Re: [lamps] Interest to standardize PKI REST APIs?
Tomas Gustavsson <tomas.gustavsson@primekey.com> Thu, 13 June 2019 06:45 UTC
Return-Path: <tomas.gustavsson@primekey.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22F3712023D for <spasm@ietfa.amsl.com>; Wed, 12 Jun 2019 23:45:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=primekey.com header.b=HDgCv8UB; dkim=pass (1024-bit key) header.d=primekey.com header.b=HDgCv8UB
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jbtpBMAW0bPc for <spasm@ietfa.amsl.com>; Wed, 12 Jun 2019 23:45:06 -0700 (PDT)
Received: from mail.primekey.com (mail.primekey.com [84.55.121.163]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1970B120219 for <spasm@ietf.org>; Wed, 12 Jun 2019 23:45:05 -0700 (PDT)
Received: from mail.primekey.com (localhost [127.0.0.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.primekey.com (Postfix) with ESMTPS id 2FA7C6AA0090 for <spasm@ietf.org>; Thu, 13 Jun 2019 08:44:57 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=primekey.com; s=mail; t=1560408297; bh=EnMH/15pFlVnMh76TuB+eonk2OHbW60stroYNG4F/4I=; h=Subject:To:References:From:Date:In-Reply-To:From; b=HDgCv8UB5ieQ1iD2aoNT+GQDkQBhOfkAHOY+0yDksOmrFoAKBAdw4RwH4nE8wVT7E cv8AIU/7cnVlY8dAaSAxAtz5JYOju+3CVnMebY4ofty1X0Ei4Se3HsAC5YzMdPO84N ANrMEhb/qgIjSSzjss+3bQi8cgfV1xEZOZ6VV3JQ=
Received: from [10.11.0.9] (gatekeeper.primekey.se [84.55.121.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.primekey.com (Postfix) with ESMTPSA id 8192A6AA008F for <spasm@ietf.org>; Thu, 13 Jun 2019 08:44:56 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=primekey.com; s=mail; t=1560408297; bh=EnMH/15pFlVnMh76TuB+eonk2OHbW60stroYNG4F/4I=; h=Subject:To:References:From:Date:In-Reply-To:From; b=HDgCv8UB5ieQ1iD2aoNT+GQDkQBhOfkAHOY+0yDksOmrFoAKBAdw4RwH4nE8wVT7E cv8AIU/7cnVlY8dAaSAxAtz5JYOju+3CVnMebY4ofty1X0Ei4Se3HsAC5YzMdPO84N ANrMEhb/qgIjSSzjss+3bQi8cgfV1xEZOZ6VV3JQ=
To: spasm@ietf.org
References: <AM0PR10MB24028210BCE560C64195A74EFE320@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <AM0PR10MB2402B5BB06E4FB59A8ECB16BFE060@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <AM0PR10MB2402C7C1AAA09EABF047F0CEFE1D0@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <29FAEBF1-2D67-469F-BE78-AF58F78D055E@vigilsec.com> <BN7PR11MB2547D526E00CE7C5DDCDB3E9C91E0@BN7PR11MB2547.namprd11.prod.outlook.com> <17374.1559083024@localhost> <HE1PR0701MB24447D45A6A7461DEC49FE7B9B1F0@HE1PR0701MB2444.eurprd07.prod.outlook.com> <12129.1559329924@localhost> <7f83213b-2e63-57f5-5a1a-956d47b58683@primekey.com> <AM0PR10MB2402726EDDA7074FEDFF917DFE100@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <23b41fcd-29e7-eb80-a397-e619072cd0fc@openca.org>
From: Tomas Gustavsson <tomas.gustavsson@primekey.com>
Openpgp: preference=signencrypt
Autocrypt: addr=tomas.gustavsson@primekey.com; prefer-encrypt=mutual; keydata= mQENBEyuwwYBCAD31Jsxn1lf7rnFc7y3Ol+TE7pU7ohO78kMdoVrZdAMnU9W0P33GedbU+kF 8/RFq7HlXV8a91RkgtdcMAK8tSdtBKDGZCOJZm5qOZ/EHikY8k/7s1wgSQSF4hYSG/IABCCA W139joDFl4L3buWyk2lsYX1HDBpuXGDL5HFyu165T0ZVlt23T04xmAwpIHUViKUWw1QYnlRz s66Desn2WeP+X8/QlqF1zOTUXbgrThB1X/Oh2+wzP08HVoTQCzlrEMeb9x2k+oa8PtVdnflh nZKBtyyBkZxRoHG3tNKcaf7JLoadSXcSKSKvfApcsxpP2JpkQgIhLi3JWik/Z+RR2WD1ABEB AAG0MFRvbWFzIEd1c3RhdnNzb24gPHRvbWFzLmd1c3RhdnNzb25AcHJpbWVrZXkuY29tPokB NwQTAQgAIQUCWX8yTAIbIwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRBibcSbAEP+QGAU CAC82dn8XCQ8Ei7gxQAdRSc2imaP/388i/ObDMYhNhg5j4gXs3tkfxuCvhwkzskUFgOtmaEy uz/gIiVjQIsjQrHh5tl9M0q2tqbDHJpWfE6/SkXPUmTqQ0VGyq1MmZ3/zg2jSoll74qBSfdH V7sWugRXeCBxfaPeYo8DdPCGi27yrdL8zb3xkJ3BxPcDGNdkLm+Yza+qAOrssCD7MSLN+6Sd ML5Xcmw6pgRPlQ0aCsM7scrwgBNb7KrwxaqBxqwcuqF0NMgNjeiEHi2Oj3HOZdYU4Blk2GFq 9zHuCzTWumgNOlfksZ9K3ZMJBn6KLPot5bVXIKdnHwWRzoKMDxkSZjM5uQENBEyuwwYBCADZ 98eCFQ64zKo1OKkUgEJHO1JdsiqRO1znu6KyaTcd2vXfOCGkFFVBL+vjzzyyYV7Sg1/AaG4r l9TKJCwvx8mUmTJkKQspTfOj6AY33bmfMB/8LBYj2BjtxXyMucPjNTJqbL2r1HeGPV2nwyof MAyo2qcYuiLs20Ob7U8vooOV3GDDKEkXtJYZzTEU6qabGsepGIvMu770OZwvm4akQiCGe5sQ 4+/UH1pMZQNi+/fGbONFx+TUVMM8EkXD6dQ5WoL+xPabPjqiUmR7EBvg0uocr70Ag93tWk1d 4RgFcicjwMFcPg4TZ8Y/3Y7Nmbyo14+4SMNfNPFLgQMawL+cLLkdABEBAAGJAR8EGAECAAkC GwwFAlYXhXUACgkQYm3EmwBD/kA2igf/QNpPe7sLt3KdRD3x4cStxGjLCWyj7x1YLVnV4Nnu TvaNhC+KHx3uG39y1x3PJQwslpeSQ6JipOUmxeQjjGJGQZLV41L1PCJVhCL98Dinr6dJkYB7 cAVhfmW8PI51jiANExLZu8U5gnthj5CGv4428ODQgSoRI0demG3HmVCNrKdap+orhT8zRkq8 DuHTO01U7PKsfvQ2k8AqSAC/JjMOs1mpFe032IApXxlZkE+33Q3dE5BiJmICYg8hsRXvpKTm ZMCdNZJUQLq+XNpg6RtAPQIPMmCepXrE9M/KuH+jFS2G5+Hx5VBSM644E1G2i+HOPCVdHjof iaNi3V/ItEG3jw==
Message-ID: <4dceb42d-c91a-b0de-743b-889632daf46c@primekey.com>
Date: Thu, 13 Jun 2019 08:45:00 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <23b41fcd-29e7-eb80-a397-e619072cd0fc@openca.org>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/JG06Dyg49meOtZqdXHcwKNIf5Vg>
Subject: Re: [lamps] Interest to standardize PKI REST APIs?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jun 2019 06:45:10 -0000
On 2019-06-12 20:18, Dr. Pala wrote: > Hi Tomas, all, > > I have not followed all the thread - however, it seems to me we already > have what is being proposed. ACME is a web-oriented protocol that works > for low-volume/low-efficiency issuance of certificates and works well > for the Web PKI(s). Similarly, CMP and CMS allow for full management of > credentials (although they require the client to be know what type of > credentials are needed on the device). > > One thing I do not like about ACME and EST in particular (and probably > about what you are proposing here), it is their dependency on the > transport protocol - this is usually a very bad idea that prevents > abstracting from the specific transport media, therefore limiting your > options and require IP connectivity. > > From this point of view, I do not really see the need to define "yet > another HTTP-based way to transfer the same information" - ACME already > duplicated so much of the work we already have done 20 years ago with no > relevant benefits besides being more inefficient, lacking all the more > traditional controls, and not providing much benefits from an automation > standpoint. > > Let's try to avoid doing the same mistake again :D I think it's about using the right tool for the right jobs, and a full toolbox is needed :-) Simply looking at the usage of ACME I think it's clear that it does provide some standardization benefits, for this/these use cases. Otherwise we would not see the quick uptake and use I believe. So some benefits there must be. There will be many REST APIs created, within IETF or not. With a little luck there may be some harmonization driven by market needs. > I also would like to draw your attention on some work that is going on > in some other WGs. In particular, we are working in the EMU WG to > provide a EAP-Based method for credentials management (EAP-CREDS > currently NOT a WG document, but we hope it will be adopted - > https://datatracker.ietf.org/doc/draft-pala-eap-creds/) - you might find > some inspiration for ideas there - we provide a minimal protocol for > handling different types of secrets and the possibility to encapsulate > your own protocol (e.g., an existing one like CMP or a proprietary one). > Maybe this approach might inspire some further ideas in case you still > want to pursue :D > > Last but not least, I think that if any standardization is needed > (instead of "yet another API to do the same thing") is in the > /*interface to your Cryptographic API*/. This is, I think, much more > interesting (and needed). > > Today, I think, one of the main issue we have is to be able to integrate > crypto libraries and being able to switch across platforms. Especially > if you work in a application-level layer (maybe with JS or another > interpreted language), you might have noticed that the support for the > security primitives (and advanced functionalities) is not very well > implemented. Moreover, porting to a different Crypto Service Provider is > usually a nightmare... > > Why not working on a Standard API for Cryptographic Libraries instead ? > Similarly to what we did for LDAP, this could provide the portability > for applications (and programming frameworks) that we really need. We > started a Mailing List sometime ago - but did not have the time to move > forward with real work. If you are interested, please let me know. All platforms/OS/programming languages have their standards. This will be hard to sell. Something that would be very useful (from my usage) is a new standard API for HSMs. PKCS#11 have been ruling this area for decades, but large fragmentation is happening now (let's hope a bit on PKCS#11 v3). Also not a topic I want to spend the rest of my days on though, it will be a lengthy process and a tough sale... > > Just my 2 cents.... > > Cheers, > Max > > P.S.: Last thing - as soon as we are done updating the CMS interface in > LibPKI we will probably add support for either CMP or CMC. Maybe this is > also relevant to your effort... :D > > On 6/7/19 11:22 AM, Brockhaus, Hendrik wrote: >> Hi Tomas >> >> I fully understand your pain implementing many different proprietary APIs and I also dislike such proprietary APIs for certificate management. Typically such proprietary APIs or protocols lack the desired security features a certificate management protocol developed by an IETF Security WG offer. >> That is the reason to enhance the usability of existing standards like CMP. This may also hold true for the request for RESTful APIs especially from cloud developer. >> >> I think we need to first collect the required certificate management use cases and check if they are addressed by existing protocols. >> Then I see two approaches: >> - Develop a new certificate management protocol using standard functionality of REST frameworks and learn from or even copy parts from existing protocols. >> - Take an existing certificate management protocol, e.g. CMP, adapt the transport to REST APIs and adapt the transaction concept slightly to allow a state-less server. >> As already said, I dislike to develop further certificate management protocols. I think there are enough around already. Therefor I would prefer the second approach. But finally the solution must be acceptable to the target audience of developers asking for REST APIs for certificate management. >> >> Are there also other opinions in the WG? >> >> Hendrik >> >>> -----Ursprüngliche Nachricht----- >>> Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Tomas Gustavsson >>> Gesendet: Samstag, 1. Juni 2019 13:54 >>> An: spasm@ietf.org >>> Betreff: [lamps] Interest to standardize PKI REST APIs? >>> >>> Hi, >>> >>> This is a continuation of a topic that appeared in another thread, that I chose >>> to start another thread about to not diverge the original thread. (original >>> thread [lamps] Support for working on the lightweight CMP profile). Consider >>> this an exploratory discussion. >>> >>> - Background: >>> Today RESTful APIs are popular due to the simplicity of implementation on >>> the client and on the server. I myself has worked with implementation on >>> servers and clients for a range of standard APIs (such as SCEP, CMP, EST, >>> ACME, PKCS#11 and more). I also find REST APIs engaging to work with as >>> you don't need any special client software. If implementing in Java you just >>> go at it with the standard API, if scripting you just use curl, etc. You also >>> typically get easy to parse error messages back in JSON format. Very nice and >>> easy. >>> >>> - Benefits of standard APIs >>> Using standard APIs you get less lock-in effects. Less lock-in is typically good >>> for the whole industry and use base long-term. Using standard APIs an end >>> user can replace various components (clients, RA, >>> CA) in their system to other vendors if they so desire. We have seen this >>> work in practice, replacing CA technology components transparently for the >>> rest of the system, quick and cost effective. >>> IETF has been very good at producing industry wide standards used across >>> multiple verticals. >>> >>> - Current REST-like protocols >>> In lamps/pkix we have a couple of RESTlike APIs today. >>> ACME for enrolling server certificates. A protocol for a specific purpose, but >>> gaining popularity due to the easiness of implementing clients (often as >>> scripts). >>> EST is perhaps not a strict REST API but can be used in a similar form on the >>> client side. All you need is openssl and curl to use it from the client side. >>> >>> - Current limitations >>> In many deployments there are three components: client - RA - CA. EST and >>> ACME typically runs on the client-RA side. EST also runs on the RA-CA side in >>> simpler use cases. For more complex use cases, where say revocation is also >>> needed it's more common to use CMP or a proprietary SOAP or REST API on >>> the RA-CA side. Just to make this single point, the current REST-like APIs does >>> not have revoke (EST has full-CMC method but that makes it complete non- >>> REST-like and harder to implement). >>> >>> - Current "full" REST APIs >>> Various products have REST APIs. These are proprietary (completely natural >>> as there are no standards) and thus clients/RAs/CAs suffer from having to >>> implements multiple REST APIs in order to be interoperable with various >>> vendors. >>> >>> - Probe: >>> Do others see the need/interest to standardize a more "full" REST API? >>> We see requests and customer interest for REST APIs. Some of the >>> requested REST functionality could very well be standardized, while some are >>> more product specific and could be harder. >>> >>> Do others see the same? >>> >>> - Disclosure: >>> I work for PrimeKey, a vendor who implements the (open source) CA >>> software EJBCA. >>> >>> Regards, >>> Tomas >>> >>> _______________________________________________ >>> Spasm mailing list >>> Spasm@ietf.org >>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww >>> ..ietf.org%2Fmailman%2Flistinfo%2Fspasm&data=02%7C01%7Chendrik. >>> brockhaus%40siemens.com%7Cdf45bd27b9c241677a3a08d6e687d111%7C38a >>> e3bcd95794fd4addab42e1495d55a%7C1%7C0%7C636949868334006281& >>> sdata=rUYwh%2BPG4ZIdPzUYSWBOv1OvDb23N7fdHbyUOCup1dw%3D&am >>> p;reserved=0 >> _______________________________________________ >> Spasm mailing list >> Spasm@ietf.org >> https://www.ietf.org/mailman/listinfo/spasm > -- > Best Regards, > Massimiliano Pala, Ph.D. > OpenCA Labs Director > OpenCA Logo > > _______________________________________________ > Spasm mailing list > Spasm@ietf.org > https://www.ietf.org/mailman/listinfo/spasm >
- [lamps] Proposed Re-Chartering Text for CMP updat… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Panos Kampanakis (pkampana)
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Peylo, Martin (Nokia - FI/Espoo)
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Dr. Pala
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Panos Kampanakis (pkampana)
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Panos Kampanakis (pkampana)
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Panos Kampanakis (pkampana)
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Fries, Steffen
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- [lamps] Support for working on the lightweight CM… Russ Housley
- Re: [lamps] Support for working on the lightweigh… Tomas Gustavsson
- Re: [lamps] Support for working on the lightweigh… Peylo, Martin (Nokia - FI/Espoo)
- Re: [lamps] Support for working on the lightweigh… Brockhaus, Hendrik
- Re: [lamps] Support for working on the lightweigh… Panos Kampanakis (pkampana)
- Re: [lamps] Support for working on the lightweigh… Michael Richardson
- Re: [lamps] Support for working on the lightweigh… Fries, Steffen
- Re: [lamps] Support for working on the lightweigh… Tomas Gustavsson
- Re: [lamps] Support for working on the lightweigh… Peylo, Martin (Nokia - FI/Espoo)
- Re: [lamps] Support for working on the lightweigh… Michael Richardson
- Re: [lamps] Support for working on the lightweigh… Michael Richardson
- Re: [lamps] Support for working on the lightweigh… Tomas Gustavsson
- [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Support for working on the lightweigh… Brockhaus, Hendrik
- Re: [lamps] Interest to standardize PKI REST APIs? Brockhaus, Hendrik
- Re: [lamps] Interest to standardize PKI REST APIs? Michael Richardson
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Interest to standardize PKI REST APIs? Salz, Rich
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Interest to standardize PKI REST APIs? Salz, Rich
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Interest to standardize PKI REST APIs? Salz, Rich
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Interest to standardize PKI REST APIs? Brockhaus, Hendrik
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Interest to standardize PKI REST APIs? Brockhaus, Hendrik
- Re: [lamps] Interest to standardize PKI REST APIs? Salz, Rich
- Re: [lamps] Interest to standardize PKI REST APIs? Dr. Pala
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson