Re: [wpkops] [pkix] X.509 whitelist proposal
"Erik Andersen" <era@x500.eu> Wed, 06 August 2014 09:19 UTC
From: Erik Andersen <era@x500.eu>
To: "'Sill, Alan'" <alan.sill@ttu.edu>
References: <000b01cfa1bc$b6872ef0$23958cd0$@x500.eu> <53C85314.3040102@yaanatech.com> <42131021-11E3-4806-9C05-0D6F40190A1C@ttu.edu>
In-Reply-To: <42131021-11E3-4806-9C05-0D6F40190A1C@ttu.edu>
Date: Wed, 06 Aug 2014 11:19:42 +0200
Message-ID: <003001cfb157$8e82c680$ab885380$@x500.eu>
Archived-At: http://mailarchive.ietf.org/arch/msg/wpkops/uLsWIbk5AfhvKvd1B5JjLsmIxxE
Cc: pkix@ietf.org, wpkops@ietf.org, tony@yaanatech.com, stephen.farrell@cs.tcd.ie
Subject: Re: [wpkops] [pkix] X.509 whitelist proposal
Hi Alan,

Thanks for your comments. My proposal is a very initial proposal. I was just eager to see reaction to the general approach. I have primarily been concerned with the case where an RP only has 1-2 ms to validate a received PDU, meaning that the validation has to happen a thousand times faster than in a traditional Web environment. I will be very happy to receive some of the solutions you have seen work in practice. I am always open to new ideas.

Kind regards,

Erik

From: Sill, Alan [mailto:alan.sill@ttu.edu]
Sent: 31 July 2014 23:17
To: Erik Andersen
Cc: Sill, Alan; stephen.farrell@cs.tcd.ie; pkix@ietf.org; wpkops@ietf.org; tony@yaanatech.com
Subject: Re: [pkix] X.509 whitelist proposal

Erik,

With the desire to wind this discussion back to its actual content and avoid for the present further discussion of procedures, let me say that the use case proposed is a familiar one in the world of extended use of PKI as an authentication piece of access control systems in distributed infrastructure environments. The solution invariably is to implement a separate authorization layer that can work with the existing certificate infrastructure, which is out of scope as a work item for any of the proposed groups. My personal belief is that this is not worth pursuing in its present form.

I would be happy, off-list or on an individual basis, to pass on some of the solutions that I have seen work in practice in distributed computational, storage and other related control settings, some of which can be achieved within the existing X.509 settings through the use, for example, of time limited or otherwise membership-limited extended attribute certificates.

My suggestion, with great respect and due deference to its proposers, is to drop the referenced proposal until exploration of appropriate authorization technologies has been done and again offer to have that discussion off these lists or on a different one.
Alan Sill, TTU VP of Standards, Open Grid Forum

On Jul 18, 2014, at 12:49 AM, Tony Rutkowski <tony@yaanatech.com> wrote:

Hi Steve,

The note below was distributed earlier on the ITU-T SG17 sub-group Q11/17 list by the group's rapporteur. It might be useful to gauge industry reaction in IETF and CA/B Forum venues. Note that although the document appears on an ITU-T template, it has not been submitted. In addition, although the source is indicated as "Denmark," it is not apparent that the source is any other than the rapporteur himself, who is identified as the contact. Lastly, although the note asserts that "IEC TC57 WG15 (smart grid security) has requested the inclusion of whitelist support in X.509," there is no apparent liaison to this effect.

--tony

-------- Original Message --------
Subject: [T17Q11] X.509 whitelist support
Date: Thu, 17 Jul 2014 14:43:30 +0200
From: Erik Andersen <era@x500.eu>
To: Directory list <x500standard@freelists.org>, SG17-Q11 <T13sg17q11@lists.itu.int>
CC: SG17-Q10 <t13sg17q10@lists.itu.int>

IEC TC57 WG15 (smart grid security) has requested the inclusion of whitelist support in X.509. A preliminary proposal for such a feature may be found at http://www.x500standard.com/uploads/extensions/whitelistInX509.pdf

The feature may in some way be combined with the trust broker concept, which probably will involve a number of changes. As it is quite important that we have a workable solution, any comment is welcome. I hope you will find the time to review the proposal before it is submitted to ITU-T.

Kind regards,

Erik

<whitelistInX509.pdf>

_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix