Re: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Mon, 20 May 2019 15:31 UTC

Return-Path: <pkampana@cisco.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 592FB1200E5 for <ace@ietfa.amsl.com>; Mon, 20 May 2019 08:31:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=CHBZM5Sj; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=RWFUQLSe
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ekN9AedoZlw4 for <ace@ietfa.amsl.com>; Mon, 20 May 2019 08:31:44 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0E9A12008F for <ace@ietf.org>; Mon, 20 May 2019 08:31:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8360; q=dns/txt; s=iport; t=1558366304; x=1559575904; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=XnpbhTDEHw89RFPL/nhYIwagxGx0O4Q6La9gdQW/Jw8=; b=CHBZM5SjPjxj28ICbYwixQ+Pm1RJc0ZABVpNUq8NS8LIrBDg5QNNNYfL 1y4JdLWjdOMOmSpV8WRq7SgJIymDAys6WUMPefHzGTHRm7jbIuZHbgAtF gq8Y6Q5uDsSzkr9/hu3B/SvUXIWlzKd3L1UFShpSBiwKq4IFSW2rvg9l1 w=;
IronPort-PHdr: =?us-ascii?q?9a23=3APTTc2xRPc5bgIKwCeIrhqG8cWtpsv++ubAcI9p?= =?us-ascii?q?oqja5Pea2//pPkeVbS/uhpkESXBNfA8/wRje3QvuigQmEG7Zub+FE6OJ1XH1?= =?us-ascii?q?5g640NmhA4RsuMCEn1NvnvOjQ5FcFaXVls13q6KkNSXs35Yg6arw=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BIAAAIyOJc/5ldJa1lHAEBAQQBAQc?= =?us-ascii?q?EAQGBUQcBAQsBgT1QA2lVIAQLKIQTg0cDhFKKJYJXlyeBLoEkA1QJAQEBDAE?= =?us-ascii?q?BGA8GAgEBhEACF4IlIzQJDgEDAQEEAQECAQRtHAyFSgEBAQMBAQEQEQQNDAE?= =?us-ascii?q?BLAwEBwQCAQgRBAEBAwImAgICJQsVCAgCBAESCBqDAYFqAw4PAQ6bLQKBNYh?= =?us-ascii?q?fcXwzgnkBAQWBMwEDAg5BgncYgg8JgQwoAYtQF4FAP4ERRoJMPoJhAQECAQE?= =?us-ascii?q?WgTEYFYJzMoImjXaaJgkCgg2GLoxpgh1nhW6DeokzjFKBJYVIjk4CBAIEBQI?= =?us-ascii?q?OAQEFgU84gVdwFRohgmwJggaDb4UUhT9yAQmBH44OAQE?=
X-IronPort-AV: E=Sophos;i="5.60,491,1549929600"; d="scan'208";a="275885313"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 20 May 2019 15:31:20 +0000
Received: from XCH-RCD-010.cisco.com (xch-rcd-010.cisco.com [173.37.102.20]) by rcdn-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id x4KFVIwh006066 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 20 May 2019 15:31:18 GMT
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by XCH-RCD-010.cisco.com (173.37.102.20) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 20 May 2019 10:31:17 -0500
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 20 May 2019 10:31:17 -0500
Received: from NAM04-SN1-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Mon, 20 May 2019 11:31:17 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XnpbhTDEHw89RFPL/nhYIwagxGx0O4Q6La9gdQW/Jw8=; b=RWFUQLSerGo4wjEqHzQjPoPJA8VHdwHdXXhpzRyAnBsrApcXcDHSyJ1GBtOd82fr0oUZ8+rg8Crl+pekbT385AFlCRbh+YXbRnX8B6QqWia2/IhAO5iElqsrYCDJ8wfoLUkEZY/bGxkGUE6dmVon6lL0WQnmTLoDDe1rNy8r0QQ=
Received: from MWHPR11MB1838.namprd11.prod.outlook.com (10.175.53.141) by MWHPR11MB1549.namprd11.prod.outlook.com (10.172.54.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1900.16; Mon, 20 May 2019 15:31:15 +0000
Received: from MWHPR11MB1838.namprd11.prod.outlook.com ([fe80::4964:5495:9121:8f12]) by MWHPR11MB1838.namprd11.prod.outlook.com ([fe80::4964:5495:9121:8f12%7]) with mapi id 15.20.1900.020; Mon, 20 May 2019 15:31:15 +0000
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Esko Dijk <esko.dijk@iotconsultancy.nl>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt
Thread-Index: AQHVDMWddQFmHhPwYk+M2tBX23+L/6ZvciLAgAQfnoCAAI3gkA==
Date: Mon, 20 May 2019 15:31:15 +0000
Message-ID: <MWHPR11MB1838CC9A9B05329DE6FF298AC9060@MWHPR11MB1838.namprd11.prod.outlook.com>
References: <155810704144.26327.4695280572619758639@ietfa.amsl.com> <MWHPR11MB18385D70221AC1A962C97623C90B0@MWHPR11MB1838.namprd11.prod.outlook.com> <DB6P190MB005480059C7AC6C165475F7CFD060@DB6P190MB0054.EURP190.PROD.OUTLOOK.COM>
In-Reply-To: <DB6P190MB005480059C7AC6C165475F7CFD060@DB6P190MB0054.EURP190.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pkampana@cisco.com;
x-originating-ip: [2001:420:c0c4:1003::189]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ac9875bb-7131-4c8e-0e34-08d6dd383299
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:MWHPR11MB1549;
x-ms-traffictypediagnostic: MWHPR11MB1549:
x-ms-exchange-purlcount: 7
x-microsoft-antispam-prvs: <MWHPR11MB1549416A5082680BAD309E67C9060@MWHPR11MB1549.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 004395A01C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(396003)(346002)(39860400002)(376002)(366004)(13464003)(199004)(189003)(53754006)(68736007)(2501003)(476003)(11346002)(446003)(46003)(229853002)(6506007)(53546011)(186003)(102836004)(316002)(66574012)(110136005)(76176011)(99286004)(33656002)(7696005)(486006)(2906002)(81166006)(25786009)(8936002)(53936002)(6246003)(71200400001)(71190400001)(5660300002)(73956011)(66946007)(66556008)(64756008)(66446008)(66476007)(76116006)(14454004)(478600001)(305945005)(14444005)(52536014)(6436002)(74316002)(8676002)(81156014)(966005)(6306002)(55016002)(6116002)(86362001)(9686003)(7736002)(256004); DIR:OUT; SFP:1101; SCL:1; SRVR:MWHPR11MB1549; H:MWHPR11MB1838.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 8fm/AxUJYkd4vhbBnIjhOwW0yZyQgrQuTdIvFRVTFlmaC8x14Ur6fxsfIyifDL2BD5sQktxY7VpVw6qzvUz86dkfP1Zjyyp49HXGVCyMzyDBuBj/aeft2CvC/EPbOd4r7oYYm5xm1EZCAyrqbq7UpluqcglXAVH/vjJruGHcjSwJo+Hxtx4hGeBPofyUbBZpUrcwclqvGaT4cajnPcsSPGwj8YuLTfcC0L71arI/bgq/4Z7fVVMQtgxXY6Em5n3ATh1pQld0hzxq2370LODtqitvnLH8LiWWvhEUqwop5NLCyghnPbyYFIyWX3/toqlj1Zqv4X8a1B8GzIiu4nSlWKsX2qjCD4tckOrKkpzbKFCx9jKq6Hmri+xYf6QVAjp3yzNe8NK2qQCOZgirPa4ltPpqJ0htwO6Yb2Sl+QKTr0U=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: ac9875bb-7131-4c8e-0e34-08d6dd383299
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 May 2019 15:31:15.4510 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR11MB1549
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.20, xch-rcd-010.cisco.com
X-Outbound-Node: rcdn-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/BvoAYW-wt4HV_fx5r24QuucRCL0>
Subject: Re: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 May 2019 15:31:46 -0000

Thanks Esko. 

Addressed in https://github.com/SanKumar2015/EST-coaps/blob/84ce0c1d5e768d40e97184214bae404da21bd050/draft-ietf-ace-coap-est.xml Two comments: 

> page 11 bottom requirement: " The client SHOULD use resource discovery when he is unaware of the available  EST-coaps resources." - when an EST server is known, this requirement does not really apply since the server always supports .well-known EST resources.  So I read it as doing an RD discovery or multicast CoAP discovery if the client doesn't known the EST server address.  Hope this is clear enough in the text and intended?

There are optional resources like /att, /skg and /skc that the server does not have to support, so that is what this sentence was referring to. 

> page 11 bottom: " It is up to the implementation to choose its resource paths” -> seems not really the case, because the root resource structure is forced by the specification. It could have been designed as free choice (because it can be discovered anyway) but it is not.

The text says that the server MUST support the default /.well-known/est root resource and it SHOULD support resource discovery for non-default URIs (like /est or /est/ArbitraryLabel) or ports. In the latter case it is up to the server to decide the paths he makes its resources available at. That is what this sentence was referring to. But you are right; I realized that this sentence is redundant so I only kept "Throughout this document the example root resource of /est is used."

Will reupload the next iteration in a few days. 

Rgs,
Panos


-----Original Message-----
From: Esko Dijk <esko.dijk@iotconsultancy.nl>; 
Sent: Monday, May 20, 2019 2:31 AM
To: Panos Kampanakis (pkampana) <pkampana@cisco.com>;; ace@ietf.org
Cc: draft-ietf-ace-coap-est@ietf.org
Subject: RE: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt

Thanks,

A few comments I had still on the discovery section - sorry to be late post-WGLC with this:

- page 10 bottom mentions "management data" - should say "management resources", or "EST resources" perhaps?
- page 10 bottom: " Upon success, the return payload will contain the root resource of the EST resources." - this is not true, since only the individual supported resources are returned. The root (e.g. "/est" in the examples) can be deduced from the response but it is never returned as one link format entry.
- page 11 top: the example is only correct for a secure (coaps://) discovery GET request, I think this could be mentioned in text or indicated in the request line.
- page 11 bottom requirement: " The client SHOULD use resource discovery when he is unaware of the available  EST-coaps resources." - when an EST server is known, this requirement does not really apply since the server always supports .well-known EST resources.  So I read it as doing an RD discovery or multicast CoAP discovery if the client doesn't known the EST server address.  Hope this is clear enough in the text and intended?
- page 11 bottom: "he supports" -> "it supports"
- page 11 bottom: " It is up to the implementation to choose its resource paths” -> seems not really the case, because the root resource structure is forced by the specification. It could have been designed as free choice (because it can be discovered anyway) but it is not.

Best regards
Esko

-----Original Message-----
From: Ace <ace-bounces@ietf.org>; On Behalf Of Panos Kampanakis (pkampana)
Sent: Friday, May 17, 2019 17:36
To: ace@ietf.org
Subject: Re: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt

Hi all, 

This latest update addresses feedback while in WGLC" 
- the comments by Hannes and Esko related to RNG and server-side key gen. It aims to prevent misunderstandings that random numbers are not needed any more if server-side key gen is used. 
- the nits with "/crt" instead of "/crts" pointed out by Esko. 

The diff is here https://tools.ietf.org/rfcdiff?url2=draft-ietf-ace-coap-est-11.txt 

Thanks,
Panos

-----Original Message-----
From: Ace <ace-bounces@ietf.org>; On Behalf Of internet-drafts@ietf.org
Sent: Friday, May 17, 2019 11:31 AM
To: i-d-announce@ietf.org
Cc: ace@ietf.org
Subject: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Authentication and Authorization for Constrained Environments WG of the IETF.

        Title           : EST over secure CoAP (EST-coaps)
        Authors         : Peter van der Stok
                          Panos Kampanakis
                          Michael C. Richardson
                          Shahid Raza
	Filename        : draft-ietf-ace-coap-est-11.txt
	Pages           : 48
	Date            : 2019-05-17

Abstract:
   Enrollment over Secure Transport (EST) is used as a certificate
   provisioning protocol over HTTPS.  Low-resource devices often use the
   lightweight Constrained Application Protocol (CoAP) for message
   exchanges.  This document defines how to transport EST payloads over
   secure CoAP (EST-coaps), which allows constrained devices to use
   existing EST functionality for provisioning certificates.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-ace-coap-est/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-ace-coap-est-11
https://datatracker.ietf.org/doc/html/draft-ietf-ace-coap-est-11

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-ace-coap-est-11


Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace