Re: [6tisch] xxx-bootstrap
Göran Selander <goran.selander@ericsson.com> Tue, 06 December 2016 19:05 UTC
Return-Path: <goran.selander@ericsson.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FBD8129AE0 for <6tisch@ietfa.amsl.com>; Tue, 6 Dec 2016 11:05:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KLwYVUzl2aN3 for <6tisch@ietfa.amsl.com>; Tue, 6 Dec 2016 11:05:04 -0800 (PST)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06BAF129A90 for <6tisch@ietf.org>; Tue, 6 Dec 2016 11:04:38 -0800 (PST)
X-AuditID: c1b4fb2d-26a859800000561e-95-58470bc4e280
Received: from ESESSHC002.ericsson.se (Unknown_Domain [153.88.183.24]) by (Symantec Mail Security) with SMTP id E4.52.22046.4CB07485; Tue, 6 Dec 2016 20:04:36 +0100 (CET)
Received: from ESESSMB303.ericsson.se ([169.254.3.128]) by ESESSHC002.ericsson.se ([153.88.183.24]) with mapi id 14.03.0319.002; Tue, 6 Dec 2016 20:03:41 +0100
From: Göran Selander <goran.selander@ericsson.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, 6tisch <6tisch@ietf.org>
Thread-Topic: [6tisch] xxx-bootstrap
Thread-Index: AQHSSuDPU1xNoBfYBUWdkIQa1WBi/qDyKnSAgAkmswA=
Date: Tue, 06 Dec 2016 19:03:39 +0000
Message-ID: <D46CC86D.6E92A%goran.selander@ericsson.com>
References: <efb18853e63642bc4a996dc419cd1efb@xs4all.nl> <31466.1480551529@obiwan.sandelman.ca>
In-Reply-To: <31466.1480551529@obiwan.sandelman.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.0.161029
x-originating-ip: [153.88.183.148]
Content-Type: text/plain; charset="utf-8"
Content-ID: <33BED076ACDA6D4DA596702F2E3A2D2D@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrBIsWRmVeSWpSXmKPExsUyM2K7hO4RbvcIg1WTjC2W3e1jtni0fxWb Rc+hfnYHZo8lS34yebTM2cPscaJhO3sAcxSXTUpqTmZZapG+XQJXxss/GQXblCvudLWzNjAe UOpi5OSQEDCRmN9+nKWLkYtDSGAdo8S5y5eYIJzFjBK/Du5lAqliE3CReNDwCMwWEfCQmPVx BwuIzSxgK7HjyxZ2EFtYQFni5NXNbBA1KhK3p+9ihLCtJL40nWMFsVmA4isXLWQGsXkFLCTW PL8FZgsJJErMeboDrJ5TwFji58J+sJmMAmIS30+tYYLYJS5x68l8JoirBSSW7DnPDGGLSrx8 /A9svqiAnsTsKQ3sEHElicYlT4DiHEC9mhLrd+lDjLGWmPVoBSOErSgxpfshO8Q5ghInZz5h mcAoPgvJtlkI3bOQdM9C0j0LSfcCRtZVjKLFqcXFuelGxnqpRZnJxcX5eXp5qSWbGIHxd3DL b90djKtfOx5iFOBgVOLhLbjkFiHEmlhWXJl7iFGCg1lJhNcJGL1CvCmJlVWpRfnxRaU5qcWH GKU5WJTEec1W3g8XEkhPLEnNTk0tSC2CyTJxcEo1MNa1yZq9SJ0b11a7YNu5vh/sp69wGqnM 2xDwjqX/0YGy+Vm11npPVVQ+8holZUkxXryQ+K3k7JFsS2/uJb+/Rv3cfIJz2r71H+YdPzw5 t0Lz/JWUOoGzG4recnZOd9c/us5jzY7uPMu2T5cT6iV6ZwQ+cdzvrOXrF/L+fYbG3Pe2bzYv CgqzO6TEUpyRaKjFXFScCABcStzduwIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/fdPk4oSwI26Wo1tl3EqXof5eTQw>
Cc: "consultancy@vanderstok.org" <consultancy@vanderstok.org>
Subject: Re: [6tisch] xxx-bootstrap
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Dec 2016 19:05:11 -0000
Apologies for the previous empty mail, this is the mail I wanted to comment on. On 2016-12-01 01:18, "6tisch on behalf of Michael Richardson" <6tisch-bounces@ietf.org on behalf of mcr+ietf@sandelman.ca> wrote: > >Hi, I haven't read the entire thread yet, but I wanted to pull out another >email from a private thread about some ideas I had before I forgot. > >This would be the phase 1. Now that I understand more about EDHOC, >I think that the certificate exchange and EDHOC setup would occur >at the GET /nonce phase. > >Peter, if this is what you have in mind, then let's develop one of the >EST/CoAP drafts into saying this. > >==== > >I am thinking about if we can come up with a mechanism that can be driven >by >either side, which uses the same protocol and message encodings. >I had been thinking last night that CMS was getting in the way, but I >think that actually that's probably not the case; we are going to use >pkcs7/11 anyway, and if that's really the extent of it, then no big deal. > >I'm trying to find a way to merge this into netconf-keystore essentially, >and >that document is not really particular about the formats. > >I'm looking at draft-ietf-anima-bootstrapping-keyinfra-04 section 5.7, >and EST section 4. > >I imagine that one can reverse the process in 6tisch, and we could POST >From the JCE to client /cacerts, etc... > >So, if the straight EST process looks like: > > new-node registrar > POST /requestaudittoken--> [includes nonce] > <--- 200 OK + audit token- [section 5.2] > > GET /cacerts -----------> > <--- domain certificate-- (application/pkcs7-mime, > CMC Simple PKI RESPONSE) > GET /csrattrs ----------> > <--- app/csrattrs ------- [ASN as per 7030] > > POST /simpleenroll------> (PKCS#10 Cert Req) > <--- LDevID cert--------- (pkcs7) > > >Then the JCE driven process should instead look like: > > pledge JCE > <--- CoAP GET /nonce----- > ----- 200 OK, nonce ----> [could be empty if nonce > > <--- CoAP POST /voucher-- {audit token or ownership voucher} > ----- 200 OK------------> [or 4xx or 5xx code! ] In the interest of reducing round-trips, could anything of this be sent in parallel with the key exchange? Göran > > <--- CoAP POST /cacerts-- [block-transfer] [maybe not??] > (application/pkcs7-mime, > CMC Simple PKI RESPONSE) > ----200 OK--------------> > > <--- CoAP POST /csrattrs- [ASN as per 7030] > ----200 OK--------------> > > <--- CoAP GET /csr------ > ----200 OK ---PKCS10 ---- [PKCS#10 Cert Req] > > <--- CoAP POST /cert----- [PKCS7 Certificate] > ----200 OK -------------- > >Except that ideally, the above would be described in YANG with Kent's help >in netconf-keystore. >(Pascal, in our SoW #7, the above protocol would be Deliverable 3, btw) > > > >-- >Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works > -= IPv6 IoT consulting =- > > >
- [6tisch] xxx-bootstrap peter van der Stok
- Re: [6tisch] xxx-bootstrap Mališa Vučinić
- Re: [6tisch] xxx-bootstrap peter van der Stok
- Re: [6tisch] xxx-bootstrap Mališa Vučinić
- Re: [6tisch] xxx-bootstrap Michael Richardson
- Re: [6tisch] xxx-bootstrap Michael Richardson
- Re: [6tisch] xxx-bootstrap peter van der Stok
- Re: [6tisch] xxx-bootstrap peter van der Stok
- Re: [6tisch] xxx-bootstrap Göran Selander
- Re: [6tisch] xxx-bootstrap peter van der Stok
- Re: [6tisch] xxx-bootstrap Michael Richardson
- Re: [6tisch-security] [6tisch] xxx-bootstrap Michael Richardson
- Re: [6tisch-security] [6tisch] xxx-bootstrap Göran Selander
- Re: [6tisch] xxx-bootstrap Göran Selander
- Re: [6tisch] xxx-bootstrap peter van der Stok
- Re: [6tisch] xxx-bootstrap Mališa Vučinić
- Re: [6tisch] xxx-bootstrap peter van der Stok
- Re: [6tisch] xxx-bootstrap Mališa Vučinić