Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)
Anders Rundgren <anders.rundgren.net@gmail.com> Wed, 29 October 2014 16:19 UTC
Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AA261A1AE8 for <pkix@ietfa.amsl.com>; Wed, 29 Oct 2014 09:19:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ScF6TiX3VKF3 for <pkix@ietfa.amsl.com>; Wed, 29 Oct 2014 09:19:45 -0700 (PDT)
Received: from mail-wi0-x22a.google.com (mail-wi0-x22a.google.com [IPv6:2a00:1450:400c:c05::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7F191A1ADE for <pkix@ietf.org>; Wed, 29 Oct 2014 09:19:44 -0700 (PDT)
Received: by mail-wi0-f170.google.com with SMTP id q5so1976629wiv.5 for <pkix@ietf.org>; Wed, 29 Oct 2014 09:19:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=VN2y23GMz84R7Lk0HOKXcgagiSYcid2IIrJH4GG2lYk=; b=yImoUqeUxF9VKOkWx4kkBd7ctKfdksPzezFgw3ZHnPfsrV9ObB24KFTHkZJo+jHbyY yj1hlJG3L6/8M8SUA70Sd+8+grez9pMY8rgFy4v5tQc9XiUin56AKNvndaE29N0iZdSV hn6k5ZsnxLiLSy6yvfd1w1jbTLnGznhTfyZytT28VUfUJdggj/ZG9nEtDFYEbLhBerNC GENc7WByTjP/gd1wd7JJ3qTo0Hoo4HL1W8vGroYKeC/F8ZbNXcxULtdYQQHcVuY9Iozj gWBUPikxC9gITYWPCxwyStApk0ub8APXASfR53yjj7c31maP24uDDgWoJHLhkn886PpV yfhw==
X-Received: by 10.180.184.129 with SMTP id eu1mr36614160wic.69.1414599583283; Wed, 29 Oct 2014 09:19:43 -0700 (PDT)
Received: from [192.168.1.79] (222.118.176.95.rev.sfr.net. [95.176.118.222]) by mx.google.com with ESMTPSA id o1sm5673988wja.25.2014.10.29.09.19.42 for <pkix@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 29 Oct 2014 09:19:42 -0700 (PDT)
Message-ID: <5451138E.4000208@gmail.com>
Date: Wed, 29 Oct 2014 17:19:26 +0100
From: Anders Rundgren <anders.rundgren.net@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "pkix@ietf.org" <pkix@ietf.org>
References: <9A043F3CF02CD34C8E74AC1594475C739B9DB295@uxcn10-5.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C739B9DB295@uxcn10-5.UoA.auckland.ac.nz>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/0-FMi4RMxg0wd6ujJwcDIt1vizE
Subject: Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Oct 2014 16:19:47 -0000
The only thing that could eventually replace SCEP for "devices" including BYOD, would be a protocol that builds on embedded attestation keys like the FIDO/Google U2F scheme. Such a scheme could completely eliminate the reliance on enrollment passwords. For browsers-based enrollment none of the PKIX-protocols make any sense since the former effectively is server-driven. I.e. it is the server that asks the client (platform) to generate a key-pair according to the server's specification. Related: http://www.w3.org/2012/webcrypto/webcrypto-next-workshop/ -Anders On 2014-10-29 14:35, Peter Gutmann wrote: > I've spent the time since the last exchange of messages on this thread talking > to various SCEP users over their requirements. It turns out that the figure > I'd previously posted, of half a billion SCEP devices in active use, was > rather an underestimate. SCEP seems to be pretty much the universal device- > provisioning protocol for non-PC/laptop devices, including mobile phones, > SCADA devices, gaming machines, ATMs, firewalls, and so on. It's also been > described to me as the standard BYOD provisioning protocol, its use for this > being so widespread that Server 2012 even added new, extra capabilities for > dealing with BYOD use via SCEP (Windows Server 2008 and 2012 are pretty much > the standard server implementations for dealing with this sort of thing). As > one person told me, "if a device speaks anything, it'll speak SCEP". > > So, no matter how much Cisco would like to forget about it, it's extremely > widely used, and there's no sign that this is going to change in the future. > To paraphrase something someone said many years ago about IBM, "SCEP isn't the > competition, it's the environment". > > To that end I'd like to request that the SCEP authors give me (or someone else > who cares about it, e.g. one of the JSCEP folks) change control over the > document so that we can finally get this published. I submitted a list of > changes for the current doc ages ago but things seem to have stalled since > then (the changes were minor things that have come up in real-world usage, > clarifications to the doc, places where ~15-year-old remnants still exist next > to current ones, and just a general cleanup of the neglect that it's had for > the last decade or so, it still talks about MD5 and single DES for example, > but doesn't mention that newfangled AES thing that everyone's talking about). > > Given that it's been more or less abandoned by Cisco, I'd like to finish the > editing for it and finally get it published as an RFC so that the vast number > of devices out there using it, and that will use it in the future, have a > fixed standard that they can refer back to. > > Peter. > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix >
- [pkix] Simple Certificate Enrollment Protocol (SC… Erik Andersen
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Michael Jenkins
- Re: [pkix] Simple Certificate Enrollment Protocol… Erik Andersen
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Miller, Timothy J.
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- [pkix] SCEP Stephen Kent
- Re: [pkix] Simple Certificate Enrollment Protocol… Miller, Timothy J.
- Re: [pkix] Simple Certificate Enrollment Protocol… Jeffrey Walton
- Re: [pkix] Simple Certificate Enrollment Protocol… Paul Hoffman
- Re: [pkix] Simple Certificate Enrollment Protocol… Sill, Alan
- Re: [pkix] Simple Certificate Enrollment Protocol… Stephen Kent
- Re: [pkix] Simple Certificate Enrollment Protocol… Melinda Shore
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Stephen Kent
- Re: [pkix] Simple Certificate Enrollment Protocol… Paul Hoffman
- Re: [pkix] Simple Certificate Enrollment Protocol… Stephen Kent
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Max Pritikin (pritikin)
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Jeffrey Walton
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Dr. Massimiliano Pala
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Max Pritikin (pritikin)
- Re: [pkix] Simple Certificate Enrollment Protocol… Dr. Massimiliano Pala
- [pkix] Derived Credentials. Was: Simple Certifica… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Max Pritikin (pritikin)
- Re: [pkix] Simple Certificate Enrollment Protocol… Max Pritikin (pritikin)
- Re: [pkix] Derived Credentials. Was: Simple Certi… Anders Rundgren
- Re: [pkix] Derived Credentials. Was: Simple Certi… Max Pritikin (pritikin)
- [pkix] New Microsoft Enrollment system. Was: Simp… Anders Rundgren
- Re: [pkix] Derived Credentials. Was: Simple Certi… Johannes Merkle
- Re: [pkix] Derived Credentials. Was: Simple Certi… Johannes Merkle
- Re: [pkix] Derived Credentials. Was: Simple Certi… Anders Rundgren
- Re: [pkix] Derived Credentials. Was: Simple Certi… Anders Rundgren
- Re: [pkix] Derived Credentials. Was: Simple Certi… Anders Rundgren