Re: [KEYPROV] FW: New Version Notification - draft-ietf-keyprov-dskpp-12.txt
<andrea.doherty@rsa.com> Mon, 30 August 2010 12:28 UTC
Date: Mon, 30 Aug 2010 08:29:09 -0400
Message-ID: <9ED76AB595E4944BB33D8998DE448D110A8A4DF8@CORPUSMX10B.corp.emc.com>
In-Reply-To: <4C7B57E7.9050905@telia.com>
References: <9ED76AB595E4944BB33D8998DE448D110A8A4DB7@CORPUSMX10B.corp.emc.com> <4C7B57E7.9050905@telia.com>
From: andrea.doherty@rsa.com
To: keyprov@ietf.org
Subject: Re: [KEYPROV] FW: New Version Notification - draft-ietf-keyprov-dskpp-12.txt
All,

At this stage, I propose that we have two options for addressing Anders' comment below:

1. Remove Section A.7
2. Defer addressing this for the next version of DSKPP

Thoughts?
Andrea

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren@telia.com]
Sent: Monday, August 30, 2010 3:04 AM
To: Doherty, Andrea
Cc: keyprov@ietf.org
Subject: Re: [KEYPROV] FW: New Version Notification - draft-ietf-keyprov-dskpp-12.txt

A.7

"Application Protocol Data Units, or APDUs) are encrypted with a pre-issued card manufacturer's key and sent directly to the smart card chip, allowing secure post-issuance in-the-field provisioning"

Andrea, this is *still* inappropriate for the DSKPP I-D because the only E2ES schemes I have heard about (GP/ETSI SCPxx and SKS/KG2) are fairly different to DSKPP since they build on having a *session* with the container, and using "rolling MACs" for maintaining integrity in a multi-stage provisioning/update operation. To achieve E2ES the container and protocol *must* be 1-2-1 on "APDU" level. PKCS #11, CryptoAPI, and JCE do not support E2ES provisioning so this feature is really quite distinct to just having a known key in the container which any crypto-APIs can support.

I.e. E2ES is not a DSKPP "implementation option", it is a description of how *other* (more or less competing) schemes have addressed provisioning.

Microsoft supports E2ES in their ILM (Identity Lifecycle Manager) since 2007 so it is not just a(nother) crazy idea by your former colleague :-)

The RSA division probably needs to begin dealing with E2ES in order to keep up with the rest of the token-provisioning world. If you take the step to 32-bit processors you may even be able to add transaction-based operation which is the next logical step after E2ES.

/Anders
andrea.doherty@rsa.com wrote:
>
> -----Original Message-----
> From: Internet-Draft@ietf.org [mailto:Internet-Draft@ietf.org]
> Sent: Sunday, August 29, 2010 11:15 PM
> To: keyprov-chairs@tools.ietf.org; draft-ietf-keyprov-dskpp@tools.ietf.org; tim.polk@nist.gov; alexey.melnikov@isode.com; stpeter@stpeter.im
> Subject: New Version Notification - draft-ietf-keyprov-dskpp-12.txt
>
> New version (-12) has been submitted for draft-ietf-keyprov-dskpp-12.txt.
> http://www.ietf.org/internet-drafts/draft-ietf-keyprov-dskpp-12.txt
>
>
> Diff from previous version:
> http://tools.ietf.org/rfcdiff?url2=draft-ietf-keyprov-dskpp-12
>
> IETF Secretariat.
>
> _______________________________________________
> KEYPROV mailing list
> KEYPROV@ietf.org
> https://www.ietf.org/mailman/listinfo/keyprov
>
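The "rolling MACs" Anders mentions for multi-stage provisioning are the reason a session-based E2ES scheme can detect a stage being reordered, dropped or modified in transit, which a single pre-shared key with independently authenticated commands cannot. The following is an added illustration written for this archive page; it is not code from the DSKPP draft, from GlobalPlatform SCP, from SKS/KG2 or from any of the posters. It assumes a generic chained-MAC construction (HMAC-SHA256 truncated to 8 bytes, an all-zero initial chaining value, and a constructed session key and command payloads); the real schemes differ in key derivation, MAC algorithm and message layout.

```python
import hmac
import hashlib

# Constructed session key for the illustration. A real scheme would derive
# this during session establishment with the container, not hard-code it.
SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MAC_LEN = 8                        # truncated tag, as short command messages often use
INITIAL_CHAIN = bytes(MAC_LEN)     # assumed all-zero initial chaining value


def mac_stage(key: bytes, chain: bytes, payload: bytes) -> bytes:
    """Tag one stage. The previous stage's tag is prepended to the payload,
    so this tag commits to every stage that came before it."""
    return hmac.new(key, chain + payload, hashlib.sha256).digest()[:MAC_LEN]


def protect_sequence(key: bytes, payloads: list[bytes]) -> list[tuple[bytes, bytes]]:
    """Sender side: emit (payload, tag) pairs with a rolling chaining value."""
    chain = INITIAL_CHAIN
    out = []
    for payload in payloads:
        tag = mac_stage(key, chain, payload)
        out.append((payload, tag))
        chain = tag                # the tag just produced becomes the next chain input
    return out


def verify_sequence(key: bytes, messages: list[tuple[bytes, bytes]]):
    """Receiver side: recompute the chain stage by stage.
    Returns the index of the first stage that fails, or None if all verify."""
    chain = INITIAL_CHAIN
    for index, (payload, tag) in enumerate(messages):
        expected = mac_stage(key, chain, payload)
        if not hmac.compare_digest(expected, tag):
            return index
        chain = tag
    return None


# Constructed stand-in for a three-stage provisioning sequence. The labels are
# illustrative only and do not correspond to any real APDU encoding.
STAGES = [
    b"stage-1:create-container",
    b"stage-2:load-key-material",
    b"stage-3:commit",
]


def demo() -> tuple:
    """Run the sequence intact and under three kinds of interference."""
    msgs = protect_sequence(SESSION_KEY, STAGES)
    intact = verify_sequence(SESSION_KEY, msgs)
    # Stages 2 and 3 swapped: stage 3's tag was computed over stage 2's tag,
    # so it no longer matches when stage 1's tag is the chain input.
    reordered = verify_sequence(SESSION_KEY, [msgs[0], msgs[2], msgs[1]])
    # Stage 2 removed entirely: stage 3 fails for the same reason.
    dropped = verify_sequence(SESSION_KEY, [msgs[0], msgs[2]])
    # Stage 2 payload altered by one byte while keeping its original tag.
    altered = (msgs[1][0][:-1] + b"X", msgs[1][1])
    tampered = verify_sequence(SESSION_KEY, [msgs[0], altered, msgs[2]])
    return intact, reordered, dropped, tampered


if __name__ == "__main__":
    print(demo())
```

One caveat the chain alone does not cover: truncating the sequence after a valid stage (sending stages 1 and 2 and withholding 3) verifies cleanly, because nothing after the cut is ever checked. Session-based schemes close that gap by requiring an explicit final stage or acknowledgement before the container treats the provisioning as complete, which is the same role the "commit" stage plays in this sketch.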