Simple Certificate Enrollment Protocol
Simple Certificate Enrollment Protocol (SCEP) is an Internet Draft in the Internet Engineering Task Force (IETF). The protocol is used by numerous manufacturers of network equipment and software who are developing simplified means of handling certificates for large-scale deployment to everyday users, and it is also referenced in other industry standards.
The protocol is designed to make the issuing of digital certificates as scalable as possible. The idea is that any standard network user should be able to request their digital certificate electronically and as simply as possible. Such processes have usually required intensive input from network administrators, and so have not been suited to large-scale deployments.
The Simple Certificate Enrollment Protocol was the most popular, widely available, and tested certificate enrollment protocol. Although it was widely used, for example by the Cisco IOS operating system, concerns have been raised that it is not able to "strongly authenticate certificate requests made by users or devices".[1] Since exactly the same issues apply to other certificate issuance protocols such as Certificate Management Protocol and Certificate Management over CMS, it is not clear how real this concern is.
After being effectively abandoned by its original sponsors around 2010, the Internet Draft describing the protocol was revived in 2015 because of its widespread use in industry and in other standards. The revived draft updated the algorithms used and corrected numerous issues in the original specification, which had accumulated a considerable amount of detritus over time.
External links
- IETF draft: Simple Certificate Enrolment Protocol
- Slide deck describing SCEP: pkix-3.pdf
References
- US-CERT Vulnerability Note VU#971035, 2012-06-27: Simple Certificate Enrollment Protocol (SCEP) does not strongly authenticate certificate requests