IETF Logo Mail Archive

Re: [Ace] FW: WGLC comments draft-ietf-ace-coap-est-07

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Fri, 18 January 2019 20:59 UTC

Return-Path: <pkampana@cisco.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 801C41313E2 for <ace@ietfa.amsl.com>; Fri, 18 Jan 2019 12:59:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.642
X-Spam-Level:
X-Spam-Status: No, score=-14.642 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8LEn7JsM_1rX for <ace@ietfa.amsl.com>; Fri, 18 Jan 2019 12:59:03 -0800 (PST)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8474130FB4 for <ace@ietf.org>; Fri, 18 Jan 2019 12:59:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8958; q=dns/txt; s=iport; t=1547845142; x=1549054742; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=F04E9qJ++okOJCdleN+rBy8xg54xI9pFQkQuq1frh9Y=; b=ZHtVfOERzLtZSAeusIpOm6LGBelosw3pA5TIjNRzh1TTUz6HxeesTi3L lf3txxlvN0xsZ2Fw+bNPiCBbxInNJyWNjrpFdnQQf9RRrcM5qRlkz8YjV fjQDAuANRh6JJJbzNBa4Hue1RefxxMg4w2K1ZPlSU0B6TVD9rVJbMm4T7 c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ADAADEPUJc/40NJK1kGQEBAQEBAQEBAQEBAQcBAQEBAQGBUQQBAQEBAQsBgVUuZoECJwqMEYtogg2YAYF7CwEBGA2ERwKCXCI0CQ0BAwEBAgEBAm0cDIVKAQEBAQMBATg0FwQCAQgOAwQBAR8QJwsdCAEBBAESCIMbggEPrTyBOYJ5AoVzBYl5gkgXgUA/gRGDEoMeAQECGIEgEYV2AolBGZhGCQKHIoNXhxgggWaFLoM4h0iKBIEIhBSLVgIRFIEnHziBVnAVO4JshgmFFIU/QTGHRwIkBAOBAYEfAQE
X-IronPort-AV: E=Sophos;i="5.56,492,1539648000"; d="scan'208";a="507215202"
Received: from alln-core-8.cisco.com ([173.36.13.141]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Jan 2019 20:59:01 +0000
Received: from XCH-RCD-010.cisco.com (xch-rcd-010.cisco.com [173.37.102.20]) by alln-core-8.cisco.com (8.15.2/8.15.2) with ESMTPS id x0IKx0VL032356 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 18 Jan 2019 20:59:01 GMT
Received: from xch-aln-010.cisco.com (173.36.7.20) by XCH-RCD-010.cisco.com (173.37.102.20) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 18 Jan 2019 14:58:59 -0600
Received: from xch-aln-010.cisco.com ([173.36.7.20]) by XCH-ALN-010.cisco.com ([173.36.7.20]) with mapi id 15.00.1395.000; Fri, 18 Jan 2019 14:58:59 -0600
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Jim Schaad <ietf@augustcellars.com>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] FW: WGLC comments draft-ietf-ace-coap-est-07
Thread-Index: AdSrtk3M3NcfgQ45QNualt2l/rHBKAAh1EAwAMs/eJA=
Date: Fri, 18 Jan 2019 20:58:59 +0000
Message-ID: <82341b1eb21f4eccb00741d78964f853@XCH-ALN-010.cisco.com>
References: <011501d4ac3d$ab2b9650$0182c2f0$@augustcellars.com>
In-Reply-To: <011501d4ac3d$ab2b9650$0182c2f0$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.82.245.247]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Outbound-SMTP-Client: 173.37.102.20, xch-rcd-010.cisco.com
X-Outbound-Node: alln-core-8.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Ej8M0jNQHKmd8oYojlUCw7faRG4>
Subject: Re: [Ace] FW: WGLC comments draft-ietf-ace-coap-est-07
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Jan 2019 20:59:06 -0000

Hi Jim,

Again, thank you for your thorough reviews. We addressed all of them. The new version of the draft is at https://github.com/SanKumar2015/EST-coaps/blob/master/draft-ietf-ace-coap-est.txt 

For a more easily consumable content, your latest feedback was tracked and addressed here https://github.com/SanKumar2015/EST-coaps/issues?utf8=%E2%9C%93&q=is%3Aissue+draft-ietf-ace-coap-est-07 

I also lay out the changes  below: 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- We fixed all the nits. 

- About the Arbitrary Label, we added 
"Arbitrary Labels are usually defined and used by EST CAs in order to route client requests to the appropriate certificate profile."

- About guidance when discovery is necessary, we added 
"Discovery SHOULD NOT be chosen when the client is preconfigured to use the default /.well known/est server root resource and port 5684. If the default root resource requests fail, the client SHOULD fall back to doing a resource discovery. Resource discovery SHOULD be employed when non-default URIs (like /est or /est/ArbitraryLabel) or ports are supported by the server or when the client is unaware of what EST-coaps resources are available by the server."

- About CBOR in section 5.7 we added 
"The sever-side key generation response is returned with content
   format application/multipart-core [I-D.ietf-core-multipart-ct]
   containing a CBOR array with four items (Section 5.2.1).  "

- About tlsl-unique and TLS exporters, this was discussed before for TLS 1.3 (https://mailarchive.ietf.org/arch/msg/tls/-8rDHLR6hiR7wsLsf6nVLtqCCmU ) but we can't really mandate using a TLS exporter for tls-unique as this is not standardized anywhere. If there was an 5929-bis to update the tls-unique in order to address the risk and use an exporter then this draft would automatically inherit it.

Note that the implications of 3SHAKE were significant to TLS because the clients were not checking the server cert after the renegotiation (Step 3 of the paper). The implication to POP linking that EST-coaps uses though is minimal because it does not expose anything private, it just deems channel binding useless.

To address the concern I added text in the Security Considerations
" What's more, POP linking uses tls-unique as it is defined in [RFC5929]. The 3SHAKE attack [tripleshake] poses a risk by allowing a man-in-the-middle to leverage session resumption and renegotiation to inject himself between a client and server even when channel binding is in use. The attack was possible because of certain (D)TLS implementation imperfections. In the context of this specification, an attacker could invalidate the purpose of the POP linking ChallengePassword in the client request by resuming an EST-coaps connection. Even though the practical risk of such an attack to EST-coaps is not devastating, we would rather use a more secure channel binding mechanism. Such a mechanism could include an updated tls-unique value generation like the tls-unique-prf defined in [I-D.josefsson-sasl-tls-cb] by using a TLS exporter [RFC5705] in TLS 1.2 or TLS 1.3's updated exporter (Section 7.5 of [RFC8446]). Such mechanism has not been standardized yet. Adopting in this document a channel binding value generated from an exporter would break backwards compatibility. Thus, in this specification we still depend in the tls-unique mechansim defined in [RFC5929], especially since the practicallity of such an attack would not expose any messages exchanged with EST-coaps."

- About the persistent DTLS connections (Sect 7), the last two paragraphs of section 7 explain why in some cases DTLS connections need to stay open for a limited amount of time. They also point to the Section 11.1 about the caveats of a persistent connection and the implicit DB. I do not think it is up to this draft to tell the client that he should use the new cert after an enrollment. The old cert might still be perfectly valid or the new cert may be generated for a non DTLS client auth use. So, I don't think we need to state in this draft that the new cert needs to be used in new DTLS connections.

- About the DTLS connections (Sec 11.1), We have usecases where a client does not want to spend the resources, time, performance implications to do 3-5 DTLS connections back to back in order to update its trustanchor and do its enrollments for multiple certs. In this cases, explained in section 7 last paragraphs will keep a persistent DTLS connection. That is what section 11.1 is trying to explain. Please keep in mind that in there we state that it is RECOMMENDED for the client to start using the new explicit DB right after the cacerts request. We just add the MAY keep the authenticated with implicit DB DTLS connection open in some cases, but then he MUST use the new DB starting for the next DTLS connection. 

So, I think our language in Sections 7 and 11.1 suffices when talking about persistent TLS connections.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let us know if there are more comments. 

Rgs,
Panos


-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of Jim Schaad
Sent: Monday, January 14, 2019 2:17 PM
To: ace@ietf.org
Subject: [Ace] FW: WGLC comments draft-ietf-ace-coap-est-07

I forgot to include the working group on the to list.

-----Original Message-----
From: Jim Schaad <ietf@augustcellars.com> 
Sent: Sunday, January 13, 2019 9:51 PM
To: 'draft-ietf-ace-coap-est@ietf.org' <draft-ietf-ace-coap-est@ietf.org>
Subject: WGLC comments draft-ietf-ace-coap-est-07


Section 5.7  -  Validate that CBOR array is the correct response type not
multipart/cbor

Section 6 - Based on earlier mails on the list I expected to see a short
description of the purpose of "ArbitraryLabel".  

Section 6 - The fact that there are multiple ways to get the things and they
might not be in the same location.  Some guidance for an application on how
to decide which method should be used and the choice of an ArbitraryLabel to
use would be very helpful.  At present I would guess that I would send a
request to the well known address, if that does not work then do a discovery
but it might be easier to just do the discovery to begin with and not worry
about the well-known address.  That is one would only do discovery if one
was hitting up a resource directory and not the actual machine.  On the
other hand if things are rooted at /est rather than in well-known it would
lead to shorter requests which once one starts doing block wise would be
good.

Section 7 - I would like to see some discussion of using a tls-exporter
rather than tls-unique for this protocol.  I am not sure what the required
changes would be.  I have seen notes that tls-unique is broken for TLS 1.2.

Section 7 - I think it makes sense to say that after a successful enrollment
the (D)TLS link MUST be torn down and the new certificate used to do
authentication in the future.

Section 11.1 - When changing from the implicit trust anchor to explicit
trust anchors, do you expect that the est server that you are going to be
talking to is generally going to change?  I think that it should probably be
recommended that the DTLS connection NOT be persistent across a change in
the trust anchors if they are different.

Nits:

Section 2 para 1:  I would suggest that the last sentence should read along
the lines of "EST is defined to transport messages over HTTPS."

Section 3 para 2:  The phrase 'taken over from' is a bit odd sounding
English.  They could be 'taken from' or 'imported from'.  'taken over' tends
to indicate that you are changing them in some way.  (example use - he took
over the country).

Section 5.5 - SAN needs to be expanded on first use.

Section 6 - Please verify that quotes on the content type when multiple
values are presented are not needed.

Section 8 - This sentence "The EST server can exist outside the constrained
network that supports TLS/HTTP." Does not say what I think you meant to say.
It is unclear if the constrained network is what supports TLS/HTTP.

Section 10.1 - s/registered temporarily/registered provisionally/

s/looke/look/


Examples:

* Section A.1  I don't know what the meaning of Max-Age would be for a GET
request.  You may want to remove this just to avoid confusion.

* Section A.2 - I am unclear about the Content-Format note in this example.
If you are asking for a specific content then the correct option would be
Accept.  If you are indicating the content type of the response then you
should probably put a header line in to that effect.

Jim


_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

v2.23.0 | Report a Bug | By Email