PIC, A Pre-IKE Credential Provisioning Protocol

Document Type Expired Internet-Draft (ipsra WG)
Authors Bernard Aboba  , Hugo Krawczyk  , Yaron Sheffer 
Last updated 2015-10-14 (latest revision 2004-08-24)
Stream Internet Engineering Task Force (IETF)
Intended RFC status Proposed Standard
Expired & archived
pdf htmlized (tools) htmlized bibtex
Stream WG state WG Document
Document shepherd No shepherd assigned
IESG IESG state Expired (IESG: Dead)
Action Holders
Consensus Boilerplate Unknown
Telechat date
Responsible AD Steven Bellovin
IESG note Responsible: undefined
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


This document presents a Pre-IKE Credential (PIC) provisioning protocol. PIC is a method to bootstrap IPsec authentication via an 'Authentication Server' (AS) and user authentication mechanisms such as RADIUS. PIC happens before IKE (the Internet Key Exchange protocol). The client machine communicates with the AS using a key exchange protocol where only the server is authenticated, and the derived keys are used to protect the user authentication. Once the user is authenticated, the client machine obtains credentials from the AS that can be later used to authenticate the client in a standard IKE exchange, with no user intervention. The proposed key exchange is based on ISAKMP (the Internet Security Association and Key Management Protocol), similar to a simplified IKE exchange. Arbitrary user authentication is supported via the use of EAP (the PPP Extensible Authentication Protocol).


Bernard Aboba (bernarda@microsoft.com)
Hugo Krawczyk (hugo@ee.technion.ac.il)
Yaron Sheffer (yaronf@gmx.net)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)