Re: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2

Jim Schaad <> Tue, 10 September 2019 03:34 UTC

From: Jim Schaad <>
To: 'Michael Richardson' <>
CC: <>, <>, 'Benjamin Kaduk' <>
Date: Mon, 9 Sep 2019 20:34:01 -0700


Are we ready to produce a new draft that addresses most, if not all, of
Ben's comments?  Do we have a pull request to deal with this that we can
point to?


-----Original Message-----
From: Jim Schaad <>
Sent: Monday, September 9, 2019 1:17 PM
To: 'Michael Richardson' <>; 'Benjamin Kaduk'
Subject: RE: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2

-----Original Message-----
From: Michael Richardson <>
Sent: Monday, September 9, 2019 9:38 AM
To: Benjamin Kaduk <>
Subject: Re: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2

Benjamin Kaduk <> wrote:
    >> So, on a constrained device, I'd like to know what to expect (what to
    >> code for).  While I don't particularly care for server-generated
    >> it should probably be specified correctly.  I see that the complexity
    >> of sorting this means that I think that Content-Format 284
    >> (unprotected) will get used most often.

    > Your constrained device is probably only going to implement one cipher
    > [mode], too, right?  If it's an AEAD mode, you use AuthEnvelopedData;
    > otherwise, classic EnvelopedData.

Yes, but each constrained device type might have a different set, and the
EST server for such an installation has to figure out how to send the right

[JLS] This is the function of section in RFC 7030 which says that
the DecryptKeyIdentifier must be present.  This will provide the EST server
a method to identify the correct key and the correct symmetric encryption

    >> I think that we could go to TLS Exporter right now, but it would take
    >> some work.

    > I'd rather have both classic-EST and coap-EST benefit than just
    > coap-EST.

So you'd agree to deferring this to a document (maybe in LAMPS?) that would
Updates: 7030 and this document.

]               Never tell me the odds!                 | ipv6 mesh networks
]   Michael Richardson, Sandelman Software Works        | network architect
]        |   ruby on rails