Re: [KEYPROV] FW: New Version Notification - draft-ietf-keyprov-dskpp-12.txt
Anders Rundgren <anders.rundgren@telia.com> Mon, 30 August 2010 07:03 UTC
Return-Path: <anders.rundgren@telia.com>
X-Original-To: keyprov@core3.amsl.com
Delivered-To: keyprov@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7AB333A67A4 for <keyprov@core3.amsl.com>; Mon, 30 Aug 2010 00:03:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.673
X-Spam-Level:
X-Spam-Status: No, score=-1.673 tagged_above=-999 required=5 tests=[AWL=0.576, BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Ze+J8eQ8Zl7 for <keyprov@core3.amsl.com>; Mon, 30 Aug 2010 00:03:40 -0700 (PDT)
Received: from mail.primekey.se (walter.primekey.se [195.149.137.136]) by core3.amsl.com (Postfix) with ESMTP id 2FBB83A67B7 for <keyprov@ietf.org>; Mon, 30 Aug 2010 00:03:39 -0700 (PDT)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by mail.primekey.se (Postfix) with ESMTP id 2206BC3D1A; Mon, 30 Aug 2010 09:04:08 +0200 (CEST)
Message-ID: <4C7B57E7.9050905@telia.com>
Date: Mon, 30 Aug 2010 09:04:07 +0200
From: Anders Rundgren <anders.rundgren@telia.com>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: andrea.doherty@rsa.com
References: <9ED76AB595E4944BB33D8998DE448D110A8A4DB7@CORPUSMX10B.corp.emc.com>
In-Reply-To: <9ED76AB595E4944BB33D8998DE448D110A8A4DB7@CORPUSMX10B.corp.emc.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: keyprov@ietf.org
Subject: Re: [KEYPROV] FW: New Version Notification - draft-ietf-keyprov-dskpp-12.txt
X-BeenThere: keyprov@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Provisioning of Symmetric Keys \(keyprov\)" <keyprov.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/keyprov>, <mailto:keyprov-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/keyprov>
List-Post: <mailto:keyprov@ietf.org>
List-Help: <mailto:keyprov-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/keyprov>, <mailto:keyprov-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Aug 2010 07:03:41 -0000
A.7
"Application Protocol Data
Units, or APDUs) are encrypted with a pre-issued card manufacturer's
key and sent directly to the smart card chip, allowing secure post-
issuance in-the-field provisioning"
Andrea, this is *still* inappropriate for the DSKPP I-D because the only
E2ES schemes I have heard about (GP/ETSI SCPxx and SKS/KG2) are fairly
different to DSKPP since they build on having a *session* with the
container, and using "rolling MACs" for maintaining integrity in a
multi-stage provisioning/update operation.
To achieve E2ES the container and protocol *must* be 1-2-1 on "APDU"
level. PKCS #11, CryptoAPI, and JCE do not support E2ES provisioning
so this feature is really quite distinct to just having a known key in
the container which any crypto-APIs can support.
I.e. E2ES is not an DSKPP "implementation option", it is a description of
how *other* (more or less competing) schemes have addressed provisioning.
Microsoft supports E2ES in their ILM (Identity Lifecycle Manager) since
2007 so it is not just a(nother) crazy idea by your former college :-)
The RSA division probably needs to begin dealing with E2ES in order to
keep up with the rest of the token-provisioning world.
If you take the step to 32-bit processors you may even be able to add
transaction-based operation which is the next logical step after E2ES.
/Anders
Doherty, et al. Expires March 2, 2011 [Page 76]
Internet-Draft DSKPP August 2010
issuance in-the-field provisioning.
andrea.doherty@rsa.com wrote:
>
> -----Original Message-----
> From: Internet-Draft@ietf.org [mailto:Internet-Draft@ietf.org]
> Sent: Sunday, August 29, 2010 11:15 PM
> To: keyprov-chairs@tools.ietf.org; draft-ietf-keyprov-dskpp@tools.ietf.org; tim.polk@nist.gov; alexey.melnikov@isode.com; stpeter@stpeter.im
> Subject: New Version Notification - draft-ietf-keyprov-dskpp-12.txt
>
> New version (-12) has been submitted for draft-ietf-keyprov-dskpp-12.txt.
> http://www.ietf.org/internet-drafts/draft-ietf-keyprov-dskpp-12.txt
>
>
> Diff from previous version:
> http://tools.ietf.org/rfcdiff?url2=draft-ietf-keyprov-dskpp-12
>
> IETF Secretariat.
>
> _______________________________________________
> KEYPROV mailing list
> KEYPROV@ietf.org
> https://www.ietf.org/mailman/listinfo/keyprov
>
- [KEYPROV] FW: New Version Notification - draft-ie… andrea.doherty
- Re: [KEYPROV] FW: New Version Notification - draf… Anders Rundgren
- Re: [KEYPROV] FW: New Version Notification - draf… andrea.doherty