Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)
Peter Gutmann <pgut001@cs.auckland.ac.nz> Tue, 14 October 2014 11:30 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 716F41A86EE for <pkix@ietfa.amsl.com>; Tue, 14 Oct 2014 04:30:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.986
X-Spam-Level:
X-Spam-Status: No, score=-4.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.786] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oNRS90EINjEL for <pkix@ietfa.amsl.com>; Tue, 14 Oct 2014 04:30:17 -0700 (PDT)
Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.245]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 516C11A854B for <pkix@ietf.org>; Tue, 14 Oct 2014 04:30:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=uoa; t=1413286217; x=1444822217; h=from:to:cc:subject:date:message-id: content-transfer-encoding:mime-version; bh=ab4DvkQGKdThFulrKndyszZVKYzqmXDzN4QymnFaQQc=; b=ZtrJvcuXiBduTYbSxcvVjmvWnnjvEJ0MAVnNoOew5g8N1YNmCZI30YpQ hZhsFHXYuhtG0UuOt5hAEsRPyu18SyDjeY0uci+HmHDrgGiyfp2dQ+x1c jFOVpf69gP0AoOp8KEZq1LwaEhpj9YjgHvCJbXmc9JMnAlVY0QZdO6EV9 M=;
X-IronPort-AV: E=Sophos;i="5.04,630,1406548800"; d="scan'208";a="283044729"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.125 - Outgoing - Outgoing
Received: from uxchange10-fe3.uoa.auckland.ac.nz ([130.216.4.125]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 15 Oct 2014 00:30:15 +1300
Received: from UXCN10-TDC05.UoA.auckland.ac.nz ([169.254.9.70]) by uxchange10-fe3.UoA.auckland.ac.nz ([130.216.4.125]) with mapi id 14.03.0174.001; Wed, 15 Oct 2014 00:30:15 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: IETF PKIX <pkix@ietf.org>
Thread-Topic: [pkix] Simple Certificate Enrollment Protocol (SCEP)
Thread-Index: Ac/nojkd8b5ky4bsTai8zHCjpqK+hw==
Date: Tue, 14 Oct 2014 11:30:14 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C739B9CAFF4@uxcn10-tdc05.UoA.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/kwIyVgeq4x-iGBtSTRf4DX8KuQQ
Cc: "WG15@iectc57.org" <WG15@iectc57.org>, "CAS@energinet.dk" <CAS@energinet.dk>, "soren.peter.nielsen@gmail.com" <soren.peter.nielsen@gmail.com>
Subject: Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Oct 2014 11:30:19 -0000
Erik Andersen <era@x500.eu> writes: >The smart grid security folks want to use SCEP as normative reference in >their specification. It's already being used in a variety of SCADA applications (and is required in some SCADA standards), so they're in good company there. >In the current state of SCEP, this is probably against the rules of IEC. It >might be desirable to progress SCEP to a more official status. That could be >within PKIX as an RFC or as an ITU-T Recommendation to be progressed very >quickly. The latter might require some consent from Cisco. That's going to be tricky, Cisco really wants people to forget about SCEP and move onto EST (thanks to Michael Jenkins for pointing out the name, I was too lazy to Google it :-). I've submitted a bunch of corrections to SCEP (there are some things that were bolted on later that really don't work as specified, or under-specified, in the spec) but haven't been able to get any traction on it. At the moment I don't know what it'd take to get SCEP published as any sort of standard. OTOH as you point out it is a very widely-used de facto standard, while the actual "standards" (CMP, CMC, etc) barely exist and don't interoperate when they do). It's a bit of a COBOL vs. OCaml thing, one is old and clunky and just gets the job done (SCEP), the other is complex and full of esoteric features and only understood by about seven people, three of whom mutter to themselves a lot and aren't allowed near sharp objects because of what they might do with them (CMP/CMC/etc). Peter.
- [pkix] Simple Certificate Enrollment Protocol (SC… Erik Andersen
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Michael Jenkins
- Re: [pkix] Simple Certificate Enrollment Protocol… Erik Andersen
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Miller, Timothy J.
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- [pkix] SCEP Stephen Kent
- Re: [pkix] Simple Certificate Enrollment Protocol… Miller, Timothy J.
- Re: [pkix] Simple Certificate Enrollment Protocol… Jeffrey Walton
- Re: [pkix] Simple Certificate Enrollment Protocol… Paul Hoffman
- Re: [pkix] Simple Certificate Enrollment Protocol… Sill, Alan
- Re: [pkix] Simple Certificate Enrollment Protocol… Stephen Kent
- Re: [pkix] Simple Certificate Enrollment Protocol… Melinda Shore
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Stephen Kent
- Re: [pkix] Simple Certificate Enrollment Protocol… Paul Hoffman
- Re: [pkix] Simple Certificate Enrollment Protocol… Stephen Kent
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Max Pritikin (pritikin)
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Jeffrey Walton
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Dr. Massimiliano Pala
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Max Pritikin (pritikin)
- Re: [pkix] Simple Certificate Enrollment Protocol… Dr. Massimiliano Pala
- [pkix] Derived Credentials. Was: Simple Certifica… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Max Pritikin (pritikin)
- Re: [pkix] Simple Certificate Enrollment Protocol… Max Pritikin (pritikin)
- Re: [pkix] Derived Credentials. Was: Simple Certi… Anders Rundgren
- Re: [pkix] Derived Credentials. Was: Simple Certi… Max Pritikin (pritikin)
- [pkix] New Microsoft Enrollment system. Was: Simp… Anders Rundgren
- Re: [pkix] Derived Credentials. Was: Simple Certi… Johannes Merkle
- Re: [pkix] Derived Credentials. Was: Simple Certi… Johannes Merkle
- Re: [pkix] Derived Credentials. Was: Simple Certi… Anders Rundgren
- Re: [pkix] Derived Credentials. Was: Simple Certi… Anders Rundgren
- Re: [pkix] Derived Credentials. Was: Simple Certi… Anders Rundgren