pem-dev

Re: IPRA Functions

1995-02-04 16:44:00
At 6:29 AM 2/1/95, Sead Muftic wrote:
Steve and Jeff:

We are about to install and put in operation our COST PCA
supporting Low Level Assurance Certification Policy.
Within our internal implementation, we believe,
it is fully compliant with the RFC 1422. However, as you know,
in order to run PCA, we also need cooperation with IPRA,
as described in RFC 1422.

So, would you please be so kind and inform us how are currently IPRA
functions implemented, in particular:

  1.) What is the procedure for certification of PCAs ?

Technically you send me your PCA certificate as a self-signed certificate.
I then compute the MD2 (or MD5) message digest of the certificate. I need
to compare what I compute to what you compute, and we need to do this
communication in some secure way. Probably the best way for us to proceed
is for you to generate the self-signed certificate and send it to me (I
believe the format is described in RFC1424, whatever the "FORMS" rfc number
is). We can then compare MD2 digests via e-mail (which is not secure, but
will be a good first pass). After we agree on the digest (i.e., we are
using the same digest and both have software which agrees on the
calculation) then you can write the digest down on paper with some
appropriate assertion that you represent the COST Low Level Assurance PCA
and have that notarized and postal mailed to me.

Note: We have yet to register a PCA without person to person contact so I
don't know exactly what your assertion should say. I have CC'd Vint Cerf on
this message, perhaps he can help here (as I only technically operate the
IPRA under the direction of the Internet Society (ISOC). Vint needs to
speak for the ISOC).


  2.) How can we file our Security Policy with IPRA
      (as required in section 3.4.2.1) ?

Because the IPRA is still operating in "test" mode, we have not required
Policies to be filed. As yet we do not have a procedure in place for you to
do so. However, it is encouraging to see that you have a Policy ready, so
when we have our procedure in place you should be all ready to use it.

  3.) Are there any fees to IPRA ?

Today (during "test") there are no fees to have a certificate signed by the
IPRA. Whether or not this will change in the future is up to the ISOC.


  4.) How IPRA ensures the uniqueness of DNs
      (section 3.4.2.2) ?

A mechanism to do this was never put in place (because there are so few
PCAs now). However as more join the hierarchy and the chance for collision
among registered CAs becomes a concern we will need to do something. I
believe a mailing list exists for PCA operators to discuss how to do this
as well as other inter-PCA issues [the list may have ceased to exist, in
which case we need to recreate it].

  5.) How is maintenance and distribution of CRLs performed
      by IPRA (section 3.4.2.5) ?

Mail containing CRLs and CRL-REQUEST messages can be sent to
crl-service(_at_)mit(_dot_)edu which directly connects to a CRL database.


                        -Jeff

P.S. I'll be in Stockholm in July for the IETF meeting. Look forward to
seeing you then!
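
The digest comparison described in the answer to question 1, as an added example that is not part of the original message: each side computes the digest of the self-signed certificate and checks it against the value received by e-mail or on paper. Assumptions: the digest is taken over the full DER encoding of the certificate, MD5 is used because Python's hashlib does not guarantee MD2, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Strip the armor and base64-decode, so both sides hash the same bytes."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der: bytes, algo: str = "md5") -> str:
    """Hex digest over the full DER encoding (an assumption, see lead-in)."""
    return hashlib.new(algo, der).hexdigest()


def normalize(written: str) -> str:
    """Accept a digest as typed from e-mail or paper: colons, spaces, any case."""
    cleaned = re.sub(r"[\s:.-]", "", written).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("digest contains non-hex characters")
    return cleaned


def digests_agree(der: bytes, written: str, algo: str = "md5") -> bool:
    """True only if the locally computed digest equals the one received."""
    local = fingerprint(der, algo)
    remote = normalize(written)
    # A truncated transcription must fail, not match on a prefix.
    if len(remote) != len(local):
        return False
    return hmac.compare_digest(local, remote)


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate.
    der = b"constructed stand-in for a DER-encoded PCA certificate"
    pem = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
           + "\n-----END CERTIFICATE-----\n")
    fp = fingerprint(pem_to_der(pem))
    paper = ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()
    print("paper copy matches:", digests_agree(pem_to_der(pem), paper))
    print("digest of armored text matches:", digests_agree(pem.encode(), paper))
```

The second check prints False: hashing the armored text instead of the decoded bytes is the kind of software disagreement the e-mail "first pass" is meant to catch before anything is notarized.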


