Re: [pkix] [lamps] draft-ietf-lamps-lightweight-cmp-profile-01, section 5.4.4
"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Mon, 27 April 2020 06:31 UTC
Return-Path: <hendrik.brockhaus@siemens.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 361B43A0DBA; Sun, 26 Apr 2020 23:31:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.72
X-Spam-Level:
X-Spam-Status: No, score=-2.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.82, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=siemens.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3kl7_QUVGm7X; Sun, 26 Apr 2020 23:31:15 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50048.outbound.protection.outlook.com [40.107.5.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 805433A0DB8; Sun, 26 Apr 2020 23:31:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=lRdJSP+0doQ0uffizlZYq3F6+v9MgygmrOwI8XLrN8/IXz+DNIdKm3/sf4VFmHJZbYXN0SqJsvauKLJGqr2CwzDsuLicH4zDjSHDDdyQMtUNFGg4Scx/0kcc4DAKk+XcOv3c1F69pbmOVAs9OmKFkDObdC39Kg7CaVJqCSe4Su2ANhXg6XxoVxh7yS5SpG90T2AhgXn3WZjuzeALe3gEpVXYHVPgj+72p0UcflFriQ8Z2zvP/p2GXpFvkUU83GhA7L19Qe1Yy9s0qpCl/P4C/ytkMeqqninDKHcPk5aC054bFtHJFydUhMpbELmbqy63AA1RvKBdaSJIMCNjwfmf8A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=y8RrKBdEN2GqhYQPO23XxgYz/GP4bqkzPuY38/FcImI=; b=XFMlo7nbpwxdGRpBsV0AwfyeDUFEHxmRBjiOgaJXAjc/ux+25hxW0vtCFwAW/ZKr0R0FNAxCMVQaaCp2yyzJGw5y2adru4Tz2k23a3TtFx7+Nh16FimUlwWopHK6lYqGI7YXd8kjabid6dRJsfsQGfmo/CBodtRdnwWDPsJTjrcLi9m4laLmA4jJ6DE5ZG0AxUBF2Md3yelifOWlhvMQ31v1aWOiF/zmwOzvvKSm3n/3DI/gvZRHWQcfLTnCduyaBi4LbuAzhVAAgZxchvwdnTyI0gefqrFM0TD/OMORAfCrGfu2PMjKziT74O/XIxJ0KDacx3u3DbvbmRIthCwj1w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.onmicrosoft.com; s=selector1-siemens-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=y8RrKBdEN2GqhYQPO23XxgYz/GP4bqkzPuY38/FcImI=; b=NMo3LSLgDhcLyTd3BRQV4HIeYRKDX1Zpjxci01rz2l8NpKpwxGtKTcD+qlAzfSpGMReYt+STYJDDfcHM2XUV5TQ9DspFztjTSPQHQpycRHpl7Q/VygHFfXe1Ehk7k9nac93QR4YBOOZsx8Q/Lyj6GpMHLyuH1wnMd4iz5g6Q+Qw=
Received: from AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:208:e2::32) by AM0PR10MB1922.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:208:40::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.22; Mon, 27 Apr 2020 06:31:13 +0000
Received: from AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM ([fe80::85a4:2ab:a6b9:e1a3]) by AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM ([fe80::85a4:2ab:a6b9:e1a3%6]) with mapi id 15.20.2937.020; Mon, 27 Apr 2020 06:31:13 +0000
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Mohit Sahni <mohit06jan@gmail.com>
CC: LAMPS WG <spasm@ietf.org>, "pkix@ietf.org" <pkix@ietf.org>
Thread-Topic: [lamps] draft-ietf-lamps-lightweight-cmp-profile-01, section 5.4.4
Thread-Index: AdYaCB2PEbEcCf1RR1Sfxy7I94Cd0wABPc8AAANHXrAAHb71AABx+vSA
Date: Mon, 27 Apr 2020 06:31:13 +0000
Message-ID: <AM0PR10MB2402BE935D40AB7F8430128FFEAF0@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM>
References: <AM0PR10MB2402704929935043797A8F08FED00@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <CAEpwuw0Y+RiVswt1T+Ge2PcCTNFrNhzUf6q8zRKsFBkWfdZLjw@mail.gmail.com>, <AM0PR10MB240298FCBBB537A5AA1E391AFED00@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <1587771390263.34621@cs.auckland.ac.nz>
In-Reply-To: <1587771390263.34621@cs.auckland.ac.nz>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-document-confidentiality: NotClassified
authentication-results: spf=none (sender IP is ) smtp.mailfrom=hendrik.brockhaus@siemens.com;
x-originating-ip: [165.225.200.151]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 114fec76-540e-468f-54d7-08d7ea7494ee
x-ms-traffictypediagnostic: AM0PR10MB1922:
x-microsoft-antispam-prvs: <AM0PR10MB19220F00047E26BAD8EF5710FEAF0@AM0PR10MB1922.EURPRD10.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0386B406AA
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(396003)(136003)(39860400002)(346002)(376002)(366004)(9686003)(33656002)(4326008)(966005)(478600001)(83080400001)(71200400001)(2906002)(76116006)(86362001)(55016002)(55236004)(8936002)(5660300002)(64756008)(66446008)(66556008)(66946007)(45080400002)(6506007)(54906003)(110136005)(7696005)(8676002)(186003)(26005)(316002)(52536014)(66476007)(81156014); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: siemens.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: gCI1Z+ejmLgA68BuErCdjVxD8hhcj9gUa9px/KLAWtXbERVdDxSEF3NeOTfNWTmPuVOcw7hghbdihUAPwqqNYgRhCxETsw7qTK9PFo5xQmu4gPxMB77z2kWX0vG64qG4f5tDDKnrfB0LONhvB4HFQACf4ukQMmxxDHV4IZ0YSJTidRbJM1ujTV1W3VVdDhCwvefMWNDcZnJM/s2ePBaKf1aXM4czvCtDd/XH26O+bvB0Y+5ury/zU92M8tXNO8FmTl35hdtBgcZSkuqJooeOS0e4d6uGAgvkM9AYdK0jxt0r5ad9IDvwy2fGfsZOMgHqzv17QLretaRtlt0cCHmaCUiRM/OFY86qdt5kr5zK/1Kn5gN1pxE9tFiVWDInYaQTIIrDIsIkDN5CH2ozp36VeeQ7dsq/JsayXyPxlFFIxALqbTCxS7x+EoNonivAN8PObeMtkgk9C9G3Jgo7HBEI5W/X4BunBLt5wcaZNsPSujKt14CWhtTbi8spUQoJf2Ids2yvQDDKLRaYLXxplcjHeg==
x-ms-exchange-antispam-messagedata: r9zQtWGB0yHrVNgojZmvBUdA1nKDHiynd0RqVzc9X7pU2V6FYm8Y81Xwh49GlnEwTzBXf7+Be+c/hQwma86Rhb+z5r+NK9doyn0ODpn9oJnWFbLR7h9zHGXTioN5iXf11B6UPZTSZpR3WPUjN8cBFCy3xgSZ/oZCMM0RvMtmFdpj4GXlFuQR1qSIYuvDYgZrvL8ZXzLi2x2u2pUBCTPMyaIqZAL8gqmoGlNxodC3Nf+WvipGrAuij+lR2q8S6E31HL1AQsliRVsrJWazXbe7E35Fu68kq8wElmrbysBo2DpcL1wu4yV/az2EbvoN2FtLwYvl/6k1KZLOc5HXjYzd33lSmzBvWDhmjAYQWP8DYVWYbj4zlRjcuvKQmAOwfXC+JfF/JRiM+nSVFblKqK8/3ZJXhGAGnBtXqQUjeoJN2IVaFoIgo6NRIm0b81YYIN1xnCPFDFo+VXA5Wnf2x5o5IsvUAbAOWNx7Eo48GQk2EgN2Shxr423QMmLnUy29ul6GBMq01829SaoiU0XWFRdt3Cic84POZEFbZleovwJV/f19ITvW9EdaF8IFBdi7BrQaxQRX/gGqML6NHFAnY6qD0W1rEiM+Xl6oPfCfMkZHan7iGDJ+G5txgZ7SXSoZeP6EBLX5pQ78NNJ0VqyKVSUG+3YrJp/0T2P5n6B6PXRD1JyIqOUD+TBmD6cov1YPwPBc+WBKXDXbHVPdnGvDFl0w3qb9+EuPHm4RKnRFloIz2iCz3CQYnXsll5xR2oox+unwQflg+zeafIqwktIZ0fK4x/KkjRK0itK1JYeNmU152Ly8JyzeVCrSY2j1Il+bNbFV
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 114fec76-540e-468f-54d7-08d7ea7494ee
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Apr 2020 06:31:13.1248 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: SSQjhfYYoKbYFG2u+Cu/PwrwRw+7tFwEktxCGg/LBQyEbBLhDwiyb52HwLJ0F2uc2hygv5TGGIM4vXaag5RqYcoYDH87J0KdpccsjMtRvq8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR10MB1922
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/A7kLQ0kKeXQz7GXsnRShET_vaec>
Subject: Re: [pkix] [lamps] draft-ietf-lamps-lightweight-cmp-profile-01, section 5.4.4
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Apr 2020 06:31:19 -0000
> Von: Peter Gutmann <pgut001@cs.auckland.ac.nz> > Gesendet: Samstag, 25. April 2020 01:37 > > I wasn't aware of this work until now, is there any plan to address the large > number of problems in CMP that make it almost impossible to create two > interoperable CMP implementations purely from the spec? Next to the Lightweight CMP Profile there is the Updates CMP draft (https://datatracker.ietf.org/doc/draft-brockhaus-lamps-cmp-updates/). This draft addresses some changes and general clarification on CMP. The scope of the Lightweight CMP Profile draft is to profile the existing protocol to foster interoperable implementations. See section 2 (https://tools.ietf.org/html/draft-ietf-lamps-lightweight-cmp-profile-01#section-2) of the document for more details on the scope. Especially interoperability with existing profile in the industrial space like in ETSI-3GPP and UNISIG is a goal of the profile. See section 2.3 and 2.4. > See for example section 5.2 of: > > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.usen > ix.org%2Fconference%2F12th-usenix-security-symposium%2Fplug-and-play-pki- > pki-your-mother-can- > use&data=02%7C01%7Chendrik.brockhaus%40siemens.com%7Cf11d5fbf2 > 10a4e96cce008d7e8a8554f%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7 > C1%7C637233682004627707&sdata=O9VyYVvf9uxPkhAGLEQ3ghAJTw7gZL > 695a744HQ%2BP%2Fs%3D&reserved=0 > Thanks for this link. If you have concrete suggestions on what is worth adding to the CMP Updates or the Lightweight CMP Profile, you are welcome. If possibly complete portions of test are helpful for me. Then your concrete suggestion becomes more clear to me. > (Given how fundamentally broken CMP is, rather than profiling it a far simpler > option than trying to duct-tape it together would be to just redefine it to use > CMS, which would fix most of the problems in one stroke, but I'm not sure if > that's an option). Generally speaking, this is an option if you would drop interoperability with existing implementations in ETCI-3GPP and UNISIG. CMS is definitely a good format for the content of certificate management messages. But currently there are already several approaches (2 RFCs as well as 2 drafts) out there that use CMS. I think, adding another flavor of certificate management will not foster interoperability. Therefore our approach was, to take a protocol that is in industrial use for a long time and profile it to clarify its use and ease interoperable implementations. Any suggestions for further clarification are very welcome. -- Hendrik
- [pkix] draft-ietf-lamps-lightweight-cmp-profile-0… Brockhaus, Hendrik
- Re: [pkix] [lamps] draft-ietf-lamps-lightweight-c… Mohit Sahni
- Re: [pkix] [lamps] draft-ietf-lamps-lightweight-c… Brockhaus, Hendrik
- Re: [pkix] [lamps] draft-ietf-lamps-lightweight-c… Salz, Rich
- Re: [pkix] [lamps] draft-ietf-lamps-lightweight-c… Brockhaus, Hendrik
- Re: [pkix] [lamps] draft-ietf-lamps-lightweight-c… Salz, Rich
- Re: [pkix] [lamps] draft-ietf-lamps-lightweight-c… Peter Gutmann
- Re: [pkix] [lamps] draft-ietf-lamps-lightweight-c… Brockhaus, Hendrik