Re: [Ace] EST over CoAP: Introduction

"Panos Kampanakis (pkampana)" <> Sun, 27 May 2018 03:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5A836120047 for <>; Sat, 26 May 2018 20:02:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9UWc64PLqLpM for <>; Sat, 26 May 2018 20:02:00 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0B54D1241F5 for <>; Sat, 26 May 2018 20:02:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=10694; q=dns/txt; s=iport; t=1527390120; x=1528599720; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=7D6bhygzBbVXVDdZNmqO2nCiZrNn97jbhxx4CKF63G4=; b=BRHhbxle0efamc1+TfmDJI9JjDmr8vH3y/BZFqfBIvJDXQwhyF+e5O0b rtiXJiP7cc4/mM/m1Ac4THhPj4oZq6iqkKqQd8WoBpgu2Q2TbQ3ZJfnVS Vtgi29MJqEaKJs3Y2A6DCVlBWqihvEgxvc2HXNvfHXWdvXnlPfIGjB4iC 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.49,446,1520899200"; d="scan'208,217";a="120938872"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 27 May 2018 03:01:59 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id w4R31xH3026971 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Sun, 27 May 2018 03:01:59 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1320.4; Sat, 26 May 2018 22:01:58 -0500
Received: from ([]) by ([]) with mapi id 15.00.1320.000; Sat, 26 May 2018 22:01:58 -0500
From: "Panos Kampanakis (pkampana)" <>
To: Hannes Tschofenig <>, "" <>
Thread-Topic: EST over CoAP: Introduction
Thread-Index: AdPsLs4i7p+ZRhEOTMSeKeo6haRT5QJN1T6g
Date: Sun, 27 May 2018 03:01:58 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_d343f9f443f3474eb543c776fa0bbe0bXCHALN010ciscocom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Ace] EST over CoAP: Introduction
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 27 May 2018 03:02:03 -0000

Hi Hannes,
Thank you for the text. The 15.4 was only serving only as a motivation usecase. We revamped the Intro similar to what you suggested. It will be fixed  in the next iteration.

From: Ace [] On Behalf Of Hannes Tschofenig
Sent: Tuesday, May 15, 2018 5:34 AM
Subject: [Ace] EST over CoAP: Introduction

Here is a proposal to change the introduction to the relevant parts only and to avoid repetition.
(The current document still keeps talking about IEEE 802.15.4 when there are so many other radio technologies as well.
There is nothing in this spec that makes this 15.4 specific. I understand that some of the authors really like 15.4 but .....)

Here is my proposal to replace Section 1 and Section 1.1:


1.  Introduction

   "Classical" Enrollment over Secure Transport (EST) [RFC7030] is used for
   authenticated/authorized endpoint certificate enrollment (and
   optionally key provisioning) through a Certificate Authority (CA) or
   Registration Authority (RA).  It uses HTTPS.

   This specification defines a new transport for EST based on the
   Constrained Application Protocol (CoAP) since some Internet of Things (IoT)
   devices use CoAP instead of HTTP. This specification therefore utilizes DTLS [RFC6347],
   CoAP [RFC7252], and UDP instead of TLS [RFC5246], HTTP [RFC7230] and TCP.

   This document also profiles EST and only supports certificate-based client
   Authentication. The results are:

      *  The EST-coaps client does not support HTTP Basic authentication
         (as described in Section 3.2.3 of [RFC7030]).

      *  The EST-coaps client does not support authentication at the
         application layer (as described in Section 3.2.3 of [RFC7030]).

   EST messages may be relatively large and for this reason this
   document re-uses CoAP Block-Wise Transfer [RFC7959] to
   offer a fragmentation mechanism of EST messages at the CoAP layer.



IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.