Re: [Ace] Embedded Content Types

Jim Schaad <ietf@augustcellars.com> Thu, 21 February 2019 00:39 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C34AB130EE4; Wed, 20 Feb 2019 16:39:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XRGB9m11O_tL; Wed, 20 Feb 2019 16:39:51 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51E97130F00; Wed, 20 Feb 2019 16:39:51 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 20 Feb 2019 16:39:44 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: "'Panos Kampanakis (pkampana)'" <pkampana@cisco.com>, <ace@ietf.org>, 'Klaus Hartke' <hartke@projectcool.de>
CC: <draft-ietf-ace-coap-est@ietf.org>
References: <02a201d4c945$eb10a510$c131ef30$@augustcellars.com> <17e617f1090e451c8b17f6550c2e213a@XCH-ALN-010.cisco.com>
In-Reply-To: <17e617f1090e451c8b17f6550c2e213a@XCH-ALN-010.cisco.com>
Date: Wed, 20 Feb 2019 16:39:43 -0800
Message-ID: <02da01d4c97d$f22eb7f0$d68c27d0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJrZGJxf0tFnICB97QT3wBXQb1jnQH8O2UCpKxPgAA=
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/8-XVVUMcWJASnzfuKHtzK0OKngU>
Subject: Re: [Ace] Embedded Content Types
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2019 00:39:54 -0000


> -----Original Message-----
> From: Panos Kampanakis (pkampana) <pkampana@cisco.com>;
> Sent: Wednesday, February 20, 2019 1:34 PM
> To: Jim Schaad <ietf@augustcellars.com>;; ace@ietf.org; Klaus Hartke
> <hartke@projectcool.de>;
> Cc: draft-ietf-ace-coap-est@ietf.org
> Subject: RE: [Ace] Embedded Content Types
> 
> Hi Jim,
> 
> Thank you. Sorry I couldn't make it to the CORE interim meeting.
> 
> I see the challenge with content-format ID explosion in option c. So I
agree
> that in the long run, there needs to be a long-term solution and option b
> seems the best for the general case.
> 
> There are challenges with option b and EST-coaps though. If we broke the
> requests to different URIs, it means that a client needs to keep track of
his
> transactions and on top of it he needs to correlate the key and the cert
he
> receives at a later time. So, after pulling the two URIs he has to
> cryptographically confirm the key is tied to the certificate.
Additionally, this
> deviates from the logic of the EST protocol which we are trying to profile
on.
> We are adding new APIs to the protocol.

[JLS]  I don't understand what you are saying here.  If you defined
/est/sgkA and /est/sgkB and said that the multipart content returned for
each of this is a fixed content type, then the client is going to send a
message to one of them in a consistent manner and both the key and the
certificate would be returned in a single response.  

The question of the key being encrypted is controlled by an attribute in the
CSR and thus there is no outside negotiation needed for that aspect.  The
only difference in content is the use of PKCS#7 vs bare certificate.

Jim

> 
> Because of these challenges, I would like to use option c in the ETS-coaps
> draft. It is not violating RFC7252 and it does not affect the long term
plan
> (option b) either. There are only to content types we are talking about in
EST-
> coaps, a key and a cert. A key can be encrypted or not. A cert can be in
> PKCS#7 or plain pkix-cert. That makes four combinations. The number cannot
> explode further, so we could live with it in this context.
> 
> Any strong objections?
> 
> Rgs,
> Panos
> 
> 
> 
> -----Original Message-----
> From: Ace <ace-bounces@ietf.org>; On Behalf Of Jim Schaad
> Sent: Wednesday, February 20, 2019 12:59 PM
> To: ace@ietf.org
> Cc: draft-ietf-ace-coap-est@ietf.org
> Subject: [Ace] Embedded Content Types
> 
> The CoRE working had an interesting virtual meeting this morning (my time)
> where the main topic of discussion was how to deal with embedded content
> types.  This is a current problem that needs to be addressed with the EST
> document which is currently trying to deal with last call comments.  The
log
> from the meeting can be found at https://etherpad.tools.ietf.org/p/core-
> interim-2019-02-20.
> 
> The takeaway from this that I got was:
> 1.  There is a real problem and we need to figure out the best ways to try
> and deal with this in a generic manner.   This is a problem not only here,
> but it the Publish/Subscribe CoRE document and in many other cases that we
> can see.
> 
> 2.  We are not going to get a general solution immediately so EST needs to
> look at  doing something now.
> 
> 3.  A couple of different possibilities where discussed that could be
used:
> a)  Return a list of links rather than a multipart content and let the
client sort
> through that list and download the things that they want.  This is a
purely
> reactive solution.
> b) Use a different URI to ask for the different options.  This could be
done
> either by the use of a different URI path or by the use of a query
parameter.
> c) Register a different content type for each of the possible return
values.
> 
> There was a general preference for the use of a different URI as being the
> solution that should be used today.  The idea of registering multiple
content
> types was generally disliked as it does not really extend well.
> There was no specific preference on whether the use of a different URI
path
> or a query parameter would be preferred.  The use of a different URI would
> allow for better discovery of capabilities.
> 
> The idea of listing nested content types in the 'ct' link type was also
> universally disliked.
> 
> The CoRE, T2TRG and other forums are expected to continue discussions on
> this topic in different contexts such as Pub-Sub and CoRAL. To come up
with
> both proactive and reactive solutions to the more general problem.
> 
> Jim
> 
> 
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace