IETF Logo Mail Archive

Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 29 October 2014 13:35 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88B091A00EA for <pkix@ietfa.amsl.com>; Wed, 29 Oct 2014 06:35:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.51
X-Spam-Level:
X-Spam-Status: No, score=-1.51 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p4E8VACXJrkp for <pkix@ietfa.amsl.com>; Wed, 29 Oct 2014 06:35:44 -0700 (PDT)
Received: from mx2.auckland.ac.nz (mx2.auckland.ac.nz [130.216.125.245]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B29571A00E6 for <pkix@ietf.org>; Wed, 29 Oct 2014 06:35:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=uoa; t=1414589744; x=1446125744; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=WGmMaWP2J8VAXcN3v7Zwr5ZAgOCzHHqdVrqzuA4z0+U=; b=Al1oKBg3DzvOEaqO+D4bJCIaJkO23YwWDqw6RQz/BoK9bB9xlxM4aBxq xucRTzhBGl+ba87p1ac8NyNujUkUjG67x92aAhNjAZNXz52lJ4LJiL0Bf lbYhaPzBL+UcaX1S05qXmzjJAPIcUz1ZiOnfJ3G1hqfC+VBCi3bSYlpAP 8=;
X-IronPort-AV: E=Sophos;i="5.04,630,1406548800"; d="scan'208";a="286444390"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 130.216.4.106 - Outgoing - Outgoing
Received: from uxchange10-fe2.uoa.auckland.ac.nz ([130.216.4.106]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES128-SHA; 30 Oct 2014 02:35:41 +1300
Received: from UXCN10-5.UoA.auckland.ac.nz ([169.254.5.15]) by uxchange10-fe2.UoA.auckland.ac.nz ([169.254.27.86]) with mapi id 14.03.0174.001; Thu, 30 Oct 2014 02:35:41 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "pkix@ietf.org" <pkix@ietf.org>, "pritikin@cisco.com" <pritikin@cisco.com>
Thread-Topic: [pkix] Simple Certificate Enrollment Protocol (SCEP)
Thread-Index: Ac/zfTr7GBrWCtIyTnqyZLG46sIQPw==
Date: Wed, 29 Oct 2014 13:35:40 +0000
Message-ID: <9A043F3CF02CD34C8E74AC1594475C739B9DB295@uxcn10-5.UoA.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/m9CwVi6P0eGJwGcokL0a5I2FFqY
Subject: Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Oct 2014 13:35:49 -0000

I've spent the time since the last exchange of messages on this thread talking
to various SCEP users over their requirements.  It turns out that the figure
I'd previously posted, of half a billion SCEP devices in active use, was
rather an underestimate.  SCEP seems to be pretty much the universal device-
provisioning protocol for non-PC/laptop devices, including mobile phones,
SCADA devices, gaming machines, ATMs, firewalls, and so on.  It's also been
described to me as the standard BYOD provisioning protocol, its use for this
being so widespread that Server 2012 even added new, extra capabilities for
dealing with BYOD use via SCEP (Windows Server 2008 and 2012 are pretty much
the standard server implementations for dealing with this sort of thing).  As
one person told me, "if a device speaks anything, it'll speak SCEP".

So, no matter how much Cisco would like to forget about it, it's extremely
widely used, and there's no sign that this is going to change in the future.
To paraphrase something someone said many years ago about IBM, "SCEP isn't the
competition, it's the environment".

To that end I'd like to request that the SCEP authors give me (or someone else
who cares about it, e.g. one of the JSCEP folks) change control over the
document so that we can finally get this published.  I submitted a list of
changes for the current doc ages ago but things seem to have stalled since
then (the changes were minor things that have come up in real-world usage,
clarifications to the doc, places where ~15-year-old remnants still exist next
to current ones, and just a general cleanup of the neglect that it's had for
the last decade or so, it still talks about MD5 and single DES for example,
but doesn't mention that newfangled AES thing that everyone's talking about).

Given that it's been more or less abandoned by Cisco, I'd like to finish the
editing for it and finally get it published as an RFC so that the vast number
of devices out there using it, and that will use it in the future, have a
fixed standard that they can refer back to.

Peter.

v2.23.0 | Report a Bug | By Email