Re: [wpkops] [pkix] X.509 whitelist proposal

"Erik Andersen" <> Wed, 06 August 2014 09:19 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 3F1DD1B2CF4 for <>; Wed, 6 Aug 2014 02:19:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.51
X-Spam-Status: No, score=0.51 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, HELO_EQ_DK=1.009, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WkobgIcPT0ff for <>; Wed, 6 Aug 2014 02:19:46 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9DDF31B2CEC for <>; Wed, 6 Aug 2014 02:19:45 -0700 (PDT)
Received: from Morten ([]) by (DanDomain Mailserver) with ASMTP id 3201408061119412059; Wed, 06 Aug 2014 11:19:41 +0200
From: "Erik Andersen" <>
To: "'Sill, Alan'" <>
References: <000b01cfa1bc$b6872ef0$23958cd0$> <> <>
In-Reply-To: <>
Date: Wed, 6 Aug 2014 11:19:42 +0200
Message-ID: <003001cfb157$8e82c680$ab885380$>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0031_01CFB168.52102A60"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQFen6BH0OQwBY9AWxzuVVIZFItMGQHZLJJdAhs4DJychcg2kA==
Content-Language: da
Subject: Re: [wpkops] [pkix] X.509 whitelist proposal
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 06 Aug 2014 09:19:50 -0000

Hi Alan,


Thanks for your comments. My proposal is a very initial proposal. I was just
eager to see reaction to the general approach.


I has primarily been concerned with the case where a RP only have 1-2 ms to
validate a received a PDU, meaning that the validation has to happen a
thousand times faster than in a traditional Web environment.


I will be very happy to receive some of the solutions you have seen work in
practice. I am always open to new ideas.


Kind regards,




Fra: Sill, Alan [] 
Sendt: 31. juli 2014 23:17
Til: Erik Andersen
Cc: Sill, Alan;;;;
Emne: Re: [pkix] X.509 whitelist proposal




With the desire to wind this discussion back to its actual content and avoid
for the present further discussion of procedures, let me say that the use
case proposed is a familiar one in the world of extended use of PKI as an
authentication piece of access control systems in distributed infrastructure


The solution invariably is to implement a separate authorization layer that
can work with the existing certificate infrastructure, which is out or scope
as a work item for any of the proposed groups.


My personal belief is that this is not worth pursuing in its present form. I
would be happy, off-list or on an individual basis, to pass on some of the
solutions that I have seen work in practice in distributed computational,
storage and other related control settings, some of which can be achieved
within the existing X.509 settings through the use, for example, of time
limited or otherwise membership-limited extended attribute certificates.


My suggestion, with great respect and due deference to its proposers, is to
drop the referenced proposal until exploration of appropriate authorization
technologies has been done and again offer to have that discussion off these
lists or on a different one.


Alan Sill, TTU

VP of Standards, Open Grid Forum


On Jul 18, 2014, at 12:49 AM, Tony Rutkowski <
<> > wrote:

Hi Steve,

The note below was distributed earlier on the ITU-T SG17
sub-group Q11/17 list by the group's rapporteur.  It might
be useful to gauge industry reaction in IETF and CA/B
Forum venues.

Note that although the document appears on an ITU-T
template, it has not been submitted.   In addition, although
the source is indicated as "Denmark," it is not apparent
that the source is any other than than the rapporteur 
himself, who is identified as the contact.  Lastly, although
the note asserts that "IEC TC57 WG15 (smart grid 
security) has requested the inclusion of whitelist 
support in X.509," there is no apparent liaison to
this effect.


-------- Original Message -------- 


[T17Q11] X.509 whitelist support


Thu, 17 Jul 2014 14:43:30 +0200


Erik Andersen  <> <>


Directory list  <>
<>rg>, SG17-Q11  <>


SG17-Q10  <> <>


IEC TC57 WG15 (smart grid security) has requested the inclusion of whitelist
support in X.509. A preliminary proposal for such a feature may be found as


The feature may in some way be combined with the trust broker concept, which
probably will involve a number of changes.


As it is quite important that we have workable solution, any comment is
welcome. I hope you will find the time to review the proposal before it is
submitted to ITU-T.


Kind regards,




pkix mailing list