IETF Logo Mail Archive

Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)

"Dr. Massimiliano Pala" <massimiliano.pala@gmail.com> Tue, 11 November 2014 20:45 UTC

Return-Path: <massimiliano.pala@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7956C1A1B3B for <pkix@ietfa.amsl.com>; Tue, 11 Nov 2014 12:45:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.99
X-Spam-Level:
X-Spam-Status: No, score=-1.99 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001, T_HK_NAME_FM_DR=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Un0-2BSQcVAa for <pkix@ietfa.amsl.com>; Tue, 11 Nov 2014 12:45:04 -0800 (PST)
Received: from mail-wi0-x22d.google.com (mail-wi0-x22d.google.com [IPv6:2a00:1450:400c:c05::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A490F1A1AC7 for <pkix@ietf.org>; Tue, 11 Nov 2014 12:45:03 -0800 (PST)
Received: by mail-wi0-f173.google.com with SMTP id n3so2877239wiv.6 for <pkix@ietf.org>; Tue, 11 Nov 2014 12:45:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=ICR3zbaxtMmwAct7oC0FuXW7AkE+NWf49td9v7JyxNo=; b=le2ebV1/Z9nukry24jlUx+P/Yr/JEmpdCiCbKrSYjfC+F03YI9ZoB0F5cuzqFeBgIk Cps8C1RJTNIltoRpmqOdscrI+pYY6s9j2PNo/BjK7K3++oC5ywk6VlOc/GGeoBo00WH2 1F8BJaBpdrtvKvy+F0cPCPQn1TewAnuKT4UuvZTi2GfvLDum5QD3p3+eiVf4hAN3O602 /qVkyxrM05iZNwBZu+jX5qnL63EQ8msHsx1YtREHxPxL0phLC59kGoPY55u54ntu/vLc rloGjFPyk0iKtqEiA1CZ8Y7L7GybCzQpOJE3pl/8aRjssaP+jH0o8jBRCitf06Tz62PI bdWQ==
X-Received: by 10.180.73.212 with SMTP id n20mr673740wiv.59.1415738702143; Tue, 11 Nov 2014 12:45:02 -0800 (PST)
Received: from iMassi.local ([2001:67c:1231:998:20d9:da07:ab1d:41b2]) by mx.google.com with ESMTPSA id cv7sm28753956wjc.3.2014.11.11.12.44.59 for <pkix@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 11 Nov 2014 12:45:01 -0800 (PST)
Message-ID: <5462754A.4010802@gmail.com>
Date: Tue, 11 Nov 2014 10:44:58 -1000
From: "Dr. Massimiliano Pala" <massimiliano.pala@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: pkix@ietf.org
References: <9A043F3CF02CD34C8E74AC1594475C739B9DB295@uxcn10-5.UoA.auckland.ac.nz> <D941FEB2-CC8D-4D9C-9496-F7C28B5E0C41@cisco.com> <54616B61.7000307@gmail.com> <703810FB-F786-4D7C-98EF-0DC6080CBEFB@cisco.com>
In-Reply-To: <703810FB-F786-4D7C-98EF-0DC6080CBEFB@cisco.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/KiR6RVzpHmNcxAGTJi8brsHJWWY
Subject: Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Nov 2014 20:45:07 -0000

Max,

thanks for the reply. However, I was not blindly proposing new work - my 
proposal was not to start new work but to see if there is the need to 
revisit existing work based on considerations about deployment 
considerations across different domains (i.e., not only network 
appliances) and support for it from Internet CAs.

I take that your position is "no". However, I had the impression you 
were proposing a path forward (quoting: "I’ll be at IETF next week. Lets 
meet with any interested parties and figure out a path forward.")

As said before, if the majority agrees that the status quo is ok, that 
is fine. I had the impression that that was not the case.

Cheers,
Max


On 11/11/14, 10:02 AM, Max Pritikin (pritikin) wrote:
> Hi Max Pala,
>
> Some of the core ideas in the original SCEP draft were included into CMC (notice there is even a Cisco author shared between those two efforts).
>
> Unfortunately CMC lost some of the simplicity and directness of SCEP (e.g. CMC has a complex number of options). The approach didn’t really get traction and SCEP become something of a defacto standard despite its limitations.
>
> Those limitations are significant and as algorithm agility and other protocols have progressed SCEP is looking even more crufty/problematic then ever before.
>
> EST RFC7030 addresses these limitations by profiling CMC back into the simplicity original envisioned while maintaining the necessary functionality and providing a clear path for future extensibility and access to the full CMC feature set. Please take a look at it before suggesting additional work:
> 	http://tools.ietf.org/html/rfc7030
>
> SCEP itself could be turned into a historic RFC purely to clarify that it is *historic* and not a work in progress. I don’t see a compelling reason to repeat this process again.
>
> - max
>
> On Nov 10, 2014, at 3:50 PM, Dr. Massimiliano Pala <massimiliano.pala@gmail.com> wrote:
>
>> Hi all,
>>
>> I read the thread for a while. I actually do remember that there was a presentation for SCEP and a request for that to be adopted as a working item in this group that was refused based on the fact that we already have IETF protocols for that.
>>
>> If this argument till stands, than any work on this item (or its successor) should be informational and not WG.
>> However, I think it would be useful to resume a conversation about the status of enrollment protocols - in particular, if the current PKIX WG sponsored RFC are not used in the real world (maybe too complex or too many options?) maybe we should address the issue and work on an easier-to-deploy solution..??? After all, what is the use of a standard if nobody uses it in the real world? If that is the case, I think we need to be humble and admit the limits of the current standards and design a pattern to move forward.
>>
>> It could also be that we like the status quo and leave things as they are today - if the majority of people are happy with what we have today.
>> Can we have a poll about "is there a need to review/amend/simplify PKIX work for certificate enrollment" ?
>>
>> Max Pritikin: I would be interested to meet and talk, can you please include me in the discussion/meetings about this?
>>
>> Last consideration: Although I am not the WG chair, and it is not my role, I would like to keep the discussion in check. I have the impression that the topic is somewhat overloaded with non-technical aspects and I hope we can, instead, focus on technical aspects and on what is needed rather than on how this was handled in the past.
>>
>> Cheers,
>> Max
>>
>>
>>> On Nov 7, 2014, at 1:03 PM, Max Pritikin (pritikin) <pritikin@cisco.com> wrote:
>>>
>>>
>>>> On Oct 29, 2014, at 6:35 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>>>>
>>>> I've spent the time since the last exchange of messages on this thread talking
>>>> to various SCEP users over their requirements.  It turns out that the figure
>>>> I'd previously posted, of half a billion SCEP devices in active use, was
>>>> rather an underestimate.  SCEP seems to be pretty much the universal device-
>>>> provisioning protocol for non-PC/laptop devices, including mobile phones,
>>>> SCADA devices, gaming machines, ATMs, firewalls, and so on.  It's also been
>>>> described to me as the standard BYOD provisioning protocol, its use for this
>>>> being so widespread that Server 2012 even added new, extra capabilities for
>>>> dealing with BYOD use via SCEP (Windows Server 2008 and 2012 are pretty much
>>>> the standard server implementations for dealing with this sort of thing).  As
>>>> one person told me, "if a device speaks anything, it'll speak SCEP".
>>>>
>>>> So, no matter how much Cisco would like to forget about it, it's extremely
>>>> widely used, and there's no sign that this is going to change in the future.
>>>> To paraphrase something someone said many years ago about IBM, "SCEP isn't the
>>>> competition, it's the environment”.
>>> Agreed! We can’t “forget” about it. This is why we paid so much attention to the process flow of SCEP when designing EST to insure minimal pain.
>>> We also need to be able to move forward to suite-b and better client authentication methods. Thus the reason we had to describe something beyond SCEP (which can’t support these improvements). This led to the specific CMC profile that is EST.
>>>
>>>> To that end I'd like to request that the SCEP authors give me (or someone else
>>>> who cares about it, e.g. one of the JSCEP folks) change control over the
>>>> document so that we can finally get this published.  I submitted a list of
>>>> changes for the current doc ages ago but things seem to have stalled since
>>>> then (the changes were minor things that have come up in real-world usage,
>>>> clarifications to the doc, places where ~15-year-old remnants still exist next
>>>> to current ones, and just a general cleanup of the neglect that it's had for
>>>> the last decade or so, it still talks about MD5 and single DES for example,
>>>> but doesn't mention that newfangled AES thing that everyone's talking about).
>>>>
>>>> Given that it's been more or less abandoned by Cisco, I'd like to finish the
>>>> editing for it and finally get it published as an RFC so that the vast number
>>>> of devices out there using it, and that will use it in the future, have a
>>>> fixed standard that they can refer back to.
>>> I’ll be at IETF next week. Lets meet with any interested parties and figure out a path forward.
>>>
>>> A question: How is updating "half a billion SCEP devices” to a new version of SCEP any different than updating them to EST or similar?
>>>
>>> - max
>>>
>>>> Peter.
>>> _______________________________________________
>>> pkix mailing list
>>> pkix@ietf.org
>>> https://www.ietf.org/mailman/listinfo/pkix
>> _______________________________________________
>> pkix mailing list
>> pkix@ietf.org
>> https://www.ietf.org/mailman/listinfo/pkix
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix

v2.23.0 | Report a Bug | By Email