Re: [pkix] Connected Cars. Upgradable/Replaceable IoT systems. Re: Managing Long-Lived CA certs
Peter Gutmann <pgut001@cs.auckland.ac.nz> Mon, 24 July 2017 13:54 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C9E8131D19 for <pkix@ietfa.amsl.com>; Mon, 24 Jul 2017 06:54:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cJ37SzMpx0Fc for <pkix@ietfa.amsl.com>; Mon, 24 Jul 2017 06:54:28 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7C80131771 for <pkix@ietf.org>; Mon, 24 Jul 2017 06:54:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1500904468; x=1532440468; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=0i1HS2wS19D/LYv2cZ9mK9da511Hu5Uhnv64tIrS6c4=; b=HsQgnwVfT2vQMzmti5bJ4OYHnPBP+BpvoAt+YOATF6qlkoQQGXvW+wj1 0J18phZyQ9wWiu/yEBEHkL13O0vGFaotOT8NYxbV5RHKaoNJ2z6ifsr7Y 2Ekm0oX0ghFiFLlzvPu662EZJvUmjOI0mlDSMoHSu5nPIA/2vbEIpdzXn PkTVy+bad1GYEuvmMsIOwDgwzZjjeffsjHpNsbR4fIgFjigybZBAqpNUM I16dxqSFWttVIHroeU7MEV3EQfBPGk1731V4KqXzTHkyzRpNVeGFvKhwy RwxlsPhNTVv5KWsUSPmQmUldEyR5E6RsTP5Ji2B0Mzc4Kv1QNWWuP7o5m Q==;
X-IronPort-AV: E=Sophos;i="5.40,407,1496059200"; d="scan'208";a="167822678"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.4 - Outgoing - Outgoing
Received: from uxcn13-tdc-c.uoa.auckland.ac.nz ([10.6.3.4]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 25 Jul 2017 01:54:25 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-tdc-c.UoA.auckland.ac.nz (10.6.3.4) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 25 Jul 2017 01:54:25 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1263.000; Tue, 25 Jul 2017 01:54:25 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Robert Moskowitz <rgm-sec@htt-consult.com>, Anders Rundgren <anders.rundgren.net@gmail.com>, "pkix@ietf.org" <pkix@ietf.org>
Thread-Topic: [pkix] Connected Cars. Upgradable/Replaceable IoT systems. Re: Managing Long-Lived CA certs
Thread-Index: AQHTAd5+6l/jXclsikyPxskxVVbZeqJiMw+AgADQUkc=
Date: Mon, 24 Jul 2017 13:54:24 +0000
Message-ID: <1500904462997.1000@cs.auckland.ac.nz>
References: <467c8936-f6aa-0853-878c-24fc8803c599@openca.org> <001501d2ff0e$00eddfa0$02c99ee0$@x500.eu> <1500348690922.69356@cs.auckland.ac.nz> <27d212b4-c5a6-19d1-2afd-f18adaf21031@nist.gov> <003d01d2ffdd$35d67c70$a1837550$@x500.eu> <d032d03f-6ece-44e1-58b7-e3141f3b8e3d@openca.org> <c66ebeda-21be-93fe-f315-7d1e7f069505@gmail.com> <b474e62e-64d3-5c9f-6dc3-4f96749f5440@free.fr> <f59e8121-7b66-a6bb-2b31-16a1aeaeaf37@gmail.com> <0edcee2d-3dea-bbaa-2cd1-cf3915bfeff7@gmail.com>, <07553cee-882a-74e3-569f-2c501461f2dd@htt-consult.com>
In-Reply-To: <07553cee-882a-74e3-569f-2c501461f2dd@htt-consult.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/oes8mD0lMPXjyGg-5EXwneW94Hs>
Subject: Re: [pkix] Connected Cars. Upgradable/Replaceable IoT systems. Re: Managing Long-Lived CA certs
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jul 2017 13:54:30 -0000
Robert Moskowitz <rgm-sec@htt-consult.com> writes: >The IEEE 1609.2 standard for Vehicle safety messaging has a 'monster' PKI >with certificate management. To put it mildly. Not just a monster PKI, a monster in general. They invented their own gratuitously incompatible way of doing everything possible (message security, certificates, you name it, including a pile of novel security mechanisms never before deployed at any real-world scale). The thing with X.509, CMS, PGP, whatever you want to use is that after about twenty years of public naming and shaming vendors have got at least some of the bits right (but see for example the thread currently running on mozilla- dev about CAs all over the world issuing certs for domain names that can't be validated, in other words that were never checked by the CA before the certs were issued). OTOH the 1609.2 stuff, which goes way beyond what any standard public CA has ever attempted (e.g. SCMS or Secure Credential Management System, which is... no, it's too horrible to go into) will be used in a closed, non-public environment where little if anything will ever be tested or checked for correctness. Until the Black Hat and Defcon presentations start appearing... >I worked on three telematics certificate systems. I got exposed to 1609.2. My response was that there simply wasn't enough money in existence to get me to try and make that thing work. Peter.
- Re: [pkix] Managing Long-Lived CA certs Dr. Pala
- [pkix] Managing Long-Lived CA certs Dr. Pala
- Re: [pkix] Managing Long-Lived CA certs Rob Stradling
- Re: [pkix] Managing Long-Lived CA certs Dr. Pala
- Re: [pkix] Managing Long-Lived CA certs Erik Andersen
- Re: [pkix] Managing Long-Lived CA certs Dr. Pala
- Re: [pkix] Managing Long-Lived CA certs Erik Andersen
- Re: [pkix] Managing Long-Lived CA certs Carl Wallace
- Re: [pkix] Managing Long-Lived CA certs Dr. Pala
- Re: [pkix] Managing Long-Lived CA certs Santosh Chokhani
- Re: [pkix] Managing Long-Lived CA certs Carl Wallace
- Re: [pkix] Managing Long-Lived CA certs Dr. Pala
- Re: [pkix] Managing Long-Lived CA certs Peter Gutmann
- Re: [pkix] Managing Long-Lived CA certs Erik Andersen
- Re: [pkix] Managing Long-Lived CA certs David A. Cooper
- Re: [pkix] Managing Long-Lived CA certs Peter Gutmann
- Re: [pkix] Managing Long-Lived CA certs David A. Cooper
- Re: [pkix] Managing Long-Lived CA certs Peter Gutmann
- Re: [pkix] Managing Long-Lived CA certs Erik Andersen
- Re: [pkix] Managing Long-Lived CA certs swilson
- Re: [pkix] Managing Long-Lived CA certs Dr. Pala
- Re: [pkix] Managing Long-Lived CA certs Anders Rundgren
- Re: [pkix] Managing Long-Lived CA certs Denis
- Re: [pkix] Managing Long-Lived CA certs Carl Wallace
- Re: [pkix] Managing Long-Lived CA certs EG Giessmann
- Re: [pkix] Managing Long-Lived CA certs Dr. Pala
- Re: [pkix] Managing Long-Lived CA certs Dr. Pala
- [pkix] Upgradable/Replaceable IoT systems. Re: Ma… Anders Rundgren
- [pkix] Connected Cars. Upgradable/Replaceable IoT… Anders Rundgren
- Re: [pkix] Connected Cars. Upgradable/Replaceable… Robert Moskowitz
- Re: [pkix] Connected Cars. Upgradable/Replaceable… Peter Gutmann
- Re: [pkix] Connected Cars. Upgradable/Replaceable… Robert Moskowitz
- Re: [pkix] Connected Cars. Upgradable/Replaceable… Erwann Abalea