Re: [Ace] EST over CoAP in ACE wg

Samuel Erdtman <samuel@erdtman.se> Mon, 21 November 2016 16:30 UTC

From: Samuel Erdtman <samuel@erdtman.se>
Date: Mon, 21 Nov 2016 17:30:49 +0100
To: "Kumar, Sandeep" <sandeep.kumar@philips.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/0PIuQQtVnemZIz5Hydar0rLMGVA>
Cc: Shahid Raza <shahid@sics.se>, "Panos Kampanakis \(pkampana\)" <pkampana@cisco.com>, "consultancy@vanderstok.org" <consultancy@vanderstok.org>, "ace@ietf.org" <ace@ietf.org>
Subject: Re: [Ace] EST over CoAP in ACE wg

Hi All,

Running EST over DTLS and CoAP to address more constrained devices is not
new to me; this was part of conversations that neXus (my previous employer)
and SICS had about one and a half years ago.

I would support this work. I think certificates make sense for ACE because
of the connection to existing security infrastructure.

At neXus we did SCEP and CMP enrollment, but when moving to more constrained
devices it would make sense to move to using EST over CoAP and DTLS.
In addition to being quite simple compared to SCEP and CMP, EST also
supports server-side generated keys, which could be a benefit for constrained
devices. Not because the devices could not generate the key, but in some
cases keys need to be generated in trusted and certified hardware (FIPS, CC
etc.) to "know" that keys are of good quality.

//Samuel

On Mon, Nov 21, 2016 at 3:00 PM, Kumar, Sandeep <sandeep.kumar@philips.com>
wrote:

> Dear ACE members
>
> Peter van Stok gave a short overview during the ACE f2f meeting on the
> work related to EST (RFC 7030) over DTLS-secured CoAP (
> draft-vanderstok-core-coap-est-00
> <https://tools.ietf.org/html/draft-vanderstok-core-coap-est-00>). In the
> meeting there was general interest among the audience for the work, and ACE
> as the preferred WG for this item. There are additional drafts and work on
> the same topic, like draft-pritikin-coap-bootstrap-01
> <https://tools.ietf.org/html/draft-pritikin-coap-bootstrap-01> and the
> email from Shahid
> <https://www.ietf.org/mail-archive/web/ace/current/msg02029.html>.
>
> The idea is to merge these into a single draft (already discussed among
> us).
>
> We would like to get feedback on the mailing list on whether ACE would indeed be
> the right place to continue this work, as was perceived during the f2f meeting.
> Please respond if you support (or not) the activity going forward in the ACE wg.
>
> Kind Regards
>
> Sandeep