Re: [Ace] draft-selander-ace-eals vs. draft-vanderstok-ace-coap-est

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Wed, 11 October 2017 14:59 UTC

From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "Ace@ietf.org" <Ace@ietf.org>
Date: Wed, 11 Oct 2017 14:58:57 +0000
Message-ID: <a07803580ea24fa1a6a0cfd7df397d89@XCH-ALN-010.cisco.com>
References: <e5f4cf2f-b394-6466-ea76-7c1a83d1837f@gmx.net>
In-Reply-To: <e5f4cf2f-b394-6466-ea76-7c1a83d1837f@gmx.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/93y_TiycoueCh0LpcjL_uJvKVDs>

Sorry for responding to this late. 

Full disclosure, I am also one of the authors of draft-vanderstok-ace-coap-est. 

draft-vanderstok-ace-coap-est uses well-established DTLS to secure the CoAP channel at the transport layer in order to carry the cert provisioning messages of EST. EST is a protocol that has certain advantages and has been seeing adoption for some time now. Some examples include:

- Digicert https://www.digicert.com/news/2017-02-06-digicert-launches-auto-provisioning-for-iot-devices
- Entrust https://www.entrustdatacard.com/blog/2017/may/certificate-management-to-client-or-not-to-client
- Java Bouncy Castle https://www.bouncycastle.org/
- EJBCA https://sourceforge.net/p/ejbca/discussion/132019/thread/1d749923
- Cisco https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/xe-3s/sec-pki-xe-3s-book/sec-est-client-supp-pki.html
- Samsung https://www.samsungknox.com/en/article/est-cmc-change-notes

Of course DTLS and CoAP are also well adopted and implemented. We have seen a few vendors asking for EST to run over CoAP over DTLS, specifically in the lighting and IoT verticals, in order to be bootstrapped and provisioned with an identity.

EALS, on the other hand, uses CMC messages over CoAP by defining new URIs, and uses OSCOAP/EDHOC to secure the messages at the application layer. The CMC messages are similar to EST's and thus I don't see these as competing, but the new EALS APIs are replicating functionality already existing in EST. Securing the messages at the application layer is a significant difference, though. There might be certain use cases for application layer security with OSCOAP, like code size, but as already brought up in an earlier meeting, the OSCOAP protections replicate the protections in DTLS at the transport layer. In other words, draft-vanderstok-ace-coap-est is based on established and trusted protocols that are already implemented, and we have seen demand in the industry for this solution, thus the draft. EALS introduces newer protection mechanisms that could well have some use cases in the industry.

I see the two drafts as defining two separate secure channels for securing the same CoAP messages. I would suggest that the new protection mechanism offered in EALS could be a separate draft for protecting the EST-coap messages instead of DTLS, in order to reap the fruits of OSCOAP, but I would like to see the EST-coap message bindings be common, without separate CMC messages. That way the BRSKI messages would not need to be redefined for bootstrapping over CoAP either.

I think these will be discussed in one of the upcoming interims, but I wanted to bring the points to prepare the discussion. 

Rgs,
Panos
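
As an added illustration of the layering difference Panos describes above (this is not code from either draft, nor from anyone in the thread), the following Python encodes an EST "simple enroll" request as the CoAP POST an EST-coaps client would send, and then shows which bytes each design protects: with DTLS the whole datagram is the record plaintext, while with OSCOAP the inner code, the class E options and the payload are moved into a COSE object and only the CoAP header travels in clear. It assumes, as labelled in the code, the resource path /.well-known/est/sen, the CoAP content-format numbers 286 (application/pkcs10) and 281 (application/pkcs7-mime; smime-type=certs-only), and the OSCOAP plaintext layout "code || class E options || 0xFF || payload" as later fixed in RFC 8613; the CSR bytes are a constructed placeholder.

```python
"""Added illustration: EST-coaps enroll request as CoAP bytes, and what DTLS
versus OSCOAP would cover.  Not code from either draft or from the thread.

Assumptions (not stated in the thread): path /.well-known/est/sen, CoAP
content-format 286 (application/pkcs10) and 281 (application/pkcs7-mime;
smime-type=certs-only), and the OSCOAP plaintext layout
"code || class E options || 0xFF || payload" (as in RFC 8613).
"""
import struct

# CoAP constants (RFC 7252)
COAP_VERSION = 1
TYPE_CON = 0
CODE_POST = 0x02           # request code 0.02
OPT_URI_PATH = 11
OPT_CONTENT_FORMAT = 12
OPT_ACCEPT = 17
PAYLOAD_MARKER = b"\xff"

# Assumed content-format numbers for the EST media types
CF_PKCS10 = 286
CF_PKCS7_CERTS_ONLY = 281

# Constructed stand-in for a DER PKCS#10 request; a real client puts a CSR here
CSR_DER = b"PKCS10-CSR-PLACEHOLDER"


def _nibble(x):
    """Split an option delta or length into its 4-bit field plus extension bytes."""
    if x < 13:
        return x, b""
    if x < 269:
        return 13, bytes([x - 13])
    return 14, struct.pack("!H", x - 269)


def encode_options(options):
    """Serialise (number, value) options with RFC 7252 delta encoding.
    Sorting by number only keeps repeated Uri-Path segments in insertion order."""
    out = bytearray()
    prev = 0
    for num, val in sorted(options, key=lambda o: o[0]):
        dn, dext = _nibble(num - prev)
        ln, lext = _nibble(len(val))
        out.append((dn << 4) | ln)
        out += dext + lext + val
        prev = num
    return bytes(out)


def coap_header(msg_type, code, msg_id, token):
    """4-byte fixed header (Ver, T, TKL, Code, Message ID) followed by the token."""
    first = (COAP_VERSION << 6) | (msg_type << 4) | len(token)
    return bytes([first, code]) + struct.pack("!H", msg_id) + token


def est_enroll_options():
    """Uri-Path / Content-Format / Accept options of an EST-coaps simpleenroll."""
    return [
        (OPT_URI_PATH, b".well-known"),
        (OPT_URI_PATH, b"est"),
        (OPT_URI_PATH, b"sen"),
        (OPT_CONTENT_FORMAT, struct.pack("!H", CF_PKCS10)),
        (OPT_ACCEPT, struct.pack("!H", CF_PKCS7_CERTS_ONLY)),
    ]


def build_est_enroll(token, msg_id, csr_der=CSR_DER):
    """The plain CoAP datagram an EST-coaps client hands down to DTLS."""
    return (coap_header(TYPE_CON, CODE_POST, msg_id, token)
            + encode_options(est_enroll_options())
            + PAYLOAD_MARKER + csr_der)


def split_protection(token, msg_id, csr_der=CSR_DER):
    """Which bytes each design protects.

    dtls_record_plaintext: the whole datagram is the DTLS record payload, so
        everything gets confidentiality and integrity at the transport layer.
    oscoap_plaintext: what OSCOAP encrypts and authenticates at the application
        layer: inner code, class E options (all of ours) and the payload.
    oscoap_outer_clear: what still travels unencrypted: the CoAP header with
        the outer code POST, message ID and token.  (The OSCOAP option that
        the outer message would also carry is omitted here.)
    """
    opts = encode_options(est_enroll_options())
    return {
        "dtls_record_plaintext": build_est_enroll(token, msg_id, csr_der),
        "oscoap_plaintext": bytes([CODE_POST]) + opts + PAYLOAD_MARKER + csr_der,
        "oscoap_outer_clear": coap_header(TYPE_CON, CODE_POST, msg_id, token),
    }


if __name__ == "__main__":
    for name, data in split_protection(b"\x7a", 0x1234).items():
        print(f"{name:22s} {len(data):3d} bytes  {data.hex()}")
```

Running it prints the three byte strings side by side; the point to notice is that the set of bytes OSCOAP encrypts is the same request the DTLS design already encrypts wholesale, which is the "replicated protections" observation in the message above, with the header fields (message ID, token) being the only difference in what stays visible on the wire.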


-----Original Message-----
From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday, September 13, 2017 11:43 AM
To: Ace@ietf.org
Subject: [Ace] draft-selander-ace-eals vs. draft-vanderstok-ace-coap-est

Hi all,

in previous IETF meetings we had presentations on these two documents, and it appears that there is an overlap. So far we haven't had a lot of discussion on these proposals on the list, but since there seems to be interest from the folks attending the IETF meetings, I am recommending that we have a discussion about the direction we should go with this work.

Any thoughts?

Ciao
Hannes

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace