Re: [pkix] Derived Credentials. Was: Simple Certificate Enrollment Protocol (SCEP)

Anders Rundgren <anders.rundgren.net@gmail.com> Wed, 12 November 2014 18:24 UTC

Message-ID: <5463A5CD.9080307@gmail.com>
Date: Wed, 12 Nov 2014 19:24:13 +0100
From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: Johannes Merkle <johannes.merkle@secunet.com>, "Max Pritikin (pritikin)" <pritikin@cisco.com>
References: <9A043F3CF02CD34C8E74AC1594475C739B9DB295@uxcn10-5.UoA.auckland.ac.nz> <D941FEB2-CC8D-4D9C-9496-F7C28B5E0C41@cisco.com> <54616B61.7000307@gmail.com> <703810FB-F786-4D7C-98EF-0DC6080CBEFB@cisco.com> <5462754A.4010802@gmail.com>, <5462DEE0.4010105@gmail.com> <DFD1E49C-A351-4763-A03C-5BD0F118E8CD@cisco.com> <54632785.8080702@gmail.com> <54639BE9.3020303@secunet.com>
In-Reply-To: <54639BE9.3020303@secunet.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/Mz7aAj2mkrOfhQ46tJKp6-DDOXA
Cc: "Dr. Massimiliano Pala" <massimiliano.pala@gmail.com>, "pkix@ietf.org" <pkix@ietf.org>
List-Id: PKIX Working Group <pkix.ietf.org>

On 2014-11-12 18:42, Johannes Merkle wrote:
> Anders Rundgren wrote on 12.11.2014 10:25:
>> On 2014-11-12 10:03, Max Pritikin (pritikin) wrote:
>>> Anders - both of these requirements can be met by these protocols.
>>
>> AFAICT, end-to-end security with respect to the *key-container* is outside of all
>> PKIX enrollment protocols.  No CMS (Card Management System) uses CMP, SCEP, or EST
>> directly; they use other protocols for actual token provisioning/initialization.
>>
>
> This is not correct. I have participated in the implementation of two Card Management Systems that use CMP for smart
> card initialization and provisioning. Both are operative, the first one managing over 8 million cards, the second one
> over 60.000.
>

You always need a proxy between the card and CMP.  Such a proxy may do things
like card initialization, PIN assignment, etc.  CMP (like all PKIX protocols)
also assumes that it is the client (in this case the proxy) that specifies
key algorithms, since it is a strict client-server protocol.  I.e., "key agility"
with respect to the issuer (who usually has the policy) is also missing from
the PKIX plot.

Anders