[pkix] Fwd: [saag] Standard Crypto API + Symmetric Crypto At Rest

Massimiliano Pala <director@openca.org> Wed, 11 November 2015 16:20 UTC

Return-Path: <director@openca.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id E12F31B2B75 for <pkix@ietfa.amsl.com>; Wed, 11 Nov 2015 08:20:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.955
X-Spam-Status: No, score=0.955 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, HTML_MESSAGE=0.001, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id cfh92MabTDgp for <pkix@ietfa.amsl.com>; Wed, 11 Nov 2015 08:20:51 -0800 (PST)
Received: from server.hackmasters.net (unknown []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00D561B2B76 for <pkix@ietf.org>; Wed, 11 Nov 2015 08:20:50 -0800 (PST)
Received: from mail.openca.org (unknown []) by server.hackmasters.net (Postfix) with ESMTP id C0DE541D15 for <pkix@ietf.org>; Wed, 11 Nov 2015 17:17:21 +0100 (CET)
Received: from iMassi.local (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.openca.org (Postfix) with ESMTPSA id 12B0C1892811 for <pkix@ietf.org>; Wed, 11 Nov 2015 11:17:16 -0500 (EST)
References: <563DFCFB.8090405@openca.org>
To: "pkix@ietf.org" <pkix@ietf.org>
From: Massimiliano Pala <director@openca.org>
Organization: OpenCA Labs
X-Forwarded-Message-Id: <563DFCFB.8090405@openca.org>
Message-ID: <56436A0B.10005@openca.org>
Date: Wed, 11 Nov 2015 11:17:15 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <563DFCFB.8090405@openca.org>
Content-Type: multipart/alternative; boundary="------------070906070607050501030603"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/NBlrYlxy5bFnTKvVvKRCeDLiXzI>
Subject: [pkix] Fwd: [saag] Standard Crypto API + Symmetric Crypto At Rest
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2015 16:20:58 -0000


I posted this message on the security area ML, but I think it could be 
to forward it here to address (possibly) an interested audience.

Any comments and feedback are welcome (positive and negative alike).


-------- Forwarded Message --------
Subject: 	[saag] Standard Crypto API + Symmetric Crypto At Rest
Date: 	Sat, 7 Nov 2015 22:30:35 +0900
From: 	Massimiliano Pala <director@openca.org>
Organization: 	OpenCA Labs
To: 	saag@ietf.org <saag@ietf.org>

Hi all,

I am not sure this is the right place to write this e-mail, but I hope
is. At the meeting I spoke with several people about an idea I had some
time ago but never landed at IETF. Since I got positive feedback and
suggestion to post the idea to this list to see if others might be
interested, here's the summary e-mail.

The idea is very simple: provide specifications for interfaces to
cryptographic libraries. The basic idea is to provide an API that
different vendors can implement on top of their libraries to provide a
standard interface for applications. If successful, an application could
make use of OpenSSL, MS-CAPI, Cryptlib, or any other crypto library that
provides that interface without having to re-write the crypto-related
code. This allows for portability (wider adoption of crypto-enabled
applications), code/modules re-usability, and the possibility for
applications to switch between vendors (e.g., switching to a better
crypto library or dismissing a library that has shown vulnerabilities).

Although I received positive feedback about the idea (I know, it has be
attempted in the past.. ), I was never able to get the green light to
proceed with a proposal for IETF (unfortunately the answer was always
"we don't do APIs" ... which, actually, it is not true), so I decided to
move forward anyway, since it is a real pain that needs to be solved. If
the IETF will like to pick up the work in the future, great. If not,
we'll solve the problem anyway :D

If you are interested in participating in the effort (e.g., writing
specs, participating in the discussion, provide feedback, or writing
code) please contact me and we'll take it from there. I wrote a couple
of pages today (very quick and dirty work for now.. so.. don't judge!),
but I hope we'll be able to gather momentum and work together on this.
The website is reachable at:


Last but not least - I am starting also another project that targets the
use of SYMMETRIC crypto by providing support for encryption at rest.
This library will provide support for storing encrypted data, signed
(hmac) data, symmetric keys, and symmetric keys bundles (stack of keys)
in such a way that it is simple to use (e.g., dealing with symmetric
crypto is hard for the average developer since not much support, outside
TLS, is provided). By defining a simple high-level API for symmetric
crypto we want to fill the gap and, hopefully, increase the use of
crypto also in those environment where asymmetric is not an option
(e.g., latency constraints). The idea is to actually write a standard
for symmetric crypto ... "at rest".

Also for this project, please contact me directly (I still do not have
pages for this project for various reasons - most importantly I still
have to see if I get to open source what I did for my employer of if we
have to start from scratch) at this e-mail address.

Happy Security Everybody!


P.S.: Other items on the back burner that I would welcome contributions
to are OCSP over DNS (ODIN), Lightweight Revocation Tokens (LIRT), the
PKI Resource Query Protocol (PRQP), Simplified CMC over HTTP, and the
Public Key (Discovery) System (PKS).

saag mailing list