Re: [pkix] Considerations about the need to resume PKIX work

"Dr. Pala" <> Thu, 20 July 2017 12:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5E6C812EC30 for <>; Thu, 20 Jul 2017 05:25:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.272
X-Spam-Status: No, score=-0.272 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_HK_NAME_DR=0.01] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id F7vvHp-NXZx0 for <>; Thu, 20 Jul 2017 05:25:02 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 188C5127058 for <>; Thu, 20 Jul 2017 05:25:02 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 620D93740FB2 for <>; Thu, 20 Jul 2017 08:25:01 -0400 (EDT)
To: PKIX <>
References: <> <>
From: "Dr. Pala" <>
Organization: OpenCA Labs
Message-ID: <>
Date: Thu, 20 Jul 2017 14:24:58 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------1D49F266E1FC1D72E848ACC5"
Content-Language: en-US
Archived-At: <>
Subject: Re: [pkix] Considerations about the need to resume PKIX work
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: PKIX Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 20 Jul 2017 12:25:03 -0000

Hi Anders,

Maybe, this time we might have a way in. I would be willing to work on 
it (even outside IETF, if there is no interest) and provide 
implementations in LibPKI. Easy and Secure "Provisioning / Enrollment" 
protocols are at the core for many ecosystems (e.g., IoT, WIFI, etc.). 
For the TEEP - I do not think they are going to address this particular 
issue/issues for what I have seen at the BoF.

Let's talk about this - can you send me pointers you might think are 
useful to start from ?


On 7/20/17 2:15 PM, Anders Rundgren wrote:
> Max,
> If we stick to the problem with outdated crypto algorithms, the only 
> reasonable solution is updating keys (and software...) when needed.  
> The latter is worked on in the IETF TEEP WG.
> Regarding the state of PKI, none of the PKIX enrollment protocols 
> support MFA or key attestations.  In fact, the entire PKIX WG were 
> *against* such ideas (when raised by me) when EST was on the "drawing 
> board". FIDO alliance products (of course) have this as a core facility.
> Anders

Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
OpenCA Logo