@techreport{ietf-ipsra-getcert-00,
    number =    {draft-ietf-ipsra-getcert-00},
    type =      {Internet-Draft},
    institution =   {Internet Engineering Task Force},
    publisher = {Internet Engineering Task Force},
    note =      {Work in Progress},
    url =       {https://datatracker.ietf.org/doc/draft-ietf-ipsra-getcert/00/},
    author =    {Steven M. Bellovin and Robert Moskowitz},
    title =     {{Client Certificate and Key Retrieval for IKE}},
    pagetotal = 8,
    year =      2000,
    month =     nov,
    day =       16,
    abstract =  {IKE was designed for use with certificates. In a remote access scenario, that implies that clients must possess their own certificates. We leverage off of work already done to fast-start certificate use with IPsec via the Simple Certificate Enrollment Protocol {[}SCEP{]}. We use only parts of SCEP over a client authenticated TLS/HTTP connection to a CA. By using TLS, the client can trust a CA root certificate it receives, without an out-of-band verification and the CA can perform automatic enrollment. We replace the out-of-band client identification process for a certificate enrollment with a legacy authentication, like RADIUS. Further, since the certificates issued here are short-lived, there is no need to support client-based revocation or rekeying. Also, there is typically no need for CRL support.},
}