Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-transport-04
Mohit Sahni <msahni@paloaltonetworks.com> Fri, 08 July 2022 17:24 UTC
Return-Path: <msahni@paloaltonetworks.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 317DAC15948F for <ace@ietfa.amsl.com>; Fri, 8 Jul 2022 10:24:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.603
X-Spam-Level:
X-Spam-Status: No, score=-1.603 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_NOVOWEL=0.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=paloaltonetworks.com header.b=pEAE/BeD; dkim=pass (2048-bit key) header.d=paloaltonetworks.com header.b=aizngeVL
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gEyLSn4vfRyb for <ace@ietfa.amsl.com>; Fri, 8 Jul 2022 10:24:02 -0700 (PDT)
Received: from mx0b-00169c01.pphosted.com (mx0a-00169c01.pphosted.com [67.231.148.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35035C1595E6 for <ace@ietf.org>; Fri, 8 Jul 2022 10:24:01 -0700 (PDT)
Received: from pps.filterd (m0048493.ppops.net [127.0.0.1]) by mx0a-00169c01.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 268E4DWH002926 for <ace@ietf.org>; Fri, 8 Jul 2022 10:24:00 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paloaltonetworks.com; h=mime-version : references : in-reply-to : from : date : message-id : subject : to : cc : content-type; s=PPS12012017; bh=nGbH2jUMwn71lH1jvOITlB8ayCF0xO2Zbt7VMBddCrw=; b=pEAE/BeDOG8mV4a5CNTf93zuX4DdTlnLoJZzKjGjDfKFpLE58ebG6Mj4S6pwISsgvkKf bMaV+rbigC7aOZsx7dBKCIOLBjjirVIDzdwihi7KAe6DsemeJ6hJNlMAb3IT4fgnyZXF 8KFbJ0ASu04rpsWf4GBvRh/EBZG+xHZ7kPo4oJ5DGfcO3ta4tVuS0xI/9L3Nn+LSbjPh sEW34yTni5rfrncFo1lWo9xHoo6gotGXw3H3f+GbY72me4eiQfVPjUNIGbgLTK1Ix5Jj e0WGr7hfiraFN/tts29NV0aLk58iGdRxMbu/kETVtP96VsD23CWXljs+AQ66ItZe5ndA +A==
Received: from mail-ed1-f71.google.com (mail-ed1-f71.google.com [209.85.208.71]) by mx0a-00169c01.pphosted.com (PPS) with ESMTPS id 3h4uamxmpm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for <ace@ietf.org>; Fri, 08 Jul 2022 10:23:58 -0700
Received: by mail-ed1-f71.google.com with SMTP id f13-20020a0564021e8d00b00437a2acb543so16450972edf.7 for <ace@ietf.org>; Fri, 08 Jul 2022 10:23:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paloaltonetworks.com; s=google.paloaltonetworks.com; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nGbH2jUMwn71lH1jvOITlB8ayCF0xO2Zbt7VMBddCrw=; b=aizngeVLy+mZ+kom6EaB+3NZxX1W2P5ntZUw5rJtdPFCDpxSyPEJhqG0AFVfBtiEOp m81tReIQKyMFaFLj+Nj4pVy5rDhwj2nzuN4jzKhYHAWM8dfgY8jxZ5Vwficfluxn8/sp 2Yg9dVF/jAOuV3ksMGL6MCWNqAc8vu4hypsTtPfuKs/2HjoG+cyJprPJxy3HYSblmFd3 54WsnAarMl1REvIh/sPpJoCoGyhwa9PkPNsMPFVpaz4jUo1Y50m88ZwIytds8JpqrUKj n/PccsCg41hN9igDyULppADP0UTcRGEgTE3HBol55JzuPEzEg0ah/FgJs4JQYySvhQM1 Xfcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nGbH2jUMwn71lH1jvOITlB8ayCF0xO2Zbt7VMBddCrw=; b=0C0dmPDml/qXFcy9Q1XDNhHbSC+vpfS3ZEjn7XMl1qs7e76A6UjQ39B8C7ONN55eSM sgG7AABNQ1x5AggtS+cOTjeCPtv2K9s95BYKqQ3tPo9062cEOFCUKxLMrI///wwBkOUA glHtBhVDRQUBjOY5sg36KHRzchYl2GFhjr1pDOdNRqdspbWtJ9BBdKw8PYXhOejQdAQ+ LyvsfV5wSetM4Xtb3umCqJV3ekBR+iRKUKeoNElpoLd5814/EC/7vy2uQBN3HHLeiZy8 8Bqic398r8jD+yA20mt434rvyoLDLpMbHkR2lAE9X4x9IL1cQcoadQqes3TvQMaUOXZD 5x8g==
X-Gm-Message-State: AJIora+jMsNmUn+of7jpml2GAfaCtqlapvolrE4P8p8wtiVXHWPtwVX4 CRFyAIS/mGoZaqd7j4URBd+wU8TBBIUUxIPMEsPxOWg1xIKhObXG5e3A73BVE0GZ+f1BkISuDZE GT+e8E9J376btKPuZw40=
X-Received: by 2002:a17:907:2bc5:b0:72b:2e3f:3581 with SMTP id gv5-20020a1709072bc500b0072b2e3f3581mr2683489ejc.211.1657301035648; Fri, 08 Jul 2022 10:23:55 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1uN/DKPNPe3FrY7NEDoyUcCwh4P12y77ad0P+eKN/NeoRTCUNL8Pp5MUD61YKCIDWGycoQRdpXzrjEvsdZRo2E=
X-Received: by 2002:a17:907:2bc5:b0:72b:2e3f:3581 with SMTP id gv5-20020a1709072bc500b0072b2e3f3581mr2683469ejc.211.1657301035342; Fri, 08 Jul 2022 10:23:55 -0700 (PDT)
MIME-Version: 1.0
References: <20220214192217.GA12881@kduck.mit.edu> <AS4PR10MB5199EC594C9FEEB0744BD4CCFE349@AS4PR10MB5199.EURPRD10.PROD.OUTLOOK.COM> <20220216232919.GG12881@kduck.mit.edu> <DB6PR1001MB1269E35301354C3F0E9E2C22FEEE9@DB6PR1001MB1269.EURPRD10.PROD.OUTLOOK.COM> <GV2PR10MB6210A4E74D215CA87CA3C566FE829@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <GV2PR10MB6210A4E74D215CA87CA3C566FE829@GV2PR10MB6210.EURPRD10.PROD.OUTLOOK.COM>
From: Mohit Sahni <msahni@paloaltonetworks.com>
Date: Fri, 08 Jul 2022 10:23:36 -0700
Message-ID: <CAMRcsGTQnW=NyzQEZadsiyur6vmoH4D95okAXYss=Szq2Tq9pw@mail.gmail.com>
To: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
Cc: "ace@ietf.org" <ace@ietf.org>, Daniel Migault <mglt.ietf@gmail.com>, Benjamin Kaduk <kaduk@mit.edu>, "paul.wouters@aiven.io" <paul.wouters@aiven.io>, "stripathi@paloaltonetworks.com" <stripathi@paloaltonetworks.com>, "draft-ietf-ace-cmpv2-coap-transport.all@ietf.org" <draft-ietf-ace-cmpv2-coap-transport.all@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007f75c505e34e7735"
X-Proofpoint-ORIG-GUID: Pt-vjdiMt_Oog1y2ZYSqPfuEe6vgcACx
X-Proofpoint-GUID: Pt-vjdiMt_Oog1y2ZYSqPfuEe6vgcACx
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.883,Hydra:6.0.517,FMLib:17.11.122.1 definitions=2022-07-08_14,2022-07-08_01,2022-06-22_01
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 lowpriorityscore=0 spamscore=0 suspectscore=0 phishscore=0 bulkscore=0 clxscore=1011 impostorscore=0 mlxlogscore=999 adultscore=0 mlxscore=0 priorityscore=1501 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2206140000 definitions=main-2207080067
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/8t9YDecyUjDoX1RJ1GZBTOszFTE>
Subject: Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-transport-04
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2022 17:24:07 -0000
Hi Hendrik The draft expired last month and I will publish a new version with changes catering to Ben's comments. I apologize to everyone for slacking on this draft due to some ongoing personal issues. Regards Mohit On Thu, Jul 7, 2022 at 10:54 PM Brockhaus, Hendrik < hendrik.brockhaus@siemens.com> wrote: > WG ACE > > After approval of CMP Updates at IESG last week, I would appreciate > progress on this draft, as it is blocking publication of CMP Updates. > I haven't seen any progress for a while and the current version of the > draft is outdated. > What is the status and the current timeline of the document in ACE? > > Hendrik > > -----Ursprüngliche Nachricht----- > Von: Brockhaus, Hendrik (T CST SEA-DE) > Gesendet: Freitag, 15. April 2022 17:07 > An: Mohit Sahni <msahni@paloaltonetworks.com> > Cc: ace@ietf.org;; Benjamin Kaduk <kaduk@mit.edu>; > stripathi@paloaltonetworks.com > Betreff: AW: [Ace] AD review of draft-ietf-ace-cmpv2-coap-transport-04 > > Mohit > > After discussing the issue regarding well-known URI path segments on email > and during IETF113 LAMPS meeting, I updated the CMP Updates document > reflecting the agreed solution. > The solution is registering a well-known CMP registry. CMP Updates will > register the path segment 'p' that is defined to be followed by a CA or > certificate profile name. > The path segments for usage with http and coap defining the PKI management > operations will be registered by Lightweight CMP Profile. > > You can update the CoAP Transfer for CMP draft accordingly and align it > with the changes describes above. > > If you have any questions, please feel free to contact me. > > Hendrik > > > Von: Benjamin Kaduk <kaduk@mit.edu> > > Gesendet: Donnerstag, 17. Februar 2022 00:29 > > > > Hi Hendrik, > > > > On Tue, Feb 15, 2022 at 07:42:31AM +0000, Brockhaus, Hendrik wrote: > > > Ben > > > > > > Thank you for your review and your comment on CMP Updates. > > > I will just comment on the usage of "cmp" well-known URI and leave > > > the other > > comments to the authors of draft-ietf-ace-cmpv2-coap-transport-04. > > > > Understood. > > > > I am under a bit of a time crunch preparing for tomorrow's IESG > > telechat, but the short answer is: RFC 7030 is not a good example, but > > for draft-ietf-ace- coap-est it is more important to be consistent > > with RFC 7030 EST than to use regular best practices for well-known URIs. > > > > A brief look into the history of RFC 7030 reveals that several > > reviewers took objection to the usage of "arbitrary labels" under > > /.well-known/est in question here, including a DISCUSS ballot from > Stephen Farrell. > > Unfortunately, (in my assessment) it seems that that position was > > converted to a COMMENT prematurely, as only the question of "how would > > this even work at all" was resolved, and the question of "why does this > need to be well-known" > > was not. > > > > In particular, if you have out-of-band between client and server about > > what "arbitrary label" to use, then there is by assumption a channel > > that could be used to coordinate what URI to use, so the server could > > just assign a regular URI out of the portion of the URI namespace that > > is wholly under its control (i.e., just the toplevel /arbitraryLabel1 > > would work) in a manner that is compliant with BCP 190. Given this > > configuration channel there is no need to use a well-known URI at all, > > and re-delegating a portion of the well-known namespace back to the > > hosting server seems to provide little or no value, at the cost of > making future protocol evolution much more difficult. > > > > That said, if there is some use case (perhaps a third-party > > coordinator that does not control the server's URI namespace) for > > remaining under well-known, it is safe to specify in the RFC that > > (e.g.) /.well-known/cmp/local is available for the server to use with > > arbitrary labels underneath it, and ideally what the semantics of those > labels are. > > My strongest concern is with the intermingling of arbitrary labels at > > the toplevel /.well-known/cmp/ with potential future protocol > > extensions. We need to retain a well-known namespace fully under the > > control of the protocol and with no risk of conflict to > server-operator-assigned names. > > > > -Ben > > > > > > Von: Ace <ace-bounces@ietf.org> Im Auftrag von Benjamin Kaduk > > > > Gesendet: Montag, 14. Februar 2022 20:22 > > > > > > > > Hi all, > > > > > > > > Jumping right in... > > > > > > > > > > > > I guess this is probably more of a comment on > > > > draft-ietf-lamps-cmp-updates, but since we are duplicating some of > > > > its content I will still call it out as a as a serious concern. > > > > My concern relates > > to the usage of the "cmp" > > > > well-known URI -- we hvae some text in §2.1 that effectively says > > > > that a local site can just put more path segments under that path > > > > at its own discretion, and there's not even any restrictions made > > > > on the structucture of the additional path segments -- the next > > > > segment could be an operational label or a profile label, in the > > > > examples given. This seems entirely at odds with the purpose of > > > > well-known URIs as per RFC 8615 -- they are to be URIs whose > > > > semantics are entirely specified by a protocol specification and > > > > are *not* subject to local operator control. While it is possible > > > > for a specification to introduce additional structure under its > > > > registered well-known path, it's expected that the semantics of > > > > those subtrees are still specified by the protocol, and any > > > > extensions are to be managed by a (sub-)registry. See, for > > > > example, §8.3.2 of RFC 8995, that establishes a sub- > > registry for the path components under /.well-known/brski . > > > > > > > > Any changes here will of course need to be synchronized with > > > > draft-ietf- lamps-cmp-updates, but I don't think this draft can go > > > > forward in its current form. > > > > > > > When writing the sections on http and coap transfer in Lightweight > > > CMP > > Profile and CMP Updates I took RFC 7030 as example. > > > RFC 7030 §3.2.2 states > > > An EST server MAY provide service for multiple CAs as indicated by > an > > > OPTIONAL additional path segment between the registered application > > > name and the operation path. To avoid conflict, the CA label MUST > > > NOT be the same as any defined operation path segment. The EST > > > server MUST provide services regardless of whether the additional > > > path segment is present. The following are three example valid > URIs: > > > > > > 1. > > > > https://urldefense.com/v3/__https://eur01.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww__;JSUl!!Mt_FR42WkD9csi9Y!Z8DfJbXNFzm1NU0YAP0dvSZSKIL0Wj9lCdrTSEQ-VIF4ZOsnbLGjeV4x-xhEFcdXetxtP09fJB9nIyI5IlYEEN-NEMPgECfsOg$ > . > > > example.com%2F.well- > > known%2Fest%2Fcacerts&data=04%7C01%7Chendrik.b > > > > > rockhaus%40siemens.com%7C8a6420277bd348c6861b08d9f1a42e6c%7C38ae3 > > bcd95 > > > > > 794fd4addab42e1495d55a%7C1%7C0%7C637806509737370525%7CUnknown% > > 7CTWFpbG > > > > > Zsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn > > 0% > > > > > 3D%7C3000&sdata=Ava58spSAMOM0KnNKIsMy0LR4TDmUpozu7ErsgdlTys > > %3D& > > > ;reserved=0 > > > > > > 2. > > > > https://urldefense.com/v3/__https://eur01.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww__;JSUl!!Mt_FR42WkD9csi9Y!Z8DfJbXNFzm1NU0YAP0dvSZSKIL0Wj9lCdrTSEQ-VIF4ZOsnbLGjeV4x-xhEFcdXetxtP09fJB9nIyI5IlYEEN-NEMPgECfsOg$ > . > > > example.com%2F.well- > > known%2Fest%2FarbitraryLabel1%2Fcacerts&data=0 > > > > > 4%7C01%7Chendrik.brockhaus%40siemens.com%7C8a6420277bd348c6861b08 > > d9f1a > > > > > 42e6c%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637806509737 > > 370525% > > > > > 7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi > > I6Ik > > > > > 1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=WV0n8BBfqMY0R9OqCh1TXRV > > 7%2FzPmQT > > > rP5LtD3NY5Nw4%3D&reserved=0 > > > > > > 3. > > > > https://urldefense.com/v3/__https://eur01.safelinks.protection.outlook.com/?url=https*3A*2F*2Fwww__;JSUl!!Mt_FR42WkD9csi9Y!Z8DfJbXNFzm1NU0YAP0dvSZSKIL0Wj9lCdrTSEQ-VIF4ZOsnbLGjeV4x-xhEFcdXetxtP09fJB9nIyI5IlYEEN-NEMPgECfsOg$ > . > > > example.com%2F.well- > > known%2Fest%2FarbitraryLabel2%2Fcacerts&data=0 > > > > > 4%7C01%7Chendrik.brockhaus%40siemens.com%7C8a6420277bd348c6861b08 > > d9f1a > > > > > 42e6c%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637806509737 > > 370525% > > > > > 7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi > > I6Ik > > > > > 1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=WYjgD3ZJl5V%2BzhMGdTVFSPz > > O1KdV3L > > > CzNOy7GIkAnmE%3D&reserved=0 > > > > > > Also draft-ietf-ace-coap-est §5.1 makes use of arbitraryLables > > > For both types of installations, saving header space is important > and > > > short EST-coaps URIs are specified in this document. These URIs are > > > shorter than the ones in [RFC7030]. Two example EST-coaps resource > > > path names are: > > > > > > coaps://example.com:<port>/.well-known/est/<short-est> > > > > > > coaps://example.com:<port>/.well-known/est/ArbitraryLabel/<short-est > > > > > > > > > > CMP Updates §3.3 makes use of these examples and adapts them to CMP > > needs renaming arbitraryLable to profileLable. The operationLable is > > specified in Lightweight CMP Profile. > > > The CMP client needs to be configured with sufficient information to > > > form the CMP server URI. This is at least the authority portion of > > > the URI, e.g., > > ' > https://urldefense.com/v3/__https://eur01.safelinks.protection.outlook.com/?url=http*3A*2F*2Fwww__;JSUl!!Mt_FR42WkD9csi9Y!Z8DfJbXNFzm1NU0YAP0dvSZSKIL0Wj9lCdrTSEQ-VIF4ZOsnbLGjeV4x-xhEFcdXetxtP09fJB9nIyI5IlYEEN-NEMNrTbTCIw$ > . > > exa mple.com%2F&data=04%7C01%7Chendrik.brockhaus%40siemens.com%7C > > 8a6420277bd348c6861b08d9f1a42e6c%7C38ae3bcd95794fd4addab42e1495d5 > > 5a%7C1%7C0%7C637806509737370525%7CUnknown%7CTWFpbGZsb3d8eyJWI > > joiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C300 > > 0&sdata=QirARZYWEWP8Bh3vW2t0hC4cCPuUAQJXXoKPiYSrHKw%3D& > > ;reserved=0', or the full operation path > > > segment of the PKI management entity. Additionally, OPTIONAL path > > > segments MAY be added after the registered application name as part > > > of the full operation path to provide further distinction. A path > > > segment could for example support the differentiation of specific > > > CAs, certificate profiles, or PKI management operations. A valid > > > full CMP path can look like this: > > > > > > > > > https://urldefense.com/v3/__https://eur01.safelinks.protection.outlook.com/?url=http*3A*2F*2Fwww.e__;JSUl!!Mt_FR42WkD9csi9Y!Z8DfJbXNFzm1NU0YAP0dvSZSKIL0Wj9lCdrTSEQ-VIF4ZOsnbLGjeV4x-xhEFcdXetxtP09fJB9nIyI5IlYEEN-NEMMvgfw4Ow$ > > xa > > mple.com%2F.well- > > known%2Fcmp&data=04%7C01%7Chendrik.brockhaus%40siemens.com%7 > > C8a6420277bd348c6861b08d9f1a42e6c%7C38ae3bcd95794fd4addab42e1495d > > 55a%7C1%7C0%7C637806509737370525%7CUnknown%7CTWFpbGZsb3d8eyJ > > WIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C > > 3000&sdata=sw43ICQHH%2F%2F5VicZWkvmFt1GuKXfAprm6QWfQ63xgOI > > %3D&reserved=0 > > > > > > https://urldefense.com/v3/__https://eur01.safelinks.protection.outlook.com/?url=http*3A*2F*2Fwww.e__;JSUl!!Mt_FR42WkD9csi9Y!Z8DfJbXNFzm1NU0YAP0dvSZSKIL0Wj9lCdrTSEQ-VIF4ZOsnbLGjeV4x-xhEFcdXetxtP09fJB9nIyI5IlYEEN-NEMMvgfw4Ow$ > > xa > > mple.com%2F.well- > > known%2Fcmp%2FoperationLabel&data=04%7C01%7Chendrik.brockhaus > > %40siemens.com%7C8a6420277bd348c6861b08d9f1a42e6c%7C38ae3bcd9579 > > 4fd4addab42e1495d55a%7C1%7C0%7C637806509737370525%7CUnknown%7C > > TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJX > > VCI6Mn0%3D%7C3000&sdata=ZII30%2FXZ%2Blpgf%2BeQ3lXAeMe2ikNyBE > > XkLXs7VGUSJuQ%3D&reserved=0 > > > > > > https://urldefense.com/v3/__https://eur01.safelinks.protection.outlook.com/?url=http*3A*2F*2Fwww.e__;JSUl!!Mt_FR42WkD9csi9Y!Z8DfJbXNFzm1NU0YAP0dvSZSKIL0Wj9lCdrTSEQ-VIF4ZOsnbLGjeV4x-xhEFcdXetxtP09fJB9nIyI5IlYEEN-NEMMvgfw4Ow$ > > xa > > mple.com%2F.well- > > known%2Fcmp%2FprofileLabel&data=04%7C01%7Chendrik.brockhaus%40 > > siemens.com%7C8a6420277bd348c6861b08d9f1a42e6c%7C38ae3bcd95794fd4 > > addab42e1495d55a%7C1%7C0%7C637806509737370525%7CUnknown%7CTWF > > pbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6 > > Mn0%3D%7C3000&sdata=1FRZmawKgb%2BCC5mxxZ8ENPG9y31Tt5gRxDc > > oRs8xNqI%3D&reserved=0 > > > > > > > https://urldefense.com/v3/__https://eur01.safelinks.protection.outlook.com/?url=http*3A*2F*2Fwww__;JSUl!!Mt_FR42WkD9csi9Y!Z8DfJbXNFzm1NU0YAP0dvSZSKIL0Wj9lCdrTSEQ-VIF4ZOsnbLGjeV4x-xhEFcdXetxtP09fJB9nIyI5IlYEEN-NEMNrTbTCIw$ > > > .e > > > xample.com%2F.well- > > known%2Fcmp%2FprofileLabel%2FoperationLabel&dat > > > > > a=04%7C01%7Chendrik.brockhaus%40siemens.com%7C8a6420277bd348c6861 > > b08d9 > > > > > f1a42e6c%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C6378065097 > > 373705 > > > > > 25%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiL > > CJBTiI > > > > > 6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=WJtAZ3zVq1fiR%2BtEYtodL > > Hx7Y1Y > > > FND1usqu8sK3kCHM%3D&reserved=0 > > > > > > The operational labels for usage with http are further specified in > > > Lightweight > > CMP Profile §6.1 (and for coap see §6.2). > > > PKI management operations SHOULD use URI paths consisting of > '/.well- > > > known/cmp/' followed by an operation label depending on the type of > > > PKI management operation. > > > > > > +============================+=====================+=========+ > > > | PKI management operation | operation label | Details | > > > +============================+=====================+=========+ > > > | Enroll client to new PKI | /initialization | Section | > > > | | | 4.1.1 | > > > +----------------------------+---------------------+---------+ > > > | Enroll client to existing | /certification | Section | > > > | PKI | | 4.1.2 | > > > +----------------------------+---------------------+---------+ > > > | Update client certificate | /keyupdate | Section | > > > | | | 4.1.3 | > > > +----------------------------+---------------------+---------+ > > > | Enroll client using | /p10 | Section | > > > | PKCS#10 | | 4.1.4 | > > > +----------------------------+---------------------+---------+ > > > | Revoke client certificate | /revocation | Section | > > > | | | 4.2 | > > > +----------------------------+---------------------+---------+ > > > | Get CA certificates | /getcacerts | Section | > > > | | | 4.3.1 | > > > +----------------------------+---------------------+---------+ > > > | Get root CA certificate | /getrootupdate | Section | > > > | update | | 4.3.2 | > > > +----------------------------+---------------------+---------+ > > > | Get certificate request | /getcertreqtemplate | Section | > > > | template | | 4.3.1 | > > > +----------------------------+---------------------+---------+ > > > | Get CRL updates | /getcrls | Section | > > > | | | 4.3.4 | > > > +----------------------------+---------------------+---------+ > > > | Batching messages | /nested | Section | > > > | | | 5.2.2.2 | > > > | Note: This path element is | | | > > > | applicable only between | | | > > > | PKI management entities. | | | > > > +----------------------------+---------------------+---------+ > > > > > > Table 1: HTTP endpoints > > > > > > May be I missed something. Could you explain where you see the > > > difference > > between the usage of /.well-known/ in RFC 7030 and in CMP Updates and > > Lightweight CMP Profile or why this approach is not appropriate anymore. > > > > > > Hendrik >
- [Ace] AD review of draft-ietf-ace-cmpv2-coap-tran… Benjamin Kaduk
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Mohit Sahni
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Brockhaus, Hendrik
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Benjamin Kaduk
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Michael Richardson
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Brockhaus, Hendrik
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Brockhaus, Hendrik
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Brockhaus, Hendrik
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Mohit Sahni
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Mohit Sahni
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Brockhaus, Hendrik
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Daniel Migault
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Brockhaus, Hendrik
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Daniel Migault
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Brockhaus, Hendrik
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Daniel Migault
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Brockhaus, Hendrik
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Paul Wouters
- Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-… Daniel Migault