IETF Logo Mail Archive

Re: [pkix] EST-02 smart card question

Max Pritikin <pritikin@cisco.com> Fri, 19 August 2011 21:23 UTC

Return-Path: <pritikin@cisco.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2B0611E80D3 for <pkix@ietfa.amsl.com>; Fri, 19 Aug 2011 14:23:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BjG7TnKLw4Or for <pkix@ietfa.amsl.com>; Fri, 19 Aug 2011 14:23:32 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id C0BB211E80B9 for <pkix@ietf.org>; Fri, 19 Aug 2011 14:23:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=pritikin@cisco.com; l=7495; q=dns/txt; s=iport; t=1313789070; x=1314998670; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=42mARWkZpu6BUYaLUdWmx+xvWnnublqIkecSUPN5pUg=; b=iJvhktSkDym4lUYHYSivVC4g/QzyL46jVSteBO+hG4LTfVVYxW+Sh8bS 5oDcdBy4YTOnPGXga/xRsdfqRfpfaLUuQdVpLwzaCRE0bZ0wKPidli3Pi XUh5OxzHkfkomA8XUFkbKpwZi1wgS1EqIKvTW+oIE5rB/AfCvI1Z7b8pP k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av4EACLTTk6rRDoI/2dsb2JhbAA4CagOd4FAAQEBAQIBEgEnLgMFCQULCxguVwYnBweHT5l7AZ5ugyiCQV8Eh2CLM4UMjAg
X-IronPort-AV: E=Sophos;i="4.68,252,1312156800"; d="scan'208";a="14821023"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by rcdn-iport-5.cisco.com with ESMTP; 19 Aug 2011 21:24:29 +0000
Received: from [10.21.71.56] ([10.21.71.56]) by mtv-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id p7JLOSjl020468; Fri, 19 Aug 2011 21:24:28 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Max Pritikin <pritikin@cisco.com>
In-Reply-To: <4E4EC8D5.3040108@telia.com>
Date: Fri, 19 Aug 2011 15:24:34 -0600
Content-Transfer-Encoding: quoted-printable
Message-Id: <3575CED2-B3F7-4120-B5D2-7A9790EEB95C@cisco.com>
References: <4E4E05AA.2090105@telia.com> <B60F689B-D09B-467C-B6B9-F39D1C148654@cisco.com> <4E4EB362.5090903@telia.com> <9FBD2B22-A2A2-4DEB-BAB8-17E02D6AC0E9@cisco.com> <4E4EC8D5.3040108@telia.com>
To: Anders Rundgren <anders.rundgren@telia.com>
X-Mailer: Apple Mail (2.1084)
Cc: "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [pkix] EST-02 smart card question
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2011 21:23:40 -0000

On Aug 19, 2011, at 2:34 PM, Anders Rundgren wrote:

> On 2011-08-19 21:55, Max Pritikin wrote:
> 
>> I'm wondering if your underlying concern is how the CA server can determine
>> that the key is actually on the smartcard. Is this correct? Is this your concern?
> 
> Well, my #1 concern is how you can create a smart card enrollment system that
> allows you to buy an empty card, insert it, go to a CA with a browser, authenticate (in
> some way) and then get certificates provisioned including things like issuer-defined
> PIN-codes etc.

We are of course assuming that the browser/client supports EST and the smartcard itself. In which case I see no major impediment to what you describe. At most I see an issue with the distribution of policy (e.g. "issuer-defined PIN-codes") but I'm sure we can discuss appropriate methods for that.

Apparently I see the world like this:

EST Server (e.g. CA) => EST protocol => EST Client (e.g. Browser) => Smartcard

In my prototype I've focussed on the use of a general purpose web server as the server interface and am very interested in Browser support for the client. The flexibility of the browser UI as a client is of course as compelling here as it is for so many other  solutions. Still to some extent we are only defining the EST protocol so it would be extremely helpful if we could focus this conversation on protocol requirements. 

What is it about this model you've described that requires something different in the protocol? And what differences are you looking for?


> As it appears you indeed need a smart card expert and tons of proprietary software.
> Existing middleware like PKCS #11 does not support on-line provisioning so basically
> the whole thing is toast unless you go far outside of the protocol.  This is probably
> unacceptable to you and PKIX, which to some extent explains why there is a virtual
> army of companies writing smart card middleware [primarily] for governments.
> 
> My take on this, is creating a complete system where all interfaces are defined:
> 
>                   CA => Browser => Protocol => Middleware => Container

You appear to use a different ordering than I do and I'm not understanding your proposed stack. Are you proposing that the protocol is run on the local client and communicates between the web browser and some middleware/driver for the smartcard? I'm not seeing how that perspective helps us.

- max

> Yes, there are User interfaces as well in layer 2-4.
> 
> Although this may look very "cardish", the design is actually targeting smart
> key-stores including enhanced "soft tokens".
> 
> Will this be a "standard"?  I leave that to the market to decide :-)
> 
> Anders
> 
>> On Aug 19, 2011, at 1:02 PM, Anders Rundgren wrote:
>> 
>>> Max,
>>> You skipped the core of subject line.  
>> My apologies. I was unaware that you had hidden your question in the subject line and that the body of your message was extraneous. :)
>> 
>>> How is smart card enrollment supported by EST?
>> Obviously EST depends on existing cryptographic primitives which are be provided by common smartcard APIs. As such it is trivial to show that a keypair contained on a smartcard can be used in an EST exchange. As an expert in this area I suspect you are very familiar with these APIs and their capabilities so my assumption is that you have a different concern. 
>> 
>> I'm wondering if your underlying concern is how the CA server can determine that the key is actually on the smartcard. Is this correct? Is this your concern?
>> 
>> If email as a communication medium isn't working for this conversation I'd be happy to host a webex conference call with any interested attendees. Or I'd be happy to unicast my phone number to you for an offline conversation. 
>> 
>> - max
>> 
>>> Since EST-02 does not mention words like Browser, Middleware, and Tokens it is hard to believe that these items have gotten much consideration during the design.  This is nothing to get hung about
>>> because it applies to all PKIX enrollment schemes.
>>> 
>>> However, as a person involved in smart card deployments, I don't see the point hoping that somebody else will take care of the mess created by leaving half of the enrollment infrastructure undefined.
>>> 
>>> Anders
>>> 
>>> On 2011-08-19 19:28, Max Pritikin wrote:
>>>> Response inline,
>>>> 
>>>> On Aug 19, 2011, at 12:41 AM, Anders Rundgren wrote:
>>>> 
>>>>> Lets say you run a small Windows-only enterprise using the latest server and client versions.
>>>>> 
>>>>> Now, assume that you want to use smart cards instead of passwords.
>>>>> 
>>>>> Oops! You also need to purchase a $25 000 Forefront Identity Manager and then hire a really pricey smart card consultant who       knows all about drivers and cards.  Only government agencies would ever considering buying into that.
>>>>> 
>>>>> How does EST relate to this scenario?
>>>> This doesn't strike me as a technical discussion -- Microsoft's licensing/pricing policy is not based on technical protocol details. I don't work for Microsoft and am not in a good position to hypothesize about their business decisions nor do I think this is this the appropriate forum for that discussion. 
>>>> 
>>>> We could have an interesting discussion about the role of a consistent message from the standards community in driving interoperability amongst vendors. But that isn't technical in nature either.
>>>> 
>>>> The best I can offer is the observation that Microsoft's current offerings include a undocumented(?) profile of CMC combined with a non-RFC5273 related transport. Additionally Microsoft's new work includes a newer MS-WSTEP SOAP based enrollment protocol which is interesting but is also proprietary and includes dependencies on SOAP, WS-Security and WS-Trust that I think is overkill. Similarly VerSign has a web services api which is consistent with Microsoft's ideas but is not interoperable.  
>>>> 
>>>> Broadly, I argue that EST provides clarify regarding the existing CMC and CMC Transport options in a way that meets the requirements exposed by those non-standards based implementations and drives interoperability. I would like to work more closely with both Microsoft and Versign on their recent efforts in this area and have appreciated the conversations I've had with them about these technologies. Their input has been valuable in forming my personal opinions which helped shape the EST drafts. (Albeit with continued gaps regarding the SOAP/WS stack).  
>>>> 
>>>> I continue to hope that EST helps drive greater interoperability which I believe will address some of your non-technical concerns. I believe that our focus, in this forum, is to move the IETF PKIX standards forward. It is interesting to compare and understand our efforts in regards to proprietary solutions from various vendors -- and I strongly believe in working together as a community -- but ultimately some product teams are going to explore their own non-standards based solutions and we can't let ourselves be too distracted by that. 
>>>> 
>>>> - max
>>>> 
>>>>> Anders
>>>>> 
>> 
>

v2.46.0 | Report a Bug | By Email | System Status