IETF Logo Mail Archive

Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)

Paul Hoffman <paul.hoffman@vpnc.org> Tue, 14 October 2014 15:22 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9244A1A88D0 for <pkix@ietfa.amsl.com>; Tue, 14 Oct 2014 08:22:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.647
X-Spam-Level:
X-Spam-Status: No, score=-3.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nU4CW66Q5xPq for <pkix@ietfa.amsl.com>; Tue, 14 Oct 2014 08:21:59 -0700 (PDT)
Received: from proper.com (Hoffman.Proper.COM [207.182.41.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBAC41A88F0 for <pkix@ietf.org>; Tue, 14 Oct 2014 08:21:58 -0700 (PDT)
Received: from [10.0.0.122] (rrcs-67-52-105-34.west.biz.rr.com [67.52.105.34]) (authenticated bits=0) by proper.com (8.14.9/8.14.7) with ESMTP id s9EFLON5007311 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 14 Oct 2014 08:21:26 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: proper.com: Host rrcs-67-52-105-34.west.biz.rr.com [67.52.105.34] claimed to be [10.0.0.122]
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <001001cfe7a0$52f31640$f8d942c0$@x500.eu>
Date: Tue, 14 Oct 2014 08:21:23 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <10AA61E0-BC44-4515-822D-8C9885C9D7EE@vpnc.org>
References: <9A043F3CF02CD34C8E74AC1594475C739B9CAF27@uxcn10-tdc05.UoA.auckland.ac.nz> <001001cfe7a0$52f31640$f8d942c0$@x500.eu>
To: Erik Andersen <era@x500.eu>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/uOnblvRoInphinR7zqmjCGsKlr0
Cc: PKIX <pkix@ietf.org>, WG15@iectc57.org, Carsten Strunge <CAS@energinet.dk>, Søren Peter Nielsen <soren.peter.nielsen@gmail.com>
Subject: Re: [pkix] Simple Certificate Enrollment Protocol (SCEP)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Oct 2014 15:22:02 -0000

On Oct 14, 2014, at 4:16 AM, Erik Andersen <era@x500.eu> wrote:

> Thanks for your quick answer.

Which, unfortunately, was wrong. SCEP's lack of standardization was not because PKIX had their own protocols: it was because it was a quick hack by Cisco for one scenario (IPsec certs) and people kept pointing out flaws that were only slowly fixed. That is, Cisco never wanted SCEP to be standardized because doing so would mean that they had to change their SCEP code to match the standardized version.

> The smart grid security folks want to use SCEP as normative reference in
> their specification.

Which SCEP? The on-the-wire protocol changed from draft to draft, and I believe that the final draft does not match Cisco's implementation. If you point at one draft, you will have terrible interoperability, and what interoperability you get will be to a flawed protocol. See below.


On Oct 14, 2014, at 7:09 AM, Stephen Kent <kent@bbn.com> wrote:

> Cisco developed and promoted SCEP without submitting it to the IETF, to compete
> with the cert management protocols that other vendors were developing. This
> end run of IETF process was not well received. I had first hand knowledge
> of how Cisco pushed SCEP because I served as CT for CyberTrust, a Web PKI
> CA, during this time.

Cisco consistently published drafts of SCEP without "submitting it to the IETF" because Cisco and Cisco's competitors didn't want to deal with having to change their codebases. This is a perfectly acceptable practice in the IETF, even though you doesn't like it in this case. Just to be clear: many of Cisco's competitors in the IPsec market were quite happy that Cisco bothered to document their proprietary protocol so that they could at least be bug compatible with Cisco. IIRC, there were at least four separate SCEP implementations at the last large IPsec Bakeoff that worked well with each other.

> Several later Cisco staff approached the IETF asking that SCEP be published as an RFC.
> They agreed that it could be labelled Historic.

There was also a discussion of labeling it Informational, because that was a more accurate description: it was a vendor-proprietary solution that was being documented so other vendors could interoperate if they wanted to, even though the solution was kinda sucky.

> (It did not offer alg agility, a
> feature that we required of all security protocols by that time.)

It did not offer a lot of stuff that a good cert enrollment protocol should offer; that wasn't the point.

> We were told
> that Cisco just wanted a stable reference for it, nothing more, and that they agreed
> it should be replaced with a more modern protocol.

Yes.

> So, Tim Polk and I re-wrote the seriously-flawed I-D that they had been repeatedly
> published (to keep it alive) as an individual submission.  We got very close to a
> reasonable version that could be published as Historic. Then, during lunch at an
> IETF meeting, a different Cisco staff member showed up to discuss the status of SCEP.
> At this lunch meeting he noted that the reason Cisco wanted an RFC number for SCEP
> (irrespective of the status)  was to be able to cite it in a submission to 3GPP!
> Apparently, this staff member had not been instructed to lie about their real intent.
> That  ended the discussion  of SCEP as an RFC.

Nice word, "lie". It indicates that everyone at Cisco has the same intent, and they are all instructed in what to say in public. Anyone working with the Cisco IPsec team at the time knows that such an assertion is demonstrably false, even though it makes for good drama here.

> Subsequently, another Cisco staff member came forward wanting to pursue a replacement
> for SCEP, with up-to-date features and and a broader focus.

This too is inaccurate because he wasn't "another" Cisco staff member, he was the one who had be stuck with maintaining SCEP in its waning years. He had first-hand understanding of where SCEP sucked and what to do about it.

> This proposal went
> through numerous revisions and received input from several sources. It became EST and
> it was issued as an RFC from PKIX.

If the "smart grid security folks" want to reference a well-written certificate enrollment protocol, they should stay the heck away from SCEP and point to EST.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email