Re: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt

Esko Dijk <> Tue, 21 May 2019 22:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3F2C01200FF; Tue, 21 May 2019 15:30:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.891
X-Spam-Status: No, score=-1.891 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VdRerAgXhL5T; Tue, 21 May 2019 15:30:41 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CEA3012004C; Tue, 21 May 2019 15:30:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-iotconsultancynl-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=aHqwTKJWtZLNSpsKDjxak71iugKQ5lXMQyzdDGWuUyI=; b=eA0W14g1BLCl6b7TGKDSu8nmgT8+8AibignefZ6rndVP27Ci9/goF6pEVCcenbSi/IL190ZLDR/ujsfbkPBqez/w1F7Zf7D8CZA0wbvYd228Hq75WwrFcKbAVBNV5SDnBGd6q7wD6Kbz+TMUHDWUP2NIDM0tug2Gn1B4kk1aEJo=
Received: from DB6P190MB0054.EURP190.PROD.OUTLOOK.COM ( by DB6P190MB0085.EURP190.PROD.OUTLOOK.COM ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1900.16; Tue, 21 May 2019 22:30:36 +0000
Received: from DB6P190MB0054.EURP190.PROD.OUTLOOK.COM ([fe80::c46d:5ae5:fe3e:ca20]) by DB6P190MB0054.EURP190.PROD.OUTLOOK.COM ([fe80::c46d:5ae5:fe3e:ca20%8]) with mapi id 15.20.1900.020; Tue, 21 May 2019 22:30:36 +0000
From: Esko Dijk <>
To: "Panos Kampanakis (pkampana)" <>, "" <>
CC: "" <>
Thread-Topic: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt
Thread-Index: AQHVDMWjkc1/UB/X3EaGxntG4OXylKZvcuOAgAQcGnCAAJmXgIAB7o2g
Date: Tue, 21 May 2019 22:30:36 +0000
Message-ID: <DB6P190MB00549304E499B7215D88277DFD070@DB6P190MB0054.EURP190.PROD.OUTLOOK.COM>
References: <> <> <DB6P190MB005480059C7AC6C165475F7CFD060@DB6P190MB0054.EURP190.PROD.OUTLOOK.COM> <>
In-Reply-To: <>
Accept-Language: en-US, nl-NL
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d98a8b41-9f71-49f3-605a-08d6de3bf1ee
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(7168020)(4627221)(201702281549075)(8990200)(7048125)(7027125)(7023125)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:DB6P190MB0085;
x-ms-traffictypediagnostic: DB6P190MB0085:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <DB6P190MB0085A75796C4F6717DC473DBFD070@DB6P190MB0085.EURP190.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0044C17179
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(346002)(13464003)(189003)(199004)(14454004)(5660300002)(76116006)(110136005)(99286004)(55236004)(966005)(3846002)(256004)(305945005)(229853002)(14444005)(76176011)(66556008)(64756008)(6506007)(53546011)(73956011)(74316002)(33656002)(66946007)(66476007)(66446008)(7736002)(66066001)(52536014)(102836004)(7696005)(446003)(4326008)(2501003)(8676002)(6436002)(186003)(11346002)(53936002)(81166006)(508600001)(55016002)(476003)(68736007)(74482002)(8936002)(2906002)(71190400001)(81156014)(71200400001)(26005)(6246003)(6116002)(9686003)(86362001)(25786009)(6306002)(44832011)(486006); DIR:OUT; SFP:1102; SCL:1; SRVR:DB6P190MB0085; H:DB6P190MB0054.EURP190.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: tZerxQDyzpZtlVX02M1k5eHl/HQnX2/XMEWZLHclXFrBtwizAOHmqYsQYbMQSnvgt512ZJJLRJRQ8TWILNjlqrE5sspYtjMBSHp49Z1c7mgX07R19Ngnv3bI8ac34NO/zvat72+v/+j9PkvIJI3pMxfSK5aBxNgu5jQ9GnyMSNZVDPf2OSxJHtXxsqASIH/BHmEOQXq0U2kvfwCQ2IPiMBESf09LYdzbG9Z4hgr3HqW2AgVES5EpKsXgeOm0xKbjvKvqe20Yy/RW+3NaXqEhpQpcgWys30n7zjAvXrk6qRwvG2TrwS5g6RsZih7tZAvvq+1GtqYY8HyaxdgZj6zYdyYO/td4YvhK6ZcdlMIdfUHFdlRn3xvxrDJs19WJR5qaEjzJyYr+DGLVtRytZoydEsNJ9S/Rh4PPT8JsH0eYd/A=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d98a8b41-9f71-49f3-605a-08d6de3bf1ee
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 May 2019 22:30:36.1881 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6P190MB0085
Archived-At: <>
Subject: Re: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 21 May 2019 22:30:44 -0000

Hello Panos,

For the draft text I have a couple of more review remarks:

* page 8 first bullet: a previously issues client certificate could also expire, in some cases even without the client knowing. If the client then performs simple re-enrollment -- using its previous operational cert as authentication, what would happen?  I would expect the server MAY also want to use this certificate to authenticate the client. Because the purpose of the client connecting again to the EST server is to do simple re-enrollment, to get a new certificate.   Suppose a case where the handshake to the EST server fails because the EST server rejects the expired operational cert:  what would the client do now? It could be a certificate_expired message.  RFC 7030 provides no guidance in this matter; would EST-coaps need to define this? E.g. client SHOULD retry using the bullet #2 certificate (e.g. IDevID)?

* page 8 middle: "CoAP and DTLS can provide proof-of-identity for EST-coaps clients and servers with simple PKI messages as described in Section 3.1 of [RFC5272] "
Looking up this section it says: "The Simple PKI Request MUST NOT be used if a proof-of-identity needs to be included."   This seems to say the opposite of the above text?  This requires at least some more explanation.

* page 8 middle: "Moreover, channel-binding information for linking proof-of-identity with connection-based proof-of-possession is OPTIONAL for EST-coaps"  -> is it OPTIONAL for client, server, or both? I would assume it is OPTIONAL for both. If the (light-weight) client does not implement it and if the server does mandate it, the client can not connect to that server if its policy is set to "linking POP/identity required".

* page 14 top bullet: "The CoAP Options used are .... " 
  -> the item Block could be expanded to "Block1, Block2" to capture the actual Option names.
  -> Location-Path is never used in any of the CoAP interactions defined; should be removed.

* Page 14 first 5.5 paragraph: "Similarly, 2.01, 2.02 or 2.04 MUST be used in response to EST POST requests"
  -> 2.01 Created is like HTTP 201, which is not used in EST - so can be removed here.
  -> 2.02 Deleted has no HTTP equivalent, so is not used in EST. It should be removed here.
  -> that leaves only 2.04 responses. However the text should say this is for successful (HTTP 200 or 202 in EST) responses , so suggestion is to change above sentence to: "Similarly, 2.04 MUST be used in a response to a successful EST POST request"

* page 14 bottom: "EST makes use of HTTP 204 and 404 responses when a resource is not  available for the client.  The equivalent CoAP codes to use in an EST-coaps responses are 2.04 and 4.04.  "
  -> CoAP 2.04 can only be used in responses to POST or PUT requests, not for GET responses.
  -> so in CoAP the server could either return 2.05 with empty payload (equivalent to HTTP 204), or return 4.04 (equivalent to HTTP 404)

* page 15 bottom: "The EST-coaps client and server MUST support Block2.  Block1 MUST be supported for EST-coaps enrollment requests that exceed the Path MTU."
  -> could be clarified better, I expect a EST-coaps server MUST support Block1 because that server doesn't know in advance how big the client's request payload is going to be and whether that client will use Block1.
  -> e.g. "The EST-coaps client and server MUST support Block2.  The EST-coaps server MUST support Block1. The EST-coaps client MUST support Block1 if it sends EST-coaps requests with an IP packet size that exceeds the Path MTU."

* page 16 example: the payloads are not indicating that each "{CSR req}" payload is different. I.e., a different block. It would be more clear if that is shown e.g. "{CSR 1}", "{CSR 2}", ... up to "{CSR N1+1}". The "req" string is not needed since the R in CSR already stands for request.

* page 17 example: see above payloads remark; and the following:
  --> what I find strange here is that a blockwise POST request ends with a 5.03 response, and then the same request after that gives a 2.01 response. In CoAP AFAIK, one request can never give 2 responses in sequence.
  --> once a response is delivered back to the client piggybacked on an ACK, the server closes the transaction normally and no further state for the transaction is kept.
  --> normally if a server sends 5.03 with Max-Age the client needs to send a new request i.e. retry with a new request after this waiting time.   That implies the client would need to resend the entire request: all blocks of it!
  --> I do realize that resending all blocks is very inefficient ; but at the same time the example also seems incompatible with CoAP specs.
  --> another question is why does the server use Block2 option in the 5.03 response that has no payload. In RFC 7959 Section 2.1, "the Block2 Option pertains to the response payload" and "payload-bearing responses". So it should be just left out in the response without payload I think.
  --> I understand this sequence of messages was tested using interops/code; was a specific CoAP library used that exhibits this behavior? I would be interested to understand better why this works.

Hope these comments can still be used for improvement of the spec. I will send further review comments in a next email: still need to write these down.

Best regards

-----Original Message-----
From: Panos Kampanakis (pkampana) <>; 
Sent: Monday, May 20, 2019 17:31
To: Esko Dijk <>;;
Subject: RE: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt

Thanks Esko. 

Addressed in Two comments: 

> page 11 bottom requirement: " The client SHOULD use resource discovery when he is unaware of the available  EST-coaps resources." - when an EST server is known, this requirement does not really apply since the server always supports .well-known EST resources.  So I read it as doing an RD discovery or multicast CoAP discovery if the client doesn't known the EST server address.  Hope this is clear enough in the text and intended?

There are optional resources like /att, /skg and /skc that the server does not have to support, so that is what this sentence was referring to. 

> page 11 bottom: " It is up to the implementation to choose its resource paths” -> seems not really the case, because the root resource structure is forced by the specification. It could have been designed as free choice (because it can be discovered anyway) but it is not.

The text says that the server MUST support the default /.well-known/est root resource and it SHOULD support resource discovery for non-default URIs (like /est or /est/ArbitraryLabel) or ports. In the latter case it is up to the server to decide the paths he makes its resources available at. That is what this sentence was referring to. But you are right; I realized that this sentence is redundant so I only kept "Throughout this document the example root resource of /est is used."

Will reupload the next iteration in a few days.