Re: [Ace] draft-selander-ace-eals vs. draft-vanderstok-ace-coap-est
Cigdem Sengul <cigdem.sengul@gmail.com> Thu, 14 September 2017 09:34 UTC
Return-Path: <cigdem.sengul@gmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CD9D13305C for <ace@ietfa.amsl.com>; Thu, 14 Sep 2017 02:34:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sbpDLmuYWHye for <ace@ietfa.amsl.com>; Thu, 14 Sep 2017 02:34:48 -0700 (PDT)
Received: from mail-io0-x22c.google.com (mail-io0-x22c.google.com [IPv6:2607:f8b0:4001:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3643F1331C2 for <Ace@ietf.org>; Thu, 14 Sep 2017 02:34:48 -0700 (PDT)
Received: by mail-io0-x22c.google.com with SMTP id e189so6985156ioa.4 for <Ace@ietf.org>; Thu, 14 Sep 2017 02:34:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=JruOTiwpVDjVBNQe42QJ//HnF+q1TmoXNwKxpGnB7BE=; b=QwzmpjqEWrLl6XBZfZzgxAuMhMmjGfCiSZIImENBm/sZQv+nnjFgEQlJeSkuLA2B1o /9roUyhKHqnyiqqDLtG+j5bPbt79GJn8KsJaLlQJrQuVryKCIiqBZY8SgbAaYWBtDjh2 kzfL/pIWHqIq76T0TuIUNy5gtCvHuOTm9KHmnoNijs2giY+/BaKjwqShl45SOwnln2Em DT8HqpS3moUnyJa1kCcF5i/jaf4CaqxNsfTIM3f1o2JhMX2a8m5DjfqvQhl1436X6H6U 4p+1v/yDCMAsA9lNUAsswGQWpo4ZdjQg3VsnUAG/0tu99nYF2q2A2SGWeNYclWO7yLZd dJ5A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=JruOTiwpVDjVBNQe42QJ//HnF+q1TmoXNwKxpGnB7BE=; b=poNcTrc10uL2nHbU8IAdzNL0ZYdYdD8znr/5ZFiY1ibT8D1eU90kzJSmnMjsoju0CI dslU3Qx8vMr3cn/hK3QDgx3myM5bS6cUcL28LAeTkA9FKJ+k4kkxm7PGEyxQ3y2+Tq9e /nODG41t2ur1CLd3BGlMSRrzxbnHxnyzyD62OGp4kmgRzcUG8QtrInTn+ecpjvUnvgpv JX9ncUHCeRb0oCMeZdIlRlPXVU8fs5TLicN/J5h10XoVd7+hVTNrlcw2Ny8uYfY5opRH IBrJ8bNPdlRAVBcXojpptetR4xcObn/bzFwQpLnimiM1latjXuSLppVLR2IQmq6wAIVN PrXw==
X-Gm-Message-State: AHPjjUhoBOhvCaE+lJ80z8vz4X5a/DNwEoG0R6BP3dT/aC7EqxThqUN3 9ZQ+cQrvqb144VP60Bkoex9TuljfAKMGSE+g27I=
X-Google-Smtp-Source: AOwi7QBTrNTYQotGDog1mF4VX/WTebnlfp6oVP/5ikT6XIOCPSARR7BfVoozVVHxz84tCxVWYJlm/S3U8ArNGWbJCUw=
X-Received: by 10.202.207.132 with SMTP id f126mr22958003oig.272.1505381687330; Thu, 14 Sep 2017 02:34:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.58.68.131 with HTTP; Thu, 14 Sep 2017 02:34:46 -0700 (PDT)
In-Reply-To: <D5DFAADE.87626%goran.selander@ericsson.com>
References: <e5f4cf2f-b394-6466-ea76-7c1a83d1837f@gmx.net> <D5DFAADE.87626%goran.selander@ericsson.com>
From: Cigdem Sengul <cigdem.sengul@gmail.com>
Date: Thu, 14 Sep 2017 10:34:46 +0100
Message-ID: <CAA7SwCPcAo7a1bLDR-7jLd3tXTyGE95KN2R3ZHqzi2Y+5uVq1w@mail.gmail.com>
To: Göran Selander <goran.selander@ericsson.com>
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "Ace@ietf.org" <Ace@ietf.org>
Content-Type: multipart/alternative; boundary="001a1147d7fab98f88055922fc63"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/gngq4L-OLzWOklKQ1My7G3nJ_is>
Subject: Re: [Ace] draft-selander-ace-eals vs. draft-vanderstok-ace-coap-est
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Sep 2017 09:34:51 -0000
Hello, Just wanted to add, as one of the authors of the draft-sengul-ace-mqtt-tls-profile, I can say we would be very happy to discuss what the overlaps with the draft-palombini-ace-coap-pubsub-profile are and how we can progress with that. Of course, MQTT has some fundamental differences as a protocol. This discussion will help our next revision also, which we are working on based on the feedback we received. The new version will include options for better error and disconnection handling, and token updates with MQTT v5. Thanks, --Cigdem On Thu, Sep 14, 2017 at 7:47 AM, Göran Selander <goran.selander@ericsson.com > wrote: > Hi Hannes, > > It is interesting to note that during the last 6 months there seems to be > very little activity to encourage discussion or reviews of the drafts > which actually are in scope of the current ACE charter. For example, what > do people think about the overlaps between the two publish-subscribe > profiles (draft-sengul-kirby-ace-mqtt-tls-profile vs. > draft-palombini-ace-coap-pubsub-profile)? Instead, you as co-chair of ACE > encourage the WG to discuss two drafts about certificate enrolment, a > topic which is not even mentioned in the current charter. > > As co-author of one of the drafts in the subject of this mail I of course > welcome the discussion, but it is important that this thread does not to > distract the ACE WG from working according to its charter on its missed > milestones. > > Now for the topic of comparing the certificate enrolment drafts. > draft-vanderstok-ace-coap-est proposes a very natural and significant > optimization of EST adapted to the established security setup for CoAP, > and I fully support that. There are overlapping authors between the > drafts, so clearly the drafts should not be seen in opposition to each > other. > > My view of the potential contribution with draft-selander-ace-eals (which > is a first sketch we made in the spring, and which I recently stepped in > revision just to keep alive) is twofold: > > 1. It discusses the generalisation of EST to application layer security. > The enrolment procedure in EST is in principle not dependent on what layer > authentication takes place, provided there is security end-to-end between > the endpoint making the enrolment request and the endpoint providing the > certificate. As we know, there are common IoT settings where security on > transport layer does not go end-to-end because of gateways or proxies or > because of change of underlying layers, which is the reason for proposing > this complement on the application layer. As to the actual enrolment > procedure, it may well be the same in both cases of transport layer > security or application layer security. > > 2. In a second independent component (section 3.2), the ACE framework is > applied to authorise and provide keys to the endpoints involved in the > enrolment, after which the very same enrolment procedure can take place. > This shows a more lightweight key establishment than with a key exchange > protocol (such as the DTLS handshake or EDHOC) with fewer and smaller > messages, and less public key operations, all of which are favourable > properties in constrained environments. > > The implicit question posed by draft-selander-ace-eals is the following: > If we are considering one IoT variant of EST > (draft-vanderstok-ace-coap-est) should we also consider other variants > using the same enrolment procedure, which can be applied to a wider range > of IoT use cases and/or which are more favourable in settings with > constrained IoT devices? > > > > Göran > > > > > On 2017-09-13 17:42, "Ace on behalf of Hannes Tschofenig" > <ace-bounces@ietf.org on behalf of hannes.tschofenig@gmx.net> wrote: > > >Hi all, > > > >in previous IETF meetings we had presentations on these two documents > >and it appears that there is an overlap. So far we haven't had a lot of > >discussions on these proposals on the list but since there seems to be > >interest from the folks attending the IETF meetings I am recommending to > >have a discussion about the direction we should go with this work. > > > >Any thoughts? > > > >Ciao > >Hannes > > > >_______________________________________________ > >Ace mailing list > >Ace@ietf.org > >https://www.ietf.org/mailman/listinfo/ace > > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace >
- [Ace] draft-selander-ace-eals vs. draft-vandersto… Hannes Tschofenig
- Re: [Ace] draft-selander-ace-eals vs. draft-vande… Göran Selander
- Re: [Ace] draft-selander-ace-eals vs. draft-vande… Cigdem Sengul
- Re: [Ace] draft-selander-ace-eals vs. draft-vande… peter van der Stok
- Re: [Ace] draft-selander-ace-eals vs. draft-vande… Eliot Lear
- Re: [Ace] draft-selander-ace-eals vs. draft-vande… Panos Kampanakis (pkampana)