Re: [Ace] WGLC for draft-ietf-ace-coap-est - optimization for embedded devices
Esko Dijk <esko.dijk@iotconsultancy.nl> Thu, 24 January 2019 08:45 UTC
Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8D7D12870E for <ace@ietfa.amsl.com>; Thu, 24 Jan 2019 00:45:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.031
X-Spam-Level:
X-Spam-Status: No, score=-2.031 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iotconsultancynl.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qkQFTx-3TpK9 for <ace@ietfa.amsl.com>; Thu, 24 Jan 2019 00:45:11 -0800 (PST)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80091.outbound.protection.outlook.com [40.107.8.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C867130E2E for <ace@ietf.org>; Thu, 24 Jan 2019 00:45:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancynl.onmicrosoft.com; s=selector1-iotconsultancy-nl; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7VcUn437duclbXMXW3zvqqs5oLcF3Gr3AbIwCu0yWsE=; b=UqTuDEq9+5HwoQXZa1uOdnl80bTULhMjnLS5d5YaEfIj7BebKOBdsPOEVlSPQ3H3BBbBTHpUTZK8lSgwMx3XKrcL2H1DGiwQoXeWTgdQwMa8WmDk2+537oLkrAMjZyfS75XTJGrteElatR/tWun+sjRElmroqxWe4A1pBjvIuI8=
Received: from DB6P190MB0054.EURP190.PROD.OUTLOOK.COM (10.172.229.12) by DB6P190MB0263.EURP190.PROD.OUTLOOK.COM (10.175.241.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1537.31; Thu, 24 Jan 2019 08:45:07 +0000
Received: from DB6P190MB0054.EURP190.PROD.OUTLOOK.COM ([fe80::2d19:ef79:d153:7627]) by DB6P190MB0054.EURP190.PROD.OUTLOOK.COM ([fe80::2d19:ef79:d153:7627%6]) with mapi id 15.20.1558.016; Thu, 24 Jan 2019 08:45:07 +0000
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: Jim Schaad <ietf@augustcellars.com>, 'Michael Richardson' <mcr@sandelman.ca>
CC: "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] WGLC for draft-ietf-ace-coap-est - optimization for embedded devices
Thread-Index: AdSzANDF7SgGt3HDRj6nI+AEfU6Y+QAi3BaAAAWJZoAABvuaAA==
Date: Thu, 24 Jan 2019 08:45:06 +0000
Message-ID: <DB6P190MB0054525A54278343E88E2C2EFD9A0@DB6P190MB0054.EURP190.PROD.OUTLOOK.COM>
References: <DB6P190MB0054743FDD8DB32669C5BB23FD990@DB6P190MB0054.EURP190.PROD.OUTLOOK.COM> <15991.1548296807@localhost> <000001d4b3a2$69396530$3bac2f90$@augustcellars.com>
In-Reply-To: <000001d4b3a2$69396530$3bac2f90$@augustcellars.com>
Accept-Language: en-US, nl-NL
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=esko.dijk@iotconsultancy.nl;
x-originating-ip: [2001:1c02:3101:4800:653b:e57c:bc08:b670]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DB6P190MB0263; 6:k1uJJSaX3n1DdT8TVKC3xIXt9CZU2P2jQrVJ1VbrPYKz0U/ZVsTM9DCiuCv1g+SFaXDth7LjBRl6SP7ENyzcvKyI+kxGwThCw0+EqSu272os2WxevagkVC47UyGdEngR3J8+lWWRTzlxMPMQy6OljXn9M2UBU9Lll7iaybVnapdV2ocssMH3/1w1csEWRN8xhPCfx0cAw8eFz2J/72fOq8A89enORPGt1PDah2YlwIS6pVMbXg7R78zaQXRs297fzD+jNI3HSwgVuMJqfldTUKMSKyjBaA25/PkzCExq/KZ1anLyeDx9Ek/tiQP8RiDPKZfmgs1ya1rLtBIcTzRL8hntm2WkPXntreULxqQxi9g1x3KEfR1ygkkcsKvEdoRlu/FvTZ0GxALxFPe8ClK1IUBbyvkQYM5BRf2hRRm23Gb7lYVG6jxNoc01jjzVUZ7TBEQnZioE3T4Y6uvk35Hg6g==; 5:OlmEPl9T+gYp+vz+S0XUq0T5TA+fiu/3khlfKi08yQyt24qfxivHwXHe2N5ZeWUUMwYuPytNq/y4/lOlo2R7xNmbVt8q/qZzmP7DN33J0H7rAQR+pNEDn8P9k83wTVUpO/2xmxPiJP6IxiOayh8pIZAmElxBEWasB1LiEc79/Q5mo2FnB889tvoPHc9b2yqr0cM2h6AhlMWz2d7s/uSb0A==; 7:QZh1PU8jYWA7uFqxtCh5QsyCnhjUeJUViQYlTgfK47k44hezWAWvGqpLdl3d/IWyDpeHCP8anoP6fJ0gxCfceEOz5IvXVWiLnxTIZC05K9YHHYGaHPtB0CA0RxLDEGLsVcV30KHW6CjxyUcdMiN4eA==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 02e5c3db-9029-48d9-1d05-08d681d83dfa
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(5600110)(711020)(4605077)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(2017052603328)(7153060)(7193020); SRVR:DB6P190MB0263;
x-ms-traffictypediagnostic: DB6P190MB0263:
x-microsoft-antispam-prvs: <DB6P190MB0263164A379298D13E4A125DFD9A0@DB6P190MB0263.EURP190.PROD.OUTLOOK.COM>
x-forefront-prvs: 0927AA37C7
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(346002)(376002)(136003)(39830400003)(366004)(189003)(199004)(51444003)(13464003)(6436002)(6116002)(14444005)(256004)(68736007)(966005)(99286004)(8676002)(71200400001)(71190400001)(229853002)(14454004)(81156014)(8936002)(81166006)(508600001)(7696005)(53546011)(6506007)(33656002)(76176011)(74482002)(97736004)(110136005)(4326008)(106356001)(105586002)(86362001)(53936002)(486006)(2906002)(316002)(476003)(446003)(7736002)(9686003)(102836004)(55016002)(74316002)(25786009)(44832011)(305945005)(46003)(11346002)(186003)(6306002)(6246003); DIR:OUT; SFP:1102; SCL:1; SRVR:DB6P190MB0263; H:DB6P190MB0054.EURP190.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: iotconsultancy.nl does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: AbaScC28Dn3UXdCwwTVb1062NB5jEWuj0uWvNrCR/H3CJhPDF3/CkM1YpHK+sHObNgxXKbDtnzDP3ih3FokYke7ZB0PFrhmOytBF/QTcOy1RB0tgHho3ZJ1I/iNsMyEb30L/nN0VFWERqTsZZL4Yx+OFbtjHXHOEPYcpSJInyNiBlSdT5KSdt7JX0JC7lmeB5/Tn331KBjkY1F2abc5RpgdYjqqARYOxxzCgkgZa5qBNoTSl9eX3AOQ2K6EDr9epo0O43K8F9U0re6NJ97OHZK6yF3L9QS+g7uuwQcQavJMGnB8x4Hx8/solNo8IQhTy6sCnCX66x3jabxHxKZZ0s0T8dneOXRc4f64iD+r8U244eB8gZjkp5kKuJLD3NifTNMzfmuiRjoNEmE3nsat04Hpz/+dA7+CC+245c2t88Fs=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: iotconsultancy.nl
X-MS-Exchange-CrossTenant-Network-Message-Id: 02e5c3db-9029-48d9-1d05-08d681d83dfa
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jan 2019 08:45:07.0036 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6P190MB0263
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/NKGMsxFX71I73iHDX4r6R3s5rfU>
Subject: Re: [Ace] WGLC for draft-ietf-ace-coap-est - optimization for embedded devices
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jan 2019 08:45:16 -0000
> There is no signature for this CMS signed message format. It only contains the certificates and CRLs that are passed back. I would still think that this is a fine idea as long as you are only going to return the leaf certificate and not returning a bag of certificates or any CRLs. That's right, only the leaf certificate is returned and no CRLs; in this embedded case. Any other required certificates are already obtained from the prior DTLS handshake process. I agree that using draft-birkholz-core-coid-01 could be used in the future as an alternative format instead of an X.509 certificate. Ideally, it would become an update of RFC-EST-over-coaps and an enrolling client can indicate it uses the new formats by using e.g. CoAP Content-Format and Accept Options, or by different URI paths. Best regards Esko -----Original Message----- From: Jim Schaad <ietf@augustcellars.com> Sent: Thursday, January 24, 2019 06:05 To: 'Michael Richardson' <mcr@sandelman.ca>; Esko Dijk <esko.dijk@iotconsultancy.nl> Cc: ace@ietf.org Subject: RE: [Ace] WGLC for draft-ietf-ace-coap-est - optimization for embedded devices > -----Original Message----- > From: Ace <ace-bounces@ietf.org> On Behalf Of Michael Richardson > Sent: Wednesday, January 23, 2019 6:27 PM > To: Esko Dijk <esko.dijk@iotconsultancy.nl> > Cc: ace@ietf.org > Subject: Re: [Ace] WGLC for draft-ietf-ace-coap-est - optimization for > embedded devices > > > Esko Dijk <esko.dijk@iotconsultancy.nl> wrote: > > My main comment on this draft is based on recent experience with an > > embedded implementation. In the draft, the content format > > "application/pkcs7-mime;smime-type=certs-only" is used to > transport a > > single certificate back to the client. However, in the embedded > > implementation crypto library there is no support for parsing this > > format, but there is support for parsing X.509v3 > > (application/pkix-cert). See > > e.g. https://tls.mbed.org/api/group__x509__module.html for an > embedded > > API that can parse CSR and certs, but not PKCS#7. > > > Therefore the X.509 format seems better to use; also given that > > 1) the signing of data that the PKCS#7 S/MIME envelope provides > is useless because the DTLS session is already end-to-end protected > and the certificate is already signed; and There is no signature for this CMS signed message format. It only contains the certificates and CRLs that are passed back. I would still think that this is a fine idea as long as you are only going to return the leaf certificate and not returning a bag of certificates or any CRLs. > > 2) RFC 7030 requires that only one certificate, the generated > one, is > > carried in the /simple(re)enroll response so that a container format > > for multiple certificates is not really needed here. > > > So to reduce code size for embedded implementations it would be very > > beneficial if the EST Server would support an additional content > > format: > > application/pkix-cert (see RFC 5280) > > I think that this is a reasonable thing to do. > The client can easily say what it wants and I think the two formats > are relatively easy to swap. > > What about if we went further, and went to: > Concise Identities > draft-birkholz-core-coid-01 Given that it would be a blocking factor, I would think about this as maybe something in the future. Jim > > -- > ] Never tell me the odds! | ipv6 mesh networks [ > ] Michael Richardson, Sandelman Software Works | IoT architect [ > ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
- Re: [Ace] WGLC for draft-ietf-ace-coap-est - opti… Esko Dijk
- Re: [Ace] WGLC for draft-ietf-ace-coap-est - opti… Michael Richardson
- Re: [Ace] WGLC for draft-ietf-ace-coap-est - opti… Jim Schaad
- Re: [Ace] WGLC for draft-ietf-ace-coap-est - opti… Esko Dijk
- Re: [Ace] WGLC for draft-ietf-ace-coap-est - opti… Michael Richardson
- Re: [Ace] WGLC for draft-ietf-ace-coap-est - opti… Jim Schaad
- Re: [Ace] WGLC for draft-ietf-ace-coap-est - opti… Michael Richardson
- Re: [Ace] WGLC for draft-ietf-ace-coap-est - opti… Jim Schaad