[Ace] Re: [core] Re: I-D Action: draft-ietf-core-uri-path-abbrev-01.txt and renewal-info
Esko Dijk <esko.dijk@iotconsultancy.nl> Mon, 29 September 2025 09:05 UTC
Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: ace@mail2.ietf.org
Delivered-To: ace@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 479BD6A6FFF2; Mon, 29 Sep 2025 02:05:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=iotconsultancy.nl
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dUaImIYfHDiy; Mon, 29 Sep 2025 02:05:15 -0700 (PDT)
Received: from dane.soverin.net (dane.soverin.net [IPv6:2a10:de80:1:4091:b9e9:220b:0:1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 1D23D6A6FFEB; Mon, 29 Sep 2025 02:05:14 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.4.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (No client certificate requested) by dane.soverin.net (Postfix) with ESMTPS id 4cZwJ30V9nzZK4; Mon, 29 Sep 2025 09:05:07 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [10.10.4.100]) by soverin.net (Postfix) with ESMTPSA id 4cZwJ24P53zKh; Mon, 29 Sep 2025 09:05:06 +0000 (UTC)
Authentication-Results: smtp.soverin.net; dkim=pass (2048-bit key; unprotected) header.d=iotconsultancy.nl header.i=@iotconsultancy.nl header.a=rsa-sha256 header.s=soverin1 header.b=jrmhDgn3; dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancy.nl; s=soverin1; t=1759136706; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=syDDiJRpHYdKy9nmeqXOLGsBCAcuoPUNpJXHWRaqRZI=; b=jrmhDgn3S7kDXF9h6wrky9YlSc5ewTEzmssU9H12aOGCZnVS2qursJXlE/IZ4qQhMJP85T hnxbgnXtoM9cF453KvdDvjiaaHXqvc4BwRnneePmj/PEpsjjVS6/ET5ytEM2MlKBSV8xt7 cEomRmDr6kNj5CaC1iRi/kqWWiim/oylzVgrvceuL3rKmaHakrcgiT5kI5bLR/RtZK/vJz 1ITirZ0Wdjtbx2GlJR2tnqkyNQAixFl+CHTwUMfcEn/czBAu2gu8HWuP1Af+KHwDHW4kL0 9gN7GUXRiAHvvIjjCGj6Zv3LyjlpIoU6Fglnox6nhos6FaWP1DMVuHXbfXCDBA==
Content-Type: multipart/alternative; boundary="------------qWob6dKRjZ00Ry8imxQWNbPq"
Message-ID: <cee1acb7-cb50-45e3-9c84-49da24bcd96f@iotconsultancy.nl>
Date: Mon, 29 Sep 2025 11:05:08 +0200
MIME-Version: 1.0
To: Michael Richardson <mcr+ietf@sandelman.ca>, Christian Amsüss <christian@amsuess.com>, core@ietf.org, ace@ietf.org, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, Mike Ounsworth <mike@ounsworth.ca>
References: <175892923928.1872244.8058801630242481978@dt-datatracker-6c6cdf7f94-h6rnn> <aNcmFX_as4zvohOf@hephaistos.amsuess.com> <23143.1758994334@obiwan.sandelman.ca>
Content-Language: en-US
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
Organization: IoTconsultancy.nl
In-Reply-To: <23143.1758994334@obiwan.sandelman.ca>
X-Spampanel-Class: ham
Message-ID-Hash: NAT43SIDT6Z5ZI5K66OR4Y6WNFPMRDHF
X-Message-ID-Hash: NAT43SIDT6Z5ZI5K66OR4Y6WNFPMRDHF
X-MailFrom: esko.dijk@iotconsultancy.nl
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ace.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Ace] Re: [core] Re: I-D Action: draft-ietf-core-uri-path-abbrev-01.txt and renewal-info
List-Id: "Authentication and Authorization for Constrained Environments (ace)" <ace.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/ACNgHNV3HuAAojZNDgu1GHZRwbQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Owner: <mailto:ace-owner@ietf.org>
List-Post: <mailto:ace@ietf.org>
List-Subscribe: <mailto:ace-join@ietf.org>
List-Unsubscribe: <mailto:ace-leave@ietf.org>
Renewal is indeed important for EST-obtained certificates, and knowing when to renew also. In draft-ietf-anima-constrained-voucher (cBRSKI) we call it "re-enrollment" (this includes both plain renewal as well as a potential change of domain TA). Do we have this term correct? If renewal happens frequently enough, we might have a good use case for using Uri-Path-Abbrev. But, this is only in the following case: 1. Device knows, or somehow discovers, address/port of the EST Registrar and contacts it using a /.well-known/est/... resource. There's also other cases enabled by RFC 9148: (Section 4.1) 2. Device knows, or somehow discovers, address/port of the EST Registrar, makes DTLS connection, and uses CoAPS-secured discovery to get resource names. (Shorter Link Format document - example 1 in 4.1. Still more verbose than really needed...) 3. Device uses unsecured CoAP discovery to find address/port/resources of EST Registrar, then makes DTLS connection and uses the discovered resource names. (Very long Link Format document - example 2 in 4.1.) In case 2/3, Uri-Path-Abbrev won't be used. Not a problem, just wanted to point this out. Esko On 27-9-2025 19:32, Michael Richardson wrote: > Christian Amsüss<christian@amsuess.com> wrote: > > I think this is as compact as it gets, with all the options of > > repetition deferred to future development (sketched in an appendix for > > the benefit of future documents), it's really just a simple number. > > Agreed. > > Rifaat,MikeO and I have just posted draft-yusef-lamps-rfc7030-renewal-recommendation. > It replicates RFC9773 (an ACME thing) into EST/RFC7030. > > It (renewal-info) probably should also update RFC9148 to add a new renewal-info for > EST-coaps. So this would fit into the path-abbrev 30x space! > I think it will be fine for renewal-info to block on publication of abbrev. > Probably renewal-info should return CBOR for 9148 use, so we'll need to do CDDL. > > So I'll include IANA Considerations in that document. > > ---- > > I think that renewal-info will have to resurrect the well-known/EST registry > that RFC8995 created as I-D, then walked back to make well-known/BRSKI > instead near the last minute... > > -- > Michael Richardson<mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) > Sandelman Software Works Inc, Ottawa and Worldwide > > > > > > _______________________________________________ > core mailing list --core@ietf.org > To unsubscribe send an email tocore-leave@ietf.org -- *IoTconsultancy.nl* | Email/Teams: esko.dijk@iotconsultancy.nl | +31 6 2385 8339
- [Ace] Re: [core] Re: I-D Action: draft-ietf-core-… Michael Richardson
- [Ace] Re: [core] Re: I-D Action: draft-ietf-core-… Michael Richardson
- [Ace] Re: [core] Re: I-D Action: draft-ietf-core-… Esko Dijk
- [Ace] Re: [core] Re: I-D Action: draft-ietf-core-… Michael Richardson