Re: [Ace] Charter discussion

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Wed, 04 November 2020 03:35 UTC

From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>, Daniel Migault <mglt.ietf@gmail.com>, Ace Wg <ace@ietf.org>
Date: Wed, 04 Nov 2020 03:35:45 +0000
Message-ID: <BN7PR11MB2547BF9B877E80FB9E1E7DBBC9EF0@BN7PR11MB2547.namprd11.prod.outlook.com>
References: <CADZyTkmnV_Dhb5iXzykUyEAskLDg7tj=80CbEBGmSyFQNS2FHw@mail.gmail.com> <HE1PR0702MB3674F5E7C6044443418E8B1BF4110@HE1PR0702MB3674.eurprd07.prod.outlook.com>
In-Reply-To: <HE1PR0702MB3674F5E7C6044443418E8B1BF4110@HE1PR0702MB3674.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/FOqT0dCQPeJEtgWc4Kg2y2im1s0>
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>

I support the addition of draft-selander-ace-coap-est-oscore in the Charter
as it introduces OSCORE with its advantages in constrained environments for
EST which is already standardized in EST-coaps in ACE. 

As I have said before, I oppose the addition of CMPv2 over CoAP in the
charter. Summarizing the reasons here again for brevity:

- we should not repeat the mistakes of the past and introduce multiple
protocols doing the same thing (cert enrollment or management) over CoAP
unless there is a compelling reason. To answer your other question Daniel, I
don’t think we need a new certificate management protocol at this stage.

- I am not convinced of the technical advantages of using CMPv2 over CoAP in
constrained environments.

- I have not seen overwhelming support for the draft in the list other than
Michael saying “why not” and Steffen and Hendrik (from Siemens) clearly
supporting it. Also, minutes from IETF-108 say “DM: Objections to doing this
work? No objections registered”. I was not there to oppose, but I would not
call that overwhelming active support either. 

- it is not clear who intends to use and implement the draft. If it is a one
or two vendor thing then I don’t think ACE should spend the cycles. I have
not seen many people chiming in that want the draft and are willing to
review.

Rgs,

Panos

From: Ace <ace-bounces@ietf.org> On Behalf Of Göran Selander
Sent: Tuesday, November 03, 2020 5:06 AM
To: Daniel Migault <mglt.ietf@gmail.com>; Ace Wg <ace@ietf.org>
Subject: Re: [Ace] Charter discussion

Hi Daniel, and all,

Some comments on the proposed charter and your mail, sorry for the late
response.

1.

”The Working Group is charged with maintenance of the framework and existing
profiles thereof, and may undertake work to specify profiles of the
framework for additional secure communications protocols”

I take it this text covers (should the WG want to adopt):

*	draft-tiloca-ace-group-oscore-profile
*	an ACE-EDHOC profile (i.e. the POST /token response and the access
token provision information to support authentication with EDHOC, e.g. raw
public key of the other party). Such a profile could provide good trust
management properties, potentially at the cost of a larger access token etc.

Right?

2.

”In particular the discussion might revive a discussion that happened in
2017 [2] - when I was not co-chair of ACE -and considered other expired work
such as [3]. Please make this discussion constructive on this thread.”

As I remember it, the outcome of this discussion was – in line with the
mindset of EST – that it is beneficial to re-use authentication and
communication security appropriate for the actual use case. If coaps is
suitable for a particular use case, then it makes sense to protect also the
enrolment procedure with this protocol. But whereas the security protocol is
coaps instead of https, the enrolment functionality and semantics should
reuse that of EST, possibly profiled for the new setting: [4].

In the same spirit there was support at the meeting [2] to specify
protection of EST payloads profiled for use with OSCORE as communication
security protocol, together with a suitable AKE for authentication.
Following the adoption of EDHOC in LAKE this work has now been revived [5].
IMHO the reasoning above still makes sense.

With this in mind, and taking into account recent discussion on the list,
perhaps this part of the charter:

”The Working Group will standardize how to use Constrained Application
Protocol (CoAP) as a Transport Medium for the Certificate management
protocol version 2 (CMPv2).”

should be rephrased or complemented with the reasoning above, for example:

”The scope of the Working Group includes profiles of the Enrolment over
Secure Transport (EST) transported with the Constrained Application Protocol
(CoAP)”

Thanks

Göran

[4] https://tools.ietf.org/html/draft-ietf-ace-coap-est

[5] https://tools.ietf.org/html/draft-selander-ace-coap-est-oscore

On 2020-10-15, 19:50, "Ace" <ace-bounces@ietf.org> wrote:

Hi, 

I would like to start the charter discussion. Here is a draft of a proposed
charter [1]. 

It seems that additional discussion is needed with regard to the last
paragraph related to certificate management. In particular the discussion
might revive a discussion that happened in 2017 [2] - when I was not co-chair
of ACE - and considered other expired work such as [3]. Please make this
discussion constructive on this thread.

The fundamental question is whether we need certificate management at this
stage. If the answer is yes, and we have multiple proposals, it would be
good to clarify the position of the different proposals and evaluate whether
a selection is needed or not before validating the charter. 

Please provide your inputs on the mailing list before October 30. Of course
for minor edits, you may suggest them directly on the google doc.

Yours, 

Daniel

[1]
https://docs.google.com/document/d/1RtxUSvUeBdZWoQkjSj2c3DtR8DuBwPM2BnBXhoDiptY/edit?usp=sharing

[2]
https://datatracker.ietf.org/doc/minutes-interim-2017-ace-03-201710191300/

[3] https://datatracker.ietf.org/doc/draft-selander-ace-eals/

-- 

Daniel Migault

Ericsson