Re: I-D Action:draft-ietf-pkix-tamp-01.txt
max pritikin <pritikin@cisco.com> Thu, 05 March 2009 17:56 UTC
Return-Path: <owner-ietf-pkix@mail.imc.org>
X-Original-To: ietfarch-pkix-archive@core3.amsl.com
Delivered-To: ietfarch-pkix-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D606B28C4CE for <ietfarch-pkix-archive@core3.amsl.com>; Thu, 5 Mar 2009 09:56:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uE6mXiyd7SQk for <ietfarch-pkix-archive@core3.amsl.com>; Thu, 5 Mar 2009 09:56:22 -0800 (PST)
Received: from balder-227.proper.com (properopus-pt.tunnel.tserv3.fmt2.ipv6.he.net [IPv6:2001:470:1f04:392::2]) by core3.amsl.com (Postfix) with ESMTP id 3362728C3BF for <pkix-archive@ietf.org>; Thu, 5 Mar 2009 09:56:20 -0800 (PST)
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n25HUwCo028088 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 5 Mar 2009 10:30:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.14.2/8.13.5/Submit) id n25HUwPx028087; Thu, 5 Mar 2009 10:30:58 -0700 (MST) (envelope-from owner-ietf-pkix@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-pkix@mail.imc.org using -f
Received: from sj-iport-5.cisco.com (sj-iport-5.cisco.com [171.68.10.87]) by balder-227.proper.com (8.14.2/8.14.2) with ESMTP id n25HUlEl028070 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=FAIL) for <ietf-pkix@imc.org>; Thu, 5 Mar 2009 10:30:57 -0700 (MST) (envelope-from pritikin@cisco.com)
X-IronPort-AV: E=Sophos; i="4.38,308,1233532800"; d="scan'208,217"; a="66101184"
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-5.cisco.com with ESMTP; 05 Mar 2009 17:30:47 +0000
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n25HUlXg007902; Thu, 5 Mar 2009 09:30:47 -0800
Received: from [10.0.1.195] (stealth-10-32-244-66.cisco.com [10.32.244.66]) by sj-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id n25HUkop022894; Thu, 5 Mar 2009 17:30:46 GMT
Cc: i-d-announce@ietf.org, ietf-pkix@imc.org
Message-Id: <C2C2D82D-A666-4E4A-9022-35BD2012B81D@cisco.com>
From: max pritikin <pritikin@cisco.com>
To: Internet-Drafts@ietf.org
In-Reply-To: <20090304161502.90A2328C1A4@core3.amsl.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-32-269006191"
Mime-Version: 1.0 (Apple Message framework v930.3)
Subject: Re: I-D Action:draft-ietf-pkix-tamp-01.txt
Date: Thu, 05 Mar 2009 11:30:43 -0600
References: <20090304161502.90A2328C1A4@core3.amsl.com>
X-Mailer: Apple Mail (2.930.3)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=16993; t=1236274247; x=1237138247; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=pritikin@cisco.com; z=From:=20max=20pritikin=20<pritikin@cisco.com> |Subject:=20Re=3A=20I-D=20Action=3Adraft-ietf-pkix-tamp-01. txt=20 |Sender:=20; bh=F7Yg0k6ANS9nXeCZK6E5VqlVG3Om3nSofyaiERFiy4g=; b=Z8DAFk1sQfh9tgrelkvqAZx5mgZTLa4t8P4kSlwWKp4Z6TANmg9r71IUZg Pqn8U6TSmwB7BgPzhj7/4DRY+c2U9vbfJR/QtZMFnX+YiEpfAGIDJkKeinmu ua0BrviTUuXBokOS7yGUYF/b56MP/2uo4oTXOvpJcKLlhb+fYeX7E=;
Authentication-Results: sj-dkim-1; header.From=pritikin@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
The following questions concern the [TAMP], [TAF] and [TAMR] drafts
(versions indicated below). I've been reading these documents to see
how they line-up or conflict with the IEEE 802.1AR (Device Identity)
draft that I am the editor for. This perspective colors my comments.
Broadly IEEE 802.1AR concerns itself with the shipping of a device
complete with an X.509 certificate issued by the manufacturer. This
may be accompanied by the manufacturer's certificate chain. Storage
and use of associated private key material are within the module.
802.1AR defines mechanisms for insertion and management of additional
identity certificates issued by a local CA.
In this context I think the 802.1AR module is loosely analogous to a
'trust anchor store' as described in [TAMR, Section 1] combined with
the Cryptographic Module discussed in [TAMP, Section 1.3.1]. The 'TA
manager' would use the 802.1AR defined service interface to interact
with the module; and of course no 802.1AR limitations are made that
prohibit additional service interface functionalities specific to TAMP
(or any other management application) are defined.
The use of local CA issued certificates within 802.1AR appears
consistent with the 'identity trust anchors'. The manufacturer
installed certificate and certificate chain on the other hand could be
described as some combination of the 'apex', 'management' and even
'identity' trust anchors depending on future use. This is where my
questions about these drafts arise. I'm like to know more about how
you envision pre-installed credentials being catagorized.
On the subject of categorization reading these document has raised the
following questions for me:
The latest [TAF] document appear to move away from specifically
categorizing Apex, Management and Identity trust anchors. I agree with
this change. The [TAMP] draft still indicates these three types though
and I no longer see how they are distinguished. I do see that [TAMP,
Section 1.3.2] indicates that:
o The trust anchor store MUST support the secure storage of exactly
one apex trust anchor. The trust anchor store SHOULD support the
secure storage of at least one additional trust anchor.
but not how it is identified as the Apex. Or as a management trust
anchor, or identity trust anchor. Is it expected that this information
would be encoded into the TAF extensions field[s]? For example TAMP
would specify a specific extension with these types indicated?
(I continue to be unsure how to relate this to the 802.1AR concepts of
an 'initial device identity' installed during manufacturing vs a
'local device identity' installed later. But if these types are TAMP
specific vs TAF specific perhaps that is less of a concern.)
I like the idea of a TAF which can store information specific to
particular applications, various management protocols such as CMS, and
other things moving forward. TAMP apparently then specifies specific
authorizations and their meanings but this doesn't limit or impact
other uses? And importantly this type of construct results in a TAF
which may be either Apex, Management, or Identity or any combination
thereof including new types in the future?
This line of thought leads to some reflection on the [TAMP] discussion
illustrated by Figure 4-1 might be even further refined. I appreciate
the update from "Crypto Module" to "Trust Anchor Store" -- or maybe
even a combination of the two of them (this echoes my comment above
about how the 802.1AR module sounds like a combination of both of
these elements). Perhaps my confusion is that in my mind a Trust
Anchor Manager is communicating via TAMP with a TAMP service which is
then accessing the Trust Anchor Store. A picture is worth a thousand
words:
(my apologies if mail messes this up)
+---------+ +----------+
| | | |
| | | |
| | | |
| | TAMP | |
| Trust |<---->| TAMP |
| Anchor | | Process | OS & Application
| Manager | | | Service Interface
| | | | +----------+
| | | |<---->|TAFs in a |
| | | | |Crypto |
| | | | |Module |
| | | | |& Store |
+---------+ +----------+ +----------+
I haven't seen a discussion that the "OS & Application Service
Interface" as being in scope. Drawing the diagram like this clarifies
my impression that the TAF might be used by other applications and
that those applications might benefit from the TAF standardization.
Given the recent changes to [TAF] I suspect things are moving in this
direction?
Thanks for any clarifications,
- Max Pritikin
referenced documents:
[TAF] draft-ietf-pkix-ta-format-01
[TAMP] draft-ietf-pkix-tamp-01
[TAMR] draft-ietf-pkix-ta-mgmt-reqs-02
On Mar 4, 2009, at 10:15 AM, Internet-Drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Public-Key Infrastructure (X.509)
> Working Group of the IETF.
>
>
> Title : Trust Anchor Management Protocol (TAMP)
> Author(s) : R. Housley, et al.
> Filename : draft-ietf-pkix-tamp-01.txt
> Pages : 84
> Date : 2009-03-04
>
> This document describes a transport independent protocol for the
> management of trust anchors and community identifiers stored in a
> trust anchor store. The protocol makes use of the Cryptographic
> Message Syntax (CMS), and a digital signature is used to provide
> integrity protection and data origin authentication. The protocol
> can be used to manage trust anchor stores containing trust anchors
> represented as Certificate, TBSCertificate or TrustAnchorInfo
> objects.
>
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-pkix-tamp-01.txt
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
> <mime-attachment>
- I-D Action:draft-ietf-pkix-tamp-01.txt Internet-Drafts
- Re: I-D Action:draft-ietf-pkix-tamp-01.txt max pritikin
- RE: I-D Action:draft-ietf-pkix-tamp-01.txt Carl Wallace
- RE: I-D Action:draft-ietf-pkix-tamp-01.txt Santosh Chokhani