IETF Logo Mail Archive

Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)

Anders Rundgren <anders.rundgren.net@gmail.com> Mon, 10 November 2014 05:27 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB3171A8904 for <pkix@ietfa.amsl.com>; Sun, 9 Nov 2014 21:27:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GrMv8W2NGvWd for <pkix@ietfa.amsl.com>; Sun, 9 Nov 2014 21:27:45 -0800 (PST)
Received: from mail-wi0-x233.google.com (mail-wi0-x233.google.com [IPv6:2a00:1450:400c:c05::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1CF31A8867 for <pkix@ietf.org>; Sun, 9 Nov 2014 21:27:44 -0800 (PST)
Received: by mail-wi0-f179.google.com with SMTP id h11so9287654wiw.12 for <pkix@ietf.org>; Sun, 09 Nov 2014 21:27:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=A80BxCwXzz/UhA8yTnYJw8szVa8BwcHHSehjvU+oTmQ=; b=atcWlzO2q+pXgs2/+bYV+yWywap4+bWP9H0fKDyvD+RW4te9xHyHqls3T+5hCsKqwN nghRaWBqeEWfMO0+pbYUOUZJprpPmQyNW0L1iTib1yMT/NYtRuN1frpBKbBvTu9Tvl96 uLKTDfivsG5g91OghZwxvq9mec6/jENeAfnbpimJURJgOz+ntyd0BCuilCnkAwffKxwe H5JUO+dGBsd3XSWM+xHkCe6T0mNeAyB86UvG04Ky9KlxSpmauAbxSi5i/QKziAJdYCc5 ZJS5TzUAXZdtudi7VMRCMQUHKBQCpwUlwHxCmCsupN25hWZn9ywgTSRxai/s4D/vwFiJ sSNw==
X-Received: by 10.180.78.36 with SMTP id y4mr26703240wiw.52.1415597263522; Sun, 09 Nov 2014 21:27:43 -0800 (PST)
Received: from [192.168.1.79] (13.118.176.95.rev.sfr.net. [95.176.118.13]) by mx.google.com with ESMTPSA id t7sm21709449wjy.24.2014.11.09.21.27.42 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 09 Nov 2014 21:27:43 -0800 (PST)
Message-ID: <54604CCB.7040603@gmail.com>
Date: Mon, 10 Nov 2014 06:27:39 +0100
From: Anders Rundgren <anders.rundgren.net@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: noloader@gmail.com
References: <9A043F3CF02CD34C8E74AC1594475C739B9DB295@uxcn10-5.UoA.auckland.ac.nz> <5451138E.4000208@gmail.com> <CAH8yC8n0Qz0dt+_XWCPedpNhfkEZkfMEUz84LQvUfnns2c=5TA@mail.gmail.com>
In-Reply-To: <CAH8yC8n0Qz0dt+_XWCPedpNhfkEZkfMEUz84LQvUfnns2c=5TA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/VPmnb-EeP_swV4iBv5jEOadeT3M
Cc: "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Nov 2014 05:27:46 -0000

On 2014-11-10 03:47, Jeffrey Walton wrote:
> On Wed, Oct 29, 2014 at 12:19 PM, Anders Rundgren
> <anders.rundgren.net@gmail.com> wrote:
>> The only thing that could eventually replace SCEP for "devices" including
>> BYOD, would be a protocol that builds on embedded attestation keys like the
>> FIDO/Google U2F scheme.  Such a scheme could completely eliminate the
>> reliance on enrollment passwords.
> Attestation key pairs are shared across devices by a vendor to provide
> anonymity (cf.,
> https://fidoalliance.org/specs/fido-u2f-overview-v1.0-rd-20141008.pdf,
> page 9). I don't think one of SCEP's design goals is anonymity (but
> its been a while since I looked at it and NDES).
>
> Rather, I'm pretty sure its the opposite: during provisioning, the
> SCEP admin wants to know who/what is being provisioned. In this case,
> the anonymity provided by the attestation key pairs is probably
> unwanted; and the uniqueness provided by a challenge password is
> probably desired.


You are absolutely right.  Enrolling certificates to anonymous routers etc.
would be the opposite to what you want.

The problem with PKIX protocols is that they don't provide mechanisms
for attesting keys.  BTW, I suggested this years ago.

>
> I wonder how long before the attestation key pairs start showing up in
> Little Black Box (https://code.google.com/p/littleblackbox/).
>

v2.23.0 | Report a Bug | By Email