Re: [Ace] Call for adoption draft-msahni-ace-cmpv2-coap-transport-01

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Mon, 05 October 2020 15:44 UTC

From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Mohit Sahni <mohit06jan@gmail.com>, Ace Wg <ace@ietf.org>
CC: "stripathi@paloaltonetworks.com" <stripathi@paloaltonetworks.com>, "saurabh.tripathi@gmail.com" <saurabh.tripathi@gmail.com>, Mohit Sahni <msahni@paloaltonetworks.com>, "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
Date: Mon, 5 Oct 2020 15:44:03 +0000
Message-ID: <BN7PR11MB254786CF6D99AF95C1EF0089C90C0@BN7PR11MB2547.namprd11.prod.outlook.com>
References: <CAEpwuw09Ud-LBNhAc5591mbB+MpOOaeUKBEKfuRW5oJGCs5qZQ@mail.gmail.com>
In-Reply-To: <CAEpwuw09Ud-LBNhAc5591mbB+MpOOaeUKBEKfuRW5oJGCs5qZQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/kkqD75ACFFBZpmXNWSdl3bvTJnk>

I oppose adoption.

The IETF in the past has come up with SCEP, CMP, CMC and EST, all of them for the most part doing the same thing with minor differences. I don’t think we need two enrollment protocols to run over CoAP. We should not repeat the mistakes of the past.

In ACE we have EST-coaps, which is done. We worked on it because EST was in IEC 62351 and we needed a solution for some CoAP use cases. Since then, EST-coaps has been picked up by Fairhair and Thread.

The argument about L7 protection in CMPv2 could also be satisfied by draft-selander-ace-coap-est-oscore. draft-selander-ace-coap-est-oscore was trying to secure EST over L7-encrypted COSE messages.

Additionally, I would argue that L7 proof-of-identity is not a strong advantage in an (L)RA trust model for both EST-coaps and CMPv2-coaps. What is more, having the CA trust all potential manufacturer roots in order to do L7 proof of identity will not be trivial unless the CA is a private one. And in a private CA and (L)RA scenario, I don’t know that end-to-end proof of identity is that important.

I oppose adoption unless there is a compelling reason why. Also, I am not sure where this draft would be implemented and used. If this is just for one or two vendors, I don’t think ACE needs to spend the cycles.

Thanks,

Panos

From: Ace <ace-bounces@ietf.org> On Behalf Of Mohit Sahni
Sent: Monday, October 05, 2020 3:21 AM
To: Ace Wg <ace@ietf.org>
Cc: stripathi@paloaltonetworks.com; saurabh.tripathi@gmail.com; Mohit Sahni <msahni@paloaltonetworks.com>; Brockhaus, Hendrik <hendrik.brockhaus@siemens.com>
Subject: [Ace] Call for adoption draft-msahni-ace-cmpv2-coap-transport-01

Hello Ace WG,

I am presenting the draft-msahni-ace-cmpv2-coap-transport-01 to be adopted by the ACE WG. This document supplements the "Lightweight CMP Profile" draft (https://tools.ietf.org/html/draft-brockhaus-lamps-lightweight-cmp-profile-03), which specifies the modifications to the CMPv2 protocol for it to be used efficiently by constrained devices for PKI operations.

I discussed this draft in the IETF-108 ACE session and the need to recharter the ACE WG in order to adopt this draft, to which we had a consensus. Please state your opinion on whether this draft should be adopted by the ACE WG.

Link to the draft: https://datatracker.ietf.org/doc/draft-msahni-ace-cmpv2-coap-transport/

Regards,

Mohit Sahni