Re: [lamps] Support for working on the lightweight CMP profile
Tomas Gustavsson <tomas.gustavsson@primekey.com> Wed, 29 May 2019 10:43 UTC
Return-Path: <tomas.gustavsson@primekey.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 181C712009E for <spasm@ietfa.amsl.com>; Wed, 29 May 2019 03:43:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=primekey.com header.b=J1+D5XXJ; dkim=pass (1024-bit key) header.d=primekey.com header.b=J1+D5XXJ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EdxZ-VoT1m3q for <spasm@ietfa.amsl.com>; Wed, 29 May 2019 03:43:41 -0700 (PDT)
Received: from mail.primekey.com (mail.primekey.com [84.55.121.163]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60239120019 for <spasm@ietf.org>; Wed, 29 May 2019 03:43:41 -0700 (PDT)
Received: from mail.primekey.com (localhost [127.0.0.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.primekey.com (Postfix) with ESMTPS id ADA006AA008D for <spasm@ietf.org>; Wed, 29 May 2019 12:43:34 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=primekey.com; s=mail; t=1559126614; bh=Rf2FOl1iyFgMWwKrAuxgviL/HJYE6i3HiTUo/XI5phs=; h=Subject:To:References:From:Date:In-Reply-To:From; b=J1+D5XXJHfHVLxpYurkHa+SY4diZ//VBCmW2mPxBnN+hG/gWNIYe/LywcpZ7XM1BY fy9E39yBgyZCpYNGhuFOXKPmVZr9LRS0BzgelB62VBCyEyp2CMCy3YaT//78p6YgtN aqvQ0Xbcl0kVrHeH6D0DLOqGaV1pWCGbSYXL0tCk=
Received: from [192.168.3.184] (gatekeeper.primekey.se [84.55.121.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.primekey.com (Postfix) with ESMTPSA id 8F20E6AA006D for <spasm@ietf.org>; Wed, 29 May 2019 12:43:34 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=primekey.com; s=mail; t=1559126614; bh=Rf2FOl1iyFgMWwKrAuxgviL/HJYE6i3HiTUo/XI5phs=; h=Subject:To:References:From:Date:In-Reply-To:From; b=J1+D5XXJHfHVLxpYurkHa+SY4diZ//VBCmW2mPxBnN+hG/gWNIYe/LywcpZ7XM1BY fy9E39yBgyZCpYNGhuFOXKPmVZr9LRS0BzgelB62VBCyEyp2CMCy3YaT//78p6YgtN aqvQ0Xbcl0kVrHeH6D0DLOqGaV1pWCGbSYXL0tCk=
To: spasm@ietf.org
References: <AM0PR10MB24028210BCE560C64195A74EFE320@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <AM0PR10MB2402B5BB06E4FB59A8ECB16BFE060@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <AM0PR10MB2402C7C1AAA09EABF047F0CEFE1D0@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <29FAEBF1-2D67-469F-BE78-AF58F78D055E@vigilsec.com> <BN7PR11MB2547D526E00CE7C5DDCDB3E9C91E0@BN7PR11MB2547.namprd11.prod.outlook.com> <17374.1559083024@localhost> <E6C9F0E527F94F4692731382340B337826FA104E@DENBGAT9EJ5MSX.ww902.siemens.net>
From: Tomas Gustavsson <tomas.gustavsson@primekey.com>
Openpgp: preference=signencrypt
Autocrypt: addr=tomas.gustavsson@primekey.com; prefer-encrypt=mutual; keydata= mQENBEyuwwYBCAD31Jsxn1lf7rnFc7y3Ol+TE7pU7ohO78kMdoVrZdAMnU9W0P33GedbU+kF 8/RFq7HlXV8a91RkgtdcMAK8tSdtBKDGZCOJZm5qOZ/EHikY8k/7s1wgSQSF4hYSG/IABCCA W139joDFl4L3buWyk2lsYX1HDBpuXGDL5HFyu165T0ZVlt23T04xmAwpIHUViKUWw1QYnlRz s66Desn2WeP+X8/QlqF1zOTUXbgrThB1X/Oh2+wzP08HVoTQCzlrEMeb9x2k+oa8PtVdnflh nZKBtyyBkZxRoHG3tNKcaf7JLoadSXcSKSKvfApcsxpP2JpkQgIhLi3JWik/Z+RR2WD1ABEB AAG0MFRvbWFzIEd1c3RhdnNzb24gPHRvbWFzLmd1c3RhdnNzb25AcHJpbWVrZXkuY29tPokB NwQTAQgAIQUCWX8yTAIbIwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRBibcSbAEP+QGAU CAC82dn8XCQ8Ei7gxQAdRSc2imaP/388i/ObDMYhNhg5j4gXs3tkfxuCvhwkzskUFgOtmaEy uz/gIiVjQIsjQrHh5tl9M0q2tqbDHJpWfE6/SkXPUmTqQ0VGyq1MmZ3/zg2jSoll74qBSfdH V7sWugRXeCBxfaPeYo8DdPCGi27yrdL8zb3xkJ3BxPcDGNdkLm+Yza+qAOrssCD7MSLN+6Sd ML5Xcmw6pgRPlQ0aCsM7scrwgBNb7KrwxaqBxqwcuqF0NMgNjeiEHi2Oj3HOZdYU4Blk2GFq 9zHuCzTWumgNOlfksZ9K3ZMJBn6KLPot5bVXIKdnHwWRzoKMDxkSZjM5uQENBEyuwwYBCADZ 98eCFQ64zKo1OKkUgEJHO1JdsiqRO1znu6KyaTcd2vXfOCGkFFVBL+vjzzyyYV7Sg1/AaG4r l9TKJCwvx8mUmTJkKQspTfOj6AY33bmfMB/8LBYj2BjtxXyMucPjNTJqbL2r1HeGPV2nwyof MAyo2qcYuiLs20Ob7U8vooOV3GDDKEkXtJYZzTEU6qabGsepGIvMu770OZwvm4akQiCGe5sQ 4+/UH1pMZQNi+/fGbONFx+TUVMM8EkXD6dQ5WoL+xPabPjqiUmR7EBvg0uocr70Ag93tWk1d 4RgFcicjwMFcPg4TZ8Y/3Y7Nmbyo14+4SMNfNPFLgQMawL+cLLkdABEBAAGJAR8EGAECAAkC GwwFAlYXhXUACgkQYm3EmwBD/kA2igf/QNpPe7sLt3KdRD3x4cStxGjLCWyj7x1YLVnV4Nnu TvaNhC+KHx3uG39y1x3PJQwslpeSQ6JipOUmxeQjjGJGQZLV41L1PCJVhCL98Dinr6dJkYB7 cAVhfmW8PI51jiANExLZu8U5gnthj5CGv4428ODQgSoRI0demG3HmVCNrKdap+orhT8zRkq8 DuHTO01U7PKsfvQ2k8AqSAC/JjMOs1mpFe032IApXxlZkE+33Q3dE5BiJmICYg8hsRXvpKTm ZMCdNZJUQLq+XNpg6RtAPQIPMmCepXrE9M/KuH+jFS2G5+Hx5VBSM644E1G2i+HOPCVdHjof iaNi3V/ItEG3jw==
Message-ID: <f5e704d4-bdcc-4c40-03e1-662cf2669d21@primekey.com>
Date: Wed, 29 May 2019 12:43:38 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <E6C9F0E527F94F4692731382340B337826FA104E@DENBGAT9EJ5MSX.ww902.siemens.net>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Bn0DSMHxU2X-tAQAOPvtj4WgNuI>
Subject: Re: [lamps] Support for working on the lightweight CMP profile
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 May 2019 10:43:45 -0000
Hi, I want to give my reasons for having a CMP profile. From the viewpoint of a product implementor implementing open standards for PKI. Sorry for the lengthy post, but I have several arguments :-) Please don't mention SCEP in this context. SCEP is not an RFC and does not fulfill even basic needs of today (EC). SCEP is quickly going away and it's best to leave it alone to die. CMC I would agree does some of the same functionality, but it's also dying. Leave it to rest. We have today two (good) alternatives for standard PKI protocols, CMP and EST. As a product supplier we see extensive use of both CMP and EST in the industry and the more interoperable these usages are the better. EST and CMP have fundamentally different security aspects, making them suitable for different use cases. It's not one of the other, both are needed due to the different ways of working: - EST uses the communication layer (TLS) for security, it is simple and easy, but depends on TLS (for good and for bad, mostly for good where this approach is suitable) - CMP uses message security and is independent of the communication layer, the messages are self-sufficient (for good and for bad, mostly for good where this approach is suitable) EST and CMP are not competing standard, but very much complementary and as product implementor we like them both. Unfortunately CMP (RFC4210) is more of a framework and solutions are not interoperable because they use fields in different ways. Profiling is needed. The best profiling of CMP that I have seen so far is 3GPP 33.310 in telecom, enabling vendors and telcos to use devices from multiple manufactures in an interoperable way, using standard products without custom development. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2293 There is profiling going on for EST, see EST over Secure CoAP for example. https://tools.ietf.org/html/draft-ietf-ace-coap-est-11 So it is not unheard of that IETF creates profiles to support different use cases. Considering the security aspects of CMP, and that it is used extensively within the industry today, making a profile is highly valuable to counter interoperability issues arising from the framework approach of RFC4210. I am glad to see that IEC 62351 is using standard protocols and has not invented it's own. What would be interesting is to compare the proposed profile agains what 62351 suggest. At least on the wikipedia page: https://en.wikipedia.org/wiki/IEC_62351 It claims "Certificate enrollment by means of SCEP / CMP / EST", hence usage of CMP already. How does IEC 62351 profile CMP? IEC 62351 is a for purchase standard, and those rarely get high traction except for their limited scope/vertical. In contrast, IETF documents get traction across the board of protocol users. This is one reason why I see the suggested profile having the potential to lift CMP up to a more interoperable level, not only for the IIoT vertical, but actually re-used for other verticals as well. IMHO, it should be profiled in openness in IETF, not in closedness in IEC. It's not a question if the profile (yes stripping down CMP) will exist or not, just a question of where it is housed. My opinion is that IETF is the best place. I like IETF standards, and they are highly referenced and spread, making the world just a little bit more interoperable. Regards, Tomas On 2019-05-29 08:14, Fries, Steffen wrote: > Michael Richardson <mcr+ietf@sandelman.ca> wrote: >> Panos Kampanakis (pkampana) <pkampana@cisco.com> wrote: >> > Sorry, for insisting. I still have the concern that by adopting this, IETF >> > will continue the trend of endorsing different certificate management >> > protocols and profiles (SCEP, CMPv2, CMC, EST) that mostly do the same >> > things. Specifically for industrial automation we already have SCEP and EST >> > in IE 61850/IEC 62351. OPC UA has its own SDP for the same purposes. Now, we >> > want to add one more (CMP) in the mix for this vertical. >> >> I agree with Panos. >> I don't really know why we need CMP, let alone a lightweight CMP. >> Plus we have a bunch of proprietary RESTful interfaces to CAs. >> >> I have less of an objection to the IETF doing something, but I won't be reading/editing or implementing. >> >> If anything, I'd like to remove features from the protocols we have to simplify them and focus them better. > That exactly is the intention of lightweight CMP. It intends to strip down functionality from an IETF defined protocol to have less requirements for interoperability for implementing devices. This lightweight approach should make it easier for others to adopt the already standardized functionality instead of defining proprietary approaches with a similar functionality. > > Best regards > Steffen > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
- [lamps] Proposed Re-Chartering Text for CMP updat… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Panos Kampanakis (pkampana)
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Peylo, Martin (Nokia - FI/Espoo)
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Dr. Pala
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Panos Kampanakis (pkampana)
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Panos Kampanakis (pkampana)
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Panos Kampanakis (pkampana)
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Fries, Steffen
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- [lamps] Support for working on the lightweight CM… Russ Housley
- Re: [lamps] Support for working on the lightweigh… Tomas Gustavsson
- Re: [lamps] Support for working on the lightweigh… Peylo, Martin (Nokia - FI/Espoo)
- Re: [lamps] Support for working on the lightweigh… Brockhaus, Hendrik
- Re: [lamps] Support for working on the lightweigh… Panos Kampanakis (pkampana)
- Re: [lamps] Support for working on the lightweigh… Michael Richardson
- Re: [lamps] Support for working on the lightweigh… Fries, Steffen
- Re: [lamps] Support for working on the lightweigh… Tomas Gustavsson
- Re: [lamps] Support for working on the lightweigh… Peylo, Martin (Nokia - FI/Espoo)
- Re: [lamps] Support for working on the lightweigh… Michael Richardson
- Re: [lamps] Support for working on the lightweigh… Michael Richardson
- Re: [lamps] Support for working on the lightweigh… Tomas Gustavsson
- [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Support for working on the lightweigh… Brockhaus, Hendrik
- Re: [lamps] Interest to standardize PKI REST APIs? Brockhaus, Hendrik
- Re: [lamps] Interest to standardize PKI REST APIs? Michael Richardson
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Interest to standardize PKI REST APIs? Salz, Rich
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Interest to standardize PKI REST APIs? Salz, Rich
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Interest to standardize PKI REST APIs? Salz, Rich
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Interest to standardize PKI REST APIs? Brockhaus, Hendrik
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Interest to standardize PKI REST APIs? Brockhaus, Hendrik
- Re: [lamps] Interest to standardize PKI REST APIs? Salz, Rich
- Re: [lamps] Interest to standardize PKI REST APIs? Dr. Pala
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson