

Protocol and cryptographic techniques will also be developed to support the key management requirements of the Network Layer security. The key management will be specified as an Application Layer protocol, independent of the lower layer security protocol, and will initially support public key-based techniques. Flexibility in the protocol will allow eventual support of Key Distribution Center (KDC), such as Kerberos, and manual distribution approaches.

The IPSEC WG has been responsible for the publication of several RFCs:

  1825: Security Architecture for the Internet Protocol.
  1826: IP Authentication Header.
  1827: IP Encapsulating Security Payload.
  1829: The ESP DES-CBC Transform.
  1828: IP Authentication using Keyed MD5.

In addition, the IPSEC WG has published several Internet-Drafts including The Photuris Session Key Management Protocol, Internet Security Association and Key Management Protocol (ISAKMP), Simple Key-Management For Internet Protocols (SKIP), ICMP Security Failures Messages, X.509 Encoding of Diffie-Hellman Public Values, Encoding of an Unsigned Diffie-Hellman Public Value, Certificate Discovery Protocol, and SKIP Algorithm Discovery Protocol. Additional work for 1996 and 1997 includes definition and interoperability testing of the ESP and AH, and the definition and testing of the Internet Key Management Protocol (IKMP).

One-Time Password Authentication Working Group

The goal of the One-Time Password Authentication (OTP) Working Group is to prepare an Internet standard for one-time passwords. The basis for the group’s effort will be the technology in the Bellcore S/KEY system and related interoperable packages (e.g., logdaemon). The bulk of the work of this WG is currently taking place.

Privacy-Enhanced Electronic Mail Working Group

The work of the Privacy-Enhanced Electronic Mail (PEM) Working Group is an outgrowth of the work performed by the IETF’s Privacy and Security Research Group (PSRG). At the heart of the Privacy Enhanced Mail (PEM) specification is a set of procedures for transforming RFC 822 (Simple Mail Transfer Protocol) messages in such a way as to provide integrity, data origin authenticity, and, optionally, confidentiality. PEM may be employed with either symmetric or asymmetric cryptographic key distribution mechanisms. Because the asymmetric (i.e., public-key) mechanisms are better suited to the large-scale, heterogeneously administered environment characteristic of the Internet, only those mechanisms have been standardized to date. The standard form adopted by PEM is largely a profile of the ITU-T X.509 (Directory Authentication Framework) recommendation.

PEM and related specifications are described in several RFCs written by members of this working group:

  1319: The MD2 Message-Digest Algorithm.
  1320: The MD4 Message-Digest Algorithm.
  1321: The MD5 Message-Digest Algorithm.
  1421: Privacy Enhancement for Internet Electronic Mail: Part I: Message Encryption and Authentication Procedures.
  1422: Privacy Enhancement for Internet Electronic Mail: Part II: Certificate-Based Key Management.
  1423: Privacy Enhancement for Internet Electronic Mail: Part III: Algorithms, Modes, and Identifiers.
  1424: Privacy Enhancement for Internet Electronic Mail: Part IV: Key Certification and Related Services.
  1847: Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted.
  1848: MIME Object Security Services.

Future work will include PEM compression.

Public-Key Infrastructure (X.509) Working Group

Many Internet protocols and applications employ public-key technology for security purposes and require a public-key infrastructure (PKI) to manage public keys securely for widely distributed users or systems. ITU-T Rec. X.509 constitutes a widely accepted basis for such an infrastructure by defining data formats and procedures related to the distribution of public keys through certificates digitally signed by Certification Authorities (CAs). RFC 1422 specified the basis of an X.509-based PKI, targeted primarily at satisfying the needs of PEM. Since RFC 1422 was issued, application requirements for an Internet PKI have broadened tremendously, and the capabilities of X.509 have advanced with the development of standards defining the X.509 version 3 certificate and version 2 Certificate Revocation List (CRL).

The charter of the Public-Key Infrastructure (X.509) (PKIX) Working Group is to develop Internet standards needed to support an X.509-based PKI. The goal of this PKI is to facilitate the use of X.509 certificates in multiple applications that use the Internet and to promote interoperability between different implementations choosing to use X.509 certificates. The resulting PKI is intended to provide a framework that supports a range of trust or hierarchy environments and a range of usage environments.

Candidate applications to be served by this PKI include, but are not limited to, PEM, GSS-API mechanisms, IP Security protocols, Internet payment protocols, and World Wide Web (WWW) protocols. The work of this group does not preclude use of noninfrastructural public-key distribution techniques or of non-X.509 PKIs by such applications. The PKIX WG also coordinates with the IETF White Pages (X.500/WHOIS++) project.

The PKIX WG will focus on tailoring and profiling the features available in the X.509 v3 certificate to match more closely the requirements and characteristics of the Internet environment. Other topics to be addressed may include:

  Alternatives for CA-to-CA certification links and structures, including guidelines for constraints.
  Revocation alternatives, including profiling of X.509 v2 CRL extensions.
  Certificate and CRL distribution options (X.500-based, non-X.500-based).
  Guidelines for policy definition and registration.
  Administrative protocols and procedures, including certificate generation, revocation notification, cross-certification, and key-pair updating.
  Naming and name forms (i.e., how entities are identified).
  Generation of client key pairs by the PKI.

Web Transaction Security Working Group

The goal of the Web Transaction Security (WTS) Working Group is to develop requirements and a specification for the provision of security services to World Wide Web transactions using the HyperText Transfer Protocol (HTTP). This work is proceeding in parallel to, and independently of, the development of nonsecurity features by the HTTP Working Group (IETF Applications Area).

The WTS WG’s current goal is to prepare an HTTP Security Requirements Specification and an HTTP Security Protocol Specification. Two Internet-Drafts have been published to date: the Secure HyperText Transfer Protocol (SHTTP) and a specification for the use of the GSS-API for Web Security. Both will eventually be forwarded for publication as RFCs.

CONTACTING THE INTERNET SOCIETY AND IETF

The addresses and telephone numbers for the Internet Society, the IETF, and other groups are:

Internet Society

12020 Sunrise Valley Drive, Suite 210
Reston VA 22091
(703) 648 9888 (voice)
(800) 468 9507 (voice, U.S. only)
(703) 648 9887 (fax)
info@isoc.org
ftp://ftp.isoc.org/
gopher://info.isoc.org/11/isoc
http://www.isoc.org

IETF Secretariat

c/o Corporation for National Research Initiatives
1895 Preston White Drive, Suite 100
Reston VA 22091
(703) 620 8990 (voice)
(703) 758-5913 (fax)
ietf-secretariat@cnri.reston.va.us
http://ietf.cnri.reston.va.us/
IAB information: http://www.iab.org/iab/iab.html
IANA information: http://www.iana.org/iana/
IESG information: http://www.ietf.cnri.reston.va.us/iesg.html



Copyright © CRC Press LLC