Re: [lamps] Revocation Request Format?

Russ Housley <housley@vigilsec.com> Mon, 05 March 2018 16:59 UTC


Phill:

PKCS#10 does not specify a method to request certificate revocation.

CMP has a Revocation Request; see Section 5.3.9 of RFC 4210.

CMC has a Revocation Request; see Section 6.11 of RFC 5272.

EST does not specify a method to request certificate revocation, but it does specify a way to carry a "Full PKI Request", which could be a CMC Revocation Request.

SCEP does not specify a method to request certificate revocation.

Russ
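Russ's list above points at a structured alternative to emailing private keys: a CMC Revocation Request (RFC 5272, section 6.11) identifies the certificate to revoke by issuer name and serial number. As an added illustration, not code from either post, the following Python hand-encodes that control in DER using constructed sample values; the CMS signature over the surrounding PKIData, which is what authorizes the request, is outside this snippet.

```python
# Added example (not from the thread): hand-rolled DER encoding of a CMC
# RevokeRequest control, RFC 5272 section 6.11. Issuer name, serial and
# comment below are constructed sample values, not real certificate data.
ID_CMC_REVOKE_REQUEST = "1.3.6.1.5.5.7.7.17"  # id-cmc 17 (RFC 5272)
KEY_COMPROMISE = 1                            # CRLReason keyCompromise (RFC 5280)
NAME_ATTRS = {"C": ("2.5.4.6", 0x13), "O": ("2.5.4.10", 0x0C), "CN": ("2.5.4.3", 0x0C)}

def der_len(n):  # DER definite length, short or long form
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def int_body(v):  # minimal two's-complement content octets, v >= 0
    return v.to_bytes(v.bit_length() // 8 + 1, "big")

def der_oid(dotted):  # base-128 arcs, first two arcs combined into one octet
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += chunk
    return tlv(0x06, bytes(out))

def der_name(rdns):  # Name ::= SEQUENCE OF RDN; one AttributeTypeAndValue per SET
    seq = b""
    for attr, value in rdns:
        oid, str_tag = NAME_ATTRS[attr]  # countryName must be a PrintableString
        seq += tlv(0x31, tlv(0x30, der_oid(oid) + tlv(str_tag, value.encode())))
    return tlv(0x30, seq)

def revoke_request(issuer, serial, reason, comment=None):
    # RevokeRequest ::= SEQUENCE { issuerName, serialNumber, reason, ..., comment OPTIONAL }
    body = der_name(issuer) + tlv(0x02, int_body(serial)) + tlv(0x0A, int_body(reason))
    if comment is not None:
        body += tlv(0x0C, comment.encode())
    return tlv(0x30, body)

def tagged_revoke_control(body_part_id, issuer, serial, reason, comment=None):
    # TaggedAttribute { bodyPartID, attrType, attrValues SET OF RevokeRequest }
    values = tlv(0x31, revoke_request(issuer, serial, reason, comment))
    return tlv(0x30, tlv(0x02, int_body(body_part_id)) + der_oid(ID_CMC_REVOKE_REQUEST) + values)

ISSUER = [("C", "US"), ("O", "Example CA"), ("CN", "Example Issuing CA")]  # constructed
CONTROL = tagged_revoke_control(1, ISSUER, 0x1A2B3C, KEY_COMPROMISE, "key exposed")
```

The result is the control that goes into PKIData.controlSequence; nothing in it carries key material, only the identity of the certificate and the reason.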

On Fri, Mar 2, 2018 at 9:24 AM, Phillip Hallam-Baker <phill@hallambaker.com> wrote:
Do we have a PKIX revocation request format?

I am asking because of a detail in the Trustico situation in which a file of 23K private keys was emailed to a CA to request revocation.

At this point, the circumstances of that situation are not clear. But I can see a scenario in which it is entirely plausible that a CA reseller would have access to large numbers of TLS private keys, and that is when they are either hosting or managing the Web sites.

The management interfaces that allow Web sites to be wheeled around a data center have become very sophisticated of late with virtualization and much of that infrastructure is 'secret sauce'.

What might appear to be five racks of 100 separate machines is likely visible in the management console as one single entity.