Re: [Ace] est-coaps clarification on /att and /crts

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Wed, 12 December 2018 16:01 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "ace@ietf.org" <ace@ietf.org>, "anima@ietf.org" <anima@ietf.org>
CC: Peter van der Stok <stokcons@bbhmail.nl>, "Max Pritikin (pritikin)" <pritikin@cisco.com>
Date: Wed, 12 Dec 2018 16:01:12 +0000
Message-ID: <VI1PR0801MB2112BE91B53B96FEB3C35E80FAA70@VI1PR0801MB2112.eurprd08.prod.outlook.com>
References: <c07a0c0ecb5d48c4aed2595ab8cbef5c@XCH-ALN-010.cisco.com> <3831.1544545763@localhost> <47b9e5cbf7e64fad91a9fc79e83e392c@XCH-ALN-010.cisco.com> <27594.1544566907@localhost> <e5c042393be24304b0275ed07ea6ba2b@XCH-ALN-010.cisco.com>
In-Reply-To: <e5c042393be24304b0275ed07ea6ba2b@XCH-ALN-010.cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/ywwC3GtYZBKNuNRroUF0yJYqc04>
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>

Hi Panos, Hi Michael,

> We want all our clients to be authenticated by DTLS before they start loading up our RF network.
> I'm not suggesting that the DTLS be skipped, I'm suggesting that the client certificate presented might be meaningless to the EST server.

I am curious what security model you have in mind. If you don't do client authentication, then you are essentially issuing certificates to an anonymous entity. This feels like a very bad idea, particularly since the CA is supposed to assert the identifier of the client via the certificate.

What am I missing here?

Ciao
Hannes

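The concern raised in the message above (a CA should only certify an identity it has actually authenticated) can be expressed as an enrollment-policy check in front of the EST-coaps resources. The following is an added example written for this archive page; it is not code from the thread participants or from any EST implementation. The classes `DtlsSession`, `EstRequest`, `Decision` and the function `authorize` are hypothetical, the sample subjects are constructed, and treating `/est/crts` and `/est/att` as public resources is a policy choice made for the example, not something the thread settles. The CoAP response codes (2.04, 2.05, 4.00, 4.01, 4.03, 4.04) are standard CoAP codes used here to illustrate the policy outcome.

```python
"""Enrollment policy for an EST-over-CoAPS server (hypothetical example).

The rule being modelled: an enrollment request that arrives over a DTLS
session without an authenticated client has no verified identity behind it,
so the CA must not act on it, and even an authenticated client may only be
certified under an identity it is entitled to, not whatever its CSR asks for.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class DtlsSession:
    """What the server knows about the peer once the DTLS handshake is done."""
    # Subject of the client certificate validated in the handshake, or None
    # when the handshake completed without client authentication.
    authenticated_subject: Optional[str] = None
    # True when that certificate chains to a CA the EST server accepts for
    # enrollment (e.g. a manufacturer CA, or this CA itself for re-enrollment).
    chain_trusted: bool = False


@dataclass(frozen=True)
class EstRequest:
    path: str                          # EST-coaps resource, e.g. "/est/sen"
    csr_subject: Optional[str] = None  # subject requested in the PKCS#10 body


@dataclass(frozen=True)
class Decision:
    code: str                          # CoAP response code
    reason: str
    issued_subject: Optional[str] = None


# Policy choice for this example: these resources return public information
# (CA certificates, CSR attributes) and may be served without client auth.
PUBLIC_RESOURCES: FrozenSet[str] = frozenset({"/est/crts", "/est/att"})
# Resources that result in a certificate being issued.
ENROLL_RESOURCES: FrozenSet[str] = frozenset({"/est/sen", "/est/sren"})


def authorize(session: DtlsSession, req: EstRequest,
              entitlements: Optional[Dict[str, FrozenSet[str]]] = None) -> Decision:
    """Decide whether the server should act on an EST-coaps request.

    `entitlements` maps an authenticated subject to the set of subjects it may
    obtain a certificate for. When it has no entry for the peer, the peer may
    only be certified under the identity it authenticated with.
    """
    if req.path in PUBLIC_RESOURCES:
        return Decision("2.05", "public resource served")
    if req.path not in ENROLL_RESOURCES:
        return Decision("4.04", "unknown EST resource")
    # No authenticated client: issuing here would certify an anonymous entity.
    if session.authenticated_subject is None:
        return Decision("4.01", "DTLS session has no authenticated client; "
                                "refusing to certify an anonymous entity")
    if not session.chain_trusted:
        return Decision("4.01", "client certificate does not chain to a CA "
                                "accepted for enrollment")
    if req.csr_subject is None:
        return Decision("4.00", "enrollment request carries no CSR subject")
    # The CA asserts an identity it verified, not whatever the CSR asks for.
    allowed = (entitlements or {}).get(session.authenticated_subject,
                                       frozenset({session.authenticated_subject}))
    if req.csr_subject not in allowed:
        return Decision("4.03", f"CSR subject {req.csr_subject!r} is not one the "
                                f"authenticated peer {session.authenticated_subject!r} "
                                f"may obtain")
    return Decision("2.04", "certificate issued", issued_subject=req.csr_subject)


if __name__ == "__main__":
    # Constructed sample sessions and requests.
    anon = DtlsSession()
    dev = DtlsSession(authenticated_subject="CN=device-0001", chain_trusted=True)
    cases = [(anon, EstRequest("/est/crts")),
             (anon, EstRequest("/est/sen", "CN=device-0001")),
             (dev, EstRequest("/est/sen", "CN=device-0001")),
             (dev, EstRequest("/est/sen", "CN=gateway"))]
    for sess, req in cases:
        d = authorize(sess, req)
        print(f"{req.path} peer={sess.authenticated_subject} -> {d.code} {d.reason}")
```

The separation between `PUBLIC_RESOURCES` and `ENROLL_RESOURCES` is the part a deployer has to decide: a client certificate that the EST server cannot map to anything may be acceptable for fetching CA certificates, but at `/est/sen` and `/est/sren` the identity in the session is what the CA ends up vouching for, so the check there is not optional.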