Re: [Ace] ace-coap-est: unclear definition of /.well-known/est URI

Peter van der Stok <stokcons@bbhmail.nl> Thu, 13 September 2018 07:16 UTC

Date: Thu, 13 Sep 2018 09:16:26 +0200
From: Peter van der Stok <stokcons@bbhmail.nl>
To: "Panos Kampanakis (pkampana)" <pkampana=40cisco.com@dmarc.ietf.org>
Cc: Esko Dijk <esko.dijk@iotconsultancy.nl>, ace@ietf.org
Organization: vanderstok consultancy
Reply-To: consultancy@vanderstok.org
Mail-Reply-To: consultancy@vanderstok.org
In-Reply-To: <39ff6ec1903c4c3a9d333c41a38a1ad9@XCH-ALN-010.cisco.com>
References: <DB6P190MB005479015E3F02D4028541A9FD1B0@DB6P190MB0054.EURP190.PROD.OUTLOOK.COM> <39ff6ec1903c4c3a9d333c41a38a1ad9@XCH-ALN-010.cisco.com>
Message-ID: <fa4a3ebc9866a74409df6e0c4e3b0a6a@bbhmail.nl>
X-Sender: stokcons@bbhmail.nl
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/MGoUNnSmhqMLwZO0LD13D6u8eXc>
Subject: Re: [Ace] ace-coap-est: unclear definition of /.well-known/est URI

Hi Esko,

We can add a reference to sections 3.1 and 3.2.2 of RFC 7030.

Peter

Panos Kampanakis (pkampana) wrote on 2018-09-12 17:31:

> Hi Esko,
> 
> Thanks for the comment.
> 
> Certificate authorities use the ArbitraryLabel in order to direct the CSR request and issue certificates based on a certain policy / cert profile. For example, if you are ClientX you get label ClientX198282 and when you hit the CA HTTP URI .well-known/est/ClientX198282/sen the CA knows to use the policy for ClientX in order to issue a certificate. Of course, someone that has deployed an on-prem CA that has the same cert profile for all endpoints will not need an arbitrary label and the default EST namespace is enough.
> 
> So, even though coaps://www.example.com/.well-known/est/<short-est> would work for many cases, we needed to keep the coaps://www.example.com/.well-known/est/ArbitraryLabel/<short-est> as well for cases where the client is getting a cert from a CA that serves more than one cert profile. We may need to specify that the label should be as short as possible, even though it is kind of self-explanatory.
> 
> I hope it makes sense. 
> 
> Panos 
> 
> From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Esko Dijk
> Sent: Wednesday, September 12, 2018 11:10 AM
> To: ace@ietf.org
> Subject: [Ace] ace-coap-est: unclear definition of /.well-known/est URI
> 
> Dear all/authors of ace-coap-est, 
> 
> Section 5 of ace-coap-est-05 indicates URI discovery is possible to find the EST functions entry point URI. Also a well-known URI is defined:
> 
> coaps://www.example.com/.well-known/est/ArbitraryLabel/<short-est>.
> 
> This URI seems more complicated than needed? What if we simply define an always-available well-known URI, usable without any discovery:
> 
> coaps://www.example.com/.well-known/est/<short-est>
> 
> This re-uses the well-known EST namespace which is exactly defined to do EST functions. So using the short-est names within this namespace should be fine. 
> 
> It is important that a well-known URI is available that is usable without discovery, just like EST RFC 7030 defines it for https. 
> 
> The "ArbitraryLabel" only makes the URI longer. 
> 
> best regards 
> 
> Esko Dijk 
> 
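As an added illustration of the two URI forms debated above (not code from the draft or from either author): a path router that accepts both the short default-namespace form Esko proposes and the ArbitraryLabel form Panos describes, where the label selects the CA's cert profile. The short-est table follows the EST-coaps short names (only "sen" appears in the thread); the label-to-profile table is constructed, and unknown labels are refused rather than falling back to the default profile.

```python
# Added example (not the draft's or the mail authors' code): route an EST-coaps
# request path to an EST function and a CA cert profile. It accepts both forms
# discussed in the thread:
#   /.well-known/est/<short-est>                   default namespace
#   /.well-known/est/<ArbitraryLabel>/<short-est>  label selects a cert profile
from typing import Optional, Tuple

# Short EST function names used by EST-coaps ("sen" = simpleenroll, as in the mail).
SHORT_EST = {
    "crts": "cacerts",
    "sen": "simpleenroll",
    "sren": "simplereenroll",
    "skg": "serverkeygen",
    "att": "csrattrs",
}

# Constructed allow-list: which ArbitraryLabel selects which cert profile.
# The label is opaque to the client; only the CA knows what it means.
LABEL_PROFILES = {
    "ClientX198282": "profile-clientx",  # label quoted in the thread
    "sensors": "profile-sensor",         # constructed
}
DEFAULT_PROFILE = "profile-default"      # used when no label is present


def route_est_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (est_function, cert_profile) for a request path, or None.

    An unknown label is rejected (caller answers 4.04) instead of being
    mapped to the default profile, so the CA never issues under a policy
    the client did not ask for.
    """
    segments = [s for s in path.split("/") if s]
    if segments[:2] != [".well-known", "est"]:
        return None
    rest = segments[2:]
    if len(rest) == 1:          # no label: default EST namespace
        label, short = None, rest[0]
    elif len(rest) == 2:        # label present
        label, short = rest[0], rest[1]
    else:
        return None
    if short not in SHORT_EST:
        return None
    if label is None:
        return (SHORT_EST[short], DEFAULT_PROFILE)
    if label not in LABEL_PROFILES:
        return None
    return (SHORT_EST[short], LABEL_PROFILES[label])
```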