Re: [lamps] Support for working on the lightweight CMP profile

"Peylo, Martin (Nokia - FI/Espoo)" <martin.peylo@nokia.com> Wed, 29 May 2019 12:00 UTC


Hi Michael,

> I don't really know why we need CMP, let alone a lightweight CMP.

Obviously, I also cannot say why you would need CMP, but e.g. the telco industry understands it, and therefore we are using it actively. I also know that the FOSS CMP implementation is utilized actively by more silent users, including the banking, IT and academia fields.

To ease standard-conforming, interoperable implementation for various use cases where EST and SCEP are totally useless (e.g. the RA-CA interface), it'd be great to have some standards-track clarifications (= profiling). Profiling CMP would be more or less this "remove features" you're asking for, as the richness of options in CMP wasn't necessarily beneficial for out-of-the-box interoperability in the past.

One should note that the subject of this email seems to be somewhat misleading, as it is overly limiting the scope. I expect that besides clarifications for e.g. RA-CA communications, the upcoming work will also include a refresh of mandatory algorithms (bye bye SHA-1). While both of those will certainly be beneficial also for the lightweight CMP on the interface to EEs, they will also have positive influence beyond the "lightweight CMP" scope.

> Plus we have a bunch of proprietary RESTful interfaces to CAs.

As they are proprietary, they seem to be somewhat out of IETF scope and interoperability might not have been your focus when you were creating those?

Cheers,
Martin

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: Wednesday, May 29, 2019 1:37 AM
To: spasm@ietf.org
Subject: Re: [lamps] Support for working on the lightweight CMP profile


Panos Kampanakis (pkampana) <pkampana@cisco.com> wrote:
    > Sorry, for insisting. I still have the concern that by adopting this, IETF
    > will continue the trend of endorsing different certificate management
    > protocols and profiles (SCEP, CMPv2, CMC, EST) that mostly do the same
    > things. Specifically for industrial automation we already have SCEP and EST
    > in IEC 61850/IEC 62351. OPC UA has its own SDP for the same purposes. Now, we
    > want to add one more (CMP) in the mix for this vertical.

I agree with Panos.
I don't really know why we need CMP, let alone a lightweight CMP.
Plus we have a bunch of proprietary RESTful interfaces to CAs.

I have less of an objection to the IETF doing something, but I won't be reading/editing or implementing.

If anything, I'd like to remove features from the protocols we have to simplify them and focus them better.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-