Re: [Ace] How to specify DTLS MTI in COAP-EST

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 12 June 2018 15:10 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB604130FA8 for <ace@ietfa.amsl.com>; Tue, 12 Jun 2018 08:10:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N0WXNsDbkYtx for <ace@ietfa.amsl.com>; Tue, 12 Jun 2018 08:10:46 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 860A2130E54 for <ace@ietf.org>; Tue, 12 Jun 2018 08:10:40 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 3BAC520090 for <ace@ietf.org>; Tue, 12 Jun 2018 11:24:27 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 6C18F31C3; Tue, 12 Jun 2018 11:07:45 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 69F1231BA for <ace@ietf.org>; Tue, 12 Jun 2018 11:07:45 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: ace@ietf.org
In-Reply-To: <9BEB6564-6096-46A2-B38A-81234D6ECEE3@tzi.org>
References: <13635.1528327933@localhost> <9BEB6564-6096-46A2-B38A-81234D6ECEE3@tzi.org>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha1; protocol="application/pgp-signature"
Date: Tue, 12 Jun 2018 11:07:45 -0400
Message-ID: <22219.1528816065@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/LIw02MFCxvXP5tc4ielsZlci17s>
Subject: Re: [Ace] How to specify DTLS MTI in COAP-EST
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jun 2018 15:10:58 -0000

We have written:

+    <t>
+      As per <xref target="RFC7925" /> section 3.3 and section 4.4, the
+      mandatory cipher suite for DTLS in EST-coaps is
+      TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 defined in <xref target="RFC7251"/>,
+      and the the curve secp256r1 MUST
+      be supported <xref target="RFC4492"/>; this curve is equivalent to the
+      NIST P-256 curve.   Crypto agility is important, and the
+      recommendations in <xref target="RFC7925" /> section 4.4 and any
+      updates to RFC7925 concerning Curve25519 and other CFRG curves also applies.

https://github.com/SanKumar2015/EST-coaps/commit/94812c98492b6a6b0440155025357fa0b58ca017?diff=split

We had a discussion about whether section 4.2 (PSK) and 4.3 (RPK) also
applies, and in general they do, but we don't understand the
use cases that would result in that usage.
(Is it PSK, or EAP-SIM for for instance?)

--
Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-