Re: [pkix] Considerations about the need to resume PKIX work

Anders Rundgren <> Thu, 20 July 2017 12:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8D037129B43 for <>; Thu, 20 Jul 2017 05:15:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cFx-s4uYHGcN for <>; Thu, 20 Jul 2017 05:15:26 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c0c::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1B850129468 for <>; Thu, 20 Jul 2017 05:15:26 -0700 (PDT)
Received: by with SMTP id f21so13535351wrf.5 for <>; Thu, 20 Jul 2017 05:15:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=RIykXbmrkXsnaBrJFO0nJQ7OoZQxGGRv85/XDyAOmJU=; b=hKwPjJIgSl3qEnCcINddP+Icshxx1Jezrl2A6mYH5ZzwsMBiOIhLj+I14uRQ+9Ua/l BFxBqsf9O+Im3BerKXhcLz/JK9jMwFZYo979+oXi+AIHS12AZG8Glq1kz8LCnEOlhq8t X/eu2I1LuqB169tR+KyHxGhUPFwXev+GvDmvoCoAtceOPaoX4r9Ouo6DRseCjFxfz/pP 7xvzgGa/Y9lfq6hbKzfv8I7CzPsgp77qsitue8HBV4gs7uONj6XSpAEYS4lWr5zhvQS6 1McDkrUKPPXrQNBFna/9SPWioN6gHEGLsRmjslOhaWiQ4QBtU4MktuDr8vzQewUjENiO RHqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=RIykXbmrkXsnaBrJFO0nJQ7OoZQxGGRv85/XDyAOmJU=; b=qdf/J7ypD5T79nFl6Y8VphHSTvKA/oCFfW60RFAq6i/sYRYOebuywRmy0QoVa5PVuw 2KzOSj+C7TBMAlVONWqCF+7IYEUZh1i0q9oQL+YkWe7lBjFAYQVa1ReA+PGuCVY+/MK+ AE5EVDBKIfp0yvAI8YtzTGihWxq+22DcePwkE/Y2bkjz0RYp56n9amavxJFKL1dud+zG 4mc9NgjQq5qjpCZPWIDmqrI64VF9U9D72jIlatc4INN62Uq2oa133+sfZeydqg4fqnlY nyOnYwgtQFOCBRtGA2Ze/86gnHCrJJ75nKwMeB1WP7YGXIm1NBtrtQntwd3XSVkzgseu Kgsg==
X-Gm-Message-State: AIVw113baQQsuijfQ65v3gim0zy1U08ChtLTf9HlwTuQsjimxufnne/b UqdUMAEXMzYcPnFr
X-Received: by with SMTP id f47mr3375727wrf.250.1500552924452; Thu, 20 Jul 2017 05:15:24 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id o131sm2534738wmd.26.2017. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 20 Jul 2017 05:15:23 -0700 (PDT)
To: "Dr. Pala" <>, PKIX <>
References: <>
From: Anders Rundgren <>
Message-ID: <>
Date: Thu, 20 Jul 2017 14:15:21 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [pkix] Considerations about the need to resume PKIX work
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: PKIX Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 20 Jul 2017 12:15:27 -0000


If we stick to the problem with outdated crypto algorithms, the only reasonable solution is updating keys (and software...) when needed.  The latter is worked on in the IETF TEEP WG.

Regarding the state of PKI, none of the PKIX enrollment protocols support MFA or key attestations.  In fact, the entire PKIX WG were *against* such ideas (when raised by me) when EST was on the "drawing board". FIDO alliance products (of course) have this as a core facility.