SunScreen SKIP User's Guide, Release 1.1

Certificate Discovery Protocol (CDP)

Certificate Discovery Protocol (CDP) greatly simplifies the management of secure communications because it eliminates the manual exchange of certificates. CDP can be used to exchange X.509 or UDH certificates.

What Are the Operation Requirements of CDP?

To work, the hosts on both sides of a communication must support CDP and both users must agree to use it.


Caution -

SunScreen SPF-100 does not support certificate discovery, so you cannot use it to communicate between a machine that is running SunScreen SKIP and a SunScreen SPF-100.


If both hosts can use CDP and both users agree to it, then the users merely exchange certificate identifiers and allow CDP to do the work instead of exchanging their public keys. This is a simpler solution than manually exchanging certificates.

As an example, for X.509 certificates, if your certificate number is "0a000100" and the other user's public certificate number or master key identifier is "0a000102," you can exchange these numbers and enter them into your respective ACLs when you set up access to the other user's host.

You can do the same for UDH certificates, namely, by exchanging hash values.

Then, when communication between the two is attempted, your SunScreen SKIP program does not yet have the peer's certificate in its certificate database. Because your host knows the certificate's master key ID, it can request that the certificate be sent automatically from the other host and put it into its certificate database.

How Do You Configure CDP?

The only configuration required is to enter the host with which you wish to communicate into your ACL, along with its certificate number or master key ID. If the two hosts attempt to communicate, the absence of a corresponding certificate for the key ID in the certificate database automatically activates CDP. If you are communicating with hosts through an encrypting gateway, you must configure the encrypting gateway's IP address as the tunnel address. This tells SunScreen SKIP to query the gateway for its certificate.

There is a skip.conf file that stores configuration data. You can set its values through the skip_conf command.

More information on the skip_conf command can be found in the man pages.

How Long Are Certificates Cached?

Once the certificates have been transferred and entered into the certificate database of the hosts of the users that wish to communicate, they are cached until they expire or until they are replaced.
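As an added illustration (not SunScreen SKIP code), the following Python model ties together the behaviour described in the sections above: the ACL entry with its key ID and optional tunnel address, automatic discovery when the certificate database has no usable entry for the key ID, and caching until expiry. It models UDH certificates, whose identifier is a hash of the public value; the digest used and all class and function names are assumptions of the model.

```python
# Added model of CDP's decision logic as this page describes it. It is an
# illustration, not SunScreen SKIP source; all names here are invented.
# Models UDH certificates, whose identifier is a hash of the public value
# (the specific digest used below is an assumption of the model).
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Certificate:
    public_key: bytes
    expires_at: int  # constructed timestamp, compared against "now"


@dataclass
class AclEntry:
    host: str
    key_id: str                        # identifier exchanged out of band
    tunnel_addr: Optional[str] = None  # encrypting gateway, if one is used


def udh_key_id(public_key: bytes) -> str:
    """Assumed identifier: first 8 hex digits of SHA-256 over the public value."""
    return hashlib.sha256(public_key).hexdigest()[:8]


class SkipHost:
    def __init__(self, acl: List[AclEntry], cert_db: Dict[str, Certificate],
                 fetch: Callable[[str, str], Certificate]):
        self.acl = {e.host: e for e in acl}
        self.cert_db = cert_db  # key_id -> Certificate; this is the cache
        self.fetch = fetch      # stands in for the CDP request to a remote host

    def resolve(self, peer: str, now: int) -> Tuple[Certificate, bool]:
        """Return (certificate, discovered) for the peer named in the ACL."""
        entry = self.acl[peer]
        cached = self.cert_db.get(entry.key_id)
        if cached is not None and cached.expires_at > now:
            return cached, False            # cached until expiry or replacement
        # No usable certificate for this key ID: CDP is activated automatically.
        # The query goes to the tunnel address (gateway) if configured, else the peer.
        cert = self.fetch(entry.tunnel_addr or peer, entry.key_id)
        # The ACL's key ID is the trust anchor: accept only a certificate that
        # actually hashes to it, so a host answering CDP cannot substitute a key.
        if udh_key_id(cert.public_key) != entry.key_id:
            raise ValueError("discovered certificate does not match ACL key ID")
        self.cert_db[entry.key_id] = cert   # enter it into the certificate database
        return cert, True
```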