Re: [lamps] Revocation Request Format?

"Dr. Pala" <madwolf@openca.org> Wed, 21 March 2018 13:23 UTC

To: spasm@ietf.org
References: <CAMm+LwjAP78hNL9Yaxqaf4K9RHYGk4M8ayJjCWt=F3_VN28cFQ@mail.gmail.com> <7E8301B2-B15E-4B3D-A559-4F29D8031F2A@vigilsec.com>
From: "Dr. Pala" <madwolf@openca.org>
Message-ID: <6a779839-fede-3d96-6ab9-993d0688e25f@openca.org>
Date: Wed, 21 Mar 2018 13:22:50 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/AX6uGoUsD3S0Oq7hK5tK5VLDYKM>

+1 to Russ's response.

Some solutions I saw deployed involve the "owner" of the account for
those keys signing a single CMS with the administrative (or account)
key/certificate and then submitting the generated signed message through
a web portal.

Mass-revocation (or mass-any-pki-op) is not currently handled well by
existing protocols, if I am not mistaken, unfortunately. So, there might
be mixed proprietary/standard combinations that are, today, more efficient.

Things might happen (most probably outside IETF) to address these cases,
especially for IoT environments.

Cheers,
Max


On 3/5/18 4:58 PM, Russ Housley wrote:
> Phill:
>
> PKCS#10 does not specify a method to request certificate revocation.
>
> CMP has a Revocation Request; see Section 5.3.9 of RFC 4210.
>
> CMC has a Revocation Request; see Section 6.11 of RFC 5272.
>
> EST does not specify a method to request certificate revocation, but
> it does specify a way to carry a "Full PKI Request", which could be a
> CMC Revocation Request.
>
> SCEP does not specify a method to request certificate revocation.
>
> Russ
>
> On Fri, Mar 2, 2018 at 9:24 AM, Phillip Hallam-Baker
> <phill@hallambaker.com <mailto:phill@hallambaker.com>> wrote:
>
>     Do we have a PKIX revocation request format?
>
>     I am asking because of a detail in the Trustico situation in which
>     a file of 23K private keys was emailed to a CA to request revocation.
>
>     At this point, the circumstances of that situation are not clear.
>     But I can see a scenario in which it is entirely plausible that a
>     CA reseller would have access to large numbers of TLS private keys
>     and that is when they are either hosting or managing the Web sites.
>
>     The management interfaces that allow Web sites to be wheeled
>     around a data center have become very sophisticated of late with
>     virtualization and much of that infrastructure is 'secret sauce'.
>
>     What might appear to be five racks of 100 separate machines is
>     likely visible in the management console as one single entity.
>
>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
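The batch shape discussed in this thread, one message carrying many revocation requests and signed as a whole by the account holder, as an added example that is not code from the thread or from any of its participants. It builds the CMC PKIData body that such a message would carry, using the RevokeRequest control Russ points to (RFC 5272, Section 6.11, carried as id-cmc-revokeRequest, OID 1.3.6.1.5.5.7.7.17), with a stdlib-only DER encoder plus a small decoder that lists what a CA-side receiver would find in it. The issuer name, serial numbers, invalidity date and comment string are constructed test data; the CMS SignedData wrapper that the administrative key would put around this body needs a CMS library and is not shown. The point worth noticing is that nothing in this request discloses a private key: authority to revoke is shown by signing the request, not by handing the keys to the CA as happened in the Trustico case.

```python
"""Batch certificate revocation as RFC 5272 (CMC) RevokeRequest controls.

Added example, not code from the mailing-list thread.  One PKIData carries one
RevokeRequest control per certificate; the caller would then wrap the bytes in
CMS SignedData with the account key (not shown, needs a CMS library).
Stdlib only.  Issuer name, serials, date and comment are constructed test data;
the CMC and X.520 OIDs are the real ones.
"""
from datetime import datetime, timezone

# ---- minimal DER primitives (only what the structures below need) ----------
def der_len(n):
    """DER length: short form below 128, long form (0x80|nbytes, big-endian) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(n):
    """INTEGER for non-negative values (serials, bodyPartIDs); pads a 0x00 when the
    top bit is set so the value is not read as negative."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_enum(n):
    return tlv(0x0A, bytes([n]))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))          # base-128, high bit set on all but last
    return tlv(0x06, bytes(out))

def der_seq(*items):
    return tlv(0x30, b"".join(items))

def der_set(*items):
    return tlv(0x31, b"".join(items))

def der_gentime(dt):
    return tlv(0x18, dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode("ascii"))

# ---- X.501 Name (one attribute per RDN) and RFC 5272 structures ------------
X520 = {"CN": ("2.5.4.3", 0x0C), "O": ("2.5.4.10", 0x0C), "C": ("2.5.4.6", 0x13)}

def der_name(rdns):
    """rdns: [("C", "US"), ("O", ...), ("CN", ...)] -> Name (SEQUENCE OF SET OF ATV)."""
    return der_seq(*(der_set(der_seq(der_oid(X520[k][0]), tlv(X520[k][1], v.encode("utf-8"))))
                     for k, v in rdns))

# CRLReason values from RFC 5280; 7 is unused in the enumeration
CRL_REASON = {"unspecified": 0, "keyCompromise": 1, "cACompromise": 2, "affiliationChanged": 3,
              "superseded": 4, "cessationOfOperation": 5, "certificateHold": 6,
              "privilegeWithdrawn": 9}
ID_CMC_REVOKE_REQUEST = "1.3.6.1.5.5.7.7.17"   # id-cmc 17

def revoke_request(issuer, serial, reason, invalidity=None, comment=None):
    """RevokeRequest ::= SEQUENCE { issuerName Name, serialNumber INTEGER,
    reason CRLReason, invalidityDate GeneralizedTime OPTIONAL,
    passphrase OCTET STRING OPTIONAL, comment UTF8String OPTIONAL }
    (passphrase is never emitted here: the request is authorised by the outer signature)."""
    items = [der_name(issuer), der_int(serial), der_enum(CRL_REASON[reason])]
    if invalidity is not None:
        items.append(der_gentime(invalidity))
    if comment is not None:
        items.append(tlv(0x0C, comment.encode("utf-8")))
    return der_seq(*items)

def pki_data(controls):
    """PKIData with every control as a TaggedAttribute { bodyPartID, attrType, attrValues };
    reqSequence, cmsSequence and otherMsgSequence are left empty."""
    tagged = [der_seq(der_int(i + 1), der_oid(ID_CMC_REVOKE_REQUEST), der_set(c))
              for i, c in enumerate(controls)]
    return der_seq(der_seq(*tagged), der_seq(), der_seq(), der_seq())

ISSUER = [("C", "US"), ("O", "Example Corp"), ("CN", "Example Issuing CA")]   # constructed

def build_batch(serials, reason="keyCompromise", when=None):
    """One PKIData revoking every serial under ISSUER with the same reason and date."""
    when = when or datetime(2018, 3, 1, tzinfo=timezone.utc)   # constructed invalidity date
    return pki_data([revoke_request(ISSUER, s, reason, when, "reseller key exposure")
                     for s in serials])

# ---- receiver side: walk the DER and list what is being revoked -----------
def _children(buf):
    """Split a constructed value's contents into (tag, content) pairs."""
    pos, out = 0, []
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def list_revocations(pkidata):
    """Return [(serial, reason_code)] for each RevokeRequest control in a PKIData."""
    (_, body), = _children(pkidata)
    control_seq = _children(body)[0][1]
    want_oid = _children(der_oid(ID_CMC_REVOKE_REQUEST))[0][1]
    found = []
    for _, ta in _children(control_seq):
        _body_id, (_, oid), (_, values) = _children(ta)
        if oid != want_oid:
            continue                       # some other CMC control; ignore here
        for _, rr in _children(values):
            fields = _children(rr)         # Name, INTEGER, ENUMERATED, optionals...
            found.append((int.from_bytes(fields[1][1], "big"), fields[2][1][0]))
    return found

if __name__ == "__main__":
    msg = build_batch([0x1000, 0x7F, 0x80])
    print(len(msg), "bytes,", list_revocations(msg))
```

The decoder deliberately keys on the control OID rather than on position, since a real PKIData may interleave other controls; a CA would also check the outer SignedData signer against the account that owns the listed serials before acting on any of them.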