Re: [Ace] 4. Security modes (Re: Open Issues)
Ludwig Seitz <ludwig@sics.se> Mon, 20 January 2014 15:09 UTC
Return-Path: <ludwig@sics.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7C301A0173 for <ace@ietfa.amsl.com>; Mon, 20 Jan 2014 07:09:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.615
X-Spam-Level:
X-Spam-Status: No, score=0.615 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_SE=0.35, RP_MATCHES_RCVD=-0.535] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CSxQCUoU0FAC for <ace@ietfa.amsl.com>; Mon, 20 Jan 2014 07:09:06 -0800 (PST)
Received: from fsmsg2.sics.se (fsmsg2.sics.se [IPv6:2001:6b0:3a:1:250:56ff:fea9:52ad]) by ietfa.amsl.com (Postfix) with ESMTP id 50A881A0171 for <ace@ietf.org>; Mon, 20 Jan 2014 07:09:06 -0800 (PST)
Received: from pps.filterd (fsmsg2 [127.0.0.1]) by fsmsg2.sics.se (8.14.5/8.14.5) with SMTP id s0KF5g4S020335 for <ace@ietf.org>; Mon, 20 Jan 2014 16:09:05 +0100
Received: from letter.sics.se (letter.sics.se [193.10.64.6]) by fsmsg2.sics.se with ESMTP id 1hh3320e7a-1 for <ace@ietf.org>; Mon, 20 Jan 2014 16:09:04 +0100
Received: from [10.101.1.17] (sjombord-3.ictservices.se [188.121.67.51]) (Authenticated sender: ludwig@sics.se) by letter.sics.se (Postfix) with ESMTPSA id 72D9640119 for <ace@ietf.org>; Mon, 20 Jan 2014 16:09:04 +0100 (CET)
Message-ID: <52DD3C0F.1030506@sics.se>
Date: Mon, 20 Jan 2014 16:09:03 +0100
From: Ludwig Seitz <ludwig@sics.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: ace@ietf.org
References: <52D7FA4C.701@tzi.de> <52D7FF29.70103@sics.se> <52D80D48.3090805@tzi.de> <ED142857-F784-4292-8DBB-AF09BE9E0F32@tzi.org>
In-Reply-To: <ED142857-F784-4292-8DBB-AF09BE9E0F32@tzi.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms000801020406020109040000"
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-01-20_01:2014-01-20, 2014-01-20, 1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=1 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1401200080
Subject: Re: [Ace] 4. Security modes (Re: Open Issues)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jan 2014 15:09:11 -0000
On 01/17/2014 09:48 AM, Carsten Bormann wrote: > On 16 Jan 2014, at 17:48, Stefanie Gerdes <gerdes@tzi.de> wrote: > >>>> 4. Security modes for CoAP >>>> (http://www.ietf.org/mail-archive/web/ace/current/msg00104.html). Is it >>>> in the scope of ACE to define security modes for CoAP? >>> >>> I'm obviously biased here, since it's the title of my draft. My main >>> argument for including this is that the security modes are the first >>> authorization step. What you do is to authorize the client to establish >>> a DTLS connection in the first place. >>> >> >> I think it is interesting to think about the various possible solutions >> for authenticating the authorization information such as symmetric and >> asymmetric key approaches or even object security. I am not sure, >> however, if we need new security modes for CoAP for that. Don't we just >> need to define how we use the existing ones? > > I think that’s mostly a matter of “semantics” (understanding of terms). > > Some people read the section 9 about security modes in the CoAP spec and > derive a very literal understanding of what these security modes are. > Some others read them as building blocks. The first group would think > they are defining new security modes when the second group thinks they > are applying the existing security modes in scenarios that are more > complex than those used to explain the modes in the spec. >[...] draft-seitz-core-security-modes adds some ways to use them and > calls them additional CoAP modes. This terminology may confuse some > who think we are extending TLS with fundamentally new cipher suites. > It may also be more useful to define the entire authorization protocol > instead of just the “CoAP mode” aspect of it. Carsten, I am fine renaming the draft to something like "usage profile for CoAP security modes" if you think that can help to avoid confusion. The bigger question is: Is this work that people consider useful within ACE (I'm obviously biased here)? I'm also all in favour of defining the entire authorization protocol, but the question is: do we want to cram everything into one draft? The advantage I see with having draft-seitz-core-security-modes separate is that it allows you to implement a very coarse grain access control (at the level of "who can initiate a DTLS connection with this device?"). I suspect this would be enough for a relevant number of applications, that don't need to implement more sophisticated access control. /Ludwig -- Ludwig Seitz, PhD SICS Swedish ICT AB Ideon Science Park Building Beta 2 Scheelevägen 17 SE-223 70 Lund Phone +46(0)70-349 92 51 http://www.sics.se
- [Ace] Open Issues Stefanie Gerdes
- Re: [Ace] Open Issues Ludwig Seitz
- Re: [Ace] Open Issues Corinna Schmitt
- Re: [Ace] Open Issues Göran Selander
- Re: [Ace] Open Issues Stefanie Gerdes
- Re: [Ace] Open Issues Bert Greevenbosch
- Re: [Ace] Open Issues Göran Selander
- Re: [Ace] Open Issues Ludwig Seitz
- [Ace] 4. Security modes (Re: Open Issues) Carsten Bormann
- Re: [Ace] 4. Security modes (Re: Open Issues) Ludwig Seitz
- Re: [Ace] Open Issues Likepeng