Simple Certificate Enrollment Protocol (SCEP)
Developed by an initiative of Cisco, Verisign, Entrust, Microsoft,
Netscape, and Sun Microsystems, Simple Certificate Enrollment
Protocol (SCEP) provides a standard way of managing the certificate lifecycle.
This initiative is important for furthering open development of certificate
handling protocols, which helps ensure interoperability among devices from many
vendors.
SCEP provides the following two authentication methods:
Manual Mode
In Manual mode, the entity that submits the request is
required to wait until the CA operator can verify its identity, using any
reliable out-of-band method. An MD5 hash (the “fingerprint”) generated from and
included with the PKCS#10 request must be compared out-of-band between the SCEP
client and the CA (or RA, if appropriate) before the request is approved.
Preshared Secret Mode
With a preshared secret method, the CA server distributes a
shared secret to the end entity, which can then be used to associate an
enrollment request uniquely with the end entity. To maintain the integrity of
the method, the distribution of the shared secret must be private, allowing only
the end entity to know the secret.
Challenge Passwords
When an enrollment request is initiated, the end entity is
asked to provide a challenge password. With the preshared
secret method, the end entity must type in the distributed secret as the
password. With the manual authentication method, the
challenge password is also required because the server might challenge an end
entity for a password before any certificate can be revoked. Finally, the
challenge password is included as a PKCS#10 attribute and is sent to the CA
server as encrypted data. The PKCS#7 envelope protects the privacy of the
challenge password using DES encryption.
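The two pieces of the enrollment flow described above, the out-of-band fingerprint check of the Manual mode and the challengePassword attribute carried inside the PKCS#10 request, are shown below as an added example; this is not code from the original article or from any SCEP implementation. It uses only the Python standard library: a minimal DER encoder builds the PKCS#9 challengePassword attribute (OID 1.2.840.113549.1.9.7, which is the real OID), and a fingerprint helper hashes request bytes and compares the result with the value an operator read out-of-band. The request bytes used at the bottom are a constructed stand-in for a real CSR, not a valid PKCS#10 structure.

```python
import hashlib
import hmac

# pkcs-9 challengePassword, the attribute SCEP clients place in the CSR (RFC 2985).
CHALLENGE_PASSWORD_OID = "1.2.840.113549.1.9.7"


def der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a tag-length-value triple."""
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        # Base-128 with the high bit set on every byte except the last.
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))


def challenge_password_attribute(password: str) -> bytes:
    """Build Attribute ::= SEQUENCE { type OID, values SET OF UTF8String }.

    This is the element a SCEP client adds to the CSR's attributes field;
    the whole CSR is then placed inside a PKCS#7 envelope before transmission.
    """
    value = der_tlv(0x0C, password.encode("utf-8"))        # UTF8String
    values = der_tlv(0x31, value)                           # SET OF
    return der_tlv(0x30, der_oid(CHALLENGE_PASSWORD_OID) + values)  # SEQUENCE


def fingerprint(request_der: bytes, algo: str = "md5") -> str:
    """Colon-separated uppercase hex digest of the request, as shown to operators.

    The article describes an MD5 fingerprint; pass algo="sha256" to produce
    the stronger digest that current deployments prefer.
    """
    digest = hashlib.new(algo, request_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(request_der: bytes, expected: str, algo: str = "md5") -> bool:
    """Manual-mode check: does the received request match the fingerprint
    the operator obtained out-of-band? Constant-time comparison avoids
    leaking how many leading bytes matched."""
    return hmac.compare_digest(fingerprint(request_der, algo), expected.upper())


if __name__ == "__main__":
    # Constructed stand-in for CSR bytes; a real client would hash the DER CSR.
    sample_request = b"constructed-pkcs10-request-bytes"
    attr = challenge_password_attribute("preshared-secret-example")
    print("challengePassword attribute:", attr.hex())
    print("MD5 fingerprint   :", fingerprint(sample_request))
    print("SHA-256 fingerprint:", fingerprint(sample_request, "sha256"))
    # Operator reads the fingerprint from the device console and approves only on a match.
    print("matches:", fingerprint_matches(sample_request, fingerprint(sample_request)))
```

The attribute encoder and the fingerprint check are deliberately separate: the attribute is what the client sends inside the encrypted PKCS#7 envelope, while the fingerprint never travels over SCEP at all and is only useful if the operator obtains it through a channel the requester cannot tamper with.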