Re: PKI Resource Discovery - Proposal for a new Working Item
"Anders Rundgren" <anders.rundgren@telia.com> Sun, 15 July 2007 05:44 UTC
From: Anders Rundgren <anders.rundgren@telia.com>
To: Massimiliano Pala <pala@cs.dartmouth.edu>, pkix <ietf-pkix@imc.org>
References: <46969D31.1000803@cs.dartmouth.edu>
Subject: Re: PKI Resource Discovery - Proposal for a new Working Item
Date: Sun, 15 Jul 2007 06:56:02 +0200
Hi Max,

In case you find that there is limited interest in PRQP, I encourage you to explore other avenues in this space.

As the OpenCA Program Manager, I guess you are aware of the fact that on-line provisioning of certificates is not fully standardized? One could consider Xenroll a standard since it is supported by 80% of the browsers used in PCs. However, Xenroll is not supported by more than a tiny fraction of mobile browsers. The latter is an interesting target given the 3Bn+ users that will most likely use mobile phones as their primary, always connected Internet channel. Theoretically one could distribute keys in SIM cards, but for practical reasons like operator lock, limited storage, and poor processing capability, TPMs as defined by TrustedComputingGroup look like a better candidate for the universal mobile "key-ring". Various radio-technologies potentially also open these keys for desktop usage where the phone becomes a "security device" including an integrated PIN-code terminal.

Although there is also the [not by MSFT supported] JavaScript method generateCRMFrequest(), it is actually rather primitive compared to Xenroll, since only the latter allows multiple passes which can be quite useful. In fact, IETF's recently launched KEYPROV activity deals with up to four passes (!) for the provisioning of symmetric keys. I consider the KEYPROV way of doing things superior to Xenroll and generateCRMFrequest, since it does not expose an API, just a pure XML protocol giving a uniform user experience and an easier-to-secure implementation (APIs can be used in many ways, while strictly defined XML schema-based protocols give little room for misusage).

===============================================
Anyway, I am currently in a _v_e_r_y_ early stage of addressing this topic and would not mind cooperation with other knowledgeable people.
===============================================

Regarding PRQP, I still feel a little bit puzzled regarding the resources it is supposed to discover. A few examples would not hurt.

Regards
Anders

----- Original Message -----
From: "Massimiliano Pala" <pala@cs.dartmouth.edu>
To: "pkix" <ietf-pkix@imc.org>
Sent: Thursday, July 12, 2007 23:29
Subject: PKI Resource Discovery - Proposal for a new Working Item

Hi all,

some time ago I posted a message about a proposal for a PKI Resource Discovery Protocol (PRQP), which I finally formalized and submitted as an I-D. Unfortunately, because the deadline was already over, it will probably not be published on the ietf archive before the next meeting.

Thanks to all of you who actually helped me and provided useful comments.

At this point we would like to know if the WG would like to take this as a working item as we really think it could improve the usability and interoperability of PKIs (especially for isolated PKI islands or in environments like Grids).

The proposed I-D can also be found here:
https://www.openca.org/projects/libprqp/docs/draft-pala-prqp-00.html
or here:
https://www.openca.org/projects/libprqp/docs/draft-pala-prqp-00.txt

I hope there will be time to talk about the proposal at the meeting in Chicago.

--
Best Regards,
Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]          pala@cs.dartmouth.edu
                                                    project.manager@openca.org
Dartmouth Computer Science Dept                     Home Phone: +1 (603) 397-3883
PKI/Trust - Office 063                              Work Phone: +1 (603) 646-9179
--o------------------------------------------------------------------------