IETF Logo Mail Archive

Re: [pkix] Considerations about the need to resume PKIX work

"Dr. Pala" <director@openca.org> Thu, 20 July 2017 12:25 UTC

Return-Path: <director@openca.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E6C812EC30 for <pkix@ietfa.amsl.com>; Thu, 20 Jul 2017 05:25:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.272
X-Spam-Level:
X-Spam-Status: No, score=-0.272 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_HK_NAME_DR=0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F7vvHp-NXZx0 for <pkix@ietfa.amsl.com>; Thu, 20 Jul 2017 05:25:02 -0700 (PDT)
Received: from mail.katezarealty.com (mail.katezarealty.com [104.168.158.213]) by ietfa.amsl.com (Postfix) with ESMTP id 188C5127058 for <pkix@ietf.org>; Thu, 20 Jul 2017 05:25:02 -0700 (PDT)
Received: from dhcp-8e48.meeting.ietf.org (dhcp-8e48.meeting.ietf.org [31.133.142.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.katezarealty.com (Postfix) with ESMTPSA id 620D93740FB2 for <pkix@ietf.org>; Thu, 20 Jul 2017 08:25:01 -0400 (EDT)
To: PKIX <pkix@ietf.org>
References: <c989a9f9-8079-2fd7-085f-c4dcde10d080@openca.org> <5ac2abf1-f46a-8c95-9d33-3e20dc60daed@gmail.com>
From: "Dr. Pala" <director@openca.org>
Organization: OpenCA Labs
Message-ID: <5ae70d92-00b2-8072-c28b-b9fd07c0adcf@openca.org>
Date: Thu, 20 Jul 2017 14:24:58 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <5ac2abf1-f46a-8c95-9d33-3e20dc60daed@gmail.com>
Content-Type: multipart/alternative; boundary="------------1D49F266E1FC1D72E848ACC5"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/AQi-y5vqKxJrYvlqq7TWKUedBrs>
Subject: Re: [pkix] Considerations about the need to resume PKIX work
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 12:25:03 -0000

Hi Anders,

Maybe, this time we might have a way in. I would be willing to work on 
it (even outside IETF, if there is no interest) and provide 
implementations in LibPKI. Easy and Secure "Provisioning / Enrollment" 
protocols are at the core for many ecosystems (e.g., IoT, WIFI, etc.). 
For the TEEP - I do not think they are going to address this particular 
issue/issues for what I have seen at the BoF.

Let's talk about this - can you send me pointers you might think are 
useful to start from ?

Cheers,
Max


On 7/20/17 2:15 PM, Anders Rundgren wrote:
> Max,
>
> If we stick to the problem with outdated crypto algorithms, the only 
> reasonable solution is updating keys (and software...) when needed.  
> The latter is worked on in the IETF TEEP WG.
>
> Regarding the state of PKI, none of the PKIX enrollment protocols 
> support MFA or key attestations.  In fact, the entire PKIX WG were 
> *against* such ideas (when raised by me) when EST was on the "drawing 
> board". FIDO alliance products (of course) have this as a core facility.
>
> Anders

-- 
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
OpenCA Logo

v2.23.0 | Report a Bug | By Email