[openssl-project] Fwd: Request for comments on 'Certificate Management Protocol (CMP, RFC 4210) extension #681'

Matt Caswell matt at openssl.org
Wed Aug 15 16:24:26 UTC 2018

On 14/08/18 20:20, Matt Caswell wrote:
> Hi
> Back in 2007 Nokia started developing a CMP client based on OpenSSL that
> is currently in use in LTE infrastructure components. Siemens joined in
> the project some years ago to extend and utilize the code for further
> industrial use cases. We are aware of a lot of other users of this
> implementation.
> Right from the beginning it was the goal of the project to contribute
> the code upstream to OpenSSL some time, see RT item #3101, GitHub issue
> #5926 and pull request #6811.
> Integrating CMPforOpenSSL would make things much easier for all people
> using it already and also for those who use OpenSSL to automate their
> certificate management based on CMP.
> The footprint of the code is about 17.000 lines of code plus test and
> configuration data.
> There are unit tests and a large number of interoperability tests (with
> EJBCA and Insta CA). These tests can provide initial confidence in the
> functionality and quality of the implementation.
> In the past months we already got some feedback supporting the
> contribution. To get the contribution reviewed and merged by the project
> we know that there will be considerable effort needed on both sides.
> Therefore we'd like to understand the opinion of the group of committers
> and OMC members if this contribution should be integrated with OpenSSL.

I'm of the view that this would be a useful addition to OpenSSL. However
the effort required to review this will be significant, and it does not
contribute towards the priority of the next release after 1.1.1 (i.e. FIPS).

Therefore I'd like to hear the opinions of the committers on this. Is
this something we should be spending time reviewing (and for the
contributors to get it into shape)? Are there volunteers to help review?

It may be helpful for us to hold an OMC vote on this to get a view up
front whether to spend the time on it. But I'd like to hear feedback first.


> Martin, David, and Hendrik
> Ps.: I will be out of the office the next weeks; Martin and David are
> available to follow up on this discussion.
> With best regards,
> Hendrik Brockhaus
> Siemens AG
> Corporate Technology
> Research and Development for Digitalization and Automation
> Security Architecture
> Otto-Hahn-Ring 6
> 81739 Muenchen, Germany Tel.: +49 89 636-633672
> Mobile: +49 174 1517765
> mailto:hendrik.brockhaus at siemens.com
> www.siemens.com/ingenuityforlife
