IETF Logo Mail Archive

Re: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Mon, 16 September 2019 17:39 UTC

Return-Path: <pkampana@cisco.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D63DD12013B; Mon, 16 Sep 2019 10:39:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=aHYdJLXK; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=CDx9WBFp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U65TJrt6lzj0; Mon, 16 Sep 2019 10:39:04 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98381120131; Mon, 16 Sep 2019 10:39:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4729; q=dns/txt; s=iport; t=1568655544; x=1569865144; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=IFFxmRU1j6KtdBDhAix6am4htpXcrKjMloRovLDrCWM=; b=aHYdJLXKw3RbF0KUSGfqiq1FfjhLqfz59wtPcCyQZDFzJ1Hl+hSWCH8B 4P5LPqbBuoiW06OjIniSAqabtUPkPQsJIa3Iulw6Nn41OLqjq2sKHMFLl ZN4nMraUqLdkNB+NOk0VyeP7bQFR6PoNMuscdcFZZPbLL18JgHnan4X4s M=;
IronPort-PHdr: 9a23:fJmY5xxqK+7kIIPXCy+N+z0EezQntrPoPwUc9psgjfdUf7+++4j5YhWN/u1j2VnOW4iTq+lJjebbqejBYSQB+t7A1RJKa5lQT1kAgMQSkRYnBZudCkT+NPfsZgQxHd9JUxlu+HToeUU=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AYAABLx39d/4oNJK1cCg4NAQEBAQMBAQEHAwEBAYFTBgEBAQsBgURQA21WIAQLKodoA4RShiCCXIM5lDiBLhSBEANUCQEBAQwBASUIAgEBhD8Cgm8jNAkOAgMJAQEEAQEBAgEFBG2FLgyFSgEBAQMBEigGAQE3AQsEAgEIEQQBAQEeEDIdCAIEDgUIGoMBgWoDDg8BAgyiAwKBOIhhgiWCfQEBBYEzAYNaGIIXAwaBNAGLdxiBQD+BEUaCTD6CYQEBAoE0EwIYgzuCJoktgzOCOZ1VCoIihwWJJ4RvgjWHR48dj0GGVJB2AgQCBAUCDgEBBYFSOIFBDwhwFTuCbBOCL4Nyihg7c4Epj00BAQ
X-IronPort-AV: E=Sophos;i="5.64,513,1559520000"; d="scan'208";a="327331793"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 16 Sep 2019 17:39:03 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by alln-core-5.cisco.com (8.15.2/8.15.2) with ESMTPS id x8GHd3DC031206 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 16 Sep 2019 17:39:03 GMT
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 16 Sep 2019 12:39:02 -0500
Received: from xhs-aln-002.cisco.com (173.37.135.119) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 16 Sep 2019 13:39:02 -0400
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-002.cisco.com (173.37.135.119) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Mon, 16 Sep 2019 12:39:01 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cjCqv2KuELQF97vzH68Q6WJwVMgf4tdLIG87YiSeMR5ePT1rlj+PbiDTDTQYSMQLXM+nhGRnrA2Wx4ECleay7eg5s6CLz8p4Y05CSlHvHfXDSsXDfzHqCQkqXftZZuGOaYdDD73/fRklAB0Lzwsgss2Jeu5/2NZidwGxo/Gy4DegnI5YyvslQlXfP9nnmTzut2IulvSHFLvywM6QYhB0gkcuXD5nJ5rPAPuXoKoEQxT/rK1Myycb8Miu2hx30xAPLuMmeAVeLniLENHbKYpL0d+KiX/L6GOTUANI4REaTd7Qn8+rTEC3bv50gO/3UhOW0/u1Wc80o0tI5vA7gAs9VQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=u7kiMKmRKDp0uAQUk8Ier0+RO5l6G1EuUWRFZIU+H50=; b=hqEYJrEOnaPKxYuxLWeThRoXaGU6BHHb3CBme+zwHwkAzpdN9eluujgsRVQ0lNy0r0TTAbAUe730RYaBXbQTMFjwmLoilDfQl4DcZXRc+4n9OPfV4F7dHCKuraGn9ycvIkmQKASqEm1RzUOfyVt+bqIrhrx8mb20ZidWX9N3YJnu/SvQRjlZkd/YVPjEDjYAjTlG3p9YZd+cr4oGmBjjZDfS6JbhueNo+6Zch6AYvnb2/g54NHgIObUSWPP83WOK4zTwCmkEX6o1x9ELhS9ALpQ0oqFh/xYmlC2k7pruYrd0xA0KQAdJg5Zw3Az0TgglrEQHR5hSFBU7lGIUkVxLkg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=u7kiMKmRKDp0uAQUk8Ier0+RO5l6G1EuUWRFZIU+H50=; b=CDx9WBFpGmMyKDjwQFAHjzlm2J2ON6F84DjXy7DHMobiJabSmWIm9UWVncIFA8extbsyRsqhWZAiqYErFNTor7ES6F96V7EyiMw3OPDzkmTj0WrYjLYGTtLD2xCcdjYWUJlNeKL6T/uMrCvfX4XEY4/fUjU1n4f/ZGfIAfRyE6g=
Received: from BN7PR11MB2547.namprd11.prod.outlook.com (52.135.255.146) by BN7PR11MB2723.namprd11.prod.outlook.com (52.135.242.153) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2263.17; Mon, 16 Sep 2019 17:39:00 +0000
Received: from BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::20df:b3df:537d:fd20]) by BN7PR11MB2547.namprd11.prod.outlook.com ([fe80::20df:b3df:537d:fd20%7]) with mapi id 15.20.2263.023; Mon, 16 Sep 2019 17:39:00 +0000
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: 'Benjamin Kaduk' <kaduk@mit.edu>
CC: "draft-ietf-ace-coap-est.all@ietf.org" <draft-ietf-ace-coap-est.all@ietf.org>, "ace@ietf.org" <ace@ietf.org>, Jim Schaad <ietf@augustcellars.com>, Michael Richardson <mcr@sandelman.ca>, Peter van der Stok <stokcons@bbhmail.nl>
Thread-Topic: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2
Thread-Index: AQHVYlHhW15JBzQJJ0uFzt6/ui+Gy6cjRfMAgAAvCYCAACBegIAAPTSAgAB5+oCAAAtwcIAKSlxg
Date: Mon, 16 Sep 2019 17:38:59 +0000
Message-ID: <BN7PR11MB2547CF79EFAF6D77BD48C607C98C0@BN7PR11MB2547.namprd11.prod.outlook.com>
References: <20190828233639.GI84368@kduck.mit.edu> <027701d55ebf$994184b0$cbc48e10$@augustcellars.com> <edcbc2a243cc7118e35aec77b2e1599c@bbhmail.nl> <20190901204340.GG27269@kduck.mit.edu> <6b482aaed0ce510c503984dfbac7286c@bbhmail.nl> <7cd78133c263214be535ec36734f7ec1@bbhmail.nl> <30070.1568030052@dooku.sandelman.ca> <20190909144232.GH18198@kduck.mit.edu> <7801.1568047103@dooku.sandelman.ca> <007901d5674b$9bc75e00$d3561a00$@augustcellars.com> <008e01d56788$985bbda0$c91338e0$@augustcellars.com> <BN7PR11MB254736E735A5779C1223E324C9B60@BN7PR11MB2547.namprd11.prod.outlook.com>
In-Reply-To: <BN7PR11MB254736E735A5779C1223E324C9B60@BN7PR11MB2547.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pkampana@cisco.com;
x-originating-ip: [2001:420:c0c4:1008::26]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9ccf45c4-fb90-43af-5658-08d73accc237
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600167)(711020)(4605104)(1401327)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:BN7PR11MB2723;
x-ms-traffictypediagnostic: BN7PR11MB2723:
x-ms-exchange-purlcount: 5
x-microsoft-antispam-prvs: <BN7PR11MB27235B7CFB0914778043665CC98C0@BN7PR11MB2723.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0162ACCC24
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(376002)(39860400002)(136003)(366004)(396003)(51444003)(199004)(189003)(13464003)(102836004)(966005)(9686003)(14444005)(256004)(86362001)(6306002)(55016002)(14454004)(316002)(5660300002)(8936002)(66476007)(81166006)(8676002)(54906003)(81156014)(478600001)(76116006)(66946007)(25786009)(6436002)(2906002)(7696005)(6116002)(53546011)(6506007)(71190400001)(33656002)(99286004)(446003)(186003)(7736002)(305945005)(229853002)(64756008)(66446008)(66556008)(76176011)(52536014)(71200400001)(476003)(74316002)(6916009)(486006)(11346002)(6246003)(4326008)(2171002)(53936002)(46003); DIR:OUT; SFP:1101; SCL:1; SRVR:BN7PR11MB2723; H:BN7PR11MB2547.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: mNH7ZRlzMUiW6VJP2OCrL3ogHtA1mtwreXvOSUqXBEyVlLw4/+KTj+wFZ4mZazmmx9CHkia5JS/DeDBZAFvB5OzpqS2adaYaZ272Ll9VvOHcJxk0rPTHsc1Mtd1zY/pA2LY9i7KYybgyDhj0PBC+8jcazXqNUm9D2ODALJAPtow/JyxcKaqxwo/36eDrSHJkd6i8YxSfTUZM0uaCIrqVRCRcxYS0U+xNMUr/tEsv44fg0tSd3GGIwjAgaVxnR3XJRj0Hfz3KsS57vXN/EXSaJeCy0fey6aH9WBCHxpjBEgw2ias0Q/q4wVrHS79f1/LIMwIqwpvFnILg+F2X4vQUTkkugUIqIjUcu1aEaAhIMH5IyKaUmRX2yuvCZcdvwEJSi7tygh7XRhUWA+oaP0xlqvWrKRrVAA6UFEAf0evTPGk=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 9ccf45c4-fb90-43af-5658-08d73accc237
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Sep 2019 17:38:59.6593 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Hk8KVZGGXOJ7D+Wg2yLWQFCblR0fyo5IGwi3oIplvL2IKPprLKbEI5N2xsMpv6IkWYf3/0UO62NOhcyXSDjUHA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR11MB2723
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.11, xch-aln-001.cisco.com
X-Outbound-Node: alln-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/UUpR_JMLINY3zi8J5zZzFS_L5f8>
Subject: Re: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Sep 2019 17:39:08 -0000

Hi Ben,

I think we have now addressed all your feedback from the AD review. A big chunk of the changes were agreed upon in the list emails threads. 

The iteration that we are planning to upload that includes all the changes is at https://github.com/SanKumar2015/EST-coaps/blob/master/draft-ietf-ace-coap-est.txt 

The summary of all your comments and what went into the text is in the git issue https://github.com/SanKumar2015/EST-coaps/issues/150 To break it down 
- https://github.com/SanKumar2015/EST-coaps/issues/150#issue-489289217 has most of the changes agreed on the list.
-  https://github.com/SanKumar2015/EST-coaps/issues/150#issuecomment-528001807 has an answer to your question about addressing the tls-unique issue in a new draft. 
- https://github.com/SanKumar2015/EST-coaps/issues/150#issuecomment-531853281 has the last changes in response to your feedback that went into the draft after Peter uploade the -13 iteration. 

Two places to pay attention to is that I removed the 
>   It is strongly RECOMMENDED that the clients request that the returned
>   private key be afforded the additional security of the Cryptographic
>   Message Syntax (CMS) EnvelopedData in addition to the TLS-provided
>   security to protect against unauthorized disclosure."
and the 
>   The corresponding longer URIs from [RFC7030] MAY be supported."
The rationale behind that is in the git issue. 

Please have a look and let us know if there is anything missing. Otherwise we will upload at the end of the week. 

Rgs,
Panos


-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of Panos Kampanakis (pkampana)
Sent: Tuesday, September 10, 2019 12:18 AM
To: Jim Schaad <ietf@augustcellars.com>; 'Michael Richardson' <mcr+ietf@sandelman.ca>
Cc: draft-ietf-ace-coap-est.all@ietf.org; 'Benjamin Kaduk' <kaduk@mit.edu>; ace@ietf.org
Subject: Re: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2

Hi Jim,

We are tracking all of Ben's feedback here https://github.com/SanKumar2015/EST-coaps/issues/150 

The fixes that have gone in the draft so far are after each comment. There are still some that we still need to update after the threads converged. 

Panos


-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of Jim Schaad
Sent: Monday, September 09, 2019 11:34 PM
To: 'Michael Richardson' <mcr+ietf@sandelman.ca>
Cc: draft-ietf-ace-coap-est.all@ietf.org; 'Benjamin Kaduk' <kaduk@mit.edu>; ace@ietf.org
Subject: Re: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2

Authors,

Are we ready to produce a new draft that addresses most, if not all, of Ben's comments?  Do we have a pull request to deal with this that we can point to?

Jim


-----Original Message-----
From: Jim Schaad <ietf@augustcellars.com>
Sent: Monday, September 9, 2019 1:17 PM
To: 'Michael Richardson' <mcr+ietf@sandelman.ca>; 'Benjamin Kaduk'
<kaduk@mit.edu>
Cc: draft-ietf-ace-coap-est.all@ietf.org; ace@ietf.org
Subject: RE: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2



-----Original Message-----
From: Michael Richardson <mcr+ietf@sandelman.ca> 
Sent: Monday, September 9, 2019 9:38 AM
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: draft-ietf-ace-coap-est.all@ietf.org; ace@ietf.org
Subject: Re: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2


Benjamin Kaduk <kaduk@mit.edu> wrote:
    >> So, on a constrained device, I'd like to know what to expect (what to
    >> code for).  While I do'nt particularly care for server-generated
keys,
    >> it should probably be specified correctly.  I see that the complexity
    >> of sorting this means that I think that Content-Format 284
    >> (unprotected) will get used most often.

    > Your constrained device is probably only going to implement one cipher
    > [mode], too, right?  If it's an AEAD mode, you use AuthEnvelopedData;
    > otherwise, classic EnvelopedData.

Yes, but each constrained device type might have a different set, and the
EST server for such an installation has to figure out how to send the right
thing.

[JLS] This is the function of section 4.4.1.1 in RFC 7030 which says that
the DecryptKeyIdentifier must be present.  This will provide the EST server
a method to identify the correct key and the correct symmetric encryption
algorithm.

    >> I think that we could go to TLS Exporter right now, but it would take
    >> some work.

    > I'd rather have both classic-EST and coap-EST benefit than just
    > coap-EST.

So you'd agree to deferring this to a document (maybe in LAMPS?) that would
Updates: 7030 and this document.

v2.23.0 | Report a Bug | By Email