Re: [lamps] Support for working on the lightweight CMP profile

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Tue, 28 May 2019 14:55 UTC

Return-Path: <pkampana@cisco.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40920120229 for <spasm@ietfa.amsl.com>; Tue, 28 May 2019 07:55:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.499
X-Spam-Level:
X-Spam-Status: No, score=-14.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=Y2kMU9qv; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=Z9tc8XSc
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NXzDAfps4jBG for <spasm@ietfa.amsl.com>; Tue, 28 May 2019 07:55:35 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DB11120221 for <spasm@ietf.org>; Tue, 28 May 2019 07:55:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=24310; q=dns/txt; s=iport; t=1559055335; x=1560264935; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=PVNAlZMC1JwmCShNvtora8fYhTYIKSLU66DFFu9hReU=; b=Y2kMU9qv/d7DlNjUM/f64wy7CTTcyicUDrscWEmt8bTYVTzcmRk7YyL+ 94+k3C3h5p+Lg3zr8V+7JQMooZb528A4Ue6+9RXOut6hdwEcHycjF97Qn NtxKAcPor+uFLVVJpIVv6vVa41SGUIKV4XNOwSwl8OK++G4TSNK1qQ1AB Y=;
IronPort-PHdr: 9a23:FFe/GR9zix+jp/9uRHGN82YQeigqvan1NQcJ650hzqhDabmn44+8ZR7E/fs4iljPUM2b8P9Ch+fM+4HYEW0bqdfk0jgZdYBUERoMiMEYhQslVdaGAEjjJfjjRyc7B89FElRi+iLzPA==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AGAADgSu1c/4oNJK1lGQEBAQEBAQEBAQEBAQcBAQEBAQGBUgMBAQEBAQsBgQ4vJCwDaVUgBAsoCodQA459gleXK4EuFIEQA1QJAQEBDAEBGAEJCwIBAYEFXYJeAoJjIzUIDgEDAQEEAQECAQRtHAyFSgEBAQEDAQEQGxMBASwEBwEPAgEIEQQBASEHBycLFAkIAgQBDQUIGoJ7BAKBHU0DHQECDJ4bAoE4iF+CIIJ5AQEFgTIBg0gDFYIPAwaBNAGKD4FDF4FAP4ERRoIeLj6CYQEBAhiBCwkBEgEhKwmDBoIEIotFESSGdZVoCQKCDYY0jHyCH5QqjG6BKJRQAgQCBAUCDgEBBYFRAzMNWXFwFTuCbBOBWCQMF4NNhRSFP3IBAQEBgSWLKoEiATFvAQE
X-IronPort-AV: E=Sophos;i="5.60,523,1549929600"; d="scan'208,217";a="569045423"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 28 May 2019 14:55:33 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by alln-core-5.cisco.com (8.15.2/8.15.2) with ESMTPS id x4SEtXG7000434 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 28 May 2019 14:55:33 GMT
Received: from xhs-aln-001.cisco.com (173.37.135.118) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 28 May 2019 09:55:32 -0500
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 28 May 2019 09:55:32 -0500
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Tue, 28 May 2019 10:55:31 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Wi0NNpeTV7XF28eBv0ElrsknGkMUd40Wb+Feypz1Bv0=; b=Z9tc8XSctsIwKZMUvtWfDsUwxI2K8XN5+0ncM4XjnQlVMKsitQh3P4fj0u69R7qaylqxRn1gk5xDsOWfpOey7qeqHp/ldDEpen+74MeL2Bpjb/jujx+MwBaM3h5dusgYsSs8VIyq9ZEOrL2V9kJTRk0AWIFPGNWKdVwNsd0EChc=
Received: from BN7PR11MB2547.namprd11.prod.outlook.com (52.135.244.29) by BN7PR11MB2563.namprd11.prod.outlook.com (52.135.244.33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1922.18; Tue, 28 May 2019 14:55:29 +0000
Received: from BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::5463:bad7:8321:766e]) by BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::5463:bad7:8321:766e%6]) with mapi id 15.20.1922.021; Tue, 28 May 2019 14:55:29 +0000
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Russ Housley <housley@vigilsec.com>, "spasm@ietf.org" <spasm@ietf.org>
CC: Tim Hollebeek <tim.hollebeek@digicert.com>
Thread-Topic: [lamps] Support for working on the lightweight CMP profile
Thread-Index: AQHVFKwjCgg4zQvDK0+wrj7gz31+X6aAncgg
Date: Tue, 28 May 2019 14:55:29 +0000
Message-ID: <BN7PR11MB2547D526E00CE7C5DDCDB3E9C91E0@BN7PR11MB2547.namprd11.prod.outlook.com>
References: <AM0PR10MB24028210BCE560C64195A74EFE320@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <AM0PR10MB2402B5BB06E4FB59A8ECB16BFE060@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <AM0PR10MB2402C7C1AAA09EABF047F0CEFE1D0@AM0PR10MB2402.EURPRD10.PROD.OUTLOOK.COM> <29FAEBF1-2D67-469F-BE78-AF58F78D055E@vigilsec.com>
In-Reply-To: <29FAEBF1-2D67-469F-BE78-AF58F78D055E@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pkampana@cisco.com;
x-originating-ip: [173.38.117.76]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 90ab8776-ee73-417e-489b-08d6e37c869c
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:BN7PR11MB2563;
x-ms-traffictypediagnostic: BN7PR11MB2563:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <BN7PR11MB2563B0185F5660AEC31291B9C91E0@BN7PR11MB2563.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 00514A2FE6
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(39860400002)(376002)(396003)(136003)(366004)(199004)(189003)(53754006)(55016002)(7696005)(54896002)(6436002)(26005)(52536014)(316002)(86362001)(81156014)(7736002)(99286004)(446003)(8936002)(478600001)(2906002)(11346002)(9686003)(476003)(102836004)(81166006)(74316002)(236005)(8676002)(68736007)(606006)(186003)(53936002)(966005)(53546011)(486006)(5660300002)(6506007)(229853002)(76176011)(2501003)(790700001)(6116002)(4326008)(3846002)(66066001)(73956011)(76116006)(66946007)(66476007)(66556008)(64756008)(66446008)(25786009)(6306002)(33656002)(14444005)(561944003)(71190400001)(71200400001)(256004)(110136005)(14454004)(6246003); DIR:OUT; SFP:1101; SCL:1; SRVR:BN7PR11MB2563; H:BN7PR11MB2547.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: ShtnNqWqvPCpkGzJn4nu/pMoV2tW98gv7C0Ep5n1Mpk/yBpS09grrqABAuGFA31/4GWbfgJL9Hb/JgrtPvReTwbGmPD8EQ3XSxWAcxKC/Uzkef+aAFnq+pTIdRJZD2pgwzbfcNrV5EWxmDgRCKNWhLNkV8tBp5yO4Se/g8Brv9w3PGPeJtNvAHLBggHg8w/d1LHC5lQpjMZmmUiTVJqlIGbk2rST3zYjMZqmr/2GJOi6kclXWC329bB4K607Tb29O5PEdVS15lYwtXptaH9Apo34ca06tdsa9ncEtS4ITPG4felwzOY+g/Ny2tmAAn5DM2m8rDK1HfQGx9i2rP5pPw8K79bqcvrUo7QjNaO3Xm12rv721XnRoBop3sv2tdqBd2oV0GSUMzAh04tNMHNsjwopJyxMNqss+pj+lBbLfXw=
Content-Type: multipart/alternative; boundary="_000_BN7PR11MB2547D526E00CE7C5DDCDB3E9C91E0BN7PR11MB2547namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 90ab8776-ee73-417e-489b-08d6e37c869c
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 May 2019 14:55:29.1493 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: pkampana@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR11MB2563
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.11, xch-aln-001.cisco.com
X-Outbound-Node: alln-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/dgRgMFhGQ_t9sp-FIDtCYdEOB_w>
Subject: Re: [lamps] Support for working on the lightweight CMP profile
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 May 2019 14:55:39 -0000

Sorry, for insisting. I still have the concern that by adopting this, IETF will continue the trend of endorsing different certificate management protocols and profiles (SCEP, CMPv2, CMC, EST) that mostly do the same things. Specifically for industrial automation we already have SCEP and EST in IE 61850/IEC 62351. OPC UA has its own SDP for the same purposes. Now, we want to add one more (CMP) in the mix for this vertical.

So far I have seen one vendor that is driving this new profile. Two CAs that are interested in CMP in general, but it is not clear if they are interested in this exact profile. And I saw one more vendor that is interested in CMP profiles, but I am not exactly sure if it is for this specific profile either.

Rgs,
Panos


From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Monday, May 27, 2019 12:49 PM
To: spasm@ietf.org
Cc: Tim Hollebeek <tim.hollebeek@digicert.com>
Subject: [lamps] Support for working on the lightweight CMP profile

Hendrik:

I see people speaking on both sides.  So, I am asking a few questions to see if there is enough support...

1) If this work is added to the charter, will you contribute to the document?

2) If this work is added to the charter, will you review to the document?

3) If this document is published as an RFC, will you implement it?

Russ



On May 27, 2019, at 9:03 AM, Brockhaus, Hendrik <hendrik.brockhaus@siemens.com<mailto:hendrik.brockhaus@siemens.com>> wrote:

Hi Russ

Did you have the time to look into my mail below?
I would like to push this topic further forward.

Hendrik

Von: Brockhaus, Hendrik (CT RDA ITS SEA-DE)
Gesendet: Montag, 20. Mai 2019 15:43
An: Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>>
Cc: Fries, Steffen (CT RDA ITS) <steffen.fries@siemens.com<mailto:steffen.fries@siemens.com>>; spasm@ietf.org<mailto:spasm@ietf.org>
Betreff: AW: Proposed Re-Chartering Text for CMP updates and lightweight profile (RE: Follow-up on lightweight CMP profile)

Hi Russ

We discussed my proposal on the mailing list. I feel there is quite some support.
Tomas, Max and Martin supported the activity. There were some questions and concerns from Panos, that I hopefully could clarify.

What is the next step?

Hendrik

Von: Spasm <spasm-bounces@ietf.org<mailto:spasm-bounces@ietf.org>> Im Auftrag von [ext] Brockhaus, Hendrik
Gesendet: Mittwoch, 8. Mai 2019 11:10
An: spasm@ietf.org<mailto:spasm@ietf.org>; Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>>
Cc: Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>>; Fries, Steffen (CT RDA ITS) <steffen.fries@siemens.com<mailto:steffen.fries@siemens.com>>
Betreff: [lamps] Proposed Re-Chartering Text for CMP updates and lightweight profile (RE: Follow-up on lightweight CMP profile)

Hi Russ, all,

as discussed at IETF104 and on this list we would like to spend further work on updating and profiling CMP focusing on industrial use cases.
To get input, feedback and support from LAMPS we propose the following charter text.

As certificate management gets increasingly important in industrial environments, it needs to be tailored to the specific needs. CMP as existing protocol offers a vast range of options. As it is already being applied in industrial environments it needs to be enhanced to more efficiently support of industrial use cases, crypto agility and specific communication relations on the one hand and profiled to the necessary functionality on the other hand to ease application and to better facilitate interoperable implementation.


Hendrik

Von: Russ Housley <housley@vigilsec.com<mailto:housley@vigilsec.com>>
Gesendet: Mittwoch, 8. Mai 2019 02:18
An: Brockhaus, Hendrik (CT RDA ITS SEA-DE) <hendrik.brockhaus@siemens.com<mailto:hendrik.brockhaus@siemens.com>>
Cc: spasm@ietf.org<mailto:spasm@ietf.org>; Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>>; Fries, Steffen (CT RDA ITS) <steffen.fries@siemens.com<mailto:steffen.fries@siemens..com>>
Betreff: Re: [lamps] Follow-up on lightweight CMP profile

Hendrik:

The current re-charter is about two weeks away.  You would need to propose text for the charter on this list, and see if there are people that will review and implement.

Russ


On May 3, 2019, at 4:52 AM, Brockhaus, Hendrik <hendrik.brockhaus@siemens.com<mailto:hendrik.brockhaus@siemens.com>> wrote:

Hi all

Referring to the Email thread 'Seeking guidance on proceeding with question from IETF-104 presentation on lightweight CMP profile' and to the outcome of the WG meeting, we want to summarize the current state of the discussion.
The discussion we had with Jim motivate a split of the current draft into a CMP Updates and a CMP Profile document. The update of CMP is needed because we identified at least two point where a change to CMP is needed:
- Change the type of encryptedCert from EncryptedValue to EncryptedKey for ECC and post-quantum algorithm support
- Extend the RootCAUpdate announcement message to e request/response message to enable requesting the update from the client side
The remaining points from the initial email were seen as profiling topic and would therefore be handled in the CMP Profile document...

@Russ, how do you see the status of the current re-chartering process? Would you support to add both, or at least the CMP Updates, activities under the revised charter?

- Hendrik
_______________________________________________
Spasm mailing list
Spasm@ietf.org<mailto:Spasm@ietf.org>
https://www.ietf.org/mailman/listinfo/spasm<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fspasm&data=02%7C01%7Chendrik.brockhaus%40siemens.com%7C743e39b041d4476e826a08d6d3950ad8%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C636929034414755277&sdata=PxGWfXa6%2FzuG2Pi844eXybqzfxwjQf0FAsc2YtDEYiM%3D&reserved=0>

_______________________________________________
Spasm mailing list
Spasm@ietf.org<mailto:Spasm@ietf.org>
https://www.ietf.org/mailman/listinfo/spasm