Re: [Ace] How to specify DTLS MTI in COAP-EST

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Thu, 07 June 2018 16:30 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 567361310FD for <ace@ietfa.amsl.com>; Thu, 7 Jun 2018 09:30:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6A7X1KkB3UvT for <ace@ietfa.amsl.com>; Thu, 7 Jun 2018 09:30:12 -0700 (PDT)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-ve1eur02on060b.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe06::60b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F39ED130FD1 for <ace@ietf.org>; Thu, 7 Jun 2018 09:30:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9yGTWl/CaIHCcBXLhk85K0Q0zdYxjFi5/6UzyWxlqt0=; b=Rb56kXAOZM5NZ46uqKdWXbgwzH7h1hdDIkYTwzeLk7cD42HxbiMggzzSEhZfdsNxcUOYzR6AkeQg6d/x4Wjnq7y/YtUL4ixFI5E1CuFQWGB5kVkTkdNDXSr1TJaAQFWigjT72/+nfMlB2z4n6DlEt5Jzux7ucodDjRHzrL6SVnQ=
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com (10.173.75.16) by VI1PR0801MB1887.eurprd08.prod.outlook.com (10.173.73.137) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.841.16; Thu, 7 Jun 2018 16:30:09 +0000
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::d1df:1498:96ec:6b35]) by VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::d1df:1498:96ec:6b35%4]) with mapi id 15.20.0820.015; Thu, 7 Jun 2018 16:30:09 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Russ Housley <housley@vigilsec.com>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] How to specify DTLS MTI in COAP-EST
Thread-Index: AQHT/e65x8uyz3CYSUqqld4MOn23DqRU0nmAgAAqbVA=
Date: Thu, 7 Jun 2018 16:30:08 +0000
Message-ID: <VI1PR0801MB2112950E1677D701165C74E2FA640@VI1PR0801MB2112.eurprd08.prod.outlook.com>
References: <13635.1528327933@localhost> <CE664422-ED4B-43FE-A531-4EAA090CA036@vigilsec.com>
In-Reply-To: <CE664422-ED4B-43FE-A531-4EAA090CA036@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [195.149.223.146]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0801MB1887; 7:vQUjM4twshBK2E63CFULUJVNWGO4I+Jxp7hrE+kC92PQQSAdZ3KlTZA0suwW/7h50yV1V3c2mVPl6kDxW8lS4CsYqEYpx6vFRJg4z1omGDz4/VW3VqO83IPU4CKX6re7AiOpFBstvSWXH3Zo7bpsQcW1bHCLvCkcbnhFQ0dAyylJCy5glgEJOSuy3oh3YKeQQcSdomE/fS03u7Ry4sIQtuGA3PJB3c3z7G1A7w1EDYRaeT/lF2GmPu3woC0eAERH
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:VI1PR0801MB1887;
x-ms-traffictypediagnostic: VI1PR0801MB1887:
x-microsoft-antispam-prvs: <VI1PR0801MB18875113FA9A1669C067B595FA640@VI1PR0801MB1887.eurprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(120809045254105);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3002001)(3231254)(944501410)(52105095)(93006095)(93001095)(10201501046)(6055026)(149027)(150027)(6041310)(20161123564045)(20161123558120)(20161123560045)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011)(7699016); SRVR:VI1PR0801MB1887; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0801MB1887;
x-forefront-prvs: 06968FD8C4
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(376002)(39860400002)(346002)(39380400002)(396003)(13464003)(199004)(189003)(40434004)(72206003)(3846002)(6116002)(3660700001)(26005)(478600001)(486006)(7696005)(110136005)(33656002)(6246003)(6506007)(99286004)(105586002)(53546011)(53936002)(186003)(6306002)(9686003)(316002)(966005)(476003)(102836004)(106356001)(2906002)(97736004)(66066001)(76176011)(59450400001)(446003)(5660300001)(5250100002)(5890100001)(3280700002)(11346002)(8936002)(81156014)(81166006)(8676002)(4326008)(55016002)(25786009)(14454004)(86362001)(68736007)(305945005)(229853002)(7736002)(2900100001)(74316002)(6436002)(217873001); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0801MB1887; H:VI1PR0801MB2112.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: i0V6DhrzkYhgnkunPNgwmqWikAoORytACtMAH5tP2qaxQyvvsbTxip4FWi0pYjfYzDkWfAO7AY2cJ2AaFw6PxBwVUy/QsF69Wn22fDarqdRQOLW2LEJp5lbJVY8LvAo1sG20s7H7Qo41NRRvWW+x5EgsIQEFgyarmuBPjww3n4GAorD7wCvO36lnDjw7fIJG
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: d165c395-522a-49ab-c581-08d5cc93ef53
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d165c395-522a-49ab-c581-08d5cc93ef53
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Jun 2018 16:30:08.9046 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0801MB1887
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/4rPMdVlRGxXnv1UFXGonSX681Ys>
Subject: Re: [Ace] How to specify DTLS MTI in COAP-EST
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jun 2018 16:30:17 -0000

Hi Russ, Hi Michael,

why don't you just reference https://tools.ietf.org/html/rfc7925?

I am not a big fan of making all sorts of different crypto recommendations in our specs that differ slightly.

Ciao
Hannes

PS: Next time someone suggests the use of a new crypto algorithm I will demand that they also implement one themselves.

-----Original Message-----
From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Russ Housley
Sent: 07 June 2018 15:55
To: Michael Richardson
Cc: ace@ietf.org
Subject: Re: [Ace] How to specify DTLS MTI in COAP-EST

Michael:

These words were first used by IPsec; see RFC 4307.  They have gained broader acceptance.  I see no problem just using them here.

Russ


> On Jun 6, 2018, at 7:32 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>
>
> In draft-ietf-ace-coap-est, we would like to specify some mandatory to
> implement algorithms for DTLS.
>
> We write:
>   The mandatory cipher suite for DTLS in EST-coaps is
>   TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 defined in [RFC7251] which is the
>   mandatory-to-implement cipher suite in CoAP.
>
>   Additionally, the curve secp256r1 MUST be supported [RFC4492]; this curve
>   is equivalent to the NIST P-256 curve.
>
> And this is fine for now, but we'd like to signal that Curve25519
> should be considered as an alternative, but we don't want to make it a
> MUST *today*, and we don't want to force implementations 15 years down
> the road that have it to include secp256r1.
>
> IPsec(ME) has published things like:
> https://datatracker.ietf.org/doc/rfc8247/
> which include language like:
>
>   SHOULD+   This term means the same as SHOULD.  However, it is likely
>             that an algorithm marked as SHOULD+ will be promoted at
>             some future time to be a MUST.
>
>   SHOULD-   This term means the same as SHOULD.  However, an algorithm
>             marked as SHOULD- may be deprecated to a MAY in a future
>             version of this document.
>
>   MUST-     This term means the same as MUST.  However, it is expected
>             at some point that this algorithm will no longer be a MUST
>             in a future document.  Although its status will be
>             determined at a later time, it is reasonable to expect that
>             if a future revision of a document alters the status of a
>             MUST- algorithm, it will remain at least a SHOULD or a
>             SHOULD- level.
>
> I don't think TLS has done this... maybe TLS plans to.
> We think that we'd like to use SHOULD+ for Curve25519 and MUST- for
> secp256r1, but we aren't sure that the WG will like us to use so many
> words as IPsec to say so.
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        | network architect  [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
>
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.