IETF Logo Mail Archive

Re: [saag] Comment added to draft-gutmann-scep history

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 13 July 2018 08:49 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CB8F130E0E; Fri, 13 Jul 2018 01:49:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s_DWaDfgxJpS; Fri, 13 Jul 2018 01:49:36 -0700 (PDT)
Received: from mx4-int.auckland.ac.nz (mx4-int.auckland.ac.nz [130.216.125.246]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C54B130E92; Fri, 13 Jul 2018 01:49:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1531471776; x=1563007776; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=+sr4Rhu8h4WebzGjl0qYvZhBwzbe7xo6vKVclb5BhHw=; b=kDLLpsr+qywBKK3aPdIGXWQSJafOoO8znjpTYJNHbbFNnRr7J+cUM7Uu QxTmmoiKIgoWVJw5xHj41QJW8LP3Qro+rcG5kmOL8X1KH0FhPr53iz5YF JdFv3CBQIjO7Mloq9aHLDM1wPXNs6zE68djQeAnWWIIlTELzPRPlqKzDD XiLgFoNJZZdnZdHgrvnSqCXZXSsOclDDWKvC4dvt5kuu65fdNESWOZ3mO ZZNAm5hbkfHZrSkdqLzMwBDAysgWq/SsJvv6k5aURNy2TBxby1x08A92/ Z37SN9XVcExyq9GYH1O5OOLWrA60EoZsfLKoDcgMTy8/8sYUxyLehyXTS Q==;
X-IronPort-AV: E=Sophos;i="5.51,347,1526299200"; d="scan'208";a="21036736"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.5 - Outgoing - Outgoing
Received: from uxcn13-tdc-d.uoa.auckland.ac.nz ([10.6.3.5]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 13 Jul 2018 20:49:29 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-tdc-d.UoA.auckland.ac.nz (10.6.3.5) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 13 Jul 2018 20:49:29 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1263.000; Fri, 13 Jul 2018 20:49:29 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Alexey Melnikov <alexey.melnikov@isode.com>, "draft-gutmann-scep@ietf.org" <draft-gutmann-scep@ietf.org>, "carl@redhoundsoftware.com" <carl@redhoundsoftware.com>
CC: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] Comment added to draft-gutmann-scep history
Thread-Index: AQHTx0JalykNlRFNLEeHWmw80fOk66PxVi1qgCgcEDyAL8YogIBEQ8Vn
Date: Fri, 13 Jul 2018 08:49:28 +0000
Message-ID: <1531471734017.88813@cs.auckland.ac.nz>
References: <152231658869.24008.11321959845877039592.idtracker@ietfa.amsl.com> <1522887334433.4490@cs.auckland.ac.nz> <1525092187804.38190@cs.auckland.ac.nz>, <bcb96609-a4fd-faf6-cf07-12b9f1fe7df0@isode.com>
In-Reply-To: <bcb96609-a4fd-faf6-cf07-12b9f1fe7df0@isode.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/v6q4yB_K7rYmfro7rUVqkUcyIig>
Subject: Re: [saag] Comment added to draft-gutmann-scep history
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2018 08:49:40 -0000

Alexey Melnikov <alexey.melnikov@isode.com> writes:

>1) I need help with you flagging to me which text was modified in the past
>due to comment. I might agree or disagree with these changes and they might
>be highlighting sections which might need more work anyway.

Ahhh... how much of a list do you want?  There's an awful lot of emails to go
through (maybe two years' worth of comments) to sort it all out, and most of
it is pretty uninteresting.  If you're OK with dealing with it on a case-by-
case basis (e.g. "this particular bit of text was based on comments about X
and Y") that would make it easier.

>If you can convince me that #2 is not an issue, then I suggest adding a note
>to the document saying that it is using a bunch of MIME types that are not
>registered (or have different registered aliases, but used here for historic
>reasons). I am happy to suggest some text.

That would be good, thanks.  Since it's a case of "Types in this tree cannot
be registered", I don't see how they could be registered without renaming
them, which breaks compatibility with all existing implementations, and the
primary goal of the draft was to keep it bits-on-the-wire identical to what's
been in use the entire time (modulo single DES + MD5 vs. AES + SHA-2).

In terms of:

>2) if I have a general Web Server that happens to return different MIME types
>here (because there are other already registered MIME types that mean the same
>thing), is this going to be a problem for SCEP clients?

I don't think so for two reasons, firstly I'm not aware of anyone actually
doing SCEP using a standard web server, it's always a standalone SCEP
application that isn't a web server (if anyone is implementing SCEP as a CGI
for a conventional web server, please speak up, I've never heard of one), and
secondly I don't know if anyone actually looks at the MIME types.  I wouldn't
want to put money on that, no doubt some client or other will break if you
change the strings, but I'd say that a lot of clients won't care what the
value is.

>I think either ABNF (which is pretty universally used in IETF RFCs) or in
>free text form which sort of looks like HTTP request line, but isn't. Please
>pick one and I can suggest some small specific edits to reflect that.

That would be really useful, thanks.  I think ABNF is best.

>I would like to use ABNF terminal for this and only explain that the path is
>typically as you describe only in one place in the document. 

OK, will that be part of the text above?  If you've got some appropriate
wording to put in that'd be helpful.

>As above: pick between ABNF and free form text and I can suggest some
>specific edits.

ABNF, thanks.

>So AES and SHA-2 are absolutely Normative references.

OK, I've added AES and SHA-2 refs.

>I am actually Ok with no mentioning ACME, but the text in the introduction
>reads like it is arguing that SCEP is the best thing since bread and butter
>and I don't believe what it is trying to say is accurate.

Hmm, it's just saying that it's widely used, which is why it's being
documented, it doesn't try and claim it's particularly good... the comparisons
to CMP and CMC didn't appear until draft 17, with more changes in wording
around draft 22.  As far as I know this wording was purely political, PKIX
wanted everyone to use their CMP or CMC protocols and so the references were
added to appease PKIX.  Since the market appears to have made their choice
between { CMP, CMC, SCEP }, it's probably easiest to just remove any mention
of them, so that I don't have to engage in a comparative analysis of who knows
how many different management protocols (there's a lot more than CMC and CMP
out there now).  So I can just remove that entire paragraph apart from the
first sentence and merge that with the previous paragraph:

-- Snip --

X.509 certificates serve as the basis for several standards-based security
protocols such as <xref target="TLS">TLS</xref>, <xref target="SMIME">
S/MIME</xref>, and <xref target="IKEv2">IKE/IPsec</xref>.  When an X.509
certificate is issued there typically is a need for a certificate management
protocol to enable a PKI client to request or renew a certificate from a
Certificate Authority (CA).  This specification defines a protocol, Simple
Certificate Enrolment Protocol (SCEP), for certificate management and
certificate and CRL queries.

-- Snip --

That's a pretty basic statement of functionality without trying to get into a
comparative analysis of a load of different protocols and mechanisms, and one
which will hopefully upset the least number of people.

>> I have no idea... I mean I literally have no idea, I don't know what
>> implementations do in practice.  I know that in some cases with manual
>> approval it can take hours, but I'm not sure if that's typical.  It could be
>> seconds, minutes, hours...
>
>I suspect you will get a blocking DISCUSS comment on this in IESG review. But
>if you want to take your chances, I am Ok with no change.

I've added the following, which formalises what's in the above sentence:

  The frequency of the polling operation is a CA/client configuration issue,
  and may range from seconds or minutes when the issue process is automatic
  but not instantaneous, through to hours or days if the certificate issue
  operation requires manual approval.

>I think this is unclear, as I don't know what "leaf" means here. 

It's the certificate at the end of the chain, the EE certificate.  It's a
standard PKI term, I've tried to find a definitive reference for it but it's
just used without references in other places, e.g. RFC 4043, RFC 7671, non-
IETF locations like MS Technet, etc.

>Here is a speculative example: a future extension to SCEP decides to use JSON
>for returning this information. JSON will have a different media type. If a
>client ignores it, it might be unable to parse it. Using media type names for
>signalling payload format is one of the main benefits of using MIME.

The text there already says:

  The Content-type of the reply SHOULD be "text/plain".  Clients SHOULD ignore
  the Content-type, as older implementations of SCEP may send various Content-
  types.

Given that implementations have in the past sent all sorts of stuff as the
content type (GetCACaps appeared in draft 10 but it wasn't until draft 19 that
a content type was specified), and the text says you should ignore it, which
implementations do, it won't matter what anyone puts in there.  Up until
revision 19 of the draft there was no content type specified, so you could
potentially find anything in there.  It could be text/plain or text/json or...
audio/midi and they'll all be ignored equally.  As I mentioned earlier, I
doubt anyone runs a SCEP server on an actual web server, the MIME types and
whatnot were presumably just specified because you need to put something in
there as a content type.  So most likely the Content-type will never be used
to select an actual content type.

I could perhaps add a note somewhere at the start saying that SCEP, like any
number of other PKI protocols, uses HTTP as a universal substrate, and that
you shouldn't expect that doing something HTTP-ish like setting a Content-type
will actually have any effect?  A reference to RFC 3205/BCP 56 should probably
accompany that.

Peter.

v2.23.0 | Report a Bug | By Email