IETF Logo Mail Archive

Re: [lamps] Interest to standardize PKI REST APIs?

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Fri, 07 June 2019 17:22 UTC

Return-Path: <hendrik.brockhaus@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A642D120020 for <spasm@ietfa.amsl.com>; Fri, 7 Jun 2019 10:22:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=siemens.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0J2a9Da3iW1R for <spasm@ietfa.amsl.com>; Fri, 7 Jun 2019 10:22:56 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-db3eur04on060d.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0c::60d]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5911912012D for <spasm@ietf.org>; Fri, 7 Jun 2019 10:22:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.onmicrosoft.com; s=selector2-siemens-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6XRG/Q7jYM0wvdrHx1NLe/RtwUydfdScvOUmMlK5Ww4=; b=C+WqBXoUbusE3Vhvz7qUKEqsp+mxmbzV5Wmaxm6ODyN4/W2eXK4vypaXMz2Wq3DN75LKsskyTOrPpsZl5bWJktfprA1pAN04dCsWWoBM55UI6O6UtLKgLA4w5AB+KSC8GyZxEYBP2gQgRTm1ydogGV8ZDNex/K8OvixLsYDWq8Q=
Received: from AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM (20.177.110.224) by AM0PR10MB2562.EURPRD10.PROD.OUTLOOK.COM (20.178.119.224) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1965.15; Fri, 7 Jun 2019 17:22:53 +0000
Received: from AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM ([fe80::a1d3:2a6c:c2ff:2fa3]) by AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM ([fe80::a1d3:2a6c:c2ff:2fa3%7]) with mapi id 15.20.1965.011; Fri, 7 Jun 2019 17:22:53 +0000
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Tomas Gustavsson <tomas.gustavsson@primekey.com>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Interest to standardize PKI REST APIs?
Thread-Index: AQHVGHCvl8HgPTUm30+9zuWHsj3AZKaQehew
Date: Fri, 07 Jun 2019 17:22:53 +0000
Message-ID: <AM0PR10MB2402726EDDA7074FEDFF917DFE100@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM>
References: <AM0PR10MB24028210BCE560C64195A74EFE320@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <AM0PR10MB2402B5BB06E4FB59A8ECB16BFE060@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <AM0PR10MB2402C7C1AAA09EABF047F0CEFE1D0@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <29FAEBF1-2D67-469F-BE78-AF58F78D055E@vigilsec.com> <BN7PR11MB2547D526E00CE7C5DDCDB3E9C91E0@BN7PR11MB2547.namprd11.prod.outlook.com> <17374.1559083024@localhost> <HE1PR0701MB24447D45A6A7461DEC49FE7B9B1F0@HE1PR0701MB2444.eurprd07.prod.outlook.com> <12129.1559329924@localhost> <7f83213b-2e63-57f5-5a1a-956d47b58683@primekey.com>
In-Reply-To: <7f83213b-2e63-57f5-5a1a-956d47b58683@primekey.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-document-confidentiality: NotClassified
authentication-results: spf=none (sender IP is ) smtp.mailfrom=hendrik.brockhaus@siemens.com;
x-originating-ip: [80.146.228.122]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 03effb07-a912-4315-41f3-08d6eb6cc666
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020); SRVR:AM0PR10MB2562;
x-ms-traffictypediagnostic: AM0PR10MB2562:
x-ms-exchange-purlcount: 1
x-ld-processed: 38ae3bcd-9579-4fd4-adda-b42e1495d55a,ExtAddr
x-microsoft-antispam-prvs: <AM0PR10MB256257E5B4F2E865572C61C1FE100@AM0PR10MB2562.EURPRD10.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0061C35778
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(396003)(366004)(346002)(376002)(136003)(189003)(199004)(476003)(7696005)(66574012)(486006)(11346002)(99286004)(446003)(5660300002)(2501003)(53936002)(33656002)(68736007)(6506007)(26005)(25786009)(52536014)(186003)(256004)(2906002)(45080400002)(102836004)(66066001)(76176011)(14454004)(66446008)(66556008)(66946007)(64756008)(73956011)(76116006)(7736002)(66476007)(305945005)(110136005)(316002)(6306002)(6116002)(55016002)(3846002)(86362001)(71200400001)(71190400001)(9686003)(478600001)(966005)(81166006)(14444005)(81156014)(8936002)(6436002)(8676002)(74316002); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR10MB2562; H:AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: siemens.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: /Sw/7nLBYVSRcgR2VcmtjHJWxceDitYVoBJyhPwPIYOSKgWwtP/RDmTA7ziIpUZ4IPaKk/YZtwP5VJRw1zxGzPub7eM2rLcaYUb/fnk6+6vZbovbgtnpCKyIUpG/tmyy79s5P4c5QJ05XXZg5z5K8AB49iKe8vKTMtqi1xrQsvZiZEAhsJq/Yd61nNMFvf4RyQ7vjzNxj8a1rWoI1GlkMqpvFN1LtxTB+RnLFux72BNjt3FMS76c3uEVxkd2AC1CoNdLXGn4gf9dq6HQ6a+WZaLAUPceyqWPiu2DJcPMLiOF7YtUGiDnvuyQz66y2iaj3NHB32RA6DmzzI1yyLJVAVmB6BLxZspPh6Ud71MslCv7o31aDdLBSYa0OqjYQ8wHry2MVzjobsv8cZzq0dxbuanNqO3oz7Byq8DE2n8YcJA=
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 03effb07-a912-4315-41f3-08d6eb6cc666
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Jun 2019 17:22:53.5310 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: hendrik.brockhaus@siemens.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR10MB2562
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/C6zwSbgAu2Def5BFRZIaxqPDDGQ>
Subject: Re: [lamps] Interest to standardize PKI REST APIs?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Jun 2019 17:23:00 -0000

Hi Tomas

I fully understand your pain implementing many different proprietary APIs and I also dislike such proprietary APIs for certificate management. Typically such proprietary APIs or protocols lack the desired security features a certificate management protocol developed by an IETF Security WG offer.
That is the reason to enhance the usability of existing standards like CMP. This may also hold true for the request for RESTful APIs especially from cloud developer.

I think we need to first collect the required certificate management use cases and check if they are addressed by existing protocols.
Then I see two approaches:
- Develop a new certificate management protocol using standard functionality of REST frameworks and learn from or even copy parts from existing protocols. 
- Take an existing certificate management protocol, e.g. CMP, adapt the transport to REST APIs and adapt the transaction concept slightly to allow a state-less server.
As already said, I dislike to develop further certificate management protocols. I think there are enough around already. Therefor I would prefer the second approach. But finally the solution must be acceptable to the target audience of developers asking for REST APIs for certificate management.

Are there also other opinions in the WG?

Hendrik

> -----Ursprüngliche Nachricht-----
> Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Tomas Gustavsson
> Gesendet: Samstag, 1. Juni 2019 13:54
> An: spasm@ietf.org
> Betreff: [lamps] Interest to standardize PKI REST APIs?
> 
> Hi,
> 
> This is a continuation of a topic that appeared in another thread, that I chose
> to start another thread about to not diverge the original thread. (original
> thread [lamps] Support for working on the lightweight CMP profile). Consider
> this an exploratory discussion.
> 
> - Background:
> Today RESTful APIs are popular due to the simplicity of implementation on
> the client and on the server. I myself has worked with implementation on
> servers and clients for a range of standard APIs (such as SCEP, CMP, EST,
> ACME, PKCS#11 and more). I also find REST APIs engaging to work with as
> you don't need any special client software. If implementing in Java you just
> go at it with the standard API, if scripting you just use curl, etc. You also
> typically get easy to parse error messages back in JSON format. Very nice and
> easy.
> 
> - Benefits of standard APIs
> Using standard APIs you get less lock-in effects. Less lock-in is typically good
> for the whole industry and use base long-term. Using standard APIs an end
> user can replace various components (clients, RA,
> CA) in their system to other vendors if they so desire. We have seen this
> work in practice, replacing CA technology components transparently for the
> rest of the system, quick and cost effective.
> IETF has been very good at producing industry wide standards used across
> multiple verticals.
> 
> - Current REST-like protocols
> In lamps/pkix we have a couple of RESTlike APIs today.
> ACME for enrolling server certificates. A protocol for a specific purpose, but
> gaining popularity due to the easiness of implementing clients (often as
> scripts).
> EST is perhaps not a strict REST API but can be used in a similar form on the
> client side. All you need is openssl and curl to use it from the client side.
> 
> - Current limitations
> In many deployments there are three components: client - RA - CA. EST and
> ACME typically runs on the client-RA side. EST also runs on the RA-CA side in
> simpler use cases. For more complex use cases, where say revocation is also
> needed it's more common to use CMP or a proprietary SOAP or REST API on
> the RA-CA side. Just to make this single point, the current REST-like APIs does
> not have revoke (EST has full-CMC method but that makes it complete non-
> REST-like and harder to implement).
> 
> - Current "full" REST APIs
> Various products have REST APIs. These are proprietary (completely natural
> as there are no standards) and thus clients/RAs/CAs suffer from having to
> implements multiple REST APIs in order to be interoperable with various
> vendors.
> 
> - Probe:
> Do others see the need/interest to standardize a more "full" REST API?
> We see requests and customer interest for REST APIs. Some of the
> requested REST functionality could very well be standardized, while some are
> more product specific and could be harder.
> 
> Do others see the same?
> 
> - Disclosure:
> I work for PrimeKey, a vendor who implements the (open source) CA
> software EJBCA.
> 
> Regards,
> Tomas
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww
> .ietf.org%2Fmailman%2Flistinfo%2Fspasm&amp;data=02%7C01%7Chendrik.
> brockhaus%40siemens.com%7Cdf45bd27b9c241677a3a08d6e687d111%7C38a
> e3bcd95794fd4addab42e1495d55a%7C1%7C0%7C636949868334006281&amp;
> sdata=rUYwh%2BPG4ZIdPzUYSWBOv1OvDb23N7fdHbyUOCup1dw%3D&am
> p;reserved=0

v2.23.0 | Report a Bug | By Email