Re: [pkix] Derived Credentials. Was: Simple Certificate Enrollment Protocol (SCEP)

Anders Rundgren <anders.rundgren.net@gmail.com> Wed, 12 November 2014 09:25 UTC

Message-ID: <54632785.8080702@gmail.com>
Date: Wed, 12 Nov 2014 10:25:25 +0100
From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: "Max Pritikin (pritikin)" <pritikin@cisco.com>
References: <9A043F3CF02CD34C8E74AC1594475C739B9DB295@uxcn10-5.UoA.auckland.ac.nz> <D941FEB2-CC8D-4D9C-9496-F7C28B5E0C41@cisco.com> <54616B61.7000307@gmail.com> <703810FB-F786-4D7C-98EF-0DC6080CBEFB@cisco.com> <5462754A.4010802@gmail.com>, <5462DEE0.4010105@gmail.com> <DFD1E49C-A351-4763-A03C-5BD0F118E8CD@cisco.com>
In-Reply-To: <DFD1E49C-A351-4763-A03C-5BD0F118E8CD@cisco.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/b4pmRSHELbV7F4AB8kXwtexjBKc
Cc: "Dr. Massimiliano Pala" <massimiliano.pala@gmail.com>, "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [pkix] Derived Credentials. Was: Simple Certificate Enrollment Protocol (SCEP)

On 2014-11-12 10:03, Max Pritikin (pritikin) wrote:
> Anders - both of these requirements can be met by these protocols.

AFAICT, end-to-end security with respect to the *key-container* is outside of all
PKIX enrollment protocols.  No CMS (Card Management System) uses CMP, SCEP or EST
directly; they use other protocols for actual token provisioning/initialization.

The latter obviously doesn't work for derived credentials since these typically
are 100% on-line provisioned.  Such schemes (entirely proprietary of course...)
are widely deployed in the EU for usage by consumers.

Anders

>
> - max
>
>> On Nov 11, 2014, at 6:15 PM, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:
>>
>> http://defensesystems.com/articles/2014/11/10/comment-can-derived-credentials-replace-cacs.aspx
>>
>> A problem with current protocols including CMC, SCEP and EST is that they
>> don't support enrollment of two-factor credentials[1] and secure key-storage[2]
>> such as (indirectly) required by the US government.
>>
>> Anders
>>
>> 1] Key + PIN
>> 2] Through key-container attestations
>>