IETF Logo Mail Archive

Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)

Anders Rundgren <anders.rundgren.net@gmail.com> Tue, 14 October 2014 11:47 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E91D1A86FF for <pkix@ietfa.amsl.com>; Tue, 14 Oct 2014 04:47:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LO5mYHu46L6V for <pkix@ietfa.amsl.com>; Tue, 14 Oct 2014 04:47:25 -0700 (PDT)
Received: from mail-wg0-x229.google.com (mail-wg0-x229.google.com [IPv6:2a00:1450:400c:c00::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D44A1A86FA for <pkix@ietf.org>; Tue, 14 Oct 2014 04:47:25 -0700 (PDT)
Received: by mail-wg0-f41.google.com with SMTP id b13so10751360wgh.12 for <pkix@ietf.org>; Tue, 14 Oct 2014 04:47:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=QjNOTBy+ss0ugfWWGZ8mvGMsEKnsCkx0PRuc2WZLhik=; b=hNVCBmrf9mJR5SI1EkBQD+0OVDDaZ0/HmwIOsBgOVTHKS05oDHxQd9t7d1x/ksBa+Q q3I4hMmJKFMrH/hRX8NADS/g7gIqjbA5yOrskhmO5w6vgLV30GVtja4D12fpgArlBa2z MVunxajtmY9TTQMXdcg6Z88eaGXv65gGkUJGQMDugbmCBGwB2RiBjRj1WCIB2TwnIw5E L3R4vgoN2Mlwd6sHt0pMuMdolnG8EuVubthQHcVrseCHqLTAZ1TkhUA1V5wWyhSYowW4 +J0158dqXUuaSvtCa+BrVP1n3yo2RQwZchLBPnmRBFMRNJkjt6dy1wJC/5JHwo00RVfp c9Pw==
X-Received: by 10.180.102.135 with SMTP id fo7mr4941515wib.79.1413287244236; Tue, 14 Oct 2014 04:47:24 -0700 (PDT)
Received: from [192.168.1.79] (222.118.176.95.rev.sfr.net. [95.176.118.222]) by mx.google.com with ESMTPSA id k2sm15437305wiz.18.2014.10.14.04.47.23 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 14 Oct 2014 04:47:23 -0700 (PDT)
Message-ID: <543D0D46.6020708@gmail.com>
Date: Tue, 14 Oct 2014 13:47:18 +0200
From: Anders Rundgren <anders.rundgren.net@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Erik Andersen <era@x500.eu>, PKIX <pkix@ietf.org>
References: <9A043F3CF02CD34C8E74AC1594475C739B9CAF27@uxcn10-tdc05.UoA.auckland.ac.nz> <001001cfe7a0$52f31640$f8d942c0$@x500.eu>
In-Reply-To: <001001cfe7a0$52f31640$f8d942c0$@x500.eu>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/G6rHtHdlGj-yd5wEozk8bq9BKME
Cc: WG15@iectc57.org, Carsten Strunge <CAS@energinet.dk>, Søren Peter Nielsen <soren.peter.nielsen@gmail.com>
Subject: Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Oct 2014 11:47:27 -0000

On 2014-10-14 13:16, Erik Andersen wrote:
> Hi Peter,
>
> Thanks for your quick answer.
>
> The smart grid security folks want to use SCEP as normative reference in
> their specification. In the current state of SCEP, this is probably against
> the rules of IEC. It might be desirable to progress SCEP to a more official
> status. That could be within PKIX as an RFC or as an ITU-T Recommendation to
> be progressed very quickly. The latter might require some consent from
> Cisco.

Unfortunately none of the PKIX enrollment protocols support
E2ES (end-to-end security) so they are fairly useless for
large-scale applications, including IoT.  FIDO alliance have
(with Google's help) produced new protocols that support E2ES.

E2ES in this context means that the key-container attests
its identity/authenticity as a part of the protocol.

Anders

>
> Regard,
>
> Erik
>
> -----Oprindelig meddelelse-----
> Fra: pkix [mailto:pkix-bounces@ietf.org] På vegne af Peter Gutmann
> Sendt: 14. oktober 2014 12:18
> Til: IETF PKIX
> Emne: Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)
>
> Erik Andersen <era@x500.eu> writes:
>> Simple Certificate Enrollment Protocol (SCEP) (
>> http://www.iec.ch/members_experts/refdocs/iec/isoiec-dir2%7Bed6.0%7Den.
>> pdf) appears to be widely used and implemented although it is specified
>> in an old, expired Internet draft from 2011 that was never issued as an
>> RFC.
>>
>> Why was it never issued as an RFC and why should it not be on the
>> standards track?
>
> Because it wasn't invented by PKIX.  PKIX have their own two protocols, CMP
> and CMC, both of which have practically nonexistent support, and even less
> interoperability.  SCEP was invented by Cisco but they're trying to disown
> it in favour of another new protocol they've dreamed up with (you guessed
> it) practically nonexistent support and interoperability.
>
> Peter.
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
>
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
>

v2.23.0 | Report a Bug | By Email