IETF Logo Mail Archive

Re: [lamps] Interest to standardize PKI REST APIs?

"Dr. Pala" <madwolf@openca.org> Wed, 12 June 2019 18:18 UTC

Return-Path: <madwolf@openca.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73B60120280 for <spasm@ietfa.amsl.com>; Wed, 12 Jun 2019 11:18:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_HK_NAME_DR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3PHvo9iRgURM for <spasm@ietfa.amsl.com>; Wed, 12 Jun 2019 11:18:05 -0700 (PDT)
Received: from mail.katezarealty.com (mail.katezarealty.com [104.168.158.213]) by ietfa.amsl.com (Postfix) with ESMTP id 26F11120236 for <spasm@ietf.org>; Wed, 12 Jun 2019 11:18:05 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mail.katezarealty.com (Postfix) with ESMTP id A07A43741042 for <spasm@ietf.org>; Wed, 12 Jun 2019 18:18:04 +0000 (UTC)
X-Virus-Scanned: amavisd-new at katezarealty.com
Received: from mail.katezarealty.com ([127.0.0.1]) by localhost (mail.katezarealty.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id wWfLhTjezC3C for <spasm@ietf.org>; Wed, 12 Jun 2019 14:18:03 -0400 (EDT)
Received: from Maxs-MacBook-Pro.local (unknown [192.160.73.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.katezarealty.com (Postfix) with ESMTPSA id C93F53741025 for <spasm@ietf.org>; Wed, 12 Jun 2019 14:18:02 -0400 (EDT)
To: spasm@ietf.org
References: <AM0PR10MB24028210BCE560C64195A74EFE320@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <AM0PR10MB2402B5BB06E4FB59A8ECB16BFE060@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <AM0PR10MB2402C7C1AAA09EABF047F0CEFE1D0@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <29FAEBF1-2D67-469F-BE78-AF58F78D055E@vigilsec.com> <BN7PR11MB2547D526E00CE7C5DDCDB3E9C91E0@BN7PR11MB2547.namprd11.prod.outlook.com> <17374.1559083024@localhost> <HE1PR0701MB24447D45A6A7461DEC49FE7B9B1F0@HE1PR0701MB2444.eurprd07.prod.outlook.com> <12129.1559329924@localhost> <7f83213b-2e63-57f5-5a1a-956d47b58683@primekey.com> <AM0PR10MB2402726EDDA7074FEDFF917DFE100@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM>
From: "Dr. Pala" <madwolf@openca.org>
Message-ID: <23b41fcd-29e7-eb80-a397-e619072cd0fc@openca.org>
Date: Wed, 12 Jun 2019 12:18:02 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <AM0PR10MB2402726EDDA7074FEDFF917DFE100@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM>
Content-Type: multipart/alternative; boundary="------------865391C4A6C2095F879DFAE0"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/RNMHdFZA_hfwfR-G_6eOUNxFYdw>
Subject: Re: [lamps] Interest to standardize PKI REST APIs?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jun 2019 18:18:11 -0000

Hi Tomas, all,

I have not followed all the thread - however, it seems to me we already 
have what is being proposed. ACME is a web-oriented protocol that works 
for low-volume/low-efficiency issuance of certificates and works well 
for the Web PKI(s). Similarly, CMP and CMS allow for full management of 
credentials (although they require the client to be know what type of 
credentials are needed on the device).

One thing I do not like about ACME and EST in particular (and probably 
about what you are proposing here), it is their dependency on the 
transport protocol - this is usually a very bad idea that prevents 
abstracting from the specific transport media, therefore limiting your 
options and require IP connectivity.

 From this point of view, I do not really see the need to define "yet 
another HTTP-based way to transfer the same information" - ACME already 
duplicated so much of the work we already have done 20 years ago with no 
relevant benefits besides being more inefficient, lacking all the more 
traditional controls, and not providing much benefits from an automation 
standpoint.

Let's try to avoid doing the same mistake again :D

I also would like to draw your attention on some work that is going on 
in some other WGs. In particular, we are working in the EMU WG to 
provide a EAP-Based method for credentials management (EAP-CREDS 
currently NOT a WG document, but we hope it will be adopted - 
https://datatracker.ietf.org/doc/draft-pala-eap-creds/) - you might find 
some inspiration for ideas there - we provide a minimal protocol for 
handling different types of secrets and the possibility to encapsulate 
your own protocol (e.g., an existing one like CMP or a proprietary one). 
Maybe this approach might inspire some further ideas in case you still 
want to pursue :D

Last but not least, I think that if any standardization is needed 
(instead of "yet another API to do the same thing") is in the 
/*interface to your Cryptographic API*/. This is, I think, much more 
interesting (and needed).

Today, I think, one of the main issue we have is to be able to integrate 
crypto libraries and being able to switch across platforms. Especially 
if you work in a application-level layer (maybe with JS or another 
interpreted language), you might have noticed that the support for the 
security primitives (and advanced functionalities) is not very well 
implemented. Moreover, porting to a different Crypto Service Provider is 
usually a nightmare...

Why not working on a Standard API for Cryptographic Libraries instead ? 
Similarly to what we did for LDAP, this could provide the portability 
for applications (and programming frameworks) that we really need. We 
started a Mailing List sometime ago - but did not have the time to move 
forward with real work. If you are interested, please let me know.

Just my 2 cents....

Cheers,
Max

P.S.: Last thing - as soon as we are done updating the CMS interface in 
LibPKI we will probably add support for either CMP or CMC. Maybe this is 
also relevant to your effort... :D

On 6/7/19 11:22 AM, Brockhaus, Hendrik wrote:
> Hi Tomas
>
> I fully understand your pain implementing many different proprietary APIs and I also dislike such proprietary APIs for certificate management. Typically such proprietary APIs or protocols lack the desired security features a certificate management protocol developed by an IETF Security WG offer.
> That is the reason to enhance the usability of existing standards like CMP. This may also hold true for the request for RESTful APIs especially from cloud developer.
>
> I think we need to first collect the required certificate management use cases and check if they are addressed by existing protocols.
> Then I see two approaches:
> - Develop a new certificate management protocol using standard functionality of REST frameworks and learn from or even copy parts from existing protocols.
> - Take an existing certificate management protocol, e.g. CMP, adapt the transport to REST APIs and adapt the transaction concept slightly to allow a state-less server.
> As already said, I dislike to develop further certificate management protocols. I think there are enough around already. Therefor I would prefer the second approach. But finally the solution must be acceptable to the target audience of developers asking for REST APIs for certificate management.
>
> Are there also other opinions in the WG?
>
> Hendrik
>
>> -----Ursprüngliche Nachricht-----
>> Von: Spasm <spasm-bounces@ietf.org> Im Auftrag von Tomas Gustavsson
>> Gesendet: Samstag, 1. Juni 2019 13:54
>> An: spasm@ietf.org
>> Betreff: [lamps] Interest to standardize PKI REST APIs?
>>
>> Hi,
>>
>> This is a continuation of a topic that appeared in another thread, that I chose
>> to start another thread about to not diverge the original thread. (original
>> thread [lamps] Support for working on the lightweight CMP profile). Consider
>> this an exploratory discussion.
>>
>> - Background:
>> Today RESTful APIs are popular due to the simplicity of implementation on
>> the client and on the server. I myself has worked with implementation on
>> servers and clients for a range of standard APIs (such as SCEP, CMP, EST,
>> ACME, PKCS#11 and more). I also find REST APIs engaging to work with as
>> you don't need any special client software. If implementing in Java you just
>> go at it with the standard API, if scripting you just use curl, etc. You also
>> typically get easy to parse error messages back in JSON format. Very nice and
>> easy.
>>
>> - Benefits of standard APIs
>> Using standard APIs you get less lock-in effects. Less lock-in is typically good
>> for the whole industry and use base long-term. Using standard APIs an end
>> user can replace various components (clients, RA,
>> CA) in their system to other vendors if they so desire. We have seen this
>> work in practice, replacing CA technology components transparently for the
>> rest of the system, quick and cost effective.
>> IETF has been very good at producing industry wide standards used across
>> multiple verticals.
>>
>> - Current REST-like protocols
>> In lamps/pkix we have a couple of RESTlike APIs today.
>> ACME for enrolling server certificates. A protocol for a specific purpose, but
>> gaining popularity due to the easiness of implementing clients (often as
>> scripts).
>> EST is perhaps not a strict REST API but can be used in a similar form on the
>> client side. All you need is openssl and curl to use it from the client side.
>>
>> - Current limitations
>> In many deployments there are three components: client - RA - CA. EST and
>> ACME typically runs on the client-RA side. EST also runs on the RA-CA side in
>> simpler use cases. For more complex use cases, where say revocation is also
>> needed it's more common to use CMP or a proprietary SOAP or REST API on
>> the RA-CA side. Just to make this single point, the current REST-like APIs does
>> not have revoke (EST has full-CMC method but that makes it complete non-
>> REST-like and harder to implement).
>>
>> - Current "full" REST APIs
>> Various products have REST APIs. These are proprietary (completely natural
>> as there are no standards) and thus clients/RAs/CAs suffer from having to
>> implements multiple REST APIs in order to be interoperable with various
>> vendors.
>>
>> - Probe:
>> Do others see the need/interest to standardize a more "full" REST API?
>> We see requests and customer interest for REST APIs. Some of the
>> requested REST functionality could very well be standardized, while some are
>> more product specific and could be harder.
>>
>> Do others see the same?
>>
>> - Disclosure:
>> I work for PrimeKey, a vendor who implements the (open source) CA
>> software EJBCA.
>>
>> Regards,
>> Tomas
>>
>> _______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org
>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww
>> .ietf.org%2Fmailman%2Flistinfo%2Fspasm&amp;data=02%7C01%7Chendrik.
>> brockhaus%40siemens.com%7Cdf45bd27b9c241677a3a08d6e687d111%7C38a
>> e3bcd95794fd4addab42e1495d55a%7C1%7C0%7C636949868334006281&amp;
>> sdata=rUYwh%2BPG4ZIdPzUYSWBOv1OvDb23N7fdHbyUOCup1dw%3D&am
>> p;reserved=0
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
-- 
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
OpenCA Logo

v2.23.0 | Report a Bug | By Email