Re: [Ace] est-coaps clarification on /att and /crts

Jim Schaad <ietf@augustcellars.com> Wed, 12 December 2018 19:18 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85EBE130F16; Wed, 12 Dec 2018 11:18:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vvMF7n6opDbK; Wed, 12 Dec 2018 11:18:01 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA713130F09; Wed, 12 Dec 2018 11:18:00 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 12 Dec 2018 11:12:51 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Hannes Tschofenig' <Hannes.Tschofenig@arm.com>, "'Panos Kampanakis (pkampana)'" <pkampana@cisco.com>, 'Michael Richardson' <mcr+ietf@sandelman.ca>, <ace@ietf.org>, <anima@ietf.org>
CC: 'Peter van der Stok' <stokcons@bbhmail.nl>, "'Max Pritikin (pritikin)'" <pritikin@cisco.com>
References: <c07a0c0ecb5d48c4aed2595ab8cbef5c@XCH-ALN-010.cisco.com> <3831.1544545763@localhost> <47b9e5cbf7e64fad91a9fc79e83e392c@XCH-ALN-010.cisco.com> <27594.1544566907@localhost> <e5c042393be24304b0275ed07ea6ba2b@XCH-ALN-010.cisco.com> <VI1PR0801MB2112BE91B53B96FEB3C35E80FAA70@VI1PR0801MB2112.eurprd08.prod.outlook.com>
In-Reply-To: <VI1PR0801MB2112BE91B53B96FEB3C35E80FAA70@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Date: Wed, 12 Dec 2018 11:17:49 -0800
Message-ID: <04a101d4924f$610eab50$232c01f0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGPjv7lcqlAiUUAise1VV4kpyPAbQIUVGQwAvmGCYUCY0fpRgJQ0QBzAff7TbOlp7ECMA==
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/bPRddujBexTPxjStbXi0gdsYlIk>
Subject: Re: [Ace] est-coaps clarification on /att and /crts
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Dec 2018 19:18:05 -0000


> -----Original Message-----
> From: Ace <ace-bounces@ietf.org> On Behalf Of Hannes Tschofenig
> Sent: Wednesday, December 12, 2018 8:01 AM
> To: Panos Kampanakis (pkampana) <pkampana@cisco.com>om>; Michael
> Richardson <mcr+ietf@sandelman.ca>ca>; ace@ietf.org; anima@ietf.org
> Cc: Peter van der Stok <stokcons@bbhmail.nl>nl>; Max Pritikin (pritikin)
> <pritikin@cisco.com>
> Subject: Re: [Ace] est-coaps clarification on /att and /crts
> 
> Hi Panos, Hi Michael,
> 
> > We want all our clients to be authenticated by DTLS before they start
loading
> up our RF network.
> > I'm not suggesting that the DTLS be skipped, I'm suggesting that the
client
> certificate presented might be meaningless to the EST server.
> 
> I am curious what security model you have in mind? If you don't do client
> authentication then you are essentially issuing certificates to an
anonymous
> entity. This feels like a very bad idea, particularly since the CA is
supposed to
> assert the identifier of the client via the certificate.
> 
> What am I missing here?

Hannes, 

What you are missing is that the question is not about issuing the
certificate.  That is going to require client authentication.  What is being
looked at is getting the list of trust anchors or the template for a
certificate request based on an anonymous client.

Jim

> 
> Ciao
> Hannes
> 
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
recipient,
> please notify the sender immediately and do not disclose the contents to
any
> other person, use it for any purpose, or store or copy the information in
any
> medium. Thank you.
> 
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace