Re: [pkix] some comments on draft-ietf-pkix-est-01
Anders Rundgren <anders.rundgren@telia.com> Tue, 27 March 2012 10:49 UTC
Return-Path: <anders.rundgren@telia.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9525621F8975 for <pkix@ietfa.amsl.com>; Tue, 27 Mar 2012 03:49:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.441
X-Spam-Level:
X-Spam-Status: No, score=-3.441 tagged_above=-999 required=5 tests=[AWL=0.158, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Vux7urfPJUv for <pkix@ietfa.amsl.com>; Tue, 27 Mar 2012 03:49:38 -0700 (PDT)
Received: from smtp-out12.han.skanova.net (smtp-out12.han.skanova.net [195.67.226.212]) by ietfa.amsl.com (Postfix) with ESMTP id A3C6521F896B for <pkix@ietf.org>; Tue, 27 Mar 2012 03:49:37 -0700 (PDT)
Received: from [192.168.0.200] (213.66.133.125) by smtp-out12.han.skanova.net (8.5.133) (authenticated as u36408181) id 4F5CB81D00468D87; Tue, 27 Mar 2012 12:49:34 +0200
Message-ID: <4F719B3D.10101@telia.com>
Date: Tue, 27 Mar 2012 12:49:33 +0200
From: Anders Rundgren <anders.rundgren@telia.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20120312 Thunderbird/11.0
MIME-Version: 1.0
To: Sean Turner <turners@ieca.com>
References: <4F718771.6060906@ieca.com>
In-Reply-To: <4F718771.6060906@ieca.com>
X-Enigmail-Version: 1.4
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: pkix@ietf.org
Subject: Re: [pkix] some comments on draft-ietf-pkix-est-01
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2012 10:49:38 -0000
Continuing this thread...
>From the abstract I would be interested in hearing what
"simple Public Key Infrastructure clients"
actually refer to.
"This profile, called Enrollment over Secure Transport (EST),
describes a simple yet functional certificate management protocol"
If you combine all the options, it is not that simple anymore.
Is a client and server assumed to support all the options?
If not, how are they supposed to know which subset that can be used?
Looks like a rather configuration-dependent scheme IMHO.
"K1 "Algorithm agility". The protocol MUST support algorithm agility"
The author's opinion on what that means is flawed. Although supporting
a bunch of TLS ciphers may be interesting, algorithm agility regarding
generated keys is a parameter that most (if not all) issuers care about.
"5.3 Distribution of CA certificates
Before engaging in enrollment operations, clients MUST request trust
anchor information (in the form of certificates) by sending an HTTPS
GET message to the EST base URI with the relative path extension
'/CACerts'"
This mandatory requirement isn't particularly universal. A more
common method is that the user rather gets an option "accepting" the
root of the distributed certificate path. In today's server-centric
world the CA of a *client certificate* often doesn't have any
meaning for the client/user at all.
Anders
PS. By thinking out loud I got an idea for KeyGen2! Add an option
to the install certificate part of the protocol where the issuer may
claim that this root may be of interest to user. By doing that KeyGen2
doesn't have to bother users with (for example) accepting VISA's EMV-root
since this a thing for the merchants/acquirers to care about. DS.
On 2012-03-27 11:25, Sean Turner wrote:
> Just a couple of comments the WG should consider:
>
> Technical:
>
> 1. the /simpleEnroll, /simpleReEnroll, and /serverKeyGen use PKCS#10s
> for the request and return the certificate(s) in a mime media type. In
> many instances, the "normal" query/response for a certificate is a
> PKCS#10 request followed by a PKCS#7 response, where the PKCS#7 is the
> degenerate certs-only message. Does anyone see any benefit in reusing
> the PKCS#10/PKCS#7 model instead of PKCS#10/certificate? Changing it
> would align nicely/exactly with the simple PKI request/response from CMC.
>
> 2. in s5.6.2, just use application/pkcs8 instead of
> application/pkix-privkey.
>
> Not so technical:
>
> 1. appendix D really ought to be in its own document or in part of
> draft-nourse-scep.
>
> spt
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
>
- [pkix] some comments on draft-ietf-pkix-est-01 Sean Turner
- Re: [pkix] some comments on draft-ietf-pkix-est-01 Anders Rundgren
- Re: [pkix] some comments on draft-ietf-pkix-est-01 Dan Harkins
- Re: [pkix] some comments on draft-ietf-pkix-est-01 Tomas Gustavsson
- Re: [pkix] some comments on draft-ietf-pkix-est-01 Max Pritikin
- [pkix] Multiple CAs from one EST server Re: some … Max Pritikin
- [pkix] Using "CMC Simple PKI Response" rather tha… Max Pritikin
- Re: [pkix] Multiple CAs from one EST server Re: s… Tomas Gustavsson
- Re: [pkix] some comments on draft-ietf-pkix-est-01 Anders Rundgren
- Re: [pkix] Using "CMC Simple PKI Response" rather… Dan Harkins
- Re: [pkix] some comments on draft-ietf-pkix-est-01 Max Pritikin
- Re: [pkix] some comments on draft-ietf-pkix-est-01 Anders Rundgren
- Re: [pkix] some comments on draft-ietf-pkix-est-01 Tomas Gustavsson
- Re: [pkix] some comments on draft-ietf-pkix-est-01 Yoav Nir
- Re: [pkix] some comments on draft-ietf-pkix-est-01 Anders Rundgren
- Re: [pkix] Using "CMC Simple PKI Response" rather… Sean Turner
- Re: [pkix] some comments on draft-ietf-pkix-est-01 Anders Rundgren
- Re: [pkix] some comments on draft-ietf-pkix-est-01 Dan Harkins