Academic Commons


Client Certificate and Key Retrieval for IKE

Bellovin, Steven Michael; Moskowitz, Robert G.

IKE was designed for use with certificates. In a remote access scenario, that implies that clients must possess their own certificates. We leverage off of work already done to fast-start certificate use with IPsec via the Simple Certificate Enrollment Protocol [SCEP]. We use only parts of SCEP over a client authenticated TLS/HTTP connection to a CA. By using TLS, the client can trust a CA root certificate it receives, without an out-of-band verification and the CA can perform automatic enrollment. We replace the out-of-band client identification process for a certificate enrollment with a legacy authentication, like RADIUS. Further, since the certificates issued here are short-lived, there is no need to support client-based revocation or rekeying. Also, there is typically no need for CRL support.



  • thumnail for draft-ietf-ipsra-getcert-00.txt.pdf draft-ietf-ipsra-getcert-00.txt.pdf application/pdf 21 KB Download File

More About This Work

Academic Units
Computer Science
Internet Engineering Task Force
Published Here
June 30, 2010
Academic Commons provides global access to research and scholarship produced at Columbia University, Barnard College, Teachers College, Union Theological Seminary and Jewish Theological Seminary. Academic Commons is managed by the Columbia University Libraries.