Re: [saag] Comment added to draft-gutmann-scep history
Peter Gutmann <pgut001@cs.auckland.ac.nz> Sat, 14 July 2018 03:07 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3362D130E97; Fri, 13 Jul 2018 20:07:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fITPdDpHa3K5; Fri, 13 Jul 2018 20:07:55 -0700 (PDT)
Received: from mx4-int.auckland.ac.nz (mx4-int.auckland.ac.nz [130.216.125.246]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F23B7130DD8; Fri, 13 Jul 2018 20:07:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1531537675; x=1563073675; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=lj1ltJ257v92wureoECYF0yEp5bKWvXPyu65aQci3hA=; b=QDLl/PW8RVrXcfk5jvFsbaERn8p3NLYmFZYhxhgq0SEi97SFDHOy/Hir AhhWYO6b69Gn4CdajXnpibyEDJabBe7l7BqH6SM5Sy57OEI8IPQCab3Sn lmW+oSD4b+3a6cTDt0HIUHsY6ZmNYXKJfAE0oaRjyInMn9S8MiB3nJtKz Jm9Ek7TmGhU6H4Dpvh5kkPITI+5cW0lMVyfmpJsI8OFpBCHqoD81xM9Pn Ygb+PdCp+wA56ovwCcY7kKUGSrz8fNFGt1FFyXL0GKDSBGbdZlkrLFCCH WDqo1eDZIoKVesTrbLNQ+4ZYIVLbby0JmBOQvORe5RVWO3Ws5GBgmGYl8 A==;
X-IronPort-AV: E=Sophos;i="5.51,350,1526299200"; d="scan'208";a="21125198"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.2 - Outgoing - Outgoing
Received: from smtp.uoa.auckland.ac.nz (HELO uxcn13-tdc-a.UoA.auckland.ac.nz) ([10.6.3.2]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 14 Jul 2018 15:07:49 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-tdc-a.UoA.auckland.ac.nz (10.6.3.22) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Sat, 14 Jul 2018 15:07:42 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1263.000; Sat, 14 Jul 2018 15:07:42 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Alexey Melnikov <alexey.melnikov@isode.com>, "draft-gutmann-scep@ietf.org" <draft-gutmann-scep@ietf.org>, "carl@redhoundsoftware.com" <carl@redhoundsoftware.com>
CC: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] Comment added to draft-gutmann-scep history
Thread-Index: AQHTx0JalykNlRFNLEeHWmw80fOk66PxVi1qgCgcEDyAL8YogIBEQ8VngAE0nSA=
Date: Sat, 14 Jul 2018 03:07:42 +0000
Message-ID: <1531537625942.57273@cs.auckland.ac.nz>
References: <152231658869.24008.11321959845877039592.idtracker@ietfa.amsl.com> <1522887334433.4490@cs.auckland.ac.nz> <1525092187804.38190@cs.auckland.ac.nz>, <bcb96609-a4fd-faf6-cf07-12b9f1fe7df0@isode.com>, <1531471734017.88813@cs.auckland.ac.nz>
In-Reply-To: <1531471734017.88813@cs.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/EdeWTmJN3BfgX_xpV9Obbu3DaPU>
Subject: Re: [saag] Comment added to draft-gutmann-scep history
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Jul 2018 03:07:58 -0000
I wrote: >I could perhaps add a note somewhere at the start saying that SCEP, like any >number of other PKI protocols, uses HTTP as a universal substrate, and that >you shouldn't expect that doing something HTTP-ish like setting a Content- >type will actually have any effect? A reference to RFC 3205/BCP 56 should >probably accompany that. How about this: -- Snip -- Like many other Internet protocols, SCEP uses HTTP as a universal substrate, for more on the implications of this see <xref target="BCP56">BCP 56</xref>. While SCEP messages are carried over HTTP transport, neither the client nor the server is likely to be a conventional HTTP-speaking web server or client, providing only the minimum functionality required for HTTP transport, see the "HTTP Considerations" section of <xref target="RFC6712">RFC 6712</xref> for more on this. Implementations SHOULD NOT use complex HTTP mechanisms such as chunked encoding, Expect/Continue, HTTP redirects, and similar facilities. To guard against establishing an erroneous connection to any of the myriad other devices and services that speak HTTP, SCEP servers MAY choose to respond to non-SCEP requests, for example a GET from a web browser, with an HTML diagnostic message notifying the client that they're talking to the wrong server or service. Similarly, clients MAY check for an HTML response from the server and report a configuration error, for example that the client is connecting to the wrong server or port on a server. -- Snip -- The latter is particularly useful, my code has been doing that for quite some time to deal with "the client/server is broken, it's not getting certificates". The problem invariably is that they've specified the wrong server name/IP address, or forgotten to specify a port so the default 80 is used, or there's a proxy in the way that redirects the connection to a web server on 80 rather than a SCEP server on 80, or something similar. Maybe we need an updated BCP 56 that provides info on the general use of HTTP as a substrate and how to deal with it that every other HTTP-as-substrate- using RFC can refer to (no, I'm not volunteering to write it :-). Peter.
- Re: [saag] Comment added to draft-gutmann-scep hi… Peter Gutmann
- Re: [saag] Comment added to draft-gutmann-scep hi… Max Pritikin (pritikin)
- Re: [saag] Comment added to draft-gutmann-scep hi… Alexey Melnikov
- Re: [saag] Comment added to draft-gutmann-scep hi… Alexey Melnikov
- Re: [saag] Comment added to draft-gutmann-scep hi… Max Pritikin (pritikin)
- Re: [saag] Comment added to draft-gutmann-scep hi… Peter Gutmann
- Re: [saag] Comment added to draft-gutmann-scep hi… Peter Gutmann
- Re: [saag] Comment added to draft-gutmann-scep hi… Benjamin Kaduk
- Re: [saag] Comment added to draft-gutmann-scep hi… Patrick McManus
- Re: [saag] [FORGED] Re: Comment added to draft-gu… Peter Gutmann
- Re: [saag] Comment added to draft-gutmann-scep hi… Peter Gutmann
- Re: [saag] Comment added to draft-gutmann-scep hi… Patrick McManus
- Re: [saag] Comment added to draft-gutmann-scep hi… Alexey Melnikov
- Re: [saag] Comment added to draft-gutmann-scep hi… Alexey Melnikov
- Re: [saag] Comment added to draft-gutmann-scep hi… Peter Gutmann
- Re: [saag] Comment added to draft-gutmann-scep hi… Alexey Melnikov
- Re: [saag] Comment added to draft-gutmann-scep hi… Peter Gutmann
- Re: [saag] Comment added to draft-gutmann-scep hi… Alexey Melnikov
- Re: [saag] Comment added to draft-gutmann-scep hi… Peter Gutmann