Re: [lamps] Interest to standardize PKI REST APIs?
"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Wed, 12 June 2019 05:49 UTC
Return-Path: <hendrik.brockhaus@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A19E6120086 for <spasm@ietfa.amsl.com>; Tue, 11 Jun 2019 22:49:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=siemens.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a9YRp9VVLV8g for <spasm@ietfa.amsl.com>; Tue, 11 Jun 2019 22:49:50 -0700 (PDT)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40045.outbound.protection.outlook.com [40.107.4.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DAF412007A for <spasm@ietf.org>; Tue, 11 Jun 2019 22:49:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.onmicrosoft.com; s=selector2-siemens-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rScxfmJtXCHtdXS4vqGqgQEVm+yM+GTzCH9CUUaqj/c=; b=ntOUmDqCiISoqTavBPwMHyB3lXVzDQH6vMtvaGzAPYXLGSJlV8Cpl0M2yR+wGDiU8X28dmzVicXtHMGMP6c4/bako9rP59zIGEgzhke8/Whf+ojQvCu3kdY2XkQiUyDLxpXR0sdCptNKh7FRsCpdHmYWKCAPema10Tf8N5B114M=
Received: from AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM (20.177.110.224) by AM0PR10MB1986.EURPRD10.PROD.OUTLOOK.COM (52.134.84.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1965.16; Wed, 12 Jun 2019 05:49:46 +0000
Received: from AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM ([fe80::a1d3:2a6c:c2ff:2fa3]) by AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM ([fe80::a1d3:2a6c:c2ff:2fa3%7]) with mapi id 15.20.1965.017; Wed, 12 Jun 2019 05:49:46 +0000
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Interest to standardize PKI REST APIs?
Thread-Index: AQHVGHCvl8HgPTUm30+9zuWHsj3AZKaQehewgAAsQgCABubnEA==
Date: Wed, 12 Jun 2019 05:49:46 +0000
Message-ID: <AM0PR10MB2402E1A22C3CB3D4507BE1E0FEEC0@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM>
References: <AM0PR10MB24028210BCE560C64195A74EFE320@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <AM0PR10MB2402B5BB06E4FB59A8ECB16BFE060@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <AM0PR10MB2402C7C1AAA09EABF047F0CEFE1D0@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <29FAEBF1-2D67-469F-BE78-AF58F78D055E@vigilsec.com> <BN7PR11MB2547D526E00CE7C5DDCDB3E9C91E0@BN7PR11MB2547.namprd11.prod.outlook.com> <17374.1559083024@localhost> <HE1PR0701MB24447D45A6A7461DEC49FE7B9B1F0@HE1PR0701MB2444.eurprd07.prod.outlook.com> <12129.1559329924@localhost> <7f83213b-2e63-57f5-5a1a-956d47b58683@primekey.com> <AM0PR10MB2402726EDDA7074FEDFF917DFE100@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <6992.1559937612@localhost>
In-Reply-To: <6992.1559937612@localhost>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-document-confidentiality: NotClassified
authentication-results: spf=none (sender IP is ) smtp.mailfrom=hendrik.brockhaus@siemens.com;
x-originating-ip: [80.146.228.83]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6f4896c4-2de5-4f35-d6df-08d6eef9c68f
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020); SRVR:AM0PR10MB1986;
x-ms-traffictypediagnostic: AM0PR10MB1986:
x-microsoft-antispam-prvs: <AM0PR10MB1986913B74981A703E34C806FEEC0@AM0PR10MB1986.EURPRD10.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0066D63CE6
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(136003)(346002)(366004)(396003)(39860400002)(199004)(189003)(66946007)(6436002)(55016002)(25786009)(9686003)(86362001)(53936002)(2501003)(81156014)(3846002)(66476007)(68736007)(71200400001)(256004)(14444005)(316002)(14454004)(71190400001)(486006)(52536014)(99286004)(8676002)(76116006)(73956011)(66066001)(33656002)(5660300002)(478600001)(11346002)(66446008)(110136005)(446003)(2906002)(81166006)(66556008)(476003)(64756008)(8936002)(26005)(7736002)(76176011)(305945005)(6116002)(6506007)(186003)(74316002)(7696005)(102836004); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR10MB1986; H:AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: siemens.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: UrioKGEOBq2/NYjr6p9wsB2M9jNg1DIAqKbm9Uorwfqu+LVDcQ67TzWxBDSEqtZUJNDJiiuAeR4rIWfnv3X8SRrPOOYvLDsO2BCWKek3GNpFn6g8duOqThUoI73Hj+dR94A/p+9dKD5beQR8Lm8GoOf0QIGxpy3ljcPgTW0KkdJL+j1KViLEP/e53X68arXI7x2Hqo3A6I+UG12+XHOINezvG82xbPXmv59Wlha5locJQCeLDGHMiilc2jqa/Wi3LEZV8GRN6Qc9/uyoReKfL/+GlnAjNjVBYxd8x4WHa5Z7wlv59tog88SosNluDuxbp67oGKRSj/7c3yaW22St2KKb9C7aVBRTAc6weEXz7V3rv/kyTOg7e18HOa+fbOCQP4Ho9NY0xMnvB250qHFOk5xt/u6qxSCodzhy6etdIFs=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6f4896c4-2de5-4f35-d6df-08d6eef9c68f
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Jun 2019 05:49:46.4137 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: hendrik.brockhaus@siemens.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR10MB1986
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/itcXypdaM6ze0sIJmy3JyY5Potg>
Subject: Re: [lamps] Interest to standardize PKI REST APIs?
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jun 2019 05:49:53 -0000
> Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > Brockhaus, Hendrik <hendrik.brockhaus@siemens.com> wrote: > > I think we need to first collect the required certificate management > > use cases and check if they are addressed by existing protocols. > > I don't want to do that. It's boiling the ocean. IMHO knowing about the uses cases we want to address is not 'boiling the ocean'. If we want to come up with a solution that fits our needs, we should do this. Other vice we come up with a solution that looks nice, but cannot be used for major use cases. Like EST is an interesting approach for the last mile, but does not offer revocation, self-contained messages and end-to-end security. All are required in more complex scenarios. I see the following requirements. - Enrollment, update und revocation - Local and central key generation - Confirmation of certificate enrollment/update - Polling for delayed delivery - Some general messages like GetCSRParam and RootCACertUpadate - Approval of request by intermediate RAs, e.g. by adding additional signatures - Security features . Self-contained protection of requests/responses (end-to-end security) . Proof-of-possession . Proof-of-identity, e.g. signature, HMAC . Replay protection, e.g. nonces . Timeliness, e.g. timestamps So there is no surprise. But some features like self-contains messages together with approval of an RA is not available in protocols like ACME and EST. So we can discuss extending these, or we utilize an existing protocol like CMP that already offers the above and adapt its transport and messages flow to REST.
- [lamps] Proposed Re-Chartering Text for CMP updat… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Panos Kampanakis (pkampana)
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Peylo, Martin (Nokia - FI/Espoo)
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Dr. Pala
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Panos Kampanakis (pkampana)
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Panos Kampanakis (pkampana)
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Panos Kampanakis (pkampana)
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Fries, Steffen
- Re: [lamps] Proposed Re-Chartering Text for CMP u… Brockhaus, Hendrik
- [lamps] Support for working on the lightweight CM… Russ Housley
- Re: [lamps] Support for working on the lightweigh… Tomas Gustavsson
- Re: [lamps] Support for working on the lightweigh… Peylo, Martin (Nokia - FI/Espoo)
- Re: [lamps] Support for working on the lightweigh… Brockhaus, Hendrik
- Re: [lamps] Support for working on the lightweigh… Panos Kampanakis (pkampana)
- Re: [lamps] Support for working on the lightweigh… Michael Richardson
- Re: [lamps] Support for working on the lightweigh… Fries, Steffen
- Re: [lamps] Support for working on the lightweigh… Tomas Gustavsson
- Re: [lamps] Support for working on the lightweigh… Peylo, Martin (Nokia - FI/Espoo)
- Re: [lamps] Support for working on the lightweigh… Michael Richardson
- Re: [lamps] Support for working on the lightweigh… Michael Richardson
- Re: [lamps] Support for working on the lightweigh… Tomas Gustavsson
- [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Support for working on the lightweigh… Brockhaus, Hendrik
- Re: [lamps] Interest to standardize PKI REST APIs? Brockhaus, Hendrik
- Re: [lamps] Interest to standardize PKI REST APIs? Michael Richardson
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Interest to standardize PKI REST APIs? Salz, Rich
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Interest to standardize PKI REST APIs? Salz, Rich
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Interest to standardize PKI REST APIs? Salz, Rich
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Interest to standardize PKI REST APIs? Brockhaus, Hendrik
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson
- Re: [lamps] Interest to standardize PKI REST APIs? Brockhaus, Hendrik
- Re: [lamps] Interest to standardize PKI REST APIs? Salz, Rich
- Re: [lamps] Interest to standardize PKI REST APIs? Dr. Pala
- Re: [lamps] Interest to standardize PKI REST APIs? Tomas Gustavsson