Volker,

Thank you for your comments.

You say that you have seen several vendors not supporting the first two points. Are you referring to web browsers or servers? Servers generally don't need to support roots and root stores, but I will add a question about multitier support to the Server survey. If you were referring to non-browser SSL clients, remember that the charter for this group is to document browsers/OSes, and not necessarily non-browser SSL clients like devices.

"Support of PKCS#10 creation" - I added a question specifically about support for this standard. Thanks.

"Allow parallel existence of at least two unique key pairs for a dedicated certificate subject during renewal phases..." I haven't heard of any cases of this. Do you know of any web servers that don't support this?

"Support of an automatic renewal mechanism (e.g. SCEP)" - I know SCEP is commonly used in devices (and iPhones) but I've never heard of web servers using it. Have you?

I'm sorry, but I don't understand your last point about relying parties. Are you saying that there are some web servers that "implement direct trust for authorization"? Can you please elaborate?

Thanks,
-Rick

From: wpkops [mailto:wpkops-boun...@ietf.org] On Behalf Of Volker Simon
Sent: Tuesday, December 03, 2013 12:54 AM
To: wpkops@ietf.org
Subject: Re: [wpkops] Early draft of vendor questionnaire

Classification: Public

Hello all,

apart from the points Rick mentioned in the document I have the following ones:

- Support of a multitier CA architecture in general (e.g. root - intermediate - end entity certificate)
- Root rollover support, i.e. more than one valid Root CA.
--> I have seen several vendors not supporting these points.
- Support of PKCS#10 creation (key generation on hosting machine side). Allow parallel existence of at least two unique key pairs for a dedicated certificate subject during renewal phases (one for the still valid certificate and one for a queued PKCS#10 for the same subject).
- Support of an automatic renewal mechanism (e.g. SCEP)

As a relying party:

- Clear distinction between authentication and authorization.
--> Many vendors still implement direct trust for authorization, which does not give any PKI benefit. This could be done e.g. through the usage of a pattern match of the certificate subject.

Kind regards,
Volker Simon
____________________________________________________
Volker Simon
Assistant Vice President | Lead Technical Specialist | CISM
Deutsche Bank AG
Global Technology
Alfred-Herrhausen-Allee 16-24, 65760 Eschborn, Germany
Tel. +49(69)910-65335
Mobile +49 1731656228
Email volker.si...@db.com
Visit us: https://dbpki.tools.intranet.db.com

From: wpkops [mailto:wpkops-boun...@ietf.org] On Behalf Of Rick Andrews
Sent: Wednesday, 27 November 2013 01:27
To: wpkops@ietf.org
Subject: [wpkops] Early draft of vendor questionnaire

Folks,

Here's a very early draft, started by Tim with updates from David and me. I've turned on Track Changes; please feel free to add edits and comments. I'm sure there are many more questions we can ask. Please pile 'em on.

-Rick
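The relying-party points in Volker's list (a root - intermediate - end entity hierarchy, root rollover with two roots trusted at the same time, a second key pair for the same subject during renewal, and keeping authentication separate from subject-based authorization), shown as working code. This is an added example by the editor, not code from the thread, the questionnaire or any vendor; it uses only Go's standard library crypto/x509, and the CA names, the app\d+ subject pattern, the host names and the serial numbers are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// holder pairs an in-memory certificate with the private key it was issued for.
type holder struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue generates the key pair on the subject's side (as with a PKCS#10 request, the CA never sees
// the private key) and has parent sign it; nil parent = self-signed. Names/serials are constructed.
func issue(cn string, serial int64, isCA bool, parent *holder) (*holder, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // CAs sign certificates and carry no EKU restriction
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &holder{cert: cert, key: key}, err
}

func must(h *holder, err error) *holder {
	if err != nil {
		panic(err) // key generation and DER encoding do not fail in practice
	}
	return h
}

// admit is the relying-party check with the two decisions kept apart: chain validation to a trusted
// root answers "who is this?", the subject pattern (consulted only after validation succeeds) answers
// "is that identity allowed?". Result is [authenticated, authorized].
func admit(roots, intermediates *x509.CertPool, allowSubject *regexp.Regexp, leaf *x509.Certificate) [2]bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,         // two roots at once = root rollover in progress
		Intermediates: intermediates, // supplied for chain building, never trusted directly
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return [2]bool{false, false}
	}
	return [2]bool{true, allowSubject.MatchString(leaf.Subject.CommonName)}
}

// Scenario builds two generations of root -> issuing CA -> end entity plus an untrusted root
// and returns [authenticated, authorized] for one end-entity certificate of each kind.
func Scenario() map[string][2]bool {
	oldRoot := must(issue("Example Root G1", 1, true, nil))
	newRoot := must(issue("Example Root G2", 2, true, nil))
	oldInt := must(issue("Example Issuing CA 1", 3, true, oldRoot))
	newInt := must(issue("Example Issuing CA 2", 4, true, newRoot))
	roots, ints := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(oldRoot.cert)
	roots.AddCert(newRoot.cert) // both generations trusted while the rollover runs
	ints.AddCert(oldInt.cert)
	ints.AddCert(newInt.cert)
	allow := regexp.MustCompile(`^app\d+\.example\.internal$`) // authorization policy over the subject CN
	check := func(cn string, serial int64, issuer *holder) [2]bool {
		return admit(roots, ints, allow, must(issue(cn, serial, false, issuer)).cert)
	}
	return map[string][2]bool{
		"old hierarchy":       check("app01.example.internal", 10, oldInt),
		"new hierarchy":       check("app02.example.internal", 11, newInt),
		"renewal, second key": check("app02.example.internal", 12, newInt), // same subject, fresh key pair
		"subject not allowed": check("laptop07.example.internal", 13, newInt),
		"untrusted root":      check("app01.example.internal", 14, must(issue("Rogue Root", 5, true, nil))), // right name, untrusted anchor
	}
}

func main() { fmt.Println(Scenario()) }
```

The last case is the one Volker's remark about "direct trust for authorization" is aimed at: the subject matches the allowed pattern, so a relying party that only pattern-matches the subject (or pins the certificate) would let it in, while chain validation rejects it because its root is not in the trust store. The "renewal, second key" case shows that nothing on the relying-party side needs to change when a subject holds two valid certificates with different key pairs; the "new hierarchy" case validates only because both roots are in the pool during the rollover.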
_______________________________________________
wpkops mailing list
wpkops@ietf.org
https://www.ietf.org/mailman/listinfo/wpkops