Re: [Ace] Alexey Melnikov's Discuss on draft-ietf-ace-coap-est-17: (with DISCUSS and COMMENT)
"Alexey Melnikov" <aamelnikov@fastmail.fm> Fri, 20 December 2019 15:47 UTC
Return-Path: <aamelnikov@fastmail.fm>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 399D9120106; Fri, 20 Dec 2019 07:47:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.fm header.b=syO/vlUe; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=LPm+pN4U
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QiZ_mPErdMEp; Fri, 20 Dec 2019 07:47:17 -0800 (PST)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E190212088F; Fri, 20 Dec 2019 07:47:12 -0800 (PST)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 55978221B6; Fri, 20 Dec 2019 10:47:12 -0500 (EST)
Received: from imap1 ([10.202.2.51]) by compute7.internal (MEProxy); Fri, 20 Dec 2019 10:47:12 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.fm; h= mime-version:message-id:in-reply-to:references:date:from:to:cc :subject:content-type; s=fm1; bh=cqsLz0TePuvX6U473mq9JFXhpfcT0Ek XYJjdwIggGaQ=; b=syO/vlUepPdOIScSZ3xycHAMs3ujSoQY18PNZm7uBJ3Ty3w EiMZ79/7XJtvCKd+6atmyGo8Rva1gb/C9QhyYPqvo2NJYo01qUXQ42d+PQ3I0+9K cTBAiaswlZ0S/07fJUknWRhPOBtvtsszfkvZvrNDu22KHNB80OF/yEs0jnyMXw5M 968lrLDq/T9bUMN/Ci38XPDgyZjYOrd9kzvDWurezJOPu7M6MKkO3r7SQ5uhKAz9 KADzzkrsyFZhP8C6t5R39ZDTpRr6qBnrsRMluBIizCv8RLP7iL2FQaj4DNTmUJFC Yva+rdv880fidV49XutSC5gDEgXCV4F7Cn17REw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=cqsLz0 TePuvX6U473mq9JFXhpfcT0EkXYJjdwIggGaQ=; b=LPm+pN4UuBO48tTk8b5N6h IouHAe+e0W409nuFkrH2GSqM2YY61h6+QfvuST4FDj7fOuyoONOOaqmQsSbpkpTh 4BVp+i8IvJwUmZaq2vFahw/SgisOXOZtGw0K5P2jP23dJdjheuaiORzI8vVagqxa E8Qu0YOfNPs+sPw1FwnRuVdMwLRjbEiKbHO+0OUTgv7Cq4iNEc0hAxXGVWWtVYem eu/w1ILgQVkn7FnOhp8WDC8STncxMD81AMcf9QVYR9WUUZsGpqu+uhfQeEklYNoP O+RcWeMx89w2guW6UqVQ8FheW8H06pXtaEy4cHYZRuttzxZwltgPSWkuiWrXdfQg ==
X-ME-Sender: <xms:_-z8XWC9A19KbKFz6zoAJYLpxKu8S6vkDOj0K_vdthg7L0de46GXNg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrvddufedgjeekucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvffutgesthdtredtreerjeenucfhrhhomhepfdetlhgv gigvhicuofgvlhhnihhkohhvfdcuoegrrghmvghlnhhikhhovhesfhgrshhtmhgrihhlrd hfmheqnecurfgrrhgrmhepmhgrihhlfhhrohhmpegrrghmvghlnhhikhhovhesfhgrshht mhgrihhlrdhfmhenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:_-z8XUzXYEaUWrcCPM4sy93EnQqGuxOF1Cb58rKWLge0gZFBouhJPQ> <xmx:_-z8XUngZBz1vcZm70Oaimm7iSil2Z9wOVJpq1uJbSEM63vwG9MFdQ> <xmx:_-z8XZEewNj_EQ5GyIaYNYYaZfvhHat8BSz8HAb3UEtjXa68cBSpMg> <xmx:AO38XZTzpTGRa4MmA7hNKvv-wamuauZ4Gx1XfqxKe1PHK2hOdjnXOw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 89449C200A4; Fri, 20 Dec 2019 10:47:11 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-694-gd5bab98-fmstable-20191218v1
Mime-Version: 1.0
Message-Id: <e8bc4e71-0e83-4a3e-8405-37131cc535ab@www.fastmail.com>
In-Reply-To: <019a01d5b6d3$23aef180$6b0cd480$@augustcellars.com>
References: <157667562611.29907.6804425237641037015.idtracker@ietfa.amsl.com> <20191220004728.GF35479@kduck.mit.edu> <019a01d5b6d3$23aef180$6b0cd480$@augustcellars.com>
Date: Fri, 20 Dec 2019 15:45:48 +0000
From: Alexey Melnikov <aamelnikov@fastmail.fm>
To: Jim Schaad <ietf@augustcellars.com>, Benjamin Kaduk <kaduk@mit.edu>
Cc: 'The IESG' <iesg@ietf.org>, draft-ietf-ace-coap-est@ietf.org, ace-chairs@ietf.org, ace@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/V8fKih-WXEcEHDpHmcK_xN7Nt4g>
Subject: Re: [Ace] Alexey Melnikov's Discuss on draft-ietf-ace-coap-est-17: (with DISCUSS and COMMENT)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Dec 2019 15:47:20 -0000
Hi Jim, On Fri, Dec 20, 2019, at 1:16 AM, Jim Schaad wrote: > > > -----Original Message----- > From: Benjamin Kaduk <kaduk@mit.edu> > Sent: Thursday, December 19, 2019 4:47 PM > To: Alexey Melnikov <aamelnikov@fastmail.fm> > Cc: The IESG <iesg@ietf.org>; draft-ietf-ace-coap-est@ietf.org; > ietf@augustcellars.com; ace-chairs@ietf.org; ace@ietf.org > Subject: Re: Alexey Melnikov's Discuss on draft-ietf-ace-coap-est-17: (with > DISCUSS and COMMENT) > > On Wed, Dec 18, 2019 at 05:27:06AM -0800, Alexey Melnikov via Datatracker > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- (snip) > > 7. Parameters > > > > It is recommended, based on experiments, > > to follow the default CoAP configuration parameters ([RFC7252]). > > However, depending on the implementation scenario, retransmissions > > and timeouts can also occur on other networking layers, governed by > > other configuration parameters. When a change in a server parameter > > has taken place, the parameter values in the communicating endpoints > > MUST be adjusted as necessary. > > > > The last sentence: use of MUST with passive voice is really unhelpful > here. > > Adjusted by whom? How can this MUST be satisfied? > > [JLS] My assumption is that is this going to be done either by a congestion > protocol, a couple have been looked at in the CoRE working group. It could > also be done by a provisioning agent or by a firmware update. Lots of > options but no specific one is required. I think the text needs clarifying, as it is not clear on that. > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > Comment: > > > > 5.1. Discovery and URIs > > > > Clients and servers MUST support the short resource EST-coaps URIs. > > > > Just to clarify: the original EST URIs are prohibited in COAP-EST? > > My understanding is that the servers also have to support the original > (long) EST paths. > > [JLS] My understanding is that the short names MUST be supported. Support > for the long names is optional and would probably be implemented as aliases > on the server side. I don't think this is clear, so it should be clarified in the document. > I would not expect clients to use the long names as > they consume more network bandwidth (hence the short names). A server is > very likely to support both the long and short names if it is supporting > both EST and COAP-EST. > > jim > > -Ben > > > In 5.8: > > > > In the case where the asymmetric encryption key is suitable for > > transport key operations the generated private key is encrypted with > > a symmetric key which is encrypted by the client-defined (in the > > CSR) > > > > I would break up this sentence into 2 to make it clearer, as I > > initially read this as 2 encryption operations applying to the generated > private key itself. > > So I suggest something like: > > > > In the case where the asymmetric encryption key is suitable for > > transport key operations the generated private key is encrypted with > > a symmetric key. The symmetric key itself is encrypted by the > > client-defined (in the CSR) > > > > asymmetric public key and is carried in an encryptedKey attribute in > > a KeyTransRecipientInfo structure. > > > > Finally, if the asymmetric > > encryption key is suitable for key agreement, the generated private > > key is encrypted with a symmetric key which is encrypted by the > > client defined (in the CSR) asymmetric public key and is carried in > > an recipientEncryptedKeys attribute in a KeyAgreeRecipientInfo. > > > > As above. > > > > > >
- [Ace] Alexey Melnikov's Discuss on draft-ietf-ace… Alexey Melnikov via Datatracker
- Re: [Ace] Alexey Melnikov's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Ace] Alexey Melnikov's Discuss on draft-ietf… Jim Schaad
- Re: [Ace] Alexey Melnikov's Discuss on draft-ietf… Carsten Bormann
- Re: [Ace] Alexey Melnikov's Discuss on draft-ietf… Peter van der Stok
- Re: [Ace] Alexey Melnikov's Discuss on draft-ietf… Alexey Melnikov
- Re: [Ace] Alexey Melnikov's Discuss on draft-ietf… Alexey Melnikov
- Re: [Ace] Alexey Melnikov's Discuss on draft-ietf… Klaus Hartke
- Re: [Ace] Alexey Melnikov's Discuss on draft-ietf… Carsten Bormann
- Re: [Ace] Alexey Melnikov's Discuss on draft-ietf… Panos Kampanakis (pkampana)
- Re: [Ace] Alexey Melnikov's Discuss on draft-ietf… Peter van der Stok
- Re: [Ace] Alexey Melnikov's Discuss on draft-ietf… Alexey Melnikov
- Re: [Ace] Alexey Melnikov's Discuss on draft-ietf… Panos Kampanakis (pkampana)
- Re: [Ace] Alexey Melnikov's Discuss on draft-ietf… Benjamin Kaduk
- Re: [Ace] Alexey Melnikov's Discuss on draft-ietf… Alexey Melnikov