Re: [lamps] Revocation Request Format?
"Dr. Pala" <madwolf@openca.org> Wed, 21 March 2018 13:23 UTC
To: spasm@ietf.org
References: <CAMm+LwjAP78hNL9Yaxqaf4K9RHYGk4M8ayJjCWt=F3_VN28cFQ@mail.gmail.com> <7E8301B2-B15E-4B3D-A559-4F29D8031F2A@vigilsec.com>
From: "Dr. Pala" <madwolf@openca.org>
Message-ID: <6a779839-fede-3d96-6ab9-993d0688e25f@openca.org>
Date: Wed, 21 Mar 2018 13:22:50 +0000
In-Reply-To: <7E8301B2-B15E-4B3D-A559-4F29D8031F2A@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/AX6uGoUsD3S0Oq7hK5tK5VLDYKM>
+1 to Russ's response.

Some solutions I saw deployed involve the "owner" of the account for those keys to sign a single CMS with the administrative (or account) key/certificate and then to submit the generated signed message through a web-portal.

Mass-revocation (or mass-any-pki-op) is not currently handled well with existing protocols, if I am not mistaken, unfortunately. So, there might be mixed proprietary/standard combinations that are, today, more efficient. Things might happen (most probably outside IETF) to address these cases, especially for IoT environments.

Cheers,
Max

On 3/5/18 4:58 PM, Russ Housley wrote:
> Phill:
>
> PKCS#10 does not specify a method to request certificate revocation.
>
> CMP has a Revocation Request; see Section 5.3.9 of RFC 4210.
>
> CMC has a Revocation Request; see Section 6.11 of RFC 5272.
>
> EST does not specify a method to request certificate revocation, but it does specify a way to carry a "Full PKI Request", which could be a CMC Revocation Request.
>
> SCEP does not specify a method to request certificate revocation.
>
> Russ
>
> On Fri, Mar 2, 2018 at 9:24 AM, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
> > Do we have a PKIX revocation request format?
> >
> > I am asking because of a detail in the Trustico situation in which a file of 23K private keys was emailed to a CA to request revocation.
> >
> > At this point, the circumstances of that situation are not clear. But I can see a scenario in which it is entirely plausible that a CA reseller would have access to large numbers of TLS private keys and that is when they are either hosting or managing the Web sites.
> >
> > The management interfaces that allow Web sites to be wheeled around a data center have become very sophisticated of late with virtualization and much of that infrastructure is 'secret sauce'.
> >
> > What might appear to be five racks of 100 separate machines is likely visible in the management console as one single entity.
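The pattern Max describes (one signed message from the account key covering many certificates, rather than the mailed private keys of the Trustico case) as an added Go example that is not from the thread or any of its participants: a batch in the shape of CMC's RevokeRequest (RFC 5272, Section 6.11), DER-encoded and signed once with the account key, plus the CA-side check that the signature verifies under the registered account key and that every serial was issued to that account. ECDSA over the DER body stands in for CMS SignedData, the Issuer is a plain string instead of an X.501 Name, and the serials and `owned` issuance record are constructed.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"fmt"
	"math/big"
)
// RevokeEntry carries the RevokeRequest fields (RFC 5272, Section 6.11) a batch
// needs; Issuer is a plain string here where real CMC carries an X.501 Name.
type RevokeEntry struct {
	Issuer string `asn1:"utf8"`
	Serial *big.Int
	Reason asn1.Enumerated // CRLReason from RFC 5280; 1 = keyCompromise
}
// SignBatch DER-encodes the whole batch as one SEQUENCE OF RevokeEntry and signs
// its SHA-256 digest once with the administrative (account) key. This is a
// stand-in for wrapping the request in CMS SignedData; no private key is shipped.
func SignBatch(key *ecdsa.PrivateKey, entries []RevokeEntry) (body, sig []byte, err error) {
	if body, err = asn1.Marshal(entries); err == nil {
		h := sha256.Sum256(body)
		sig, err = ecdsa.SignASN1(rand.Reader, key, h[:])
	}
	return body, sig, err
}
// VerifyBatch is the CA side: the signature must verify under the account's
// registered public key, and every serial must have been issued to that account,
// so a valid account key cannot revoke another customer's certificates.
func VerifyBatch(pub *ecdsa.PublicKey, owned map[string]bool, body, sig []byte) (int, error) {
	if h := sha256.Sum256(body); !ecdsa.VerifyASN1(pub, h[:], sig) {
		return 0, fmt.Errorf("signature does not verify under account key")
	}
	var entries []RevokeEntry
	if rest, err := asn1.Unmarshal(body, &entries); err != nil || len(rest) != 0 {
		return 0, fmt.Errorf("malformed request body")
	}
	for _, e := range entries {
		if !owned[e.Issuer+"/"+e.Serial.String()] {
			return 0, fmt.Errorf("serial %s was not issued to this account", e.Serial)
		}
	}
	return len(entries), nil
}
func main() { // constructed demo: one account that owns one certificate
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	body, sig, _ := SignBatch(key, []RevokeEntry{{"CN=Example CA", big.NewInt(1001), 1}})
	owned := map[string]bool{"CN=Example CA/1001": true} // CA's issuance record
	fmt.Println(VerifyBatch(&key.PublicKey, owned, body, sig))
}
```

The ownership check is the part a portal that just accepts "a signed CMS" tends to skip: without it, any account key holder can revoke serials belonging to other customers.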