Re: [wpkops] [T17Q11] SV: [pkix] X.509 whitelist proposal

Phillip Hallam-Baker <> Fri, 18 July 2014 13:21 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 7C1521A0322; Fri, 18 Jul 2014 06:21:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JUn9-YRdQbzG; Fri, 18 Jul 2014 06:21:47 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c00::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6E5151A01DC; Fri, 18 Jul 2014 06:21:47 -0700 (PDT)
Received: by with SMTP id k14so3427586wgh.20 for <multiple recipients>; Fri, 18 Jul 2014 06:21:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=cRXhPT8oVayclC1oLbo6sesObaLVr+eRRPXwbdzN+RQ=; b=gBn4cWdLZoS0FDtV3KgaLnbx4qwV1/2nzOtu0nipW/r3/duI+E+zCTix0aYlPnSuGq paqDEzFPdrY94LCLwk5OSDL9RqjApiiQkI77m6ZghSN8CSf+cd/NMmzGClvDTZWM4pES cj6i1GZbYJpmyMHSZ9YxgfwC7Cj1ETO9UuAFEXwF6VAusAGklxITK2f9X+q0oOklfp58 VOiHXeYWJmeH0DVAWpAcFyRgyn9uLabidB6i8TyROvaTjljloni87gcnBMyHuVzY3rh2 +XFzuuyUrvilBlSHpJtN1zL6hUJFjlU27ruSpXdnoGncpv4dmGIcMntnFPGe/R9Dg1Nf WoKg==
MIME-Version: 1.0
X-Received: by with SMTP id gb10mr29791835wib.65.1405689705999; Fri, 18 Jul 2014 06:21:45 -0700 (PDT)
Received: by with HTTP; Fri, 18 Jul 2014 06:21:45 -0700 (PDT)
In-Reply-To: <002501cfa286$53ffbca0$fbff35e0$>
References: <000b01cfa1bc$b6872ef0$23958cd0$> <> <003301cfa26b$039c77a0$0ad566e0$> <> <002501cfa286$53ffbca0$fbff35e0$>
Date: Fri, 18 Jul 2014 09:21:45 -0400
X-Google-Sender-Auth: oR0QW2-wHqZSANqwwk8PMPlCtYE
Message-ID: <>
From: Phillip Hallam-Baker <>
To: Erik Andersen <>
Content-Type: text/plain; charset=UTF-8
Cc: "" <>,, SG17-Q11 <>, Directory list <>, "" <>, Tony Rutkowski <>, Stephen Farrell <>
Subject: Re: [wpkops] [T17Q11] SV: [pkix] X.509 whitelist proposal
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 18 Jul 2014 13:21:49 -0000

Hmm, what are you trying to achieve here. Are you trying to develop a
standard that is likely to be adopted and used by Microsoft, IBM,
Google and the CA industry or are you trying to get ITU imprimatur for
something that is already developed?

If it is the first then I can't see any likelihood that an ITU
publication would help in the slightest. The mainstream IT industry is
adamant that communications standards have to be open standards. And
paying for a standard completely kills it dead. So does use of ASN.1

IETF does already have SCVP which has many of the features you propose
and W3C did XKMS back in the day. These days however the trend is for

I have a proposal for a 'broker' type scheme that is a bit more
general than the one you propose. Rather than being a broker for just
PKI information, the broker is potentially a one stop shop for all the
information that a client might need to connect to another network
entity or validate a connection request. has links to the papers which are the OmniQuery
and OmniPublish Web Services.

On Fri, Jul 18, 2014 at 8:46 AM, Erik Andersen <> wrote:
> Hi Tony,
> I have no intention to submit a contribution without the permission from the
> Danish ministry. I would be killed.  Before I can submit it, it has to be
> approved by two different Danish authorities. The agreement is that I first
> distribute it among experts to get any constructive comments that could
> improve the proposal before getting it through the approval process within
> Denmark.
> One use case is as follows:
> An electrical substation (e.g. transformation) has many interconnected
> entities. One of these entities is the contact to the outside world. If
> something happens within the substation, the situation has to be detected,
> commands have to be sent to other entities that that have to process the
> command and react to the commands. All this must happens within 10 ms. False
> commands would be disastrous in this environment, so authentication is
> necessary, but there is no time to validate a long certification path, to
> consult OCSP, etc. It is an environment very different from a browser
> environment and old solutions do not work here.
> Kind regards,
> Erik
> Fra: Tony Rutkowski []
> Sendt: 18. juli 2014 14:11
> Til: Erik Andersen;;
> Cc:;; SG17-Q11
> Emne: Re: [T17Q11] SV: [pkix] X.509 whitelist proposal
> Hi Erik,
> You have been participating long enough in the ITU-T
> to know that it is an intergovernmental body, and one
> cannot simply create a contribution using a Member
> nation's name - even if you are a citizen - because
> you don't like the "red tape."  It is the Danish
> Administration - the Ministry of Business and
> Growth - that gets to make submissions for
> Denmark, not you.
> Denmark ten years ago reduced its ITU financial
> contribution by more than a half, and has not
> submitted a document into the ITU-T since at
> least 2001.  It thus seems unlikely this will occur.
> You now say that "the proposal has been submitted
> to that group [IEC TC57 WG15} for comments," whereas
> your previous message said it "has requested the
> inclusion of whitelist support in X.509."
> I don't mean to be harsh or difficult here, but your
> proposal is far reaching with profound effects on
> X.509/PKI communities and implementations.  This
> material also appears to be your own personal
> proposal with no other apparent support.  You
> should be proceeding to get reactions and support
> from others on your ideas before attributing them
> to a Member State or using your position as Q11/17
> rapporteur to advance them.
> --tony
> On 2014-07-18 5:31 AM, Erik Andersen wrote:
> There is some pressure by the major electricity company
> (  to make me the Danish Member
> representative in ITU-T SG17. It takes a lot of red tape. I am also active
> in IEC TC57 WG15. As I mentioned, the proposal has been submitted to that
> group for comments.
> _______________________________________________
> wpkops mailing list