Re: [Ace] WGLC comments draft-ietf-ace-coap-est-07

Michael Richardson <> Tue, 15 January 2019 20:25 UTC

From: Michael Richardson <>
To: Jim Schaad <>
In-Reply-To: <026e01d4acfd$a0becff0$e23c6fd0$>
References: <003b01d4abcd$1e2b0c10$5a812430$> <620.1547565175@localhost> <026e01d4acfd$a0becff0$e23c6fd0$>
Date: Tue, 15 Jan 2019 15:25:39 -0500
Message-ID: <5692.1547583939@localhost>

Jim Schaad <> wrote:
    > The question I was asking was more about the original enrollment rather
    > than renewal although it could come into question there as well.

    > - I have the implicit trust anchors and get an EST server URL.
    > - Call /cacerts
    > - I now have the explicit trust anchors but potentially have the same EST
    > server URL.
    > - Given that I have a NEW trust anchor, what do I do with the current DTLS
    > session?
    > - I now do an enrollment with the EST server to get a certificate.

    > One can say it is fine to use the implicit TA for that enrollment, but one
    > could also say that as the certificate chain is now different then the
    > DTLS session should be released and a new one established.

I think that the purpose of calling /cacerts is to get context for living
within the network.  I think that one continues with enrollment with the
same connection.  Restarting it might not actually work.

The resulting certificate should validate with the set of trust anchors
provided, and the anchors should let the client validate other clients.

Michael Richardson <>, Sandelman Software Works
 -= IPv6 IoT consulting =-
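The enrollment sequence discussed in this thread, modelled as an added example (not code from the draft or from either poster): the client handshakes using its implicit trust anchors, fetches /cacerts, keeps the same DTLS session for enrollment, and then checks that the issued certificate validates with the explicit anchors rather than the implicit ones. Everything here is constructed: the HMAC-based toy certificates stand in for X.509 signatures, the EstServer class stands in for an EST-coaps server, and all names and keys are made up.

```python
import hashlib, hmac
from dataclasses import dataclass

# Constructed toy PKI (an assumption, not the draft's format): a "certificate" binds a subject
# and its key to an issuer, with an HMAC by the issuer's key in place of an X.509 signature.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key: bytes    # key the subject signs with (toy: symmetric; a real cert carries a public key)
    sig: bytes

def issue(subject, subject_key, issuer, issuer_key):
    tbs = f"{subject}|{issuer}|{subject_key.hex()}".encode()
    return Cert(subject, issuer, subject_key, hmac.new(issuer_key, tbs, hashlib.sha256).digest())

def verify(cert, issuer_key):
    # Recompute the issuer's HMAC over the same to-be-signed fields and compare in constant time.
    return hmac.compare_digest(issue(cert.subject, cert.key, cert.issuer, issuer_key).sig, cert.sig)

def chains_to(cert, anchors):
    """True if cert was issued by a trust anchor in `anchors` ({issuer name: key})."""
    return cert.issuer in anchors and verify(cert, anchors[cert.issuer])

class EstServer:
    """Constructed stand-in for an EST-coaps server: its DTLS certificate and the CA it fronts."""
    def __init__(self, dtls_cert, ca_name, ca_key):
        self.dtls_cert, self.ca_name, self.ca_key = dtls_cert, ca_name, ca_key
        self.sessions = 0
    def dtls_connect(self):                          # one handshake == one new session number
        self.sessions += 1
        return self.sessions
    def cacerts(self):                               # GET /cacerts -> explicit TA database
        return {self.ca_name: self.ca_key}
    def simpleenroll(self, session, subject, key):   # POST /simpleenroll on an existing session
        return issue(subject, key, self.ca_name, self.ca_key)

def bootstrap(server, implicit_anchors, subject, client_key):
    """Handshake with the implicit TAs, fetch /cacerts, then enroll without restarting the session."""
    if not chains_to(server.dtls_cert, implicit_anchors):
        raise ValueError("server DTLS certificate does not chain to the implicit trust anchors")
    session = server.dtls_connect()
    explicit_anchors = server.cacerts()              # context for this network; session is kept
    cert = server.simpleenroll(session, subject, client_key)
    if not chains_to(cert, explicit_anchors):        # issued cert must validate with the explicit TAs
        raise ValueError("enrolled certificate does not validate with the explicit trust anchors")
    return session, explicit_anchors, cert
```

Note that the issued certificate chains only to the explicit anchors from /cacerts, not to the implicit ones the handshake used; keeping both databases apart is what lets the client validate its peers later.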