IETF Logo Mail Archive

Re: [Ace] IETF 108 tentative agenda and presentations (Daniel Migault)

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Fri, 24 July 2020 14:04 UTC

Return-Path: <pkampana@cisco.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C1AD3A0883 for <ace@ietfa.amsl.com>; Fri, 24 Jul 2020 07:04:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.621
X-Spam-Level:
X-Spam-Status: No, score=-9.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=kJFhtFLa; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=cisco.onmicrosoft.com header.b=kvH4wlyn
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nGwFfrOc8QQq for <ace@ietfa.amsl.com>; Fri, 24 Jul 2020 07:04:46 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B878F3A07D7 for <ace@ietf.org>; Fri, 24 Jul 2020 07:04:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9529; q=dns/txt; s=iport; t=1595599485; x=1596809085; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=ConewezViPx+7kum+O70TZ4Hs4W7+1kwOmDaLoTEwAQ=; b=kJFhtFLatvW56uMSjBPYt2qqnS32HHdEU0njCc0x/NfDpdKmBdH+G/Fc lQQqM1WjQwshvKy43Q+zDCBs87gY7/dCubz7bzUfQPySSvk/R5sU8MA+e gq1+aV69dyI0P5lJmdMQOMKvdkBa+GoJ2NYotMf7Hopx1Ig1BhnnmKzOj U=;
X-Files: smime.p7s : 4024
IronPort-PHdr: 9a23:J8CPMx9nZvd7jv9uRHGN82YQeigqvan1NQcJ650hzqhDabmn44+7ZRyN/vRgiVLPRsPQ7PcXw+bVsqW1X2sG7N7BtX0Za5VDWlcDjtlehA0vBsOJSCiZZP7nZiA3BoJOAVli+XzoKklYHcv4fBvZpXjhpTIXEw/0YAxyIOm9E4XOjsOxgua1/ZCbYwhBiDenJ71oKxDjpgTKvc5Qioxneas=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CYBQCr6Rpf/5hdJa1XCQ4OAQEBAQEBBwEBEgEBBAQBAUCBSoFSIy4HbystLywKh28DjVaKA45cglMDVQQHAQEBCQMBARsSAgQBAYRMAoIiAiQ4EwIDAQELAQEFAQEBAgEGBG2FXAyFcQEBAQMBEi4BAS4JAQQHBAIBCBEEAQEZFgIfER0IAgQBDQUIBhSDBYF+TQMOEQ8BojcCgTmIYXSBNIMBAQEFhS0NC4IHBwmBOIFTgRmGBIJmgR4agUE/gRFDgX0iLj6BBIEWQgKBMxQaPBGCeoItkiKIUYoSkBROCoJdhDOCWIFLjCGFFoQcm0OSFIhchDGSBwIEAgQFAg4BAQWBaiOBV3AVgyQJRxcCDY4eg3GKGD50NwIGCAEBAwl8jSCBDwGBEAEB
X-IronPort-AV: E=Sophos;i="5.75,391,1589241600"; d="p7s'?scan'208";a="786469191"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 24 Jul 2020 14:04:41 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by rcdn-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id 06OE4ewJ018473 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 24 Jul 2020 14:04:41 GMT
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Fri, 24 Jul 2020 09:04:40 -0500
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Fri, 24 Jul 2020 10:04:40 -0400
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Fri, 24 Jul 2020 10:04:39 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=oLSZsrXA2s+mr3Yf8Lf+WC/K+xRkSPdmm6Eq6koLduXxq3qWzb4BJQy0r3EI7dhlYkW1yYgPSy5HH+fR5dkn9QeH+9dOtKaL3NeLm4F/34jzkYiOeAggerkiIXWSyrTdXtbZR+JV/YrBMPCKrpkDOICDfg9e8mIJt314CTVBZPM/FFt5HWwLBf18A8csnQ+hqWFWG3lKvRs/OWWh7mmFDlr3V128voLF7b2jIIVniOKu/ll71zpEf4sMhMfufqx8wyMfk17+R2SnmJ4s3/5I4SPfmnO82Uq6WiIL3RaRSniOFpc6sWVinPwHG2f9v1Yo8VdsJteZzsGEGgh8pwGNSQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MeCx325bAGHHwuAALSM1FfggTb1mJRrXCKsunIYZgW0=; b=fA9Vx8zpEYv1sjESvjidqJyDZXOqfvzYOrAkFDMRqSpyUIdJKG4BwsHzcADcmSO35vWxWsD32dJ0DGtLU0i2byVYPuv5G/HGRvzmwS0VTGXdlSkbb/6hEK/e1lXpn90+oPWQro+YjyrihdygVi5ktkqTqm7oxpe6HCnVficXupGlHqGPx4ywSkHf7J9fh8wwlvBMZ40sjjFzGriJAcXzPkb2V5vwXXk5c5Bt1JhKOm2TwtZWMcRZZHmdjyc30JPxDUqMzSD6dU5LWhorhpx2VBmZkFIW3b79XmAW8QOo4EbCkkrJ9323VQTJV/JgowrWWoOdjDfS0v0vzc284Iy4gA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MeCx325bAGHHwuAALSM1FfggTb1mJRrXCKsunIYZgW0=; b=kvH4wlynNNDfOgcEex4aR0lllqFVPAXLfTDmuLbUhMynArAwhYsuXf4+tDerXo2y54mxS8W/G01DxPfyaOTo4MkqWSE92CStUSptgEVlir6Z9UuTCAsLFCRiLKkL61G+BWSXdbkXAZ4OZ35hjngtKSWGUgunfTPgbruhW54T+zw=
Received: from BN7PR11MB2547.namprd11.prod.outlook.com (2603:10b6:406:af::18) by BN7PR11MB2836.namprd11.prod.outlook.com (2603:10b6:406:ad::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3216.20; Fri, 24 Jul 2020 14:04:38 +0000
Received: from BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::b582:dfb0:1136:8535]) by BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::b582:dfb0:1136:8535%4]) with mapi id 15.20.3216.026; Fri, 24 Jul 2020 14:04:38 +0000
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>, Benjamin Kaduk <kaduk@mit.edu>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: Mohit Sahni <mohit06jan@gmail.com>, "steffen.fries@siemens.com" <steffen.fries@siemens.com>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] IETF 108 tentative agenda and presentations (Daniel Migault)
Thread-Index: AQHWX5lj2xo5I7eQAk6wCDCWveBOMqkSfISAgAAYZoCAAKV/gIAAVHbwgAANy4CAAyBysA==
Date: Fri, 24 Jul 2020 14:04:38 +0000
Message-ID: <BN7PR11MB2547B298898A544F8A26C0F9C9770@BN7PR11MB2547.namprd11.prod.outlook.com>
References: <mailman.1850.1595355742.7860.ace@ietf.org> <CAEpwuw0JN9RGzEBs+fmcL18OFcHzKj_DDzXCt4VkSkSmG3Rvnw@mail.gmail.com> <9794.1595363465@localhost> <20200721215825.GB41010@kduck.mit.edu> <AM0PR10MB3153493DF2B63A8A061BD916FE790@AM0PR10MB3153.EURPRD10.PROD.OUTLOOK.COM> <DM6PR11MB25554D31E5C2DBFA677BD83AC9790@DM6PR11MB2555.namprd11.prod.outlook.com> <AM0PR10MB31536E2085A36420C0FB6A2DFE790@AM0PR10MB3153.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <AM0PR10MB31536E2085A36420C0FB6A2DFE790@AM0PR10MB3153.EURPRD10.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ActionId=853d4b82-15da-4ce2-9193-0000a3646129; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ContentBits=0; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Enabled=true; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Method=Standard; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Name=restricted-default; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SetDate=2020-07-22T07:41:39Z; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a;
authentication-results: siemens.com; dkim=none (message not signed) header.d=none;siemens.com; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [68.93.142.48]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a959aa01-8a10-49ec-888f-08d82fda80c6
x-ms-traffictypediagnostic: BN7PR11MB2836:
x-microsoft-antispam-prvs: <BN7PR11MB2836F7378A75233A7623E0E0C9770@BN7PR11MB2836.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: zSp4vKkd0xCfaghadjKfCv37zUfBB7g/E3H2O7GBH4VKW0CPVTgvMn1XvwbX4OOanFhryu7myWU4+HqnSDBTounN8WvnhveXAKpADPIHklecDJ0kf/QlkOOneQeU+Xoegy8j532QtwFrrBkgC/WoZtR4Fkw8CvrM9MaB/RtgspFKkEZFjIjwp58vHqQjgUoM8pbHLm3RRI05J6n0lSkxbhCucHEbXVs0cFk2D/PgCf7g0/eAoPw5iXCx5KFMyjL3wCtFms53Xw/LMJtVDOQZmcELB6kEypKpL4VAGD6StbXsq7OxcnLXP/kHCLNfV0oD2WAt3agyYkHD2XcgjpDBOA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN7PR11MB2547.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(39860400002)(346002)(366004)(136003)(376002)(396003)(66616009)(99936003)(8676002)(52536014)(316002)(110136005)(76116006)(2906002)(9686003)(66446008)(66556008)(66476007)(64756008)(33656002)(66946007)(54906003)(8936002)(4326008)(478600001)(186003)(71200400001)(86362001)(53546011)(83380400001)(5660300002)(55016002)(26005)(7696005)(6506007); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: KunwShmXCVWm2kIeBW2mYQ3NFXfTc14p30NOG67I+1wmtYcVuXg41NvnT6nztwcuXiLKazDZ0n0hP8K0/jSicIBAlryO7UzUgLaIqio7wHqZ9z1nlJAY+8Y2ELzlhhkzHGXelN04Ex/W+sjOzjSWah3peOBeSp5SdXLbmys+Of+1byL5fOsaX/MH7P2wmrBDAp2BTWlPXRMhtzVFCv+YLXVb3S5H09sJTYcNSdpS0EVC9UWFYVvdw6y4uh3uXP9w8MbHROFdZzcjdPie+xakXUwryBbSy/LDnThq10mse1JI06HklTBGaKfJCRzJjlWXJMp5XCR6eXgFbThlE6fjcdUcBJXgNU2o2cwjIaMjZedoUg9jxXFcfznlqVlNXYghwChAsvEFADGaAgXqk6Bb5YemYgrOLi65UxwTDcLKxGjnjqP1Kgs7ynnPk6T1O8QIaPez7cpVEV0iuCydKp6rOZg+0LaAjH9DBvhaG0zobwM=
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"; boundary="----=_NextPart_000_0023_01D661A1.D65E46E0"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN7PR11MB2547.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a959aa01-8a10-49ec-888f-08d82fda80c6
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jul 2020 14:04:38.2286 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: HzoLkZj/5c88zaeTse8QtKI499+UVqYN7EfjEwLzMW4hiZXBg1H6lB28mgWz8jC70ZgzK10cd5aCRwnwUpm5CA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR11MB2836
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.11, xch-aln-001.cisco.com
X-Outbound-Node: rcdn-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/R_8oCp0aryQyf3FYg4zdgttO928>
Subject: Re: [Ace] IETF 108 tentative agenda and presentations (Daniel Migault)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2020 14:04:48 -0000

Hi Hendrik, 

Thank you. Understood about the end-to-end protection of CMP and POP. 

I would argue that establishing the end-to-end keys to offer the application
level protection functionality in a scalable way does not come easily. On
the other hand, even CMP allows for an RA trust model instead of end-to-end
POP like EST-coaps does. 

> I am uncertain if I understand your question correctly. Est-over-coaps
described EST transport and not CMP transport on top of CoAP.

I meant why do we need two enrollment protocols to run over COAP?
est-over-coaps took a long time and a lot of work. The reason we pursued it
is because we were getting requests from vendors that wanted to enroll certs
in constrained environments in the energy sector and industrial automation
and EST was standardized in IEC 62351. Is the cmp-over-coap argument that
you could run it over plan UDP and use out-of-band established, end-to-end
protection the sole motivating reason? 

Rgs, 
Panos


-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of Brockhaus, Hendrik
Sent: Wednesday, July 22, 2020 9:42 AM
To: Panos Kampanakis (pkampana) <pkampana@cisco.com>; Benjamin Kaduk
<kaduk@mit.edu>; Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Mohit Sahni <mohit06jan@gmail.com>; steffen.fries@siemens.com;
ace@ietf.org
Subject: Re: [Ace] IETF 108 tentative agenda and presentations (Daniel
Migault)

Hi Panos,

thnaks for you feedback.

> Von: Panos Kampanakis (pkampana) <pkampana@cisco.com>
> 
> Hi,
> 
> > Looking into Mohits draft, cmp-over-coap is much simpler than
> est-over-coaps, as CMP does not need any binding to an underlying 
> (D)TLS handshake.
> 
> Not sure that is accurate. And EST does not bind to the tunnel 
> protocol either unless proof of possession is used. For now the 
> cmp-over-coap draft says
> 
>    When the end to end secrecy is desired for CoAP transport, CoAP over
>    DTLS [RFC6347] as a transport medium SHOULD be used.
> 
> COAP can run over DTLS or plain UDP and in rare cases TCP, TLS and 
> maybe Websockets. I am not sure someone would run cmp-over-coap over 
> TCP because then he could just run CMP natively without COAP in the 
> middle. Any application layer protocol (CMP etc) can run over any 
> transport but I am
not
> sure there are more transports than the usual ones for cmp-over-coap
anyway.

It is not needed to run CMP over CoAP over TCP. UDP as transport protocol is
fine. Actually CMP over CoAP also does not need DTLS underneath. But it also
does not hinder to have a second line of defense.
As I understand EST, proof-of-possession is purely provided by the
self-signature in PKCS#10. But EST provides the proof-of-identity of the
requesting party by the (D)TLS client authentication bound to the PKCS#10
(tls-unique copied in the P10 password filed). Is this correct?
Such binding is not required for CMP. CMP does not have any requirements in
this regard and provides prove-of-identity by signing the CMP messages. The
advantage is that this prove-of-identity can be end-to-end and not only on
the first hop to the (D)TLS server, like with EST.

> 
> 
> I agree that if this gets picked up it should be by ACE.
> 
> I would like to understand what gaps it is filling compared to 
> est-over-coaps which took a lot of work and where it will be used and 
> implemented in.

I am uncertain if I understand your question correctly. Est-over-coaps
described EST transport and not CMP transport on top of CoAP.
One prototypic implementation can be found on
github.com/siemens/embeddedCMP.

- Hendrik

v2.23.0 | Report a Bug | By Email