Re: [wpkops] [T17Q11] SV: [pkix] X.509 whitelist proposal

"Erik Andersen" <> Thu, 24 July 2014 14:40 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id B56D91A031B for <>; Thu, 24 Jul 2014 07:40:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.891
X-Spam-Status: No, score=-0.891 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DK=1.009, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NzWxM-CsqtZK for <>; Thu, 24 Jul 2014 07:40:31 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 902841A032A for <>; Thu, 24 Jul 2014 07:40:30 -0700 (PDT)
Received: from Morten ([]) by (DanDomain Mailserver) with ASMTP id 3201407241640268346 for <>; Thu, 24 Jul 2014 16:40:26 +0200
From: "Erik Andersen" <>
To: <>
References: <000b01cfa1bc$b6872ef0$23958cd0$> <> <003301cfa26b$039c77a0$0ad566e0$> <> <002501cfa286$53ffbca0$fbff35e0$> <> <003a01cfa294$ab8c1e60$02a45b20$> <>
In-Reply-To: <>
Date: Thu, 24 Jul 2014 16:40:22 +0200
Message-ID: <001d01cfa74d$359d85f0$a0d891d0$>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Content-language: da
Thread-Index: AQFen6BH0OQwBY9AWxzuVVIZFItMGQHZLJJdArd3qkcCry54RQJ0HGyjAbKhHwYByXqYIQDt5HD8nCBrg3A=
Subject: Re: [wpkops] [T17Q11] SV: [pkix] X.509 whitelist proposal
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 24 Jul 2014 14:40:34 -0000

Hi Max,

Thank you very much. I will follow your advice.

Kind regards,


-----Oprindelig meddelelse-----
Fra: wpkops [] På vegne af Massimiliano Pala
Sendt: 24. juli 2014 16:26
Emne: Re: [wpkops] [T17Q11] SV: [pkix] X.509 whitelist proposal

Hi Erik, all,

At first glance (very clear), It seems to me that this proposal is in between SCVP (that might be a bit complicated to implement in small SCADA devices) (RFC 5055), TAMP (RFC 5934), and CMC
(id-cmc-trustedAnchors) (RFC 5272 - Section 6.15 / RFC 6402) messages.

I would suggest you look into those those options as well.


On 7/18/14, 10:29 AM, Erik Andersen wrote:
> Hi Phillip,
> Thanks for your comment. I will certainly look at SCVP.
> I expect the proposal will primarily be picked-up by companies working on smart grid support not too biased by old thinking.
> The (smart) grid uses the SCADA (Supervisory Control And Data Acquisition) protocols, a very large set of protocol standards. These standards are developed by IEC TC57  and being implemented all over the world. We have several SCADA experts even in a small country like Denmark. WG15 of IEC TC57 is working on Smart Grid security and is working closely with ITU-T Study Group 17 to extend X.509 to cover their needs.
> To answer your question. Software support for PKI adapted to Smart Grid will most likely be provided by those developing SCADA. Siemens could be a major player. At least they have a heavy interest in the matter. It could be big business. Even in a small country like Denmark, there will be millions of communicating entities, including smart meters, heat pumps, solar cells, load stations for cars, substations, wind turbines, power stations, etc.
> Smart Grid will be a prime target for terrorist attacks. Whether we can provide the necessary security, time will show.
> We also see a need for machine readable certificate policies. As an example, currently X.509 (and 5280) says that an unsupported non-critical extension shall be ignored by the RP. That is not good enough, but that is how browsers work.
> Kind regards,
> Erik
> -----Oprindelig meddelelse-----
> Fra: [] På vegne af Phillip 
> Hallam-Baker
> Sendt: 18. juli 2014 15:22
> Til: Erik Andersen
> Cc: Tony Rutkowski;; Stephen Farrell; 
>; Directory list;; SG17-Q11
> Emne: Re: [wpkops] [T17Q11] SV: [pkix] X.509 whitelist proposal
> Hmm, what are you trying to achieve here. Are you trying to develop a standard that is likely to be adopted and used by Microsoft, IBM, Google and the CA industry or are you trying to get ITU imprimatur for something that is already developed?
> If it is the first then I can't see any likelihood that an ITU 
> publication would help in the slightest. The mainstream IT industry is 
> adamant that communications standards have to be open standards. And 
> paying for a standard completely kills it dead. So does use of ASN.1
> IETF does already have SCVP which has many of the features you propose and W3C did XKMS back in the day. These days however the trend is for JSON.
> I have a proposal for a 'broker' type scheme that is a bit more general than the one you propose. Rather than being a broker for just PKI information, the broker is potentially a one stop shop for all the information that a client might need to connect to another network entity or validate a connection request.
> has links to the papers which are the OmniQuery and OmniPublish Web Services.
> On Fri, Jul 18, 2014 at 8:46 AM, Erik Andersen <> wrote:
>> Hi Tony,
>> I have no intention to submit a contribution without the permission 
>> from the Danish ministry. I would be killed.  Before I can submit it, 
>> it has to be approved by two different Danish authorities. The 
>> agreement is that I first distribute it among experts to get any 
>> constructive comments that could improve the proposal before getting 
>> it through the approval process within Denmark.
>> One use case is as follows:
>> An electrical substation (e.g. transformation) has many 
>> interconnected entities. One of these entities is the contact to the outside world.
>> If something happens within the substation, the situation has to be 
>> detected, commands have to be sent to other entities that that have 
>> to process the command and react to the commands. All this must 
>> happens within 10 ms. False commands would be disastrous in this 
>> environment, so authentication is necessary, but there is no time to 
>> validate a long certification path, to consult OCSP, etc. It is an 
>> environment very different from a browser environment and old solutions do not work here.
>> Kind regards,
>> Erik
>> Fra: Tony Rutkowski []
>> Sendt: 18. juli 2014 14:11
>> Til: Erik Andersen;;
>> Cc:;; SG17-Q11
>> Emne: Re: [T17Q11] SV: [pkix] X.509 whitelist proposal
>> Hi Erik,
>> You have been participating long enough in the ITU-T to know that it 
>> is an intergovernmental body, and one cannot simply create a 
>> contribution using a Member nation's name - even if you are a citizen
>> - because you don't like the "red tape."  It is the Danish 
>> Administration - the Ministry of Business and Growth - that gets to 
>> make submissions for Denmark, not you.
>> Denmark ten years ago reduced its ITU financial contribution by more 
>> than a half, and has not submitted a document into the ITU-T since at 
>> least 2001.  It thus seems unlikely this will occur.
>> You now say that "the proposal has been submitted to that group [IEC
>> TC57 WG15} for comments," whereas your previous message said it "has 
>> requested the inclusion of whitelist support in X.509."
>> I don't mean to be harsh or difficult here, but your proposal is far 
>> reaching with profound effects on X.509/PKI communities and 
>> implementations.  This material also appears to be your own personal 
>> proposal with no other apparent support.  You should be proceeding to 
>> get reactions and support from others on your ideas before 
>> attributing them to a Member State or using your position as Q11/17 
>> rapporteur to advance them.
>> --tony
>> On 2014-07-18 5:31 AM, Erik Andersen wrote:
>> There is some pressure by the major electricity company
>> (  to make me the Danish 
>> Member representative in ITU-T SG17. It takes a lot of red tape. I am 
>> also active in IEC TC57 WG15. As I mentioned, the proposal has been 
>> submitted to that group for comments.
>> _______________________________________________
>> wpkops mailing list
> _______________________________________________
> wpkops mailing list

wpkops mailing list