Re: [Ace] draft-selander-ace-eals vs. draft-vanderstok-ace-coap-est

Göran Selander <goran.selander@ericsson.com> Thu, 14 September 2017 06:47 UTC

Hi Hannes, 

It is interesting to note that during the last 6 months there seems to be
very little activity to encourage discussion or reviews of the drafts
which actually are in scope of the current ACE charter. For example, what
do people think about the overlaps between the two publish-subscribe
profiles (draft-sengul-kirby-ace-mqtt-tls-profile vs.
draft-palombini-ace-coap-pubsub-profile)? Instead, you as co-chair of ACE
encourage the WG to discuss two drafts about certificate enrolment, a
topic which is not even mentioned in the current charter.

As co-author of one of the drafts in the subject of this mail I of course
welcome the discussion, but it is important that this thread does not
distract the ACE WG from working according to its charter on its missed
milestones.

Now for the topic of comparing the certificate enrolment drafts.
draft-vanderstok-ace-coap-est proposes a very natural and significant
optimization of EST adapted to the established security setup for CoAP,
and I fully support that. There are overlapping authors between the
drafts, so clearly the drafts should not be seen in opposition to each
other.

My view of the potential contribution with draft-selander-ace-eals (which
is a first sketch we made in the spring, and which I recently stepped in
revision just to keep alive) is twofold:

1. It discusses the generalisation of EST to application layer security.
The enrolment procedure in EST is in principle not dependent on the layer
at which authentication takes place, provided there is security end-to-end
between the endpoint making the enrolment request and the endpoint providing
the certificate. As we know, there are common IoT settings where security on
the transport layer does not go end-to-end because of gateways or proxies or
because of a change of underlying layers, which is the reason for proposing
this complement on the application layer. As to the actual enrolment
procedure, it may well be the same in both cases of transport layer
security or application layer security.

2. In a second independent component (section 3.2), the ACE framework is
applied to authorise and provide keys to the endpoints involved in the
enrolment, after which the very same enrolment procedure can take place.
This shows a more lightweight key establishment than with a key exchange
protocol (such as the DTLS handshake or EDHOC), with fewer and smaller
messages and fewer public key operations, all of which are favourable
properties in constrained environments.

The implicit question posed by draft-selander-ace-eals is the following:
If we are considering one IoT variant of EST
(draft-vanderstok-ace-coap-est), should we also consider other variants
using the same enrolment procedure, which can be applied to a wider range
of IoT use cases and/or which are more favourable in settings with
constrained IoT devices?

Göran

On 2017-09-13 17:42, "Ace on behalf of Hannes Tschofenig"
<ace-bounces@ietf.org on behalf of hannes.tschofenig@gmx.net> wrote:

>Hi all,
>
>in previous IETF meetings we had presentations on these two documents
>and it appears that there is an overlap. So far we haven't had a lot of
>discussions on these proposals on the list but since there seems to be
>interest from the folks attending the IETF meetings I am recommending to
>have a discussion about the direction we should go with this work.
>
>Any thoughts?
>
>Ciao
>Hannes
>
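The end-to-end argument in point 1 of Göran's mail, as an added illustration that is not part of either draft or of this thread: an enrolment request whose protection is terminated at a proxy can be altered by that proxy before it is re-protected towards the CA, while a request protected end-to-end (with a key such as the one the ACE AS would provision in the draft's section 3.2) fails verification if touched. The keys, the CSR and the use of HMAC as a stand-in for DTLS/OSCORE protection are all constructed for the demo.

```python
import hmac
import hashlib
import json

TAG_LEN = 32

# Constructed demo keys. The hop keys stand in for per-link transport security
# that a proxy terminates; the e2e key stands in for a key shared only by the
# client and the enrolment server (e.g. provisioned via the ACE AS).
K_CLIENT_PROXY = b"hop-key-client-to-proxy"
K_PROXY_CA = b"hop-key-proxy-to-ca"
K_CLIENT_CA = b"e2e-key-client-to-ca"

# Constructed enrolment request (stands in for a PKCS#10 CSR).
CLIENT_CSR = {"subject": "sensor-42", "pubkey": "client-public-key-bytes"}

def protect(key: bytes, payload: bytes) -> bytes:
    """Integrity-protect a message with an HMAC tag (stand-in for DTLS/OSCORE)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def verify(key: bytes, msg: bytes):
    """Return the payload if the tag checks out under `key`, else None."""
    payload, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None

def modify_request(payload: bytes) -> bytes:
    """Model a misbehaving intermediary changing the key to be certified."""
    csr = json.loads(payload)
    csr["pubkey"] = "intermediary-public-key-bytes"
    return json.dumps(csr).encode()

def enrol_transport_layer(proxy_misbehaves: bool):
    """Transport security ends at the proxy: each hop is protected separately."""
    to_proxy = protect(K_CLIENT_PROXY, json.dumps(CLIENT_CSR).encode())
    payload = verify(K_CLIENT_PROXY, to_proxy)   # proxy verifies its own hop
    if proxy_misbehaves:
        payload = modify_request(payload)        # nothing binds payload to client
    to_ca = protect(K_PROXY_CA, payload)         # proxy re-protects towards CA
    accepted = verify(K_PROXY_CA, to_ca)         # CA only sees a valid proxy hop
    return json.loads(accepted) if accepted else None

def enrol_application_layer(proxy_misbehaves: bool):
    """Application-layer security: CSR protected end-to-end, proxy just forwards."""
    msg = protect(K_CLIENT_CA, json.dumps(CLIENT_CSR).encode())
    if proxy_misbehaves:
        msg = modify_request(msg[:-TAG_LEN]) + msg[-TAG_LEN:]  # tag now stale
    accepted = verify(K_CLIENT_CA, msg)          # CA detects any change
    return json.loads(accepted) if accepted else None
```

In the hop-by-hop case the CA receives a well-formed, validly protected request carrying a key the client never asked to have certified; in the end-to-end case the same modification is rejected, which is the property the application-layer variant is meant to preserve across gateways and proxies.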