Re: [Cfrg] considering new topics for CFRG

Sean Turner <> Wed, 08 January 2014 15:29 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 405B61ADED5 for <>; Wed, 8 Jan 2014 07:29:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.567
X-Spam-Status: No, score=-1.567 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JHWgZjMSk6uA for <>; Wed, 8 Jan 2014 07:29:48 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 78F5C1ADF5A for <>; Wed, 8 Jan 2014 07:29:48 -0800 (PST)
Received: by (Postfix, from userid 5007) id 2AFA0EF7C2618; Wed, 8 Jan 2014 09:29:39 -0600 (CST)
Received: from ( []) by (Postfix) with ESMTP id 0993BEF7C25C3 for <>; Wed, 8 Jan 2014 09:29:39 -0600 (CST)
Received: from [] (port=54480 helo=[]) by with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.80) (envelope-from <>) id 1W0v4c-0000xg-1Z; Wed, 08 Jan 2014 09:29:38 -0600
Content-Type: multipart/signed; boundary="Apple-Mail=_CC1D7A6E-D5A4-489C-A5E2-F18A717703A3"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Sean Turner <>
In-Reply-To: <>
Date: Wed, 08 Jan 2014 10:29:34 -0500
Message-Id: <>
References: <> <> <> <> <> <> <>
To: Stephen Farrell <>
X-Mailer: Apple Mail (2.1827)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-BWhitelist: no
X-Source-Sender: ([]) []:54480
X-Email-Count: 8
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20=
Cc: David McGrew <>, "" <>
Subject: Re: [Cfrg] considering new topics for CFRG
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 08 Jan 2014 15:29:51 -0000

On Jan 08, 2014, at 06:09, Stephen Farrell <> wrote:

> Hi Max,
> On 01/08/2014 02:31 AM, Max Pritikin (pritikin) wrote:
>> With the advent of DICE (DTLS in Constrained Environments), and
>> similar attempts to discuss optimizations, it would seem that any
>> discussion of "next generation" PKI discussions should include
>> discussion on how to optimize the X.509 certificate/chain format.
>> That appears to be missing in this conversation so far.
> True. OTOH, DICE is definitely predicated on DTLS so any
> discussion on cert formats for that would fit into the TLS
> WG discussion on 1.3. I've not however seen that listed on
> any 1.3 wish-list so far so it seems unlikely to me at
> least that DICE will push things along here.
>> I agree that any replacement for our current PKI is going to run into
>> the same complexities. So, rather than assume they don't exist, would
>> it be reasonable to look at how to optimize the existing work?
> I'm not sure. I think that might run the risk of inheriting
> all the warts (e.g. policy mapping, the N-R bit) without
> providing much incentive to change. When we were working on
> RFC3280bis (which became 5280) we did try to do as much of
> that as we could, but very few simplifications turned out
> to be possible. It is fair to say though that a lot of the
> real practical problems had not really bitten folks at
> that stage though, so I guess its possible that the same
> exercise done now might pay off.
>> Some off the cuff examples to frame what I mean: - Define a specific
>> lightweight trust anchor format (yes, we can all use X.509 certs. But
>> what about a canonical smaller format?) - Optimized version of the
>> X.509 cert itself: Perhaps a compressed format similar to the (old,
>> abandoned and incomplete)
>> draft for
>> compressed certs? Perhaps a v4 format that is restructured to provide
>> easier/quicker parsing Or if a non-ASN1 format is truly preferred
>> then such a format could be defined that is can carry the same
>> semantics as the existing PKI (namely, if the problem is ASN1 then we
>> can fix that without also re-inventing all the rest)  Approaching the
>> questions from this angle leads me to ask what _exactly_ the concerns
>> with the current PKI are. Is it the ASN1, the CA infrastructure, the
>> certificate chains, the cruft in each individual certificate, or?
> Personally, I think the main problems with X.509 PKI to date
> have been around (the need for, and absence of widely supported
> standard for) enrollment and (particularly name) constraints
> when there are many CAs. Dealing with ASN.1 is a PITA, but a
> well-known one, so that'd be low down on my list anyway. I
> know you've spent a lot of effort trying to help with the
> enrollment problem with EST and I do hope that works out,
> but we don't know yet.
> Again though, I don't think thrashing out the pros and cons
> of X.509 on this list is a good plan. Better would be for a
> bunch of really-interested parties to go into a huddle and
> come up with a worked out proposal. (But if a bunch of
> semi-interested parties ask for a new list to talk about
> this, I've no problem helping that happen, though wouldn't
> be very hopeful of a useful outcome.)

I’m keeping  list now :)


> S.
>> Thanks,
>> - max
>> On Jan 6, 2014, at 3:39 PM, Stephen Farrell
>> <> wrote:
>>> On 01/06/2014 08:32 PM, Paul Lambert wrote:
>>>>>> This is an intriguing thought, but probably something out of
>>>>>> scope for CFRG.   (Seems more like a PKNG thing if I
>>>>>> understand you right.)
>>>> There was an IETF PKNG that died with no visible results.
>>> That was an IRTF RG. IMO it never had a cadre of researchers nor a
>>> sufficient set of IETF participants who were interested in a
>>> nextgen thing.
>>>> This is an area where the IETF seems either too unfocused or
>>>> mired in existing PKI to make progress.  Hence it's on my wish
>>>> list ... Let me know if you have any suggestion for other viable
>>>> forums in IETF for such a topic.
>>> We have a list where we discussed certificate transparency but 
>>> which has a broader remit. [1] That's discussing whether or not to
>>> start a new CT WG in the IETF at the moment.
>>> There's the wpkops WG for operational issues related to the web
>>> PKI. [2] They could do with help in terms of cycles to do 
>>> already-identified work (not hugely interesting for a 
>>> security/crypto researcher though probably).
>>> The PKIX list [3] is still open, and would be a good place to talk
>>> about any X.509-related PKI stuff. Not so good for non X.509 based
>>> PKI though maybe unless for an approach that's very much
>>> evolutionary and starts from X.509.
>>> And there's the saag list [4] which is for general security topics
>>> if none of the above fit.
>>> So stuff is happening and there are places to discuss and propose
>>> stuff. And Sean and I would be quite happy to try help PKI nextgen
>>> stuff progress in the IETF should there be credible proposals.
>>> However, current PKI is not an easy thing to displace, no matter
>>> how much you dislike parts or all of it. The main reasons IMO are
>>> that replacements are likely to suffer a lot of the same (or
>>> equivalent) complexity since its a complex problem, and that any
>>> credible replacement will take at least a few years to work out and
>>> them 5-10 to get deployed which seems to be beyond the horizon for
>>> researchers (speaking as one who chases funding;-). One could argue
>>> that that's why of all the "large DB of public keys" approaches,
>>> only CT seems to be left standing.
>>> One other thing - listing the problems with the current PKI is not
>>> likely to be a useful place to start. We know those, and any
>>> credible approach would start with a fairly well worked out
>>> proposal, including consideration of that 5-10 year overlap period.
>>> Its not easy;-)
>>> Having said all that though, CT is I think a good proof of concept
>>> that the large-DB-of-public-keys thing could be a runner, and we
>>> have learned a lot about the wrinkles in X.509 based PKI over the
>>> years so there is hope maybe.
>>> S.
>>> PS: For any of [1]-[4] please check the archives before diving in,
>>> or ask someone who might be familiar, which could include me.
>>> [1] [2]
>>> [3]
>>> [4]
>>> _______________________________________________ Cfrg mailing list