Re: [Ace] EST over CoAP
Mohit Sethi <mohit.m.sethi@ericsson.com> Tue, 15 May 2018 05:37 UTC
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "ace@ietf.org" <ace@ietf.org>
References: <VI1PR0801MB21122D93F906F952E5E85C87FA9C0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <a4d27053f1d2431abee07d2597e14972@XCH-ALN-010.cisco.com>
From: Mohit Sethi <mohit.m.sethi@ericsson.com>
Message-ID: <068f2690-e1a1-b225-463a-4048e06365af@ericsson.com>
Date: Tue, 15 May 2018 08:37:10 +0300
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/GkMu6v6G1MT4fkyVS-9hkRbytK4>
Subject: Re: [Ace] EST over CoAP
Hi Panos,

How do you intend to use these server generated keys once they are provisioned onto the device?

--Mohit

On 05/14/2018 04:58 PM, Panos Kampanakis (pkampana) wrote:
>
> Hi Hannes,
>
> To address your question about server-side key gen, below is the
> explanation we have put in the draft already and will be in the next
> iteration
>
> ~~~~~~~~~~~~~
>
>    Constrained devices sometimes do not have the necessary hardware to
>    generate statistically random numbers for private keys and DTLS
>    ephemeral keys. Past experience has shown that cheap endpoints
>    sometimes generate numbers which could allow someone to decrypt the
>    communication or guess the private key and impersonate the device.
>    Studies have shown that the same keys are generated by the same model
>    devices deployed on-line.
>
>    Additionally, random number key generation is costly, thus energy
>    draining. Even though the random numbers that constitute the
>    identity/cert do not get generated often, an endpoint may not want to
>    spend time and energy generating keypairs, and just ask for one from
>    the server.
>
>    In these scenarios, server-side key generation can be used. The
>    client asks for the server or proxy to generate the private key and
>    the certificate which is transferred back to the client in the
>    server-side key generation response.
>
> ~~~~~~~~~~~~~
>
> This is a need that we have heard from customers at Cisco.
>
> About the proxy-Registrar question, we already have made the change in
> the working copy of the draft as well. We no longer call this
> functionality proxying, but instead use the concept of the registrar
> that terminates the connection and establishes the next one.
>
> We didn’t add any new features in the doc after removing the BRSKI stuff.
>
> If you want an early preview to comment on, we can share the
> repository with you.
>
> Panos
>
> *From:* Ace [mailto:ace-bounces@ietf.org] *On Behalf Of* Hannes Tschofenig
> *Sent:* Monday, May 14, 2018 5:05 AM
> *To:* ace@ietf.org
> *Subject:* [Ace] EST over CoAP
>
> Hi all,
>
> At IETF#101 Peter presented a list of open issues with the EST over
> CoAP draft, see
>
> https://datatracker.ietf.org/meeting/101/materials/slides-101-ace-est-over-secure-coap-00
>
> - Operational parameter values
> - Server side key generation using simple multipart encoding
> - Explain trust relations for http/coap proxying
>
> I have challenged the usefulness of the server-side key generation
> during the meeting but in general I am curious where we are with the
> document. It would be great to get it finalized. It appears that we
> are adding new features and therefore will not be able to complete the
> work in any reasonable timeframe.
>
> So, do we have a plan for how to complete the document?
>
> Ciao
>
> Hannes
>
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose
> the contents to any other person, use it for any purpose, or store or
> copy the information in any medium. Thank you.
>
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
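The draft text Panos quotes motivates server-side key generation with the observation that cheap endpoints of the same model have been found enrolling identical keys, or keys built from shared primes. Whatever the outcome of that design discussion, an operator who already has a fleet enrolled can check for exactly that symptom over the public keys the fleet presented. The Python script below is added here as an illustration; it is not from the draft, from the EST over CoAP implementation, or from any message in this thread. It uses only the standard library, the device ids are placeholders, and the moduli are constructed from toy-sized primes so the output is readable; a real audit would read the modulus from each enrolled certificate.

```python
"""Fleet key audit for the weak-RNG failure the quoted draft text describes:
identical devices enrolling identical keys, and RSA moduli that share a prime.
Standard library only; the fleet below is constructed sample data."""
from collections import defaultdict
from itertools import combinations
from math import gcd


def primes_above(start, count):
    """Return `count` primes greater than `start` by trial division.
    Only used to build readable toy-sized moduli for the sample fleet."""
    found, n = [], start + 1
    while len(found) < count:
        if all(n % d for d in range(2, int(n ** 0.5) + 1)):
            found.append(n)
        n += 1
    return found


# Constructed sample fleet: (device id, RSA modulus n). Device ids are
# placeholders; a real audit takes n from each device's enrolled certificate.
PRIMES = primes_above(1_000_000, 7)
FLEET = [
    ("dev-001", PRIMES[0] * PRIMES[1]),
    ("dev-002", PRIMES[2] * PRIMES[3]),
    ("dev-003", PRIMES[0] * PRIMES[1]),  # identical to dev-001: same RNG state
    ("dev-004", PRIMES[0] * PRIMES[4]),  # shares one prime with dev-001/dev-003
    ("dev-005", PRIMES[5] * PRIMES[6]),  # healthy, unrelated key
]


def find_duplicate_keys(fleet):
    """Map each modulus that appears on more than one device to those devices.
    A duplicate key means every device in the group holds the same private key."""
    by_modulus = defaultdict(list)
    for device, n in fleet:
        by_modulus[n].append(device)
    return {n: devs for n, devs in by_modulus.items() if len(devs) > 1}


def find_shared_factors(fleet):
    """Pairwise gcd over the distinct moduli. A gcd above 1 means two
    independently enrolled keys share a prime, so both must be revoked and
    re-keyed. Pairwise is O(n^2), adequate for a fleet of a few thousand keys."""
    first_holder = {}
    for device, n in fleet:
        first_holder.setdefault(n, device)
    findings = []
    for (n1, d1), (n2, d2) in combinations(first_holder.items(), 2):
        g = gcd(n1, n2)
        if g > 1:
            findings.append((d1, d2, g))
    return findings


def audit(fleet):
    """Run both checks and return the sorted device ids that need re-keying."""
    flagged = set()
    for devs in find_duplicate_keys(fleet).values():
        flagged.update(devs)
    for d1, d2, _ in find_shared_factors(fleet):
        flagged.update((d1, d2))
    return sorted(flagged)


if __name__ == "__main__":
    for n, devs in find_duplicate_keys(FLEET).items():
        print(f"duplicate key {n} on {', '.join(devs)}")
    for d1, d2, g in find_shared_factors(FLEET):
        print(f"{d1} and {d2} share factor {g}")
    print("re-key:", audit(FLEET))
```

The duplicate check is the cheap one and catches the "same keys on the same model" case directly; the gcd check catches the subtler case where the RNG produced one fresh prime and one repeated prime, which leaves each key unique but still unsafe. Both checks only tell the operator which devices to revoke and re-enrol; they say nothing about whether the replacement keys should be generated on the device or on the server, which is the question this thread is about.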