[pkix] Token Provisioning versus Certificate Enrollment

Anders Rundgren <anders.rundgren@telia.com> Thu, 25 August 2011 20:04 UTC

Message-ID: <4E56AAFD.3030405@telia.com>
To: "pkix@ietf.org" <pkix@ietf.org>
In-Reply-To: <3712DF46-D370-4024-9C0D-FF7CF80487A3@cisco.com>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>

In the hope of shedding some light on enrollment protocols, the following may be of some interest.

KeyGen2 is NOT a Certificate Enrollment protocol; it is a Token (cryptographic module) Provisioning protocol.

Unlike Certificate Enrollment, which essentially only requires a request-response pair where the response (certificate) can be securely derived from the request, Token Provisioning usually needs additional
steps BEFORE and AFTER the core message exchange as well.

Also in contrast to Certificate Enrollment protocols, Token Provisioning ALWAYS targets a specific token container.
If SECURE Token Provisioning is to be performed by remote users over the Internet, E2ES (end-to-end security) MUST be enforced, and preferably throughout the ENTIRE process.

Since E2ES cannot be abstracted, a prerequisite is that the issuer and token speak the same language.
This obviously thickens the plot considerably unless you also standardize the token (with respect to provisioning, NB), which was the sole motivation behind KeyGen2's alter ego, the SKS.

KeyGen2/SKS, similarly to GlobalPlatform, relies on a very lightweight security mechanism based on session keys and a two-level client where the provisioning middleware does the "heavy lifting"
and handles user interactions, while the token EXCLUSIVELY deals with low-level E2ES-centric operations.

Token Provisioning in browsers is currently entirely based on third-party proprietary and mostly secret "plugins".

Anders Rundgren
http://webpki.org/auth-token-4-the-cloud.html
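As an added illustration (not part of the message above, and not KeyGen2/SKS or GlobalPlatform code), the Python below models the session-key, two-level-client arrangement the message describes: the issuer and the token share a session key (how it is established is assumed and out of scope here), each provisioning command carries a sequence number and a chained HMAC, the middleware collects the user's PIN and relays messages, and any modification by the middleware is detected by the token, which then aborts the session. The class names, the `create_key` command and the one-step KDF are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Added illustration only: not KeyGen2/SKS or GlobalPlatform code. The session key
# shared by issuer and token is assumed to exist already (its establishment is out
# of scope); the code shows what each of the three parties does with it.

SEP = (",", ":")


def session_key(shared_secret: bytes, session_id: bytes) -> bytes:
    """Hypothetical one-step KDF: bind the session MAC key to a session id."""
    return hmac.new(shared_secret, b"token-provisioning|" + session_id, hashlib.sha256).digest()


def chained_mac(key: bytes, chain: bytes, seq: int, body: bytes) -> bytes:
    """Each tag also covers the previous tag, so commands cannot be dropped, reordered or replayed."""
    return hmac.new(key, chain + seq.to_bytes(4, "big") + body, hashlib.sha256).digest()


class Issuer:
    """Server side: builds MAC-protected provisioning commands addressed to the token."""

    def __init__(self, key: bytes):
        self.key, self.seq, self.chain = key, 0, bytes(32)

    def command(self, cmd: dict) -> dict:
        self.seq += 1
        body = json.dumps(cmd, sort_keys=True, separators=SEP).encode()
        tag = chained_mac(self.key, self.chain, self.seq, body)
        self.chain = tag
        return {"seq": self.seq, "body": body.decode(), "mac": tag.hex()}


class Token:
    """The cryptographic module: only low-level E2ES work, no UI and no transport."""

    def __init__(self, key: bytes):
        self.key, self.seq, self.chain = key, 0, bytes(32)
        self.keys = {}
        self.aborted = False

    def process(self, msg: dict, pin) -> str:
        if self.aborted:
            return "REJECTED: session aborted"
        body = msg["body"].encode()
        expected = chained_mac(self.key, self.chain, self.seq + 1, body)
        if msg["seq"] != self.seq + 1 or not hmac.compare_digest(expected, bytes.fromhex(msg["mac"])):
            self.aborted = True            # one bad message kills the whole session
            return "REJECTED: bad MAC or sequence number"
        self.seq, self.chain = msg["seq"], expected
        cmd = json.loads(body)
        if cmd.get("op") == "create_key":
            self.keys[cmd["id"]] = {"usage": cmd["usage"], "pin": pin if cmd["pin_protected"] else None}
            return "OK"
        return "REJECTED: unknown operation"


class Middleware:
    """Client-side provisioning middleware: transport plus user interaction (PIN prompt)."""

    def __init__(self, token: Token, user_pin: str):
        self.token, self.user_pin = token, user_pin

    def relay(self, msg: dict, tamper: dict = None) -> str:
        cmd = json.loads(msg["body"])
        if tamper:                         # a malicious or buggy middleware rewriting the command
            cmd.update(tamper)
            msg = dict(msg, body=json.dumps(cmd, sort_keys=True, separators=SEP))
        pin = self.user_pin if cmd.get("pin_protected") else None   # the "UI" happens here, not in the token
        return self.token.process(msg, pin)


def run_demo() -> dict:
    key = session_key(secrets.token_bytes(32), secrets.token_bytes(16))
    issuer, token = Issuer(key), Token(key)
    mw = Middleware(token, user_pin="1234")
    honest = mw.relay(issuer.command({"op": "create_key", "id": "auth", "usage": "signature", "pin_protected": True}))
    # Middleware silently drops the PIN requirement on the second key: the token must notice.
    tampered = mw.relay(issuer.command({"op": "create_key", "id": "enc", "usage": "encryption", "pin_protected": True}),
                        tamper={"pin_protected": False})
    after_abort = mw.relay(issuer.command({"op": "create_key", "id": "x", "usage": "signature", "pin_protected": False}))
    return {"honest": honest, "tampered": tampered, "after_abort": after_abort, "keys": token.keys}


if __name__ == "__main__":
    print(run_demo())
```

The point of the split is visible in `Middleware.relay`: it sees the command, prompts for the PIN and forwards the bytes, but it holds no session key, so the only thing it can do to the issuer's command is break it. That is what "E2ES cannot be abstracted" means in practice: the token, not the middleware, has to understand the issuer's message format well enough to verify it.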