Re: [Ace] Protocol Action: 'Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)' to Proposed Standard (draft-ietf-ace-dtls-authorize-18.txt)

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 04 November 2021 17:56 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "ace@ietf.org" <ace@ietf.org>
In-reply-to: <HE1PR0701MB305019E7D9893F29E83A16FB898D9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
References: <HE1PR0701MB305019E7D9893F29E83A16FB898D9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
Comments: In-reply-to John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> message dated "Thu, 04 Nov 2021 14:08:16 -0000."
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 04 Nov 2021 13:55:56 -0400
Message-ID: <170629.1636048556@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Ibn4vRCmfFmrY-Px-4wpLEMV6CE>
Subject: Re: [Ace] Protocol Action: 'Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)' to Proposed Standard (draft-ietf-ace-dtls-authorize-18.txt)

We are really some years away from *DTLS* being ubiquitously available
in libraries.   Even for those that have some of it, it doesn't all work that
well.  And it might not be available in FIPS-certified libraries yet.

In RFC8995, we wrote (section 5.1) after IESG review:

   Use of TLS 1.3 (or newer) is encouraged.  TLS 1.2 or newer is
   REQUIRED on the pledge side.

Encourage 1.3.  Tolerate 1.2.
This does cause some policy bifurcation because of the different ways in which
ciphers are named/negotiated, but that should not be a problem in practice.
The CCM-8/MTI for CoAPS is really the bigger problem that we need to resolve.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-