Re: [Ace] WGLC for draft-ietf-ace-coap-est - optimization for embedded devices
Jim Schaad <ietf@augustcellars.com> Thu, 24 January 2019 05:05 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 869B41310CD for <ace@ietfa.amsl.com>; Wed, 23 Jan 2019 21:05:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dLeDAaFSS93t for <ace@ietfa.amsl.com>; Wed, 23 Jan 2019 21:05:51 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5569F130E7E for <ace@ietf.org>; Wed, 23 Jan 2019 21:05:51 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 23 Jan 2019 21:05:22 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Michael Richardson' <mcr@sandelman.ca>, 'Esko Dijk' <esko.dijk@iotconsultancy.nl>
CC: ace@ietf.org
References: <DB6P190MB0054743FDD8DB32669C5BB23FD990@DB6P190MB0054.EURP190.PROD.OUTLOOK.COM> <15991.1548296807@localhost>
In-Reply-To: <15991.1548296807@localhost>
Date: Wed, 23 Jan 2019 21:05:19 -0800
Message-ID: <000001d4b3a2$69396530$3bac2f90$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQKPe14W3mTmO1gk9I6z01h4BEwvRAGwJtObpDrLsTA=
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/WTIXVUdYp8isXPSgMTBdeVEzRfo>
Subject: Re: [Ace] WGLC for draft-ietf-ace-coap-est - optimization for embedded devices
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jan 2019 05:05:53 -0000
> -----Original Message----- > From: Ace <ace-bounces@ietf.org> On Behalf Of Michael Richardson > Sent: Wednesday, January 23, 2019 6:27 PM > To: Esko Dijk <esko.dijk@iotconsultancy.nl> > Cc: ace@ietf.org > Subject: Re: [Ace] WGLC for draft-ietf-ace-coap-est - optimization for > embedded devices > > > Esko Dijk <esko.dijk@iotconsultancy.nl> wrote: > > My main comment on this draft is based on recent experience with an > > embedded implementation. In the draft, the content format > > "application/pkcs7-mime;smime-type=certs-only" is used to transport a > > single certificate back to the client. However, in the embedded > > implementation crypto library there is no support for parsing this > > format, but there is support for parsing X.509v3 > > (application/pkix-cert). See > > e.g. https://tls.mbed.org/api/group__x509__module.html for an > embedded > > API that can parse CSR and certs, but not PKCS#7. > > > Therefore the X.509 format seems better to use; also given that > > 1) the signing of data that the PKCS#7 S/MIME envelope provides is > useless because the DTLS session is already end-to-end protected and the > certificate is already signed; and There is no signature for this CMS signed message format. It only contains the certificates and CRLs that are passed back. I would still think that this is a fine idea as long as you are only going to return the leaf certificate and not returning a bag of certificates or any CRLs. > > 2) RFC 7030 requires that only one certificate, the generated one, is > > carried in the /simple(re)enroll response so that a container format > > for multiple certificates is not really needed here. > > > So to reduce code size for embedded implementations it would be very > > beneficial if the EST Server would support an additional content > > format: > > application/pkix-cert (see RFC 5280) > > I think that this is a reasonable thing to do. > The client can easily say what it wants and I think the two formats are > relatively easy to swap. > > What about if we went further, and went to: > Concise Identities > draft-birkholz-core-coid-01 Given that it would be a blocking factor, I would think about this as maybe something in the future. Jim > > -- > ] Never tell me the odds! | ipv6 mesh networks [ > ] Michael Richardson, Sandelman Software Works | IoT architect [ > ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
- Re: [Ace] WGLC for draft-ietf-ace-coap-est - opti… Esko Dijk
- Re: [Ace] WGLC for draft-ietf-ace-coap-est - opti… Michael Richardson
- Re: [Ace] WGLC for draft-ietf-ace-coap-est - opti… Jim Schaad
- Re: [Ace] WGLC for draft-ietf-ace-coap-est - opti… Esko Dijk
- Re: [Ace] WGLC for draft-ietf-ace-coap-est - opti… Michael Richardson
- Re: [Ace] WGLC for draft-ietf-ace-coap-est - opti… Jim Schaad
- Re: [Ace] WGLC for draft-ietf-ace-coap-est - opti… Michael Richardson
- Re: [Ace] WGLC for draft-ietf-ace-coap-est - opti… Jim Schaad