Re: [Ace] Embedded Content Types

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Fri, 22 February 2019 04:09 UTC

Return-Path: <pkampana@cisco.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6004130E25 for <ace@ietfa.amsl.com>; Thu, 21 Feb 2019 20:09:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.502
X-Spam-Level:
X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xKwB6JegkLsc for <ace@ietfa.amsl.com>; Thu, 21 Feb 2019 20:09:44 -0800 (PST)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B035D1286D8 for <ace@ietf.org>; Thu, 21 Feb 2019 20:09:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8938; q=dns/txt; s=iport; t=1550808584; x=1552018184; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=dSCbru/GaWNAoHuEWyREQcFm6O4/JnuboGsp5IMCKYc=; b=ZoA1D8Kk/JN1658Qy3nKXNXNPlmEnagcpGhO27r+f7AcdL0jQ52QLEv+ mI9hXYAZzQSwsCF0d5KWzseaUQimPsFzBreBYOZL+quo/a/8/CWLnFWjU ycfmRPqkt+NubvYzajGKHExHiAWobRcokBkY5sa3mWxA1aKQfzxsgJh0p s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AHAADRdG9c/4cNJK1lGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAQGBUwIBAQEBAQsBgVQvgWonCoN9lX58gkmUWYF7CwEBhGw?= =?us-ascii?q?CF4NjIjYHDQEDAQECAQECbSiFSgEBAQECASMRRQwEAgEGAg4DBAEBAQICJgI?= =?us-ascii?q?CAjAVCAgCBAENBQiFAwiQKJthgS+KM4ELix8BHReBQD+BEYJdNYRaES2CcoJ?= =?us-ascii?q?XApBOkwUJApJUIYFxkRqKSYEQkHcCERSBKCYHKoFWcBWDJ4IoF44eQTGNPoE?= =?us-ascii?q?ugR8BAQ?=
X-IronPort-AV: E=Sophos;i="5.58,398,1544486400"; d="scan'208";a="239708613"
Received: from alln-core-2.cisco.com ([173.36.13.135]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 22 Feb 2019 04:09:43 +0000
Received: from XCH-ALN-006.cisco.com (xch-aln-006.cisco.com [173.36.7.16]) by alln-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id x1M49hkn015133 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 22 Feb 2019 04:09:43 GMT
Received: from xch-aln-010.cisco.com (173.36.7.20) by XCH-ALN-006.cisco.com (173.36.7.16) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 21 Feb 2019 22:09:42 -0600
Received: from xch-aln-010.cisco.com ([173.36.7.20]) by XCH-ALN-010.cisco.com ([173.36.7.20]) with mapi id 15.00.1395.000; Thu, 21 Feb 2019 22:09:42 -0600
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Jim Schaad <ietf@augustcellars.com>, "'Carsten Bormann'" <cabo@tzi.org>
CC: "'ace'" <ace@ietf.org>, "'Klaus Hartke'" <hartke@projectcool.de>
Thread-Topic: [Ace] Embedded Content Types
Thread-Index: AdTJQwabXPaUkoDzRkqcz/D5vJfkVwAH1C+AABSNAYAACQoogAAiZMuAAAwKIdD//6n5gIAABfcAgAAL6ICAACd+QIAAIS0AgABhhmA=
Date: Fri, 22 Feb 2019 04:09:42 +0000
Message-ID: <fbd29dc440954e70abd0635122b4fa63@XCH-ALN-010.cisco.com>
References: <02a201d4c945$eb10a510$c131ef30$@augustcellars.com> <17e617f1090e451c8b17f6550c2e213a@XCH-ALN-010.cisco.com> <CCD28BCC-16AA-492B-8E14-DAE9F2CF2E3C@tzi.org> <38fa1ec646974a329c286279b3fa9ff0@XCH-ALN-010.cisco.com> <032f01d4ca2f$ff19c6a0$fd4d53e0$@augustcellars.com> <b4bb6e5f3c7c47ffa040389f000f027f@XCH-ALN-010.cisco.com> <033201d4ca35$23f58f40$6be0adc0$@augustcellars.com> <6F0FAFC5-947C-4B8E-B83F-82D68750A80A@tzi.org> <033301d4ca3e$14130180$3c390480$@augustcellars.com> <3c160f55d99d43368a319c041d6eadc8@XCH-ALN-010.cisco.com> <034001d4ca62$691b7580$3b526080$@augustcellars.com>
In-Reply-To: <034001d4ca62$691b7580$3b526080$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.82.243.182]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Outbound-SMTP-Client: 173.36.7.16, xch-aln-006.cisco.com
X-Outbound-Node: alln-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Y1zr2hrJYDckW7uXRy1g4tRdetg>
Subject: Re: [Ace] Embedded Content Types
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Feb 2019 04:09:47 -0000

OK, I was clearly misunderstanding what you were proposing. 
I can see that second URI working fine without affecting existing systems. Will update the draft. 


-----Original Message-----
From: Jim Schaad <ietf@augustcellars.com>; 
Sent: Thursday, February 21, 2019 10:55 PM
To: Panos Kampanakis (pkampana) <pkampana@cisco.com>;; 'Carsten Bormann' <cabo@tzi.org>;
Cc: 'ace' <ace@ietf.org>;; 'Klaus Hartke' <hartke@projectcool.de>;
Subject: RE: [Ace] Embedded Content Types

Panos,

Someplace you are not understanding what I am saying.  


> -----Original Message-----
> From: Panos Kampanakis (pkampana) <pkampana@cisco.com>;
> Sent: Thursday, February 21, 2019 7:21 PM
> To: Jim Schaad <ietf@augustcellars.com>;; 'Carsten Bormann' 
> <cabo@tzi.org>;
> Cc: 'ace' <ace@ietf.org>;; 'Klaus Hartke' <hartke@projectcool.de>;
> Subject: RE: [Ace] Embedded Content Types
> 
> 
> That comes with a set of problems. A simplification needs to take 
> place. It is probably better to just mandate one content-type for cert 
> to get away without complicated combined content types. We don't need 
> to support
> TBD287 and 281 in the embedded responses. It makes more sense to not 
> do so.
> 
> As for why, there are a three reasons I can think of:
> 1) Two separate URIs means we are adding state tracking for the CA. 
> The CA now needs to support
> - EST that says "give me the key and a cert all at once and then 
> forget about it".
> - EST-coaps that says "give me a key. Remember this key/cert pair and 
> serve the certificate until I decide to come back and get it". Now 
> imagine I have
> 10000 of endpoints enrolling. The server keeps state for all of them 
> and cannot forget them until he gets the equivalent requests. And 
> then, what happens if a cert is lost on the way back? The CA is 
> supposed to remember the key / cert for some time. There is a DoS vector right there.

I don't see this as occurring because that is not what I am suggestion.  In my world view there is no difference between doing the following:

POST /est/skg/XXX
POST /est/skg?ct=XXX

In both cases the client posts the CSR to the CA and returns a multipart response.  The response contains the private key and the certificate.  I would say that the difference between /est/skg and /est/skgXXX is that the first returns the certificate as a PKCS#2 and the second returns it as a bare certificate.  In both cases how one wraps the key (encrypted or not) is going to be based on either an attribute in the CSR or a decision on the part of the CA.  (It could be either encrypt w/ the key just given or don't issue certificate because you did not give me the needed attribute.)

If the CA does not need to spend a long time doing the processing of the certificate creation, then there is no need for a cache.  Using this method means that an RA which is using a current CA would send the post to the normal location on the CA and then convert the certificate to from a PKCS#7 to a plain certificate for the second URI, just like what you are probably thinking for the query parameter.  

By the way - you still have this same potential DOS for the case of manual intervention where the CA needs to keep the approval of the CSR around and match it against the request the second time it comes in when you say - ask me again later.  The expectation is that there would be a "limited" number of requests kept or for a limited amount of time.

> 
> 2) One more challenge with two URIs is that the client needs to 
> somehow signal in the 2nd request to the server to tell him what 
> key/cert he is expecting to get, so there is one more new thing the client now needs to do.

No, the client does not need to do this because the multipart always returns a single answer.

> 
> 3) Additionally, it sounds like we are doomed with the discovery. The 
> server cannot tell the client what embedded types he supports, thus 
> the client will just try asking different combinations until he gets a response.

That is the reason for doing the second URI.  The second URI can be identified by name and thus the client can know which combination is going to work.

Jim


> 
> That is why I think two URIs are a bad idea. A query type may be OK, 
> but I can see Carsten and Klaus' point. We can just keep one cert 
> content type in the multipart, that simplifies it.
> 
> Rgs,
> Panos
> 
> -----Original Message-----
> From: Jim Schaad <ietf@augustcellars.com>;
> Sent: Thursday, February 21, 2019 6:35 PM
> To: 'Carsten Bormann' <cabo@tzi.org>;
> Cc: Panos Kampanakis (pkampana) <pkampana@cisco.com>;; 'ace'
> <ace@ietf.org>;; 'Klaus Hartke' <hartke@projectcool.de>;; 
> draft-ietf-ace- coap-est@ietf.org
> Subject: RE: [Ace] Embedded Content Types
> 
> It is true that the query parameters are part of the type.  However, 
> the use of two different URIs allows for the discovery to figure out 
> if both versions are supported rather than having either a failure 
> occur because the query parameter is not supported or getting the 
> wrong answer back because it is not looked for.
> 
> Jim
> 
> 
> > -----Original Message-----
> > From: Carsten Bormann <cabo@tzi.org>;
> > Sent: Thursday, February 21, 2019 2:52 PM
> > To: Jim Schaad <ietf@augustcellars.com>;
> > Cc: Panos Kampanakis (pkampana) <pkampana@cisco.com>;; ace 
> > <ace@ietf.org>;; Klaus Hartke <hartke@projectcool.de>;;
> > draft-ietf-ace-coap- est@ietf.org
> > Subject: Re: [Ace] Embedded Content Types
> >
> > On Feb 21, 2019, at 23:31, Jim Schaad <ietf@augustcellars.com>; wrote:
> > >
> > > I am thinking of two different URLs, that is not do the difference 
> > > by a query
> > parameter but by changing the URI.
> >
> > Note that the query parameters are part of the URI, so fundamentally 
> > there is no difference between putting the info there or in the path 
> > part of the URI.
> >
> > The path part can be slightly more concise.  We are more used to 
> > “computing” the query part.  I don’t have a strong preference.
> >
> > But in either case it is good if discovery can find the URI being 
> > offered (including its query parameters, if those are used).
> >
> > (And I agree that the “ct” target attribute really is for the top 
> > level media type; of course we could invent a new target attribute 
> > “ect” for embedded content formats [and fight against autocorrection 
> > for the rest of our lives :-
> > )].)
> >
> > Grüße, Carsten
>