Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)
Anders Rundgren <anders.rundgren.net@gmail.com> Tue, 11 November 2014 04:41 UTC
Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09DBE1AD50F for <pkix@ietfa.amsl.com>; Mon, 10 Nov 2014 20:41:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Klt3ENwoKk-T for <pkix@ietfa.amsl.com>; Mon, 10 Nov 2014 20:41:50 -0800 (PST)
Received: from mail-wg0-x22a.google.com (mail-wg0-x22a.google.com [IPv6:2a00:1450:400c:c00::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 338C41AD512 for <pkix@ietf.org>; Mon, 10 Nov 2014 20:41:50 -0800 (PST)
Received: by mail-wg0-f42.google.com with SMTP id k14so10543763wgh.15 for <pkix@ietf.org>; Mon, 10 Nov 2014 20:41:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=LFZvPLjAImUUUuUJvZN7zwt3aVdVXY403xElqvUjVLs=; b=XWtCvODAL7fZ8QwtEEYtzTG5Xm3OSn/LINybNEPVX1Qqtfq8CtqQhTN8bgeDTnl59O APHjGxIjFjb2k5D/tu7P8iCe51LmWtklnvOJyMbEkLLs+wTN/e+cllOEfFhluVL1dueJ AYNjbbJtmNCNE2KVrgruj6Dn6zzVGoV7ddqy55QvNOBSmMn4PARTGfBcUBEx4P0xsfe9 z/JZrm1Qq2fhaSEmTEIf/DZBTl3VGF22YPjZDiD1oFopk8NDpCFml96zN9nyck+w5/K9 +jsMz6P9tsubztmenVoVc2WQ9eA+Iragk8UQKnhpDh4+TexdTWJIViGaE4fGRznLCKKI DsDA==
X-Received: by 10.194.77.4 with SMTP id o4mr50562056wjw.41.1415680908762; Mon, 10 Nov 2014 20:41:48 -0800 (PST)
Received: from [192.168.1.79] (13.118.176.95.rev.sfr.net. [95.176.118.13]) by mx.google.com with ESMTPSA id cm18sm1964176wjb.25.2014.11.10.20.41.47 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 10 Nov 2014 20:41:48 -0800 (PST)
Message-ID: <54619388.9000001@gmail.com>
Date: Tue, 11 Nov 2014 05:41:44 +0100
From: Anders Rundgren <anders.rundgren.net@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: "Dr. Massimiliano Pala" <massimiliano.pala@gmail.com>, pkix@ietf.org
References: <9A043F3CF02CD34C8E74AC1594475C739B9DB295@uxcn10-5.UoA.auckland.ac.nz> <D941FEB2-CC8D-4D9C-9496-F7C28B5E0C41@cisco.com> <54616B61.7000307@gmail.com>
In-Reply-To: <54616B61.7000307@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/tsgjR59egmtUOYO3LHWB8NNonxk
Subject: Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Nov 2014 04:41:54 -0000
On 2014-11-11 02:50, Dr. Massimiliano Pala wrote: If we stick to personal computing devices they are de-facto defined by only 3 giant US vendors. They are not interested in even discussing what they see as potentially valuable, particularly not in a public mailing list. Anyway, none of the PKIX protocols support provisioning of two-factor credentials (Key + PIN). This may sound like a minor problem to fix but such a scheme requires the protocol having the key-container as the true end-point rather than the client/P11. The same is valid for key attestation. For IoT, like smart meters there are since years back specific solutions based on non-X.509 certificates. When the work with EST started it was taken for granted that ASN.1, PKCS #10 etc. would be a requirement. However, it seems that JSON have taken ASN.1's role for new developments also in IETF, here thinking of the JOSE suite. Anders > Hi all, > > I read the thread for a while. I actually do remember that there was a > presentation for SCEP and a request for that to be adopted as a working > item in this group that was refused based on the fact that we already > have IETF protocols for that. > > If this argument till stands, than any work on this item (or its > successor) should be informational and not WG. > However, I think it would be useful to resume a conversation about the > status of enrollment protocols - in particular, if the current PKIX WG > sponsored RFC are not used in the real world (maybe too complex or too > many options?) maybe we should address the issue and work on an > easier-to-deploy solution..??? After all, what is the use of a standard > if nobody uses it in the real world? If that is the case, I think we > need to be humble and admit the limits of the current standards and > design a pattern to move forward. > > It could also be that we like the status quo and leave things as they > are today - if the majority of people are happy with what we have today. > Can we have a poll about "is there a need to review/amend/simplify PKIX > work for certificate enrollment" ? > > Max Pritikin: I would be interested to meet and talk, can you please > include me in the discussion/meetings about this? > > Last consideration: Although I am not the WG chair, and it is not my > role, I would like to keep the discussion in check. I have the > impression that the topic is somewhat overloaded with non-technical > aspects and I hope we can, instead, focus on technical aspects and on > what is needed rather than on how this was handled in the past. > > Cheers, > Max > > >> On Nov 7, 2014, at 1:03 PM, Max Pritikin (pritikin) <pritikin@cisco.com> wrote: >> >> >>> On Oct 29, 2014, at 6:35 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote: >>> >>> I've spent the time since the last exchange of messages on this thread talking >>> to various SCEP users over their requirements. It turns out that the figure >>> I'd previously posted, of half a billion SCEP devices in active use, was >>> rather an underestimate. SCEP seems to be pretty much the universal device- >>> provisioning protocol for non-PC/laptop devices, including mobile phones, >>> SCADA devices, gaming machines, ATMs, firewalls, and so on. It's also been >>> described to me as the standard BYOD provisioning protocol, its use for this >>> being so widespread that Server 2012 even added new, extra capabilities for >>> dealing with BYOD use via SCEP (Windows Server 2008 and 2012 are pretty much >>> the standard server implementations for dealing with this sort of thing). As >>> one person told me, "if a device speaks anything, it'll speak SCEP". >>> >>> So, no matter how much Cisco would like to forget about it, it's extremely >>> widely used, and there's no sign that this is going to change in the future. >>> To paraphrase something someone said many years ago about IBM, "SCEP isn't the >>> competition, it's the environment”. >> >> Agreed! We can’t “forget” about it. This is why we paid so much attention to the process flow of SCEP when designing EST to insure minimal pain. >> We also need to be able to move forward to suite-b and better client authentication methods. Thus the reason we had to describe something beyond SCEP (which can’t support these improvements). This led to the specific CMC profile that is EST. >> >>> >>> To that end I'd like to request that the SCEP authors give me (or someone else >>> who cares about it, e.g. one of the JSCEP folks) change control over the >>> document so that we can finally get this published. I submitted a list of >>> changes for the current doc ages ago but things seem to have stalled since >>> then (the changes were minor things that have come up in real-world usage, >>> clarifications to the doc, places where ~15-year-old remnants still exist next >>> to current ones, and just a general cleanup of the neglect that it's had for >>> the last decade or so, it still talks about MD5 and single DES for example, >>> but doesn't mention that newfangled AES thing that everyone's talking about). >>> >>> Given that it's been more or less abandoned by Cisco, I'd like to finish the >>> editing for it and finally get it published as an RFC so that the vast number >>> of devices out there using it, and that will use it in the future, have a >>> fixed standard that they can refer back to. >> >> I’ll be at IETF next week. Lets meet with any interested parties and figure out a path forward. >> >> A question: How is updating "half a billion SCEP devices” to a new version of SCEP any different than updating them to EST or similar? >> >> - max >> >>> >>> Peter. >> >> _______________________________________________ >> pkix mailing list >> pkix@ietf.org >> https://www.ietf.org/mailman/listinfo/pkix > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix >
- [pkix] Simple Certificate Enrollment Protocol (SC… Erik Andersen
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Michael Jenkins
- Re: [pkix] Simple Certificate Enrollment Protocol… Erik Andersen
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Miller, Timothy J.
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- [pkix] SCEP Stephen Kent
- Re: [pkix] Simple Certificate Enrollment Protocol… Miller, Timothy J.
- Re: [pkix] Simple Certificate Enrollment Protocol… Jeffrey Walton
- Re: [pkix] Simple Certificate Enrollment Protocol… Paul Hoffman
- Re: [pkix] Simple Certificate Enrollment Protocol… Sill, Alan
- Re: [pkix] Simple Certificate Enrollment Protocol… Stephen Kent
- Re: [pkix] Simple Certificate Enrollment Protocol… Melinda Shore
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Stephen Kent
- Re: [pkix] Simple Certificate Enrollment Protocol… Paul Hoffman
- Re: [pkix] Simple Certificate Enrollment Protocol… Stephen Kent
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Max Pritikin (pritikin)
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Jeffrey Walton
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Dr. Massimiliano Pala
- Re: [pkix] Simple Certificate Enrollment Protocol… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Max Pritikin (pritikin)
- Re: [pkix] Simple Certificate Enrollment Protocol… Dr. Massimiliano Pala
- [pkix] Derived Credentials. Was: Simple Certifica… Anders Rundgren
- Re: [pkix] Simple Certificate Enrollment Protocol… Peter Gutmann
- Re: [pkix] Simple Certificate Enrollment Protocol… Max Pritikin (pritikin)
- Re: [pkix] Simple Certificate Enrollment Protocol… Max Pritikin (pritikin)
- Re: [pkix] Derived Credentials. Was: Simple Certi… Anders Rundgren
- Re: [pkix] Derived Credentials. Was: Simple Certi… Max Pritikin (pritikin)
- [pkix] New Microsoft Enrollment system. Was: Simp… Anders Rundgren
- Re: [pkix] Derived Credentials. Was: Simple Certi… Johannes Merkle
- Re: [pkix] Derived Credentials. Was: Simple Certi… Johannes Merkle
- Re: [pkix] Derived Credentials. Was: Simple Certi… Anders Rundgren
- Re: [pkix] Derived Credentials. Was: Simple Certi… Anders Rundgren
- Re: [pkix] Derived Credentials. Was: Simple Certi… Anders Rundgren