Investigate current PKI standards

[pki-bot]

This issue was migrated from Pagure Issue #528. Originally filed by nkinder (@nkinder) on 2013-03-07 18:09:57:

• Closed as Fixed
• Assigned to awnuk (@awnuk)

---

We should look through a number of the current PKI related RFCs to see if there is functionality we should bring up to date to match the standards. Some specific areas we should look at are:

• SCEP (http://tools.ietf.org/html/draft-nourse-scep-23)
• CRLs (http://tools.ietf.org/html/rfc5280)
• CRMF (http://tools.ietf.org/html/rfc4211)

We also know that there are some specific areas to investigate, like dealing with different subject encodings, so we should focus on the areas where we know we are not up to the latest standard.

The goal is not to add functionality for everything found in the RFCs. We want to make sure our existing functionality and features follow the standards. If there is functionality defined in the standards that we do not have, we should evaluate if there is a strong use-case and need for us to add that functionality. We should file separate tickets for functionality that we need to bring up to date as we do this investigation.

[pki-bot]

Comment from awnuk (@awnuk) at 2013-05-30 00:42:13

Here is a preliminary list of SCEP desired enhancements and fixes grouped in categories:

• SCEP protocol enhancements:
  • Phase 1
    1. Ticket 621 - closed - Add SCEP support for Certificate Access
    2. Ticket 622 - closed - Add SCEP support for CRL Access
  • Phase 2:
    1. Ticket 623 - 10.2 - Add SCEP support for Client Certificate Renewal
  • Phase 3:
    1. Ticket 625 - FUTURE - Add SCEP support for GetNextCACert
    2. Ticket 626 - FUTURE - Add SCEP support for CA Key Rollover
  • Phase 4:
    1. Ticket 627 - FUTURE - Add SCEP support for GetCACaps
• Possible encoding or algorithmic enhancements:
  1. Ticket 442 - 10.1.08 - CA throws exception while processing SCEP PKCSReq message when cert DB is in FIPS mode
  2. Ticket 443 - 10.1.08 - SCEP: Invalid OID in CertRep signerInfo when using SHA-2
  3. Ticket 615 - 10.1.06 - SCEP PKIOperation InvalidBERException
• Functionality enhancements:
  1. Ticket 634 - 10.2 - Add pretty print for SCEP requests and responses
  2. Ticket 444 - 10.1.08 - Utilize database rather than plaintext flat files when utilizing SCEP one-time PIN

[pki-bot]

Comment from awnuk (@awnuk) at 2013-05-31 01:27:03

Here is a preliminary list of CRL desired enhancements and fixes grouped in categories:

• CRL RFC enhancements:
  1. Ticket 636 - FUTURE - Add support for indirect CRLs and Certificate Issuer extension
• CRL scalability and performance:
  1. Ticket 633 - 10.2 - CRL issuing point needs scalability review
  2. Ticket 632 - 10.2 - CRL publishing needs performance review
  3. Ticket 635 - 10.2 - Split crlIssuingPointRecord in sub-records to improve scalability and performance
  4. Ticket 628 - 10.2 - OCSP should support delta CRLs
• CRL issues:
  1. Ticket 574 - 10.1.08 - CRL scheduler may go into the infinite loop
  2. Ticket 573 - 10.1.08 - Higher values of "next update grace period" are adding an extra hour to CRL's NextUpdate
  3. Ticket 572 - 10.1.08 - CRL scheduler adds extra CRL generation at midnight for daily schedules
  4. Ticket 489 - 10.1.08 - CRL updates only after server restart
  5. Ticket 490 - 10.1.08 - Adding CRL Issuing point with empty name
• Functionality enhancements:
  1. Ticket 637 - 10.2 - Automatic management of CRL generation in clones
  2. Ticket 346 - 10.1.08 - Configuration wizard needs to properly configure default CRL issuing point when configuring cloned CA

[pki-bot]

Comment from awnuk (@awnuk) at 2013-06-01 00:05:47

Here is a preliminary list of CRMF desired enhancements and fixes:

• Ticket 638 - 10.1.08 - DRM: key archival request from CRMFPopTool causes nullPointerException when viewing requests
• Ticket 639 - 10.1.08 - Config wizard: adminpanel fails at nsIDOMCrypto.generateCRMFRequest when CS instance name (hence the DN) is long
• Ticket 640 - 10.2 - CMC not able to handle multiple CSRs in one CMC enrollment request
• Ticket 655 - FUTURE- Investigate option of using CMC with IE
• Ticket 659 - FUTURE- Support sMIMECapabilities extensions in certificates (RFC 4262)

[pki-bot]

Comment from nkinder (@nkinder) at 2017-02-27 14:12:04

Metadata Update from @nkinder:

• Issue assigned to awnuk
• Issue set to the milestone: 10.1 - 06/13 (June)