[Acme] PKIX "standards" Re: Proposed ACME Charter Language

Anders Rundgren <anders.rundgren.net@gmail.com> Mon, 11 May 2015 06:32 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE9E51A1B0D for <acme@ietfa.amsl.com>; Sun, 10 May 2015 23:32:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 634-JaJi7NJD for <acme@ietfa.amsl.com>; Sun, 10 May 2015 23:32:38 -0700 (PDT)
Received: from mail-wi0-x230.google.com (mail-wi0-x230.google.com [IPv6:2a00:1450:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6654C1A0381 for <acme@ietf.org>; Sun, 10 May 2015 23:32:38 -0700 (PDT)
Received: by wizk4 with SMTP id k4so92479354wiz.1 for <acme@ietf.org>; Sun, 10 May 2015 23:32:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=g5cZ3RIx1+pEMBySh75RWlnf+UjSHd/RaPXj5/WULQw=; b=f6MazKSjUN/SncGsjLDY5RzoYkKDt1F8ZfdYfVIhdY3PkrvbOnpB/BZ8PjX0qkg3mz DzJd85VGfjwxBncjz1dhl/9PTUDm5XEXZg26nSUfqQbtc+75n9Si5/ElzcqCS0j7w2E9 j7lB+dvotMlHCtnTImsfPMJTtKbPNeGQE9GWf2PftCsLd3UzdYBJpo4LXMAzVot7yxcn wqNddMsbGwycmxVympP/uSPxHc7Rxrfrag3XfFhTV04eZ6FkgLFrtdQ3JwoAnlEsdyNH PIe83Ff4b298GJGUZQaTsPzzpUK4pDJ9GuvWItRpQsgbceYiGQDz1DZH1WhzWxlImnDl 7KdA==
X-Received: by 10.180.85.9 with SMTP id d9mr16856347wiz.28.1431325957175; Sun, 10 May 2015 23:32:37 -0700 (PDT)
Received: from [192.168.1.79] (4.197.130.77.rev.sfr.net. [77.130.197.4]) by mx.google.com with ESMTPSA id fa8sm11623447wib.14.2015.05.10.23.32.35 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 10 May 2015 23:32:36 -0700 (PDT)
Message-ID: <55504CF9.4020301@gmail.com>
Date: Mon, 11 May 2015 08:32:25 +0200
From: Anders Rundgren <anders.rundgren.net@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: "Dr. Pala" <director@openca.org>
References: <6A9C3116-8CC9-472C-8AA8-F555D060834C@vigilsec.com> <55351EAB.1060905@cs.tcd.ie> <E81896AA-245F-48B7-9B38-86AC30D2F82A@vigilsec.com> <553523E4.2090808@cs.tcd.ie> <84718B26-1DA3-4D46-8B6F-B615806229D7@vigilsec.com> <CABcZeBOy2yBEMGMxcDy=E3fvc+OF1sZfvOV7twJHAvKqtrxtLg@mail.gmail.com> <D7F0C45A-B514-41A2-A220-5B6601BE582F@openca.org>
In-Reply-To: <D7F0C45A-B514-41A2-A220-5B6601BE582F@openca.org>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/TFijXQajYXcE9snA-pu-iobeMlY>
Cc: IETF ACME <acme@ietf.org>
Subject: [Acme] PKIX "standards" Re: Proposed ACME Charter Language
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 May 2015 06:32:41 -0000

On 2015-05-02 18:53, Dr. Pala wrote:
> Hi ACME,
>
> I just want to point out that it might be the case that the people who are supposed to "argue" about this might not even be aware of the work done in this WG. After reading the charter, it seems to me that the work should have been taken to the PKIX WG.
>
> I also think it would be a good idea to define where and why existing protocols do not work - this is usually a good practice that allow people on focusing on what is the real and documented need and avoid throwing out the baby together with the bathwater. This also goes into the direction of better understanding what part of the work will overlap with existing documents.
>
> On this note, it is still not clear to me is if it is the intention of ACME to deprecate the PKIX work, RFCs, and data formats today in use for certificate management ? Since the charter scope is left pretty much undefined on what will be covered, I think this is a legitimate concern/question...

Isn't SCEP actually the most successful protocol for distributed certification?
But SCEP is not a PKIX protocol.

Another problem is that Android, iOS and Windows have entirely different certificate enrollment support.

That is, apart from PKCS #10, PKIX haven't succeeded creating real standards for certificate enrollment which IMO means that there's nothing to build on except maybe PKCS #10.  I noted this problem more than 10 years ago but there were no interest in fixing it.  Now it is too late.

Anders


>
> Cheers,
> Max
>
>
> On Apr 25, 2015, at 4:05 PM, Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote:
>
>>
>>
>> On Mon, Apr 20, 2015 at 9:11 AM, Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>> wrote:
>>
>>     Stephen:
>>
>>     If that paragraph were removed, would you be happier with the charter?  If so, consider it gone.  I'm willing to assume that an attempt to replace things that people are using will meet with vigorous discussion.
>>
>>
>> I would suggest we do as you propose and remove this text. I think there will
>> be plenty of occasion for people in the WG to argue about using existing stuff
>> versus building anew.
>>
>> -Ekr
>>
>>
>>     Russ
>>
>>
>>     On Apr 20, 2015, at 12:05 PM, Stephen Farrell wrote:
>>
>>     >
>>     >
>>     > On 20/04/15 16:57, Russ Housley wrote:
>>     >> Stephen:
>>     >>
>>     >> I did not see the ACME effort as trying to throw everything out.
>>     >
>>     > If it is not used, then I don't think we're throwing it out:-)
>>     >
>>     >> Rather, throw out the parts that have been an impediment to the kind
>>     >> of automation proposed by ACME, but document the shortcoming.
>>     >
>>     > Sorry, I'm still not getting it. I don't see any need for ACME
>>     > to document why CMP etc failed or what was wrong with CMP that
>>     > may have caused it to fail. And the same for CMC etc. BTW by
>>     > "fail" here I mean: not used by the major deployed PKIs on the
>>     > public Internet.
>>     >
>>     > I also see no need at all to even try to re-use ASN.1 PDU
>>     > structures that are defined in CRMF etc.
>>     >
>>     > I do think that ACME ought learn from the past of course, and
>>     > am confident that there will be enough participants involved
>>     > who have that history for that to not be problematic.
>>     >
>>     > But I do not think ACME ought be required to re-use any ASN.1
>>     > PDU definitions from any previous RFCs on this topic.
>>     >
>>     > Do we agree or disagree on that last? (I'm trying to get to
>>     > quite specific meanings for "duplicate.")
>>     >
>>     > Cheers,
>>     > S.
>>     >
>>     >
>>     >
>>     >>
>>     >> Russ
>>     >>
>>     >> On Apr 20, 2015, at 11:43 AM, Stephen Farrell wrote:
>>     >>
>>     >>>
>>     >>> Hi Russ,
>>     >>>
>>     >>> This bit puzzles me a lot, other bits puzzle me a little:-)
>>     >>>
>>     >>> On 20/04/15 16:23, Russ Housley wrote:
>>     >>>> The ACME WG will not duplicate work from previous IETF
>>     >>>> certificate management efforts.
>>     >>>
>>     >>> If accepted, that would seem to me to nullify the entire effort.
>>     >>> Can you explain why I'm reading it wrong?
>>     >>>
>>     >>> ACME absolutely will duplicate work from previous IETF certificate
>>     >>> management efforts that have failed to get traction over the last
>>     >>> decade and a half. That is entirely fine IMO and needs no explicit
>>     >>> justification whatsoever since we have 15 years of crystal clear
>>     >>> non-use, outside of niche environments. (It is true that what is
>>     >>> now considered a niche was not so considered back then.)
>>     >>>
>>     >>> In fact I believe anyone who claims such duplication is a problem
>>     >>> should be the one to provide evidence for that by documenting
>>     >>> exactly why and at what scale.
>>     >>>
>>     >>> It is just not credible for us to pretend that CMC, CMP, or EST are
>>     >>> widely used for certificate management on the public Internet. If
>>     >>> I'm wrong there I would really love to see the evidence but absent
>>     >>> such, duplicating bits of functionality present in current RFCs
>>     >>> that are not at all widely used is what is needed for this effort
>>     >>> and needs to be encouraged.
>>     >>>
>>     >>> I think we really ought bottom out on this aspect before chartering
>>     >>> - it'd be dumb of us to charter an ACME WG that has to fight all
>>     >>> the CRMF battles over again, or the ASN.1 vs. whatever issues. So I
>>     >>> hope lots of voices chime in and say what they think.
>>     >>>
>>     >>> S.
>>     >>>
>>     >>> _______________________________________________ Acme mailing list
>>     >>> Acme@ietf.org <mailto:Acme@ietf.org> https://www.ietf.org/mailman/listinfo/acme
>>     >>
>>     >>
>>     >>
>>
>>     _______________________________________________
>>     Acme mailing list
>>     Acme@ietf.org <mailto:Acme@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/acme
>>
>>
>> _______________________________________________
>> Acme mailing list
>> Acme@ietf.org <mailto:Acme@ietf.org>
>> https://www.ietf.org/mailman/listinfo/acme
>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme