IETF Logo Mail Archive

Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)

"Max Pritikin (pritikin)" <pritikin@cisco.com> Tue, 11 November 2014 20:02 UTC

Return-Path: <pritikin@cisco.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FF401A90EA for <pkix@ietfa.amsl.com>; Tue, 11 Nov 2014 12:02:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.095
X-Spam-Level:
X-Spam-Status: No, score=-15.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id afnwX3tVg9cv for <pkix@ietfa.amsl.com>; Tue, 11 Nov 2014 12:02:44 -0800 (PST)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFAD41A9074 for <pkix@ietf.org>; Tue, 11 Nov 2014 12:02:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6481; q=dns/txt; s=iport; t=1415736159; x=1416945759; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=sJ4va33eoc2Jk9svQFlQuEFMnMidd9tySh3PC+pTQ5c=; b=UohBsCuvphuK6zMj8SJ3dTal+yH2yH5l99tYHuiulHw6Qt2A5L53B43C uRXg3X7JVHl2igpVt+DgejJgZxKkcXeFkWrUOoWGOp3yrVKK5IIbJJU3Y tUaPd45JS4wfq4y61Txwu3QT0b72UT69MrVirVlbi8ROUcim4KsYavZVS 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhMFAFJqYlStJV2Z/2dsb2JhbABcgw5UWQTMGgqHTwKBGhYBAQEBAX2EAgEBAQMBAQEBawsFCwIBCBguIQYLFwENAQEEDgUbiBEDCQkNyEMNhm4BAQEBAQEBAQEBAQEBAQEBAQEBAQEXjluBTDozB4MtgR4FhG2NRIRThEtEghKBNBIrgxKDMoc6hnGCBByBWmyBSIEDAQEB
X-IronPort-AV: E=Sophos;i="5.07,362,1413244800"; d="scan'208";a="371311674"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-6.cisco.com with ESMTP; 11 Nov 2014 20:02:38 +0000
Received: from xhc-rcd-x10.cisco.com (xhc-rcd-x10.cisco.com [173.37.183.84]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id sABK2bQt031248 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 11 Nov 2014 20:02:37 GMT
Received: from xmb-rcd-x03.cisco.com ([169.254.7.19]) by xhc-rcd-x10.cisco.com ([173.37.183.84]) with mapi id 14.03.0195.001; Tue, 11 Nov 2014 14:02:37 -0600
From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: "Dr. Massimiliano Pala" <massimiliano.pala@gmail.com>
Thread-Topic: [pkix] Simple Certificate Enrollment Protocol (SCEP)
Thread-Index: Ac/zfTr7GBrWCtIyTnqyZLG46sIQPwHlCDOAAJyy0oAAJiUuAA==
Date: Tue, 11 Nov 2014 20:02:36 +0000
Message-ID: <703810FB-F786-4D7C-98EF-0DC6080CBEFB@cisco.com>
References: <9A043F3CF02CD34C8E74AC1594475C739B9DB295@uxcn10-5.UoA.auckland.ac.nz> <D941FEB2-CC8D-4D9C-9496-F7C28B5E0C41@cisco.com> <54616B61.7000307@gmail.com>
In-Reply-To: <54616B61.7000307@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.21.99.64]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <B5233D4DE2110E43AF56D55FDAA94945@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/Y7gXaXHTbEidrzunlPUnaLuPgOI
Cc: "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Nov 2014 20:02:46 -0000

Hi Max Pala, 

Some of the core ideas in the original SCEP draft were included into CMC (notice there is even a Cisco author shared between those two efforts). 

Unfortunately CMC lost some of the simplicity and directness of SCEP (e.g. CMC has a complex number of options). The approach didn’t really get traction and SCEP become something of a defacto standard despite its limitations. 

Those limitations are significant and as algorithm agility and other protocols have progressed SCEP is looking even more crufty/problematic then ever before. 

EST RFC7030 addresses these limitations by profiling CMC back into the simplicity original envisioned while maintaining the necessary functionality and providing a clear path for future extensibility and access to the full CMC feature set. Please take a look at it before suggesting additional work:
	http://tools.ietf.org/html/rfc7030

SCEP itself could be turned into a historic RFC purely to clarify that it is *historic* and not a work in progress. I don’t see a compelling reason to repeat this process again. 

- max

On Nov 10, 2014, at 3:50 PM, Dr. Massimiliano Pala <massimiliano.pala@gmail.com> wrote:

> Hi all,
> 
> I read the thread for a while. I actually do remember that there was a presentation for SCEP and a request for that to be adopted as a working item in this group that was refused based on the fact that we already have IETF protocols for that.
> 
> If this argument till stands, than any work on this item (or its successor) should be informational and not WG.
> However, I think it would be useful to resume a conversation about the status of enrollment protocols - in particular, if the current PKIX WG sponsored RFC are not used in the real world (maybe too complex or too many options?) maybe we should address the issue and work on an easier-to-deploy solution..??? After all, what is the use of a standard if nobody uses it in the real world? If that is the case, I think we need to be humble and admit the limits of the current standards and design a pattern to move forward.
> 
> It could also be that we like the status quo and leave things as they are today - if the majority of people are happy with what we have today.
> Can we have a poll about "is there a need to review/amend/simplify PKIX work for certificate enrollment" ?
> 
> Max Pritikin: I would be interested to meet and talk, can you please include me in the discussion/meetings about this?
> 
> Last consideration: Although I am not the WG chair, and it is not my role, I would like to keep the discussion in check. I have the impression that the topic is somewhat overloaded with non-technical aspects and I hope we can, instead, focus on technical aspects and on what is needed rather than on how this was handled in the past.
> 
> Cheers,
> Max
> 
> 
>> On Nov 7, 2014, at 1:03 PM, Max Pritikin (pritikin) <pritikin@cisco.com> wrote:
>> 
>> 
>>> On Oct 29, 2014, at 6:35 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>>> 
>>> I've spent the time since the last exchange of messages on this thread talking
>>> to various SCEP users over their requirements.  It turns out that the figure
>>> I'd previously posted, of half a billion SCEP devices in active use, was
>>> rather an underestimate.  SCEP seems to be pretty much the universal device-
>>> provisioning protocol for non-PC/laptop devices, including mobile phones,
>>> SCADA devices, gaming machines, ATMs, firewalls, and so on.  It's also been
>>> described to me as the standard BYOD provisioning protocol, its use for this
>>> being so widespread that Server 2012 even added new, extra capabilities for
>>> dealing with BYOD use via SCEP (Windows Server 2008 and 2012 are pretty much
>>> the standard server implementations for dealing with this sort of thing).  As
>>> one person told me, "if a device speaks anything, it'll speak SCEP".
>>> 
>>> So, no matter how much Cisco would like to forget about it, it's extremely
>>> widely used, and there's no sign that this is going to change in the future.
>>> To paraphrase something someone said many years ago about IBM, "SCEP isn't the
>>> competition, it's the environment”.
>> 
>> Agreed! We can’t “forget” about it. This is why we paid so much attention to the process flow of SCEP when designing EST to insure minimal pain.
>> We also need to be able to move forward to suite-b and better client authentication methods. Thus the reason we had to describe something beyond SCEP (which can’t support these improvements). This led to the specific CMC profile that is EST.
>> 
>>> 
>>> To that end I'd like to request that the SCEP authors give me (or someone else
>>> who cares about it, e.g. one of the JSCEP folks) change control over the
>>> document so that we can finally get this published.  I submitted a list of
>>> changes for the current doc ages ago but things seem to have stalled since
>>> then (the changes were minor things that have come up in real-world usage,
>>> clarifications to the doc, places where ~15-year-old remnants still exist next
>>> to current ones, and just a general cleanup of the neglect that it's had for
>>> the last decade or so, it still talks about MD5 and single DES for example,
>>> but doesn't mention that newfangled AES thing that everyone's talking about).
>>> 
>>> Given that it's been more or less abandoned by Cisco, I'd like to finish the
>>> editing for it and finally get it published as an RFC so that the vast number
>>> of devices out there using it, and that will use it in the future, have a
>>> fixed standard that they can refer back to.
>> 
>> I’ll be at IETF next week. Lets meet with any interested parties and figure out a path forward.
>> 
>> A question: How is updating "half a billion SCEP devices” to a new version of SCEP any different than updating them to EST or similar?
>> 
>> - max
>> 
>>> 
>>> Peter.
>> 
>> _______________________________________________
>> pkix mailing list
>> pkix@ietf.org
>> https://www.ietf.org/mailman/listinfo/pkix
> 
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix

v2.23.0 | Report a Bug | By Email