Re: [pkix] Derived Credentials. Was: Simple Certificate Enrollment Protocol (SCEP)
Anders Rundgren <anders.rundgren.net@gmail.com> Thu, 13 November 2014 21:49 UTC
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, IETF PKIX <pkix@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/KPW6tk8iC7fCA2jrLPmSKlr4fuY
On 2014-11-13 21:14, Peter Gutmann wrote:
> Johannes Merkle <johannes.merkle@secunet.com> writes:
>> Anders Rundgren wrote on 12.11.2014 10:25:
>>> On 2014-11-12 10:03, Max Pritikin (pritikin) wrote:
>>>> Anders - both of these requirements can be met by these protocols.
>>>
>>> AFAICT, end-to-end security with respect to the *key-container* is outside of all
>>> PKIX enrollment protocols. No CMS (Card Management System) uses CMP, SCEP, EST
>>> directly; they use other protocols for actual token provisioning/initialization.
>>
>> This is not correct. I have participated in the implementation of two Card
>> Management Systems that use CMP for smart card initialization and
>> provisioning. Both are operative, the first one managing over 8 million cards,
>> the second one over 60.000.
>
> Same here, for HSMs.

Peter, I'm not sure what you want to prove with this statement. That PKIX protocols indeed are relevant for Derived Credentials? They are not: PKIX protocols do not provide a proof that a key actually is stored/generated in the designated/authenticated key-container. In addition, PKIX protocols do not support PIN provisioning, which is a prerequisite for emulating CAC/PIV/eID etc.

Since you are mentioning HSMs, are you aware of the fact that these usually quite expensive units can't even perform *automated* secure key renewals? You sign the renewal with the old key, right? But how do you know the origin of the new key-pair? Yeah, we trust the machine the HSM is connected to, but why bother with HSMs then? Something is obviously wrong here.

Google got it right in U2F.

Anders

> Peter.
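The renewal problem raised in this message (the old key signs the request, but nothing in that signature says where the new key pair was generated) can be made concrete with a small simulation. The following is an added example, not code from this thread, from CMP/SCEP/EST or from any product named here; the `KeyContainer` type, the `key-origin-attestation-v1` digest label, the `RenewalRequest` fields and `RunScenario` are all constructed for illustration. A verifier that checks only the old-key signature accepts a host-generated key; a verifier that also requires a statement signed by a trusted per-container attestation key (the general idea behind U2F's attestation) rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// KeyContainer is a constructed stand-in for a smart card or HSM. Its
// attestation key never leaves the container and only signs statements about
// keys generated inside it.
type KeyContainer struct {
	attestKey *ecdsa.PrivateKey
	keys      map[string]*ecdsa.PrivateKey
}

func NewKeyContainer() (*KeyContainer, error) {
	ak, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KeyContainer{attestKey: ak, keys: map[string]*ecdsa.PrivateKey{}}, nil
}

// attestationDigest binds the new public key to the verifier's challenge so an
// attestation statement cannot be replayed for another enrollment.
func attestationDigest(pubDER, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte("key-origin-attestation-v1")) // constructed domain separator
	h.Write(pubDER)
	h.Write(challenge)
	return h.Sum(nil)
}

// RenewalRequest carries the new public key, a signature by the old key (the
// proof a PKIX-style renewal gives) and, optionally, the container's
// attestation over the new key (the proof it does not give).
type RenewalRequest struct {
	NewPubDER   []byte
	OldKeySig   []byte
	Attestation []byte // nil when the key was generated outside the container
}

// GenerateAttestedKey creates a key pair inside the container and returns the
// public key (PKIX DER) plus an attestation over it and the challenge.
func (c *KeyContainer) GenerateAttestedKey(slot string, challenge []byte) ([]byte, []byte, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	c.keys[slot] = k
	pubDER, err := x509.MarshalPKIXPublicKey(&k.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	att, err := ecdsa.SignASN1(rand.Reader, c.attestKey, attestationDigest(pubDER, challenge))
	return pubDER, att, err
}

// Sign signs with a key held in the container (the old key during renewal).
func (c *KeyContainer) Sign(slot string, msg []byte) ([]byte, error) {
	k, ok := c.keys[slot]
	if !ok {
		return nil, errors.New("no such slot")
	}
	d := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, k, d[:])
}

// VerifyRenewal is the relying party's check. Possession of the old key is
// necessary but says nothing about origin; only the attestation does.
func VerifyRenewal(req RenewalRequest, oldPub, attestPub *ecdsa.PublicKey, challenge []byte) error {
	d := sha256.Sum256(req.NewPubDER)
	if !ecdsa.VerifyASN1(oldPub, d[:], req.OldKeySig) {
		return errors.New("old-key signature invalid")
	}
	if req.Attestation == nil {
		return errors.New("no key-origin attestation: new key could have been generated anywhere")
	}
	if !ecdsa.VerifyASN1(attestPub, attestationDigest(req.NewPubDER, challenge), req.Attestation) {
		return errors.New("attestation signature invalid")
	}
	_, err := x509.ParsePKIXPublicKey(req.NewPubDER)
	return err
}

// RunScenario replays two renewals: one whose new key was generated inside the
// container and attested, one whose new key came from the host. Both requests
// carry a valid old-key signature.
func RunScenario() (attestedErr, hostKeyErr error) {
	c, err := NewKeyContainer()
	if err != nil {
		return err, err
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err, err
	}
	if _, _, err := c.GenerateAttestedKey("old", challenge); err != nil { // initial enrollment
		return err, err
	}
	oldPub, attestPub := &c.keys["old"].PublicKey, &c.attestKey.PublicKey

	newPubDER, att, _ := c.GenerateAttestedKey("new", challenge)
	sig, _ := c.Sign("old", newPubDER)
	attestedErr = VerifyRenewal(RenewalRequest{newPubDER, sig, att}, oldPub, attestPub, challenge)

	hostKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // generated on the host
	hostPubDER, _ := x509.MarshalPKIXPublicKey(&hostKey.PublicKey)
	sig2, _ := c.Sign("old", hostPubDER)
	hostKeyErr = VerifyRenewal(RenewalRequest{hostPubDER, sig2, nil}, oldPub, attestPub, challenge)
	return attestedErr, hostKeyErr
}

func main() {
	a, h := RunScenario()
	fmt.Println("container-generated key:", a)
	fmt.Println("host-generated key:", h)
}
```

The attestation key's public half must be trusted out of band (typically a certificate chained to the device manufacturer), and the challenge must come from the verifier, otherwise an attestation captured from one enrollment could be reused for another.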