IETF Logo Mail Archive

Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)

"Miller, Timothy J." <tmiller@mitre.org> Tue, 14 October 2014 14:26 UTC

Return-Path: <tmiller@mitre.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 838BF1A8791 for <pkix@ietfa.amsl.com>; Tue, 14 Oct 2014 07:26:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.686
X-Spam-Level:
X-Spam-Status: No, score=-2.686 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.786] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SbCu0WBs570R for <pkix@ietfa.amsl.com>; Tue, 14 Oct 2014 07:26:00 -0700 (PDT)
Received: from smtpvbsrv1.mitre.org (smtpvbsrv1.mitre.org [198.49.146.234]) by ietfa.amsl.com (Postfix) with ESMTP id 032451A8881 for <pkix@ietf.org>; Tue, 14 Oct 2014 07:25:59 -0700 (PDT)
Received: from smtpvbsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 1C97172E191; Tue, 14 Oct 2014 10:25:59 -0400 (EDT)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpvbsrv1.mitre.org (Postfix) with ESMTP id 1410C72E185; Tue, 14 Oct 2014 10:25:59 -0400 (EDT)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.195]) by IMCCAS01.MITRE.ORG ([129.83.29.68]) with mapi id 14.03.0174.001; Tue, 14 Oct 2014 10:25:58 -0400
From: "Miller, Timothy J." <tmiller@mitre.org>
To: 'Peter Gutmann' <pgut001@cs.auckland.ac.nz>, IETF PKIX <pkix@ietf.org>
Thread-Topic: [pkix] Simple Certificate Enrollment Protocol (SCEP)
Thread-Index: Ac/ntFpMb1Xr+ImVQUWYJscmK+kLJwAAoD8g
Date: Tue, 14 Oct 2014 14:25:57 +0000
Message-ID: <195DB2510AAA004391F58E28FCE21200461CF342@IMCMBX01.MITRE.ORG>
References: <9A043F3CF02CD34C8E74AC1594475C739B9CB38D@uxcn10-tdc05.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C739B9CB38D@uxcn10-tdc05.UoA.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.140.19.249]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/_bUfohIM8QUeFLYBr6JvFuzfDUc
Subject: Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Oct 2014 14:26:01 -0000

>None of those are really cert-enrolment protocols though...

Well, PCAS is explicitly an enrollment protocol--you send a public key, you get back a certificate--as are Microsoft's ICEnroll and the WS-Trust based enrollment protocol (Certificate Enrollment Web Services) in Server 2k8r2.  

While it's true that KMIP explicitly disclaims enrollment, it nevertheless has the features you need for enrollment and can be (mis?)used that way.  Similarly so with XKMS.  Besides, it's funnier when you include them.  :)

>I've read that before and found it a bit silly, it basically says "issuing a
>certificate containing a verbatim copy of what the client asks for ('give me a
>certificate that makes me a CA, and issued for google.com') can result in
>unexpected rights amplification".  Well, duh.

IMHO the key point from CSS's discussion is that the SCEP authenticator doesn't actually bind to the identity to be requested or to the requestor, so you can enroll a different device than the one the RA thinks you're enrolling, or you can pass the authenticator along to an otherwise unauthorized person (or both).  This isn't a concern in a closed environment as long as you have either physical control of the devices enrolled, trusted and accountable "sponsors" acting on behalf of the non-person Subscriber, or (ideally) both.  Unfortunately in the general non-person Subscriber use case there's a scalability requirement that incentivizes over-automation and reduces accountability and control--and that opens up a hole in SCEP you can drive a truck through.   (Cue Anders again.  :)

Naturally human Subscribers can attempt the same shenanigans but there are at least the pretense of checks in those systems.  

-- T

v2.23.0 | Report a Bug | By Email