Re: [Ace] How to specify DTLS MTI in COAP-EST

Hannes Tschofenig <> Fri, 08 June 2018 06:56 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 820FB130E2C for <>; Thu, 7 Jun 2018 23:56:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ObNOUT4tN9iE for <>; Thu, 7 Jun 2018 23:56:35 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2B009130DCB for <>; Thu, 7 Jun 2018 23:56:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NwcGXzxU4OHrNvqcjNVmsCr/bh/Wg4A/h53ODHalGLo=; b=COMboo/waFgg44UmV4VUSPgWpiB55EOV/WGHGKlLZX1jCXE5j9wT8eEGe4NwTcMUGAAaV1VS487fX7GT0mfMJlUkmpBq5hhg+EyIsq39KSQqCsqif9sBGhVlOht8xzIg5IpMHZ+QJCqN2Ty3yRe9dUpPDUwqbpVWjJQOrTb4klQ=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.841.14; Fri, 8 Jun 2018 06:56:31 +0000
Received: from ([fe80::65ac:45dd:6b32:4853]) by ([fe80::65ac:45dd:6b32:4853%12]) with mapi id 15.20.0841.015; Fri, 8 Jun 2018 06:56:31 +0000
From: Hannes Tschofenig <>
To: Eric Rescorla <>, Michael Richardson <>
CC: "" <>
Thread-Topic: [Ace] How to specify DTLS MTI in COAP-EST
Thread-Index: AQHT/e65x8uyz3CYSUqqld4MOn23DqRU0nmAgAAqbVCAABS2gIAALIKAgACtKIA=
Date: Fri, 08 Jun 2018 06:56:30 +0000
Message-ID: <>
References: <13635.1528327933@localhost> <> <> <12464.1528393277@localhost> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM5PR0801MB1379; 7:DQHIhCVWXFCl8q10LNaAzWcpzKdUvKL9wVW+ICvCW7z5zwMacxejiyrsRPsNCrgi7u6HbkIjCsQeSBFHWfyWZNYQrH5pxpSIMQ9aqKNrhqxRae7dt+GaoxvPWFCWE+9FPQcaxPIqwob8ll23OemCllnBNQhiefk97NsuCsJva/OOZO2JoTSGlSaZ3+SrcFTiJZvW6JX7pUyAOZgjEkdOjA+dXYvNNO0jSovvfPjSAyTtZRDExLceUrhhWyOPZNbC
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:AM5PR0801MB1379;
x-ms-traffictypediagnostic: AM5PR0801MB1379:
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(28532068793085)(180628864354917)(21748063052155);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(10201501046)(3002001)(93006095)(93001095)(3231254)(944501410)(52105095)(6055026)(149027)(150027)(6041310)(20161123558120)(20161123562045)(20161123560045)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011)(7699016); SRVR:AM5PR0801MB1379; BCL:0; PCL:0; RULEID:; SRVR:AM5PR0801MB1379;
x-forefront-prvs: 06973FFAD3
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(366004)(346002)(396003)(39850400004)(39380400002)(51444003)(40434004)(199004)(189003)(5250100002)(486006)(97736004)(9686003)(3660700001)(25786009)(33656002)(74316002)(2906002)(81156014)(81166006)(8936002)(55016002)(478600001)(5890100001)(790700001)(66066001)(3846002)(6116002)(86362001)(6436002)(14454004)(72206003)(8676002)(6246003)(2900100001)(106356001)(105586002)(5660300001)(53936002)(68736007)(7696005)(76176011)(93886005)(26005)(966005)(606006)(229853002)(102836004)(110136005)(59450400001)(16297215004)(53546011)(3280700002)(6506007)(446003)(7736002)(11346002)(476003)(99286004)(236005)(6306002)(54896002)(186003)(316002)(4326008)(217873001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM5PR0801MB1379;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None ( does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 5lrXTzu5+nNG8+sHedYgh2eQWmYuqRJq90NJB0Olf1vlBJfqEBkyxcIeJzWkF+dQ0+H+nU7C9JlHCQkJZD4zzF1+CCgNdLHv9BTq/K8BppAvSRiL4cs5YeYW7hlRmU3xjTzk6aZL5siVIHp5rWllkMwufceycUBn7wMFwOncqhfUzJ1oVvIbXUgjkZYTVZ2q
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_AM5PR0801MB2097054338CC03563649549FFA7B0AM5PR0801MB2097_"
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: e7c6e281-80fd-4922-d6fd-08d5cd0cf71d
X-MS-Exchange-CrossTenant-Network-Message-Id: e7c6e281-80fd-4922-d6fd-08d5cd0cf71d
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Jun 2018 06:56:31.0341 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5PR0801MB1379
Archived-At: <>
Subject: Re: [Ace] How to specify DTLS MTI in COAP-EST
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 Jun 2018 06:56:39 -0000

Here are my thoughts:

·       This group or any other IoT group should not come up with their own algorithm recommendations. Reason: we already have a group working on these recommendations - CFRG

·       There is no need to talk about new algorithms recommendations. Reason: the recommendations have already been made by the CFRG and the TLS 1.3 spec lists them.

·       The pace of switching to new crypto algorithm seems to be much slower in the IoT world (for the discussed reasons). I feel there is very little most of us can do to influence the pace. Reason: very few folks work on implementations of crypto algorithms for IoT devices.


From: Eric Rescorla []
Sent: 07 June 2018 22:21
To: Michael Richardson
Cc: Hannes Tschofenig;
Subject: Re: [Ace] How to specify DTLS MTI in COAP-EST

TBH, I'm not a fan of SHOULD+, etc., and they're pretty alien to TLS, so you should just use words if you want to convey these points.

With that said, I don't really understand the objective here: we're generally moving towards the CFRG curves, so what's the reasoning for the P256 MUST and why do you think that will change.


On Thu, Jun 7, 2018 at 10:41 AM, Michael Richardson <<>> wrote:

Hannes Tschofenig <<>> wrote:
    > why don't you just reference

Ignorance :-)
Thank you, I think that we will reference it then;

Section 4.4 includes:

        At the time of writing, the
        recommended curve is secp256r1, and the use of uncompressed points
        follows the recommendation in CoAP.  Note that standardization for
        Curve25519 (for ECDHE) is ongoing (see [RFC7748]), and support for
        this curve will likely be required in the future.

which is what we want to say anyway.

    > I am not a big fan of making all sorts of different crypto
    > recommendations in our specs that differ slightly.
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]<>        |   ruby on rails    [

Ace mailing list<>

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.