Re: [Ace] Call for adoption draft-msahni-ace-cmpv2-coap-transport-01

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Thu, 08 October 2020 06:07 UTC

From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: "Panos Kampanakis (pkampana)" <pkampana=40cisco.com@dmarc.ietf.org>, Mohit Sahni <mohit06jan@gmail.com>, Ace Wg <ace@ietf.org>
CC: "stripathi@paloaltonetworks.com" <stripathi@paloaltonetworks.com>, "saurabh.tripathi@gmail.com" <saurabh.tripathi@gmail.com>, Mohit Sahni <msahni@paloaltonetworks.com>
Date: Thu, 8 Oct 2020 06:07:50 +0000
Message-ID: <AM0PR10MB24183F163B988B1BE3B4B976FE0B0@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM>
References: <CAEpwuw09Ud-LBNhAc5591mbB+MpOOaeUKBEKfuRW5oJGCs5qZQ@mail.gmail.com> <BN7PR11MB254786CF6D99AF95C1EF0089C90C0@BN7PR11MB2547.namprd11.prod.outlook.com>
In-Reply-To: <BN7PR11MB254786CF6D99AF95C1EF0089C90C0@BN7PR11MB2547.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Og51ak5tHgTOewS01GPpwAcfAgs>
Subject: Re: [Ace] Call for adoption draft-msahni-ace-cmpv2-coap-transport-01

I honor Panos' opinion and understand that he wishes to have EST as the one and only enrollment protocol. But also after EST, further enrollment protocols were standardized, e.g., ACME, OPC-UA GDS, SCEP. But I do not want to argue pro or con a specific protocol. I think we have to accept that there are different protocols with different abilities chosen in different verticals.

The point here is: does the group support Mohit's draft on specifying CoAP transport for CMP?

Just to recap the discussion from IETF 108:
---------------------snip---------------------
### CoAP Transport for CMP - Mohit Sahni - 5:11

JS: This is here for possible adoption, but the WG is not expected to have expertise in the CMP protocol, but just looking at how the CoAP work is done.
DM: Objections to doing this work? No objections registered.
DM: Need to re-charter and then adopt.
JS: Recharter does not stop us from doing reviews.
GS: Reading table of contents - multicast and proxy support.
MS: Don't use multicast for this. Only used for service discovery. Need to have proxy support to get additional security for servers.
GS: This is just a transport draft?
MS: Yes.
---------------------snip---------------------

I would appreciate further votes.

Hendrik

From: Ace <ace-bounces@ietf.org> On Behalf Of Panos Kampanakis (pkampana)
Sent: Monday, 5 October 2020 17:44
To: Mohit Sahni <mohit06jan@gmail.com>; Ace Wg <ace@ietf.org>
Cc: stripathi@paloaltonetworks.com; saurabh.tripathi@gmail.com; Mohit Sahni <msahni@paloaltonetworks.com>; Brockhaus, Hendrik (T RDA CST SEA-DE) <hendrik.brockhaus@siemens.com>
Subject: Re: [Ace] Call for adoption draft-msahni-ace-cmpv2-coap-transport-01

I oppose adoption.

IETF in the past has come up with SCEP, CMP, CMC and EST, all of them for the most part doing the same thing with minor differences. I don’t think we need two enrollment protocols to run over CoAP. We should not repeat mistakes of the past.

In ACE we have EST-coaps, which is done. We worked on it because EST was in IEC 62351 and we needed a solution for some CoAP use cases. Since then EST-coaps has been picked up by Fairhair and Thread.

The argument about L7 protection in CMPv2 could also be satisfied by draft-selander-ace-coap-est-oscore. draft-selander-ace-coap-est-oscore was trying to secure EST over L7 encrypted COSE messages.

Additionally, I would argue that L7 proof-of-identity is not a strong advantage in an (L)RA trust model for both EST-coaps and CMPv2-coaps. What is more, having the CA trust all potential manufacturer roots in order to do L7 proof of identity will not be trivial unless the CA is a private one. And in a private CA and (L)RA scenario I don’t know that end-to-end proof of identity is that important.

I oppose adoption unless there is a compelling reason why. Also I am not sure where this draft would be implemented and used. If this is just for one or two vendors I don’t think ACE needs to spend the cycles.

Thanks,
Panos


From: Ace <ace-bounces@ietf.org> On Behalf Of Mohit Sahni
Sent: Monday, October 05, 2020 3:21 AM
To: Ace Wg <ace@ietf.org>
Cc: stripathi@paloaltonetworks.com; saurabh.tripathi@gmail.com; Mohit Sahni <msahni@paloaltonetworks.com>; Brockhaus, Hendrik <hendrik.brockhaus@siemens.com>
Subject: [Ace] Call for adoption draft-msahni-ace-cmpv2-coap-transport-01

Hello Ace WG,
I am presenting draft-msahni-ace-cmpv2-coap-transport-01 to be adopted by the ACE WG. This document supplements the "Lightweight CMP Profile" draft (https://tools.ietf.org/html/draft-brockhaus-lamps-lightweight-cmp-profile-03), which specifies the modifications to the CMPv2 protocol for it to be used efficiently by constrained devices for PKI operations.

I discussed this draft in the IETF 108 ACE session, along with the need to recharter the ACE WG in order to adopt it, on which we had consensus. Please state your opinion on whether this draft should be adopted by the ACE WG.

Link to the draft: https://datatracker.ietf.org/doc/draft-msahni-ace-cmpv2-coap-transport/

Regards,
Mohit Sahni