[pkix] Fwd: [saag] Standard Crypto API + Symmetric Crypto At Rest
Massimiliano Pala <director@openca.org> Wed, 11 November 2015 16:20 UTC
Return-Path: <director@openca.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E12F31B2B75 for <pkix@ietfa.amsl.com>; Wed, 11 Nov 2015 08:20:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.955
X-Spam-Level:
X-Spam-Status: No, score=0.955 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, HTML_MESSAGE=0.001, RDNS_NONE=0.793, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cfh92MabTDgp for <pkix@ietfa.amsl.com>; Wed, 11 Nov 2015 08:20:51 -0800 (PST)
Received: from server.hackmasters.net (unknown [217.133.36.163]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00D561B2B76 for <pkix@ietf.org>; Wed, 11 Nov 2015 08:20:50 -0800 (PST)
Received: from mail.openca.org (unknown [192.168.101.1]) by server.hackmasters.net (Postfix) with ESMTP id C0DE541D15 for <pkix@ietf.org>; Wed, 11 Nov 2015 17:17:21 +0100 (CET)
Received: from iMassi.local (unknown [65.115.226.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.openca.org (Postfix) with ESMTPSA id 12B0C1892811 for <pkix@ietf.org>; Wed, 11 Nov 2015 11:17:16 -0500 (EST)
References: <563DFCFB.8090405@openca.org>
To: "pkix@ietf.org" <pkix@ietf.org>
From: Massimiliano Pala <director@openca.org>
Organization: OpenCA Labs
X-Forwarded-Message-Id: <563DFCFB.8090405@openca.org>
Message-ID: <56436A0B.10005@openca.org>
Date: Wed, 11 Nov 2015 11:17:15 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <563DFCFB.8090405@openca.org>
Content-Type: multipart/alternative; boundary="------------070906070607050501030603"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/NBlrYlxy5bFnTKvVvKRCeDLiXzI>
Subject: [pkix] Fwd: [saag] Standard Crypto API + Symmetric Crypto At Rest
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2015 16:20:58 -0000
Hi PKIX, I posted this message on the security area ML, but I think it could be useful to forward it here to address (possibly) an interested audience. Any comments and feedback are welcome (positive and negative alike). Cheers, Max -------- Forwarded Message -------- Subject: [saag] Standard Crypto API + Symmetric Crypto At Rest Date: Sat, 7 Nov 2015 22:30:35 +0900 From: Massimiliano Pala <director@openca.org> Organization: OpenCA Labs To: saag@ietf.org <saag@ietf.org> Hi all, I am not sure this is the right place to write this e-mail, but I hope is. At the meeting I spoke with several people about an idea I had some time ago but never landed at IETF. Since I got positive feedback and suggestion to post the idea to this list to see if others might be interested, here's the summary e-mail. The idea is very simple: provide specifications for interfaces to cryptographic libraries. The basic idea is to provide an API that different vendors can implement on top of their libraries to provide a standard interface for applications. If successful, an application could make use of OpenSSL, MS-CAPI, Cryptlib, or any other crypto library that provides that interface without having to re-write the crypto-related code. This allows for portability (wider adoption of crypto-enabled applications), code/modules re-usability, and the possibility for applications to switch between vendors (e.g., switching to a better crypto library or dismissing a library that has shown vulnerabilities). Although I received positive feedback about the idea (I know, it has be attempted in the past.. ), I was never able to get the green light to proceed with a proposal for IETF (unfortunately the answer was always "we don't do APIs" ... which, actually, it is not true), so I decided to move forward anyway, since it is a real pain that needs to be solved. If the IETF will like to pick up the work in the future, great. If not, we'll solve the problem anyway :D If you are interested in participating in the effort (e.g., writing specs, participating in the discussion, provide feedback, or writing code) please contact me and we'll take it from there. I wrote a couple of pages today (very quick and dirty work for now.. so.. don't judge!), but I hope we'll be able to gather momentum and work together on this. The website is reachable at: http://cryptoapi.openca.org/ Last but not least - I am starting also another project that targets the use of SYMMETRIC crypto by providing support for encryption at rest. This library will provide support for storing encrypted data, signed (hmac) data, symmetric keys, and symmetric keys bundles (stack of keys) in such a way that it is simple to use (e.g., dealing with symmetric crypto is hard for the average developer since not much support, outside TLS, is provided). By defining a simple high-level API for symmetric crypto we want to fill the gap and, hopefully, increase the use of crypto also in those environment where asymmetric is not an option (e.g., latency constraints). The idea is to actually write a standard for symmetric crypto ... "at rest". Also for this project, please contact me directly (I still do not have pages for this project for various reasons - most importantly I still have to see if I get to open source what I did for my employer of if we have to start from scratch) at this e-mail address. Happy Security Everybody! Cheers, Max P.S.: Other items on the back burner that I would welcome contributions to are OCSP over DNS (ODIN), Lightweight Revocation Tokens (LIRT), the PKI Resource Query Protocol (PRQP), Simplified CMC over HTTP, and the Public Key (Discovery) System (PKS). _______________________________________________ saag mailing list saag@ietf.org https://www.ietf.org/mailman/listinfo/saag
- [pkix] Fwd: [saag] Standard Crypto API + Symmetri… Massimiliano Pala
- Re: [pkix] Fwd: [saag] Standard Crypto API + Symm… Anders Rundgren