Re: [Ace] Embedded Content Types

Jim Schaad <> Fri, 22 February 2019 03:55 UTC

From: Jim Schaad <>
To: "'Panos Kampanakis (pkampana)'" <>, 'Carsten Bormann' <>
CC: 'ace' <>, 'Klaus Hartke' <>
References: <02a201d4c945$eb10a510$c131ef30$> <> <> <> <032f01d4ca2f$ff19c6a0$fd4d53e0$> <> <033201d4ca35$23f58f40$6be0adc0$> <> <033301d4ca3e$14130180$3c390480$> <>
In-Reply-To: <>
Date: Thu, 21 Feb 2019 19:55:08 -0800
Message-ID: <034001d4ca62$691b7580$3b526080$>


Someplace you are not understanding what I am saying.  

> -----Original Message-----
> From: Panos Kampanakis (pkampana) <>
> Sent: Thursday, February 21, 2019 7:21 PM
> To: Jim Schaad <>; 'Carsten Bormann' <>
> Cc: 'ace' <>; 'Klaus Hartke' <>
> Subject: RE: [Ace] Embedded Content Types
> That comes with a set of problems. A simplification needs to take place. It is
> probably better to just mandate one content-type for cert to get away
> without complicated combined content types. We don't need to support
> TBD287 and 281 in the embedded responses. It makes more sense to not do
> so.
> As for why, there are three reasons I can think of:
> 1) Two separate URIs means we are adding state tracking for the CA. The CA
> now needs to support
> - EST that says "give me the key and a cert all at once and then forget about
> it".
> - EST-coaps that says "give me a key. Remember this key/cert pair and serve
> the certificate until I decide to come back and get it". Now imagine I have
> 10000 endpoints enrolling. The server keeps state for all of them and
> cannot forget them until he gets the equivalent requests. And then, what
> happens if a cert is lost on the way back? The CA is supposed to remember
> the key / cert for some time. There is a DoS vector right there.

I don't see this as occurring because that is not what I am suggesting.  In my world view there is no difference between doing the following:

POST /est/skg/XXX
POST /est/skg?ct=XXX

In both cases the client posts the CSR to the CA and returns a multipart response.  The response contains the private key and the certificate.  I would say that the difference between /est/skg and /est/skgXXX is that the first returns the certificate as a PKCS#2 and the second returns it as a bare certificate.  In both cases how one wraps the key (encrypted or not) is going to be based on either an attribute in the CSR or a decision on the part of the CA.  (It could be either encrypt w/ the key just given or don't issue certificate because you did not give me the needed attribute.)

If the CA does not need to spend a long time doing the processing of the certificate creation, then there is no need for a cache.  Using this method means that an RA which is using a current CA would send the post to the normal location on the CA and then convert the certificate from a PKCS#7 to a plain certificate for the second URI, just like what you are probably thinking for the query parameter.

By the way - you still have this same potential DOS for the case of manual intervention where the CA needs to keep the approval of the CSR around and match it against the request the second time it comes in when you say - ask me again later.  The expectation is that there would be a "limited" number of requests kept or for a limited amount of time.

> 2) One more challenge with two URIs is that the client needs to somehow
> signal in the 2nd request to the server to tell him what key/cert he is
> expecting to get, so there is one more new thing the client now needs to do.

No, the client does not need to do this because the multipart always returns a single answer.

> 3) Additionally, it sounds like we are doomed with the discovery. The server
> cannot tell the client what embedded types he supports, thus the client will
> just try asking different combinations until he gets a response.

That is the reason for doing the second URI.  The second URI can be identified by name and thus the client can know which combination is going to work.


> That is why I think two URIs are a bad idea. A query type may be OK, but I can
> see Carsten and Klaus' point. We can just keep one cert content type in the
> multipart, that simplifies it.
> Rgs,
> Panos
> -----Original Message-----
> From: Jim Schaad <>
> Sent: Thursday, February 21, 2019 6:35 PM
> To: 'Carsten Bormann' <>
> Cc: Panos Kampanakis (pkampana) <>; 'ace'
> <>; 'Klaus Hartke' <>; draft-ietf-ace-
> Subject: RE: [Ace] Embedded Content Types
> It is true that the query parameters are part of the type.  However, the use
> of two different URIs allows for the discovery to figure out if both versions
> are supported rather than having either a failure occur because the query
> parameter is not supported or getting the wrong answer back because it is
> not looked for.
> Jim
> > -----Original Message-----
> > From: Carsten Bormann <>
> > Sent: Thursday, February 21, 2019 2:52 PM
> > To: Jim Schaad <>
> > Cc: Panos Kampanakis (pkampana) <>; ace
> > <>; Klaus Hartke <>;
> > draft-ietf-ace-coap-
> > Subject: Re: [Ace] Embedded Content Types
> >
> > On Feb 21, 2019, at 23:31, Jim Schaad <> wrote:
> > >
> > > I am thinking of two different URLs, that is not do the difference
> > > by a query
> > parameter but by changing the URI.
> >
> > Note that the query parameters are part of the URI, so fundamentally
> > there is no difference between putting the info there or in the path
> > part of the URI.
> >
> > The path part can be slightly more concise.  We are more used to
> > “computing” the query part.  I don’t have a strong preference.
> >
> > But in either case it is good if discovery can find the URI being
> > offered (including its query parameters, if those are used).
> >
> > (And I agree that the “ct” target attribute really is for the top
> > level media type; of course we could invent a new target attribute
> > “ect” for embedded content formats [and fight against autocorrection
> > for the rest of our lives :-)].)
> >
> > Grüße, Carsten
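The exchange above turns on what a single POST of the CSR gets back: one application/multipart-core body carrying the private key and the certificate, with the certificate's content format fixed by which URI was posted to, so that a client never has to guess whether it received a PKCS#7 wrapper or a bare certificate. The following is an added example written for this thread, not EST-coaps or any implementation's code. It encodes and strictly decodes a multipart-core body (RFC 8710: a CBOR array alternating content-format integer and byte string, or null when a part is absent), builds the server's key-plus-certificate response, and on the client side rejects a response whose embedded content format does not match what the chosen URI promises. The content-format numbers 281 and 287 appear in the thread; 282 for application/pkcs8 is the value later registered for EST-coaps and is assumed here. The key and certificate bytes are constructed filler, not real key material.

```python
"""Encode/validate an application/multipart-core (RFC 8710) body as used by an
EST-coaps server-side key generation (skg) response: [key-ct, key, cert-ct, cert].
Illustration code written for the mailing-list discussion, not project code."""

CT_PKCS7_CERTS_ONLY = 281   # application/pkcs7-mime; smime-type=certs-only (in thread)
CT_PKCS8 = 282              # application/pkcs8 private key (assumed value)
CT_PKIX_CERT = 287          # application/pkix-cert, bare DER certificate (in thread)
CBOR_NULL = b"\xf6"         # CBOR simple value null: "this part is absent"


def _head(major, n):
    """CBOR initial byte plus argument for a major type (uint, bstr, array)."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    if n < 0x100000000:
        return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")
    raise ValueError("argument too large")


def encode_multipart(parts):
    """parts: list of (content_format, bytes or None) -> multipart-core bytes."""
    out = _head(4, 2 * len(parts))                     # even-length CBOR array
    for ct, body in parts:
        out += _head(0, ct)                            # content format as uint
        out += CBOR_NULL if body is None else _head(2, len(body)) + body
    return out


def _read_head(data, pos):
    """Return (major, argument, next_pos) for the CBOR item starting at pos."""
    if pos >= len(data):
        raise ValueError("truncated")
    ib = data[pos]
    major, info, pos = ib >> 5, ib & 0x1F, pos + 1
    if info < 24:
        return major, info, pos
    width = {24: 1, 25: 2, 26: 4}.get(info)
    if width is None or pos + width > len(data):
        raise ValueError("unsupported or truncated CBOR argument")
    return major, int.from_bytes(data[pos:pos + width], "big"), pos + width


def decode_multipart(data):
    """Strictly parse a multipart-core body into [(content_format, bytes|None)]."""
    major, count, pos = _read_head(data, 0)
    if major != 4 or count % 2:
        raise ValueError("multipart-core must be an even-length CBOR array")
    parts = []
    for _ in range(count // 2):
        major, ct, pos = _read_head(data, pos)
        if major != 0:
            raise ValueError("content-format must be an unsigned integer")
        if data[pos:pos + 1] == CBOR_NULL:             # absent representation
            body, pos = None, pos + 1
        else:
            major, n, pos = _read_head(data, pos)
            if major != 2 or pos + n > len(data):
                raise ValueError("representation must be a complete byte string")
            body, pos = data[pos:pos + n], pos + n
        parts.append((ct, body))
    if pos != len(data):
        raise ValueError("trailing bytes after multipart-core array")
    return parts


def build_skg_response(key_der, cert_der, cert_ct):
    """Server side: one CSR POST yields key and certificate in one multipart;
    cert_ct is fixed by the URI that was posted to (281 or 287)."""
    return encode_multipart([(CT_PKCS8, key_der), (cert_ct, cert_der)])


def check_skg_response(body, expected_cert_ct):
    """Client side: accept only if the embedded content formats match what the
    chosen URI promises, so a mismatched answer is rejected rather than parsed
    as the wrong kind of object.  Returns (key_der, cert_der)."""
    parts = decode_multipart(body)
    if len(parts) != 2:
        raise ValueError("skg response must carry exactly key and certificate")
    (key_ct, key), (cert_ct, cert) = parts
    if key_ct != CT_PKCS8 or key is None:
        raise ValueError("first part is not a PKCS#8 private key")
    if cert_ct != expected_cert_ct or cert is None:
        raise ValueError(f"certificate content-format {cert_ct} != expected {expected_cert_ct}")
    return key, cert


# Constructed filler payloads shaped like DER SEQUENCEs; not real key or cert material.
SAMPLE_KEY = b"\x30\x2e\x02\x01\x00" + b"K" * 41
SAMPLE_CERT = b"\x30\x82\x01\x00" + b"C" * 256

if __name__ == "__main__":
    body = build_skg_response(SAMPLE_KEY, SAMPLE_CERT, CT_PKIX_CERT)
    key, cert = check_skg_response(body, CT_PKIX_CERT)
    print(len(body), key == SAMPLE_KEY, cert == SAMPLE_CERT)
    try:
        check_skg_response(body, CT_PKCS7_CERTS_ONLY)   # asked the other URI's format
    except ValueError as exc:
        print("rejected:", exc)
```

Because the parser refuses odd-length arrays, non-integer content formats, truncated byte strings and trailing data, a client that pairs each URI with one expected certificate format gets a hard failure on a mismatch instead of silently feeding a PKCS#7 blob to a bare-certificate parser, which is the "wrong answer back because it is not looked for" case raised earlier in the thread.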