IETF Logo Mail Archive

Re: [pkix] Proposal for working on PKIX revocation open issues

Anders Rundgren <anders.rundgren.net@gmail.com> Sat, 15 November 2014 08:05 UTC

Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 471DB1A1BEA for <pkix@ietfa.amsl.com>; Sat, 15 Nov 2014 00:05:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 440XNR_BUB2x for <pkix@ietfa.amsl.com>; Sat, 15 Nov 2014 00:05:03 -0800 (PST)
Received: from mail-wi0-x232.google.com (mail-wi0-x232.google.com [IPv6:2a00:1450:400c:c05::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B74B1A1BB7 for <pkix@ietf.org>; Sat, 15 Nov 2014 00:05:03 -0800 (PST)
Received: by mail-wi0-f178.google.com with SMTP id bs8so4732896wib.5 for <pkix@ietf.org>; Sat, 15 Nov 2014 00:05:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=9viUX0pSs1R97OVyfwE2CPYrin50oEf408We2jNmwMQ=; b=UnWZrCUtty2SMqjKuxhFTmRWHL3KtDDy320c5btroGCS5sM6nZYBx5Wmsb9nBS/ZKf cNFvXrGvx0v2a5kFNnrfiEhpp6q3XC7LDe0pEkJGTLZUXgGwocPALlUZME0cRvNMTEop 2/cruIQHdEHEgy8/pIUtTF9gwB/2xqiWE7GVITqxR4FXD3sFQVtj2iZS8t7m5toh6J7J YYD2Lu459mqSO95ycMcXWURkNdU3d4pCgx8Iyj5k7Z1ESwxugH/BUznVrvTb6pOH0/gN 0TFXtFAiwrocQw5ix8ikzKo1fkut4mOBcmzn+azM0PCzWfgJ3htZ65yVMLJCT9Oav49s YtDw==
X-Received: by 10.180.11.65 with SMTP id o1mr14558590wib.22.1416038702081; Sat, 15 Nov 2014 00:05:02 -0800 (PST)
Received: from [192.168.1.79] (13.118.176.95.rev.sfr.net. [95.176.118.13]) by mx.google.com with ESMTPSA id ek9sm6204224wib.21.2014.11.15.00.05.00 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 15 Nov 2014 00:05:01 -0800 (PST)
Message-ID: <5467092A.3040107@gmail.com>
Date: Sat, 15 Nov 2014 09:04:58 +0100
From: Anders Rundgren <anders.rundgren.net@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Massimiliano Pala <massimiliano.pala@gmail.com>
References: <5466AF87.2050307@gmail.com> <5466D73B.4000900@gmail.com> <8C0EDB94-79FC-4885-B0D8-7169FE5F0610@gmail.com>
In-Reply-To: <8C0EDB94-79FC-4885-B0D8-7169FE5F0610@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/a_3hgTf6v992tneap4FeRxiIGwE
Cc: "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [pkix] Proposal for working on PKIX revocation open issues
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Nov 2014 08:05:09 -0000

On 2014-11-15 08:55, Massimiliano Pala wrote:
> Hi Anders,
>
> thanks for the reply. The scope of this proposal was restricted on purpose to see if we gather consensus on a specific area:  revocation, therefore I am limiting my reply to that area to allow the conversation to be focused. Maybe your proposal could be future work for some other pkix-related wg, but it is not in scope with this proposal.
>
> For the HTTP comment, I respectfully disagree. There are many areas where applications use authentication and confidentiality but do not talk HTTP. However, even if they do, they are not browsers and requirements and their capabilities might be different. However, as I see it, this work will be orthogonal to the application protocol.
>
> For the question about client authentication, the only thing that I see missing today is the possibility, for clients, to present their own revocation information (i.e. being able to staple OCSPD responses for the presented certificate) [RFC 6961 only defines client requests for certificate status]. This would provide the server side with the possibility to request/require the client to provide information about their certificate chains.

Good, this was what I proposed in another posting.

The only real problem I know of here is that many commercial client PKIs do not "publish" revocation information, they only make it available for paying RPs which excludes clients from the plot.

Anders

>
> I think this might have the positive effects for client-side certificate authentication and, ultimately, deployment.
>
> Cheers,
> Max
>
>
>> On Nov 14, 2014, at 8:31 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>
>>> On 2014-11-15 02:42, Dr. Massimiliano Pala wrote:
>>> Dear PKIX Enthusiasts,
>> Thanx :-)
>>
>> Just for my curiosity, have the OpenCA team implemented EST?
>>
>> If not, I think this highlights the core problem which is adoption of standards.
>> Microsoft, Intel, et. al. spent *hundreds of millions of dollars* on standardization
>> of TPMs only to find that the bulk of the mobile device market (their competitors...)
>> had taken another, more agile path.
>>
>> Since HTTP seems to the lowest common denominator for all networked
>> devices, it looks like that you will run into serious adoption issues.
>>
>> I must admit that I don't understand what problem you want to solve
>> in the context of *client authentication*.  The client's ability
>> to gather revocation information abouts its own keys?  That's hardly
>> a problem worth solving.  It sounds like a W3C proposal that I once saw
>> which was about introducing an API at the client-side for revoking your
>> own certificate(s).
>>
>> As you can see the remains of the PKIX WG still don't want to discuss
>> requirements like imposed by "Derived Credentials" which actually is
>> a core PKI application that eventually will be used by everybody.
>>
>> Anders
>>
>>> Although great work has been done in the past... 20 years.. (?) on
>>> providing very good protocols in the PKIX work, I think that we all
>>> agree that we still have some unresolved issues. In particular, the
>>> revocation is still a hot topic (especially for online environments)
>>> could use improvement over the current status of things. In particular,
>>> by looking at current specifications, some work is needed to address
>>> concerns especially in non-web environments.
>>>
>>> For example, current specifications about OCSP stapling do not address
>>> the case of client authentication (which is a widespread use case
>>> outside the web environment) or, again, defining some new transport
>>> protocols for delivering OCSP responses which might reduce operational
>>> costs for revocation service providers.
>>>
>>> After proposing the idea to Stephen Farrell and Kathleen Moriarty, we
>>> would like to know if there might be interests in participating in
>>> updating the status of the current revocation mechanisms for PKIX. This
>>> said, the scope of the work I am proposing is very limited. Specifically:
>>>
>>> (a) Defining new transport protocols for revocation information
>>> availability (e.g., OCSP over DNS or OCSP over LDAP)
>>> (b) (Possibly) defining a more lightweight revocation mechanisms (e.g.
>>> Lightweight Revocation Tokens)
>>> (c) (Possibly) helping other working groups to revise and update how
>>> revocation information are provided (e.g., the client authentication case)
>>> (d) (Possibly) introducing privacy consideration when it comes to
>>> revocation checking
>>>
>>> Because of these considerations, I am proposing to start a conversation
>>> - for now, Stephen and Kathleen suggested we use (or "abuse") the "The
>>> Right Key" mailing list to see if there might be enough interest in the
>>> work from implementers to address these issues. I know that we (OpenCA)
>>> are interested in implementing these features, and we would like that
>>> the work would be standardized.
>>>
>>> At minimal, I would like (a) to happen. This could be achieved in 6
>>> months (and we might not even need to meet). (b) and (c) are also
>>> desirable in order to provide better support for non-browsers and small
>>> devices (AFAIK, some work might be relevant for DICE). (d) is something
>>> that we should, I think, all be mindful and at least some considerations
>>> should be provided. The scope of the work, however, will be limited to
>>> revocation.
>>>
>>> Please, if you are interested and would like to start the discussion,
>>> post your opinion on therightkey@ietf.org - also, please, circulate this
>>> proposal to anybody who might be interested in collaborating on this issue.
>>>
>>> Please also note that we did decide not to use the pkix@ietf.org mailing
>>> list because we thought therightkey@ietf.org might provide a more active
>>> pool of implementors.
>>>
>>> Looking forward to receive all your inputs and start working on the topics.
>>>
>>> Cheers,
>>> Max
>>>
>>>
>>> _______________________________________________
>>> pkix mailing list
>>> pkix@ietf.org
>>> https://www.ietf.org/mailman/listinfo/pkix

v2.30.2 | Report a Bug | By Email | System Status