Re: [wpkops] [T17Q11] SV: [pkix] X.509 whitelist proposal

"Erik Andersen" <> Fri, 18 July 2014 14:29 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 9F4F61A0AEE for <>; Fri, 18 Jul 2014 07:29:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.891
X-Spam-Status: No, score=-0.891 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DK=1.009, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id EGSJ9453MMai for <>; Fri, 18 Jul 2014 07:29:28 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8D73C1A045B for <>; Fri, 18 Jul 2014 07:29:27 -0700 (PDT)
Received: from Morten ([]) by (DanDomain Mailserver) with ASMTP id 4201407181629235290; Fri, 18 Jul 2014 16:29:23 +0200
From: "Erik Andersen" <>
To: "'Phillip Hallam-Baker'" <>
References: <000b01cfa1bc$b6872ef0$23958cd0$> <> <003301cfa26b$039c77a0$0ad566e0$> <> <002501cfa286$53ffbca0$fbff35e0$> <>
In-Reply-To: <>
Date: Fri, 18 Jul 2014 16:29:22 +0200
Message-ID: <003a01cfa294$ab8c1e60$02a45b20$>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQFen6BH0OQwBY9AWxzuVVIZFItMGQHZLJJdArd3qkcCry54RQJ0HGyjAbKhHwacLKgyoA==
Content-Language: da
Cc: 'SG17-Q11' <>,,, 'Directory list' <>
Subject: Re: [wpkops] [T17Q11] SV: [pkix] X.509 whitelist proposal
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 18 Jul 2014 14:29:29 -0000

Hi Phillip,

Thanks for your comment. I will certainly look at SCVP.

I expect the proposal will primarily be picked-up by companies working on smart grid support not too biased by old thinking.

The (smart) grid uses the SCADA (Supervisory Control And Data Acquisition) protocols, a very large set of protocol standards. These standards are developed by IEC TC57  and being implemented all over the world. We have several SCADA experts even in a small country like Denmark. WG15 of IEC TC57 is working on Smart Grid security and is working closely with ITU-T Study Group 17 to extend X.509 to cover their needs.

To answer your question. Software support for PKI adapted to Smart Grid will most likely be provided by those developing SCADA. Siemens could be a major player. At least they have a heavy interest in the matter. It could be big business. Even in a small country like Denmark, there will be millions of communicating entities, including smart meters, heat pumps, solar cells, load stations for cars, substations, wind turbines, power stations, etc. 

Smart Grid will be a prime target for terrorist attacks. Whether we can provide the necessary security, time will show.

We also see a need for machine readable certificate policies. As an example, currently X.509 (and 5280) says that an unsupported non-critical extension shall be ignored by the RP. That is not good enough, but that is how browsers work.

Kind regards,


-----Oprindelig meddelelse-----
Fra: [] På vegne af Phillip Hallam-Baker
Sendt: 18. juli 2014 15:22
Til: Erik Andersen
Cc: Tony Rutkowski;; Stephen Farrell;; Directory list;; SG17-Q11
Emne: Re: [wpkops] [T17Q11] SV: [pkix] X.509 whitelist proposal

Hmm, what are you trying to achieve here. Are you trying to develop a standard that is likely to be adopted and used by Microsoft, IBM, Google and the CA industry or are you trying to get ITU imprimatur for something that is already developed?

If it is the first then I can't see any likelihood that an ITU publication would help in the slightest. The mainstream IT industry is adamant that communications standards have to be open standards. And paying for a standard completely kills it dead. So does use of ASN.1

IETF does already have SCVP which has many of the features you propose and W3C did XKMS back in the day. These days however the trend is for JSON.

I have a proposal for a 'broker' type scheme that is a bit more general than the one you propose. Rather than being a broker for just PKI information, the broker is potentially a one stop shop for all the information that a client might need to connect to another network entity or validate a connection request. has links to the papers which are the OmniQuery and OmniPublish Web Services.

On Fri, Jul 18, 2014 at 8:46 AM, Erik Andersen <> wrote:
> Hi Tony,
> I have no intention to submit a contribution without the permission 
> from the Danish ministry. I would be killed.  Before I can submit it, 
> it has to be approved by two different Danish authorities. The 
> agreement is that I first distribute it among experts to get any 
> constructive comments that could improve the proposal before getting 
> it through the approval process within Denmark.
> One use case is as follows:
> An electrical substation (e.g. transformation) has many interconnected 
> entities. One of these entities is the contact to the outside world. 
> If something happens within the substation, the situation has to be 
> detected, commands have to be sent to other entities that that have to 
> process the command and react to the commands. All this must happens 
> within 10 ms. False commands would be disastrous in this environment, 
> so authentication is necessary, but there is no time to validate a 
> long certification path, to consult OCSP, etc. It is an environment 
> very different from a browser environment and old solutions do not work here.
> Kind regards,
> Erik
> Fra: Tony Rutkowski []
> Sendt: 18. juli 2014 14:11
> Til: Erik Andersen;;
> Cc:;; SG17-Q11
> Emne: Re: [T17Q11] SV: [pkix] X.509 whitelist proposal
> Hi Erik,
> You have been participating long enough in the ITU-T to know that it 
> is an intergovernmental body, and one cannot simply create a 
> contribution using a Member nation's name - even if you are a citizen 
> - because you don't like the "red tape."  It is the Danish 
> Administration - the Ministry of Business and Growth - that gets to 
> make submissions for Denmark, not you.
> Denmark ten years ago reduced its ITU financial contribution by more 
> than a half, and has not submitted a document into the ITU-T since at 
> least 2001.  It thus seems unlikely this will occur.
> You now say that "the proposal has been submitted to that group [IEC 
> TC57 WG15} for comments," whereas your previous message said it "has 
> requested the inclusion of whitelist support in X.509."
> I don't mean to be harsh or difficult here, but your proposal is far 
> reaching with profound effects on X.509/PKI communities and 
> implementations.  This material also appears to be your own personal 
> proposal with no other apparent support.  You should be proceeding to 
> get reactions and support from others on your ideas before attributing 
> them to a Member State or using your position as Q11/17 rapporteur to 
> advance them.
> --tony
> On 2014-07-18 5:31 AM, Erik Andersen wrote:
> There is some pressure by the major electricity company
> (  to make me the Danish 
> Member representative in ITU-T SG17. It takes a lot of red tape. I am 
> also active in IEC TC57 WG15. As I mentioned, the proposal has been 
> submitted to that group for comments.
> _______________________________________________
> wpkops mailing list