Re: [Ace] draft-ietf-ace-mqtt-tls-profile connections

Ludwig Seitz <ludwig.seitz@ri.se> Thu, 23 May 2019 06:29 UTC

To: ace@ietf.org
References: <001901d50e05$74847200$5d8d5600$@augustcellars.com> <CAA7SwCPXLnpt7TbQTsx7emY9OdDVx50nssatYkhLGgOVwujyaw@mail.gmail.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <1438cd8c-0322-a83b-4635-cbf8ea85102a@ri.se>
Date: Thu, 23 May 2019 08:28:51 +0200
In-Reply-To: <CAA7SwCPXLnpt7TbQTsx7emY9OdDVx50nssatYkhLGgOVwujyaw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Fw5hCNlAfyFkJQD2I4B0gBQu_l4>

On 21/05/2019 22:35, Cigdem Sengul wrote:
> Thank you for your comments.  I see that we tried to cover too many 
> options in the draft, and things got mixed up. I tried to clarify inline.
> 
>     * So as a client I get a token from the AS.  For the first run,
>     assume that
>     it has a RPK in it.
>     * I now connect to the server using TLS.
>              Question #1 - Am I doing client authentication at this
>     point in TLS?
>     This is what is happening for all of the current profiles, but it is not
>     clear that this is happening for this profile.  The answer appears to be
>     both yes and no.
> 
> The basic method we were thinking:
> 
> 
>  1. We have not assumed client-side certificates for authenticating
>     clients during TLS handshake. RS uses a server-side certificate.
One quick question: If I understand it correctly there is a variant of 
MQTT using UDP (MQTT-SN). Since TLS and TCP are not exactly 
"constrained-friendly", would it make sense to look at that as well to 
define a "MQTT-SN-over-DTLS-based" profile?

/Ludwig


-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51