Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)
"Miller, Timothy J." <tmiller@mitre.org> Tue, 14 October 2014 14:26 UTC
Return-Path: <tmiller@mitre.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 838BF1A8791 for <pkix@ietfa.amsl.com>; Tue, 14 Oct 2014 07:26:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.686
X-Spam-Level:
X-Spam-Status: No, score=-2.686 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.786] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SbCu0WBs570R for <pkix@ietfa.amsl.com>; Tue, 14 Oct 2014 07:26:00 -0700 (PDT)
Received: from smtpvbsrv1.mitre.org (smtpvbsrv1.mitre.org [198.49.146.234]) by ietfa.amsl.com (Postfix) with ESMTP id 032451A8881 for <pkix@ietf.org>; Tue, 14 Oct 2014 07:25:59 -0700 (PDT)
Received: from smtpvbsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 1C97172E191; Tue, 14 Oct 2014 10:25:59 -0400 (EDT)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpvbsrv1.mitre.org (Postfix) with ESMTP id 1410C72E185; Tue, 14 Oct 2014 10:25:59 -0400 (EDT)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.195]) by IMCCAS01.MITRE.ORG ([129.83.29.68]) with mapi id 14.03.0174.001; Tue, 14 Oct 2014 10:25:58 -0400
From: "Miller, Timothy J." <tmiller@mitre.org>
To: 'Peter Gutmann' <pgut001@cs.auckland.ac.nz>, IETF PKIX <pkix@ietf.org>
Thread-Topic: [pkix] Simple Certificate Enrollment Protocol (SCEP)
Thread-Index: Ac/ntFpMb1Xr+ImVQUWYJscmK+kLJwAAoD8g
Date: Tue, 14 Oct 2014 14:25:57 +0000
Message-ID: <195DB2510AAA004391F58E28FCE21200461CF342@IMCMBX01.MITRE.ORG>
References: <9A043F3CF02CD34C8E74AC1594475C739B9CB38D@uxcn10-tdc05.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C739B9CB38D@uxcn10-tdc05.UoA.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.140.19.249]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/_bUfohIM8QUeFLYBr6JvFuzfDUc
Subject: Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Oct 2014 14:26:01 -0000
>None of those are really cert-enrolment protocols though... Well, PCAS is explicitly an enrollment protocol--you send a public key, you get back a certificate--as are Microsoft's ICEnroll and the WS-Trust based enrollment protocol (Certificate Enrollment Web Services) in Server 2k8r2. While it's true that KMIP explicitly disclaims enrollment, it nevertheless has the features you need for enrollment and can be (mis?)used that way. Similarly so with XKMS. Besides, it's funnier when you include them. :) >I've read that before and found it a bit silly, it basically says "issuing a >certificate containing a verbatim copy of what the client asks for ('give me a >certificate that makes me a CA, and issued for google.com') can result in >unexpected rights amplification". Well, duh. IMHO the key point from CSS's discussion is that the SCEP authenticator doesn't actually bind to the identity to be requested or to the requestor, so you can enroll a different device than the one the RA thinks you're enrolling, or you can pass the authenticator along to an otherwise unauthorized person (or both). This isn't a concern in a closed environment as long as you have either physical control of the devices enrolled, trusted and accountable "sponsors" acting on behalf of the non-person Subscriber, or (ideally) both. Unfortunately in the general non-person Subscriber use case there's a scalability requirement that incentivizes over-automation and reduces accountability and control--and that opens up a hole in SCEP you can drive a truck through. (Cue Anders again. :) Naturally human Subscribers can attempt the same shenanigans but there are at least the pretense of checks in those systems. -- T
- [pkix] Simple Certificate Enrollment Protocol (SC… Erik Andersen
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Michael Jenkins
- Re: [pkix] Simple Certificate Enrollment Protocol… Erik Andersen
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Miller, Timothy J.
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- [pkix] SCEP Stephen Kent
- Re: [pkix] Simple Certificate Enrollment Protocol… Miller, Timothy J.
- Re: [pkix] Simple Certificate Enrollment Protocol… Jeffrey Walton
- Re: [pkix] Simple Certificate Enrollment Protocol… Paul Hoffman
- Re: [pkix] Simple Certificate Enrollment Protocol… Sill, Alan
- Re: [pkix] Simple Certificate Enrollment Protocol… Stephen Kent
- Re: [pkix] Simple Certificate Enrollment Protocol… Melinda Shore
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Stephen Kent
- Re: [pkix] Simple Certificate Enrollment Protocol… Paul Hoffman
- Re: [pkix] Simple Certificate Enrollment Protocol… Stephen Kent
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Max Pritikin (pritikin)
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Jeffrey Walton
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Dr. Massimiliano Pala
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Max Pritikin (pritikin)
- Re: [pkix] Simple Certificate Enrollment Protocol… Dr. Massimiliano Pala
- [pkix] Derived Credentials. Was: Simple Certifica… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Max Pritikin (pritikin)
- Re: [pkix] Simple Certificate Enrollment Protocol… Max Pritikin (pritikin)
- Re: [pkix] Derived Credentials. Was: Simple Certi… Anders Rundgren
- Re: [pkix] Derived Credentials. Was: Simple Certi… Max Pritikin (pritikin)
- [pkix] New Microsoft Enrollment system. Was: Simp… Anders Rundgren
- Re: [pkix] Derived Credentials. Was: Simple Certi… Johannes Merkle
- Re: [pkix] Derived Credentials. Was: Simple Certi… Johannes Merkle
- Re: [pkix] Derived Credentials. Was: Simple Certi… Anders Rundgren
- Re: [pkix] Derived Credentials. Was: Simple Certi… Anders Rundgren
- Re: [pkix] Derived Credentials. Was: Simple Certi… Anders Rundgren