Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)

"Max Pritikin (pritikin)" <pritikin@cisco.com> Fri, 07 November 2014 23:03 UTC

From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: "pkix@ietf.org" <pkix@ietf.org>
Date: Fri, 07 Nov 2014 23:03:40 +0000
Message-ID: <D941FEB2-CC8D-4D9C-9496-F7C28B5E0C41@cisco.com>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C739B9DB295@uxcn10-5.UoA.auckland.ac.nz>
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/1cq_nu_inG8uZjgNH-sHeDHjueA

On Oct 29, 2014, at 6:35 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> I've spent the time since the last exchange of messages on this thread talking
> to various SCEP users over their requirements.  It turns out that the figure
> I'd previously posted, of half a billion SCEP devices in active use, was
> rather an underestimate.  SCEP seems to be pretty much the universal device-
> provisioning protocol for non-PC/laptop devices, including mobile phones,
> SCADA devices, gaming machines, ATMs, firewalls, and so on.  It's also been
> described to me as the standard BYOD provisioning protocol, its use for this
> being so widespread that Server 2012 even added new, extra capabilities for
> dealing with BYOD use via SCEP (Windows Server 2008 and 2012 are pretty much
> the standard server implementations for dealing with this sort of thing).  As
> one person told me, "if a device speaks anything, it'll speak SCEP".
> 
> So, no matter how much Cisco would like to forget about it, it's extremely
> widely used, and there's no sign that this is going to change in the future.
> To paraphrase something someone said many years ago about IBM, "SCEP isn't the
> competition, it's the environment".

Agreed! We can't "forget" about it. This is why we paid so much attention to the process flow of SCEP when designing EST, to ensure minimal pain.
We also need to be able to move forward to Suite B and better client authentication methods. Thus the reason we had to describe something beyond SCEP (which can't support these improvements). This led to the specific CMC profile that is EST.

> 
> To that end I'd like to request that the SCEP authors give me (or someone else
> who cares about it, e.g. one of the JSCEP folks) change control over the
> document so that we can finally get this published.  I submitted a list of
> changes for the current doc ages ago but things seem to have stalled since
> then (the changes were minor things that have come up in real-world usage,
> clarifications to the doc, places where ~15-year-old remnants still exist next
> to current ones, and just a general cleanup of the neglect that it's had for
> the last decade or so, it still talks about MD5 and single DES for example,
> but doesn't mention that newfangled AES thing that everyone's talking about).
> 
> Given that it's been more or less abandoned by Cisco, I'd like to finish the
> editing for it and finally get it published as an RFC so that the vast number
> of devices out there using it, and that will use it in the future, have a
> fixed standard that they can refer back to.

I'll be at IETF next week. Let's meet with any interested parties and figure out a path forward.

A question: How is updating "half a billion SCEP devices" to a new version of SCEP any different than updating them to EST or similar?

- max 

> 
> Peter.