Re: [Ace] est-coaps clarification on /att and /crts
Jim Schaad <ietf@augustcellars.com> Wed, 12 December 2018 19:18 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85EBE130F16; Wed, 12 Dec 2018 11:18:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vvMF7n6opDbK; Wed, 12 Dec 2018 11:18:01 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA713130F09; Wed, 12 Dec 2018 11:18:00 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 12 Dec 2018 11:12:51 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Hannes Tschofenig' <Hannes.Tschofenig@arm.com>, "'Panos Kampanakis (pkampana)'" <pkampana@cisco.com>, 'Michael Richardson' <mcr+ietf@sandelman.ca>, ace@ietf.org, anima@ietf.org
CC: 'Peter van der Stok' <stokcons@bbhmail.nl>, "'Max Pritikin (pritikin)'" <pritikin@cisco.com>
References: <c07a0c0ecb5d48c4aed2595ab8cbef5c@XCH-ALN-010.cisco.com> <3831.1544545763@localhost> <47b9e5cbf7e64fad91a9fc79e83e392c@XCH-ALN-010.cisco.com> <27594.1544566907@localhost> <e5c042393be24304b0275ed07ea6ba2b@XCH-ALN-010.cisco.com> <VI1PR0801MB2112BE91B53B96FEB3C35E80FAA70@VI1PR0801MB2112.eurprd08.prod.outlook.com>
In-Reply-To: <VI1PR0801MB2112BE91B53B96FEB3C35E80FAA70@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Date: Wed, 12 Dec 2018 11:17:49 -0800
Message-ID: <04a101d4924f$610eab50$232c01f0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGPjv7lcqlAiUUAise1VV4kpyPAbQIUVGQwAvmGCYUCY0fpRgJQ0QBzAff7TbOlp7ECMA==
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/bPRddujBexTPxjStbXi0gdsYlIk>
Subject: Re: [Ace] est-coaps clarification on /att and /crts
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Dec 2018 19:18:05 -0000
> -----Original Message----- > From: Ace <ace-bounces@ietf.org> On Behalf Of Hannes Tschofenig > Sent: Wednesday, December 12, 2018 8:01 AM > To: Panos Kampanakis (pkampana) <pkampana@cisco.com>; Michael > Richardson <mcr+ietf@sandelman.ca>; ace@ietf.org; anima@ietf.org > Cc: Peter van der Stok <stokcons@bbhmail.nl>; Max Pritikin (pritikin) > <pritikin@cisco.com> > Subject: Re: [Ace] est-coaps clarification on /att and /crts > > Hi Panos, Hi Michael, > > > We want all our clients to be authenticated by DTLS before they start loading > up our RF network. > > I'm not suggesting that the DTLS be skipped, I'm suggesting that the client > certificate presented might be meaningless to the EST server. > > I am curious what security model you have in mind? If you don't do client > authentication then you are essentially issuing certificates to an anonymous > entity. This feels like a very bad idea, particularly since the CA is supposed to > assert the identifier of the client via the certificate. > > What am I missing here? Hannes, What you are missing is that the question is not about issuing the certificate. That is going to require client authentication. What is being looked at is getting the list of trust anchors or the template for a certificate request based on an anonymous client. Jim > > Ciao > Hannes > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended recipient, > please notify the sender immediately and do not disclose the contents to any > other person, use it for any purpose, or store or copy the information in any > medium. Thank you. > > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace
- [Ace] est-coaps clarification on /att and /crts Michael Richardson
- Re: [Ace] est-coaps clarification on /att and /cr… Jim Schaad
- Re: [Ace] est-coaps clarification on /att and /cr… Panos Kampanakis (pkampana)
- Re: [Ace] est-coaps clarification on /att and /cr… Michael Richardson
- Re: [Ace] est-coaps clarification on /att and /cr… Michael Richardson
- Re: [Ace] est-coaps clarification on /att and /cr… Max Pritikin (pritikin)
- Re: [Ace] est-coaps clarification on /att and /cr… Panos Kampanakis (pkampana)
- Re: [Ace] est-coaps clarification on /att and /cr… Hannes Tschofenig
- Re: [Ace] est-coaps clarification on /att and /cr… Panos Kampanakis (pkampana)
- Re: [Ace] est-coaps clarification on /att and /cr… Jim Schaad
- Re: [Ace] est-coaps clarification on /att and /cr… Michael Richardson
- Re: [Ace] [Anima] est-coaps clarification on /att… Michael Richardson
- Re: [Ace] est-coaps clarification on /att and /cr… Michael Richardson