Re: [wpkops] [T17Q11] SV: [pkix] X.509 whitelist proposal

"Erik Andersen" <> Fri, 18 July 2014 12:46 UTC


Hi Tony,


I have no intention to submit a contribution without the permission from the
Danish ministry. I would be killed.  Before I can submit it, it has to be
approved by two different Danish authorities. The agreement is that I first
distribute it among experts to get any constructive comments that could
improve the proposal before getting it through the approval process within


One use case is as follows:


An electrical substation (e.g. transformation) has many interconnected
entities. One of these entities is the contact to the outside world. If
something happens within the substation, the situation has to be detected,
commands have to be sent to other entities that have to process the
command and react to the commands. All this must happen within 10 ms. False
commands would be disastrous in this environment, so authentication is
necessary, but there is no time to validate a long certification path, to
consult OCSP, etc. It is an environment very different from a browser
environment and old solutions do not work here.


Kind regards,




From: Tony Rutkowski [] 
Sent: 18 July 2014 14:11
To: Erik Andersen;;
Cc:;; SG17-Q11
Subject: Re: [T17Q11] SV: [pkix] X.509 whitelist proposal


Hi Erik,

You have been participating long enough in the ITU-T
to know that it is an intergovernmental body, and one
cannot simply create a contribution using a Member
nation's name - even if you are a citizen - because 
you don't like the "red tape."  It is the Danish 
Administration - the Ministry of Business and 
Growth - that gets to make submissions for 
Denmark, not you.

Denmark ten years ago reduced its ITU financial
contribution by more than a half, and has not
submitted a document into the ITU-T since at
least 2001.  It thus seems unlikely this will occur.

You now say that "the proposal has been submitted
to that group [IEC TC57 WG15] for comments," whereas
your previous message said it "has requested the
inclusion of whitelist support in X.509."

I don't mean to be harsh or difficult here, but your
proposal is far reaching with profound effects on
X.509/PKI communities and implementations.  This 
material also appears to be your own personal 
proposal with no other apparent support.  You 
should be proceeding to get reactions and support
from others on your ideas before attributing them
to a Member State or using your position as Q11/17
rapporteur to advance them.


On 2014-07-18 5:31 AM, Erik Andersen wrote:

There is some pressure by the major electricity company
(  to make me the Danish Member
representative in ITU-T SG17. It takes a lot of red tape. I am also active
in IEC TC57 WG15. As I mentioned, the proposal has been submitted to that
group for comments.