kept confidential and will not be shared outside the NomCom.

There are names in the lists of candidates for each position who have
declined nomination, which are included in the list to help protect
the confidentiality of actual candidates.  Also, if you are a
candidate for a position, your name will not appear in the list of
candidates for that position.  If you are a candidate for a position,
the NomCom will not accept anonymous input from you about other
candidates for the same position.

The web-based feedback tool gives the NomCom an automated process for
collecting input on the NomCom candidates.  We hope you will find it
more convenient to use as well.  Your input will be encrypted before
it is stored by the feedback tool, and can only be decrypted by the
NomCom.

Some individuals may be candidates for multiple positions.  If you
provide input for such a candidate for one position, the NomCom will
see that input for that candidate associated with each of the
positions.  You may provide additional input for specific positions,
by clicking on the candidate's name in the list of candidates for that
specific position.

The feedback form is available at the following URLs:

  https://www1.tools.ietf.org/group/nomcom06/input/

Please use your tools.ietf.org login with the email address you have been 
invited with.  If you do not have a tools login, you can get one at this URL:

  https://www1.tools.ietf.org/newlogin

Again, the NomCom emphasizes that, if you use the feedback form to
provide input, you MUST keep the list of candidates confidential.

When you access the feedback form, you will see a list of all of the
candidates you have been asked to comment on.  By clicking on a
candidate's name, you will be presented with a text-input form into
which you can type your input.  

Note that, because of the way in which the NomCom collected names and
e-mail addresses for individuals from whom input is solicited, we may
have more than one e-mail address for you and you may receive multiple
requests for feedback on the same position.  We apologize in advance
for any duplicate e-mail you may receive as a part of this feedback
solicitation process.

Thanks in advance for your feedback.

Andrew