Re: [lamps] Seeking guidance on proceeding with question from IETF-104 presentation on lightweight CMP profile

Jim Schaad <> Tue, 02 April 2019 18:57 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A3CE21201A9 for <>; Tue, 2 Apr 2019 11:57:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id CSO16vam6kar for <>; Tue, 2 Apr 2019 11:57:53 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B854E1201BA for <>; Tue, 2 Apr 2019 11:57:46 -0700 (PDT)
Received: from Jude ( by ( with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 2 Apr 2019 11:57:36 -0700
From: Jim Schaad <>
To: "'Fries, Steffen'" <>, <>
References: <>
In-Reply-To: <>
Date: Tue, 2 Apr 2019 11:57:30 -0700
Message-ID: <027301d4e985$efd03970$cf70ac50$>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQEHESUWYxk/kOgyMDAiu0FwMkKFA6fE3rog
Content-Language: en-us
X-Originating-IP: []
Archived-At: <>
Subject: Re: [lamps] Seeking guidance on proceeding with question from IETF-104 presentation on lightweight CMP profile
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Apr 2019 18:57:56 -0000

This is a quick walk through what you have below.  It would have been
helpful to have pointers to the sections/bullet points where things are
meant to be modified.

> -----Original Message-----
> From: Spasm <> On Behalf Of Fries, Steffen
> Sent: Monday, April 1, 2019 10:12 PM
> To:
> Subject: [lamps] Seeking guidance on proceeding with question from IETF-
> 104 presentation on lightweight CMP profile
> Hi,
> during the LAMPS session in IETF-104 we presented a draft for a
> industrial CMP profile. The document as such bases on CMP and targets to
> simplify the very versatile CMP.
> During the presentation we have been asked to also talk to the ACE WG
> regarding potential interest in this work, as it was not sure if LAMPS is
> right home. I talked to Jim Schaad and as we only work on CMP directly,
> with the transport nor specific considerations for constraint devices, ACE
> not be the right home. Also, Jim was asking if the draft needs to be a
> standards track RFC and thus be adopted in a WG. An alternative approach
> could also be an independent submission. To make this decision, we need
> some guidance.
> For this, let me enumerate the main points we addressed in the draft:
> - Generally Section 1.4 enlists the exceptions from the mandatory CMP
> Profile as defined in RFC4210 Appendix D:
>  o  signature-based protection is the default protection; initial
transactions may also use HMAC,  

Depending on what is being proven this is reasonable.  I would consider this
to be profiling

> o  certification of a second key pair within the same transaction is not

I would consider this to be profiling

> o  proof-of-possession (POPO) with self-signature of the certTemplate
according to [RFC4211] section 4.1 clause 3 is the only supported POPO

I would consider this to be profiling

> o  confirmation of newly enrolled certificates may be omitted, and

I would consider this to be profiling

> o  all transactions consist of request-response message pairs originating
at the end entity (EE), i.e.,  announcement messages are omitted.

I would consider this to be profiling

> - In section 4.1.5 the proceeding of central key generation needed
> extensions at least for ECC key pairs.

Not sure what you think falls here and the document is not forth coming.
This may have already been done.

> - In section 4.4.1 the RootCAUpdate is specified as request-response
> transaction and differs from the announcement message as specified in
> RFC4210 section 4.4 and Appendix E.

Depending on how this is done, it will require an update of RFC 4211.  I
believe that this means it must be an IETF consensus document and may need
to be standards track.

> - In section 5 the new Extended Key Usages id-kp-cmpRA is introduced to
> indicate that a key pair is entitled to be used by an LRA/RA for
> based protection of a CMP message.

This can be considered to be a profile.

> - Generally further topics to clarify CMP or CRMF may come up during WG
> review.
> Based on this list, are these point to be handled as profiling of the base
> protocol or are they rather seen as technical change/enhancement?
> My understanding is that for profiling an independent RFC would be fine,
> the base spec can be normatively referenced by other standards. In this
> the CMP profile document can be informational.
> If some of the points listed qualify rather for technical changes of the
> protocol, my understanding is that we need to find a home for the draft
> target the standard track. @Jim, I hope my conclusion based on our
> conversation is right.
> Regarding interest in the resulting RFC there is work ongoing in ANIMA WG
> and EAP WG, that can directly leverage the lightweight CMP.

Have either of these groups expressed any active interest in this work?
This is not something that EAP would normally be looking at as far as I know
as they normally consider the act of setting up the EAP credentials to be a
"Not My Problem" space.  


> In either case your view is appreciated.
> Best regards
> Steffen
> _______________________________________________
> Spasm mailing list