Re: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt
"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Mon, 20 May 2019 15:31 UTC
Thanks Esko. Addressed in https://github.com/SanKumar2015/EST-coaps/blob/84ce0c1d5e768d40e97184214bae404da21bd050/draft-ietf-ace-coap-est.xml

Two comments:

> page 11 bottom requirement: "The client SHOULD use resource discovery when he is unaware of the available EST-coaps resources." - when an EST server is known, this requirement does not really apply since the server always supports .well-known EST resources. So I read it as doing an RD discovery or multicast CoAP discovery if the client doesn't know the EST server address. Hope this is clear enough in the text and intended?

There are optional resources like /att, /skg and /skc that the server does not have to support, so that is what this sentence was referring to.

> page 11 bottom: "It is up to the implementation to choose its resource paths" -> seems not really the case, because the root resource structure is forced by the specification. It could have been designed as free choice (because it can be discovered anyway) but it is not.

The text says that the server MUST support the default /.well-known/est root resource and it SHOULD support resource discovery for non-default URIs (like /est or /est/ArbitraryLabel) or ports. In the latter case it is up to the server to decide the paths it makes its resources available at. That is what this sentence was referring to. But you are right; I realized that this sentence is redundant, so I only kept "Throughout this document the example root resource of /est is used." Will reupload the next iteration in a few days.

Rgs,
Panos

-----Original Message-----
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
Sent: Monday, May 20, 2019 2:31 AM
To: Panos Kampanakis (pkampana) <pkampana@cisco.com>; ace@ietf.org
Cc: draft-ietf-ace-coap-est@ietf.org
Subject: RE: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt

Thanks,

A few comments I had still on the discovery section - sorry to be late post-WGLC with this:

- page 10 bottom mentions "management data" - should say "management resources", or "EST resources" perhaps?
- page 10 bottom: "Upon success, the return payload will contain the root resource of the EST resources." - this is not true, since only the individual supported resources are returned. The root (e.g. "/est" in the examples) can be deduced from the response but it is never returned as one link format entry.
- page 11 top: the example is only correct for a secure (coaps://) discovery GET request, I think this could be mentioned in text or indicated in the request line.
- page 11 bottom requirement: "The client SHOULD use resource discovery when he is unaware of the available EST-coaps resources." - when an EST server is known, this requirement does not really apply since the server always supports .well-known EST resources. So I read it as doing an RD discovery or multicast CoAP discovery if the client doesn't know the EST server address. Hope this is clear enough in the text and intended?
- page 11 bottom: "he supports" -> "it supports"
- page 11 bottom: "It is up to the implementation to choose its resource paths" -> seems not really the case, because the root resource structure is forced by the specification. It could have been designed as free choice (because it can be discovered anyway) but it is not.

Best regards
Esko

-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of Panos Kampanakis (pkampana)
Sent: Friday, May 17, 2019 17:36
To: ace@ietf.org
Subject: Re: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt

Hi all,

This latest update addresses feedback while in WGLC:
- the comments by Hannes and Esko related to RNG and server-side key gen. It aims to prevent misunderstandings that random numbers are not needed any more if server-side key gen is used.
- the nits with "/crt" instead of "/crts" pointed out by Esko.

The diff is here https://tools.ietf.org/rfcdiff?url2=draft-ietf-ace-coap-est-11.txt

Thanks,
Panos

-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
Sent: Friday, May 17, 2019 11:31 AM
To: i-d-announce@ietf.org
Cc: ace@ietf.org
Subject: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Authentication and Authorization for Constrained Environments WG of the IETF.

Title: EST over secure CoAP (EST-coaps)
Authors: Peter van der Stok, Panos Kampanakis, Michael C. Richardson, Shahid Raza
Filename: draft-ietf-ace-coap-est-11.txt
Pages: 48
Date: 2019-05-17

Abstract:
Enrollment over Secure Transport (EST) is used as a certificate provisioning protocol over HTTPS. Low-resource devices often use the lightweight Constrained Application Protocol (CoAP) for message exchanges. This document defines how to transport EST payloads over secure CoAP (EST-coaps), which allows constrained devices to use existing EST functionality for provisioning certificates.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-ace-coap-est/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-ace-coap-est-11
https://datatracker.ietf.org/doc/html/draft-ietf-ace-coap-est-11

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-ace-coap-est-11

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
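As an added example (not code from the draft, its authors, or this thread), a client-side helper in Python for the discovery exchange discussed above: it parses a constructed CoRE link-format (RFC 6690) reply from /.well-known/core, derives the EST root from the advertised links (the root itself is never returned as its own link entry, as Esko notes), and reports which optional resources (/att, /skg, /skc) the server offers. The rt values "ace.est.*" and the /sen and /sren paths are assumed from the EST-coaps spec, not taken from this thread.

```python
# Client-side parsing of an EST-coaps discovery response (/.well-known/core).
# Added example, not code from the draft or its authors. SAMPLE is constructed;
# the rt values "ace.est.*" and the function paths are assumed from the spec.
MANDATORY = {"crts", "sen", "sren"}   # every EST-coaps server must offer these
OPTIONAL = {"att", "skg", "skc"}      # a server may leave these out
EST_RT_PREFIX = "ace.est"             # assumed resource-type prefix

SAMPLE = ('</est/crts>;rt="ace.est.crts",</est/sen>;rt="ace.est.sen",'
          '</est/sren>;rt="ace.est.sren",</est/skg>;rt="ace.est.skg",'
          '</sensors/temp>;rt="temperature-c";if="sensor"')
SAMPLE_LABELLED = SAMPLE.replace("</est/", "</est/ArbitraryLabel/")  # non-default root

def split_links(body):
    """Split a link-format body on commas that are not inside quoted values."""
    links, cur, in_quotes = [], [], False
    for ch in body:
        in_quotes ^= (ch == '"')
        if ch == "," and not in_quotes:
            links.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    links.append("".join(cur))
    return [l.strip() for l in links if l.strip()]

def parse_link(link):
    """'<uri>;k="v";k2=v2' -> (uri, {k: v, k2: v2})."""
    uri, _, rest = link.partition(">")
    params = {}
    for p in filter(None, rest.split(";")):
        key, _, val = p.partition("=")
        params[key.strip()] = val.strip().strip('"')
    return uri.lstrip("<"), params

def est_resources(body):
    """Map EST function name (last path segment) -> full path, ace.est links only."""
    found = {}
    for link in split_links(body):
        uri, params = parse_link(link)
        if params.get("rt", "").startswith(EST_RT_PREFIX):
            found[uri.rstrip("/").rsplit("/", 1)[-1]] = uri
    return found

def check_server(body):
    """Derive the root (never sent as its own link entry) and audit coverage."""
    res = est_resources(body)
    parents = {path.rsplit("/", 1)[0] for path in res.values()}
    if len(parents) > 1:
        raise ValueError(f"EST resources do not share one root: {sorted(parents)}")
    return {"root": parents.pop() if parents else None, "paths": res,
            "missing": sorted(MANDATORY - res.keys()),
            "optional": sorted(OPTIONAL & res.keys())}
```

Run the discovery GET over coaps:// before trusting the result, since the link list itself tells the client where to send enrollment requests.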