CMC Status Update

1
CMC Status Update

• Jim Schaad
• August Cellars Winery

2
Issues To Be Addressed

• CRMF is sufficient deprecate PKCS10?
• Identity Proof Issues
• Request for major restructuring of draft
• Capture changes since RFC 2797
• Clarification on Encryption key used for signing
  from NIST update to SP800-56A

3
CRMF is sufficient deprecate PKCS10?

• Currently Server MUST process PKCS 10
• Client MAY produce PKCS 10 for full request
• Clients MAY do simple request (PKCS 10)
• Russ Housely suggests deprecate all PKCS 10
• Simplifies the protocol substantially
• Intent to move all PKCS 10 to an appendix

4
Identity Proof

• Guidance for minimum size of shared secrets
• Add text to match hash size?
• Add new Identity Proof which is not SHA-1 based
• Add new control which allows for specification of
  hash algorithm

5
Clarification on Encryption key used for signing

• NIST Update SP800-56A
• Recommendation for Pair-Wise Key Establishment
  Schemes Using Discrete Logarithm Cryptography.
• Now allows Encryption Key to be used for signing
  certificate request
• Does not allow signing for revocation request
• Need to determine if this is a currently
  undocumented algorithm/method or not