IETF Logo Mail Archive

Re: [Ace] Adoption of Low Latency Group Communication Security Work in ACE

Michael StJohns <mstjohns@comcast.net> Thu, 21 July 2016 13:05 UTC

Return-Path: <mstjohns@comcast.net>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0B1F12DAB2 for <ace@ietfa.amsl.com>; Thu, 21 Jul 2016 06:05:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.987
X-Spam-Level:
X-Spam-Status: No, score=-3.987 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2xq96gSLHhz5 for <ace@ietfa.amsl.com>; Thu, 21 Jul 2016 06:05:37 -0700 (PDT)
Received: from resqmta-ch2-05v.sys.comcast.net (resqmta-ch2-05v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C030712DA28 for <ace@ietf.org>; Thu, 21 Jul 2016 06:04:55 -0700 (PDT)
Received: from resomta-ch2-08v.sys.comcast.net ([69.252.207.104]) by resqmta-ch2-05v.sys.comcast.net with SMTP id QDdJb0vEm2FGMQDepb9UL1; Thu, 21 Jul 2016 13:04:55 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1469106295; bh=7Pw2XTS1wFSESGTokjI0bt3k1G6AcRrx1UWa4iHFQDI=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=cY6A0raxv4S5e+aLjnRUzZx3j4aRYtu2aJ25LhqN8xRFkfng8ahjSZnFMN8uqjuQH I+Z+xm3uoWmPuFpf9R2jvKx/Cj4bdg8rPHHQhCkCjJYBa8NXp20rDwkUrMCLivFjt0 yuvX1XnmTXGal7QrITcrdnuXfsiYKKNIOdwQPYOvAV0RNzWjnvu3E3cNdmgrM5nvWe 2X6uf3r4NWIfpHYqiXwjf3F+RuEE72QZarpAkCqEGrB2V36yY9AVzf2EISmtIMJsAe ZYpvYbQnXmLWN9UKng0MxB8N1e0xToQogQyk2PKzGy9cgFxMs7oHWQzawMrkOu7lBP TutDtDUXZTRnw==
Received: from [IPv6:2001:67c:370:136:f5b6:8aca:fcf6:bf81] ([IPv6:2001:67c:370:136:f5b6:8aca:fcf6:bf81]) by comcast with SMTP id QDedb19BNS9gdQDeibl4JO; Thu, 21 Jul 2016 13:04:53 +0000
To: ace@ietf.org
References: <578F4D59.8050005@gmx.net> <5E393DF26B791A428E5F003BB6C5342AB3716D64@OC11EXPO33.exchange.mit.edu> <23666.1469091857@obiwan.sandelman.ca> <57909559.2000805@tzi.org>
From: Michael StJohns <mstjohns@comcast.net>
Message-ID: <655911d1-927e-56ae-1b73-903ad925ea88@comcast.net>
Date: Thu, 21 Jul 2016 09:04:47 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <57909559.2000805@tzi.org>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4wfHPfHjkoDSCmjgV4+MeZxQExFxSYWr3QIkdBt0LOnaZCdM6/ag0jZW/1ap0rI+MURmX8F/4GoDWkRoZB7tASElnxhSOmTUmTPHaOkZdRENqGJfbbaypK 0NnVd2MwcivMBXpo5+DB23P8JhBs6KlqDZ3P8c0P/6Vbq3BQWA8sYGis+tnx9KkpVqaEYDR6mMHBUg==
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/oicOyHrdfd7rYDe3C_gXU4I875Q>
Subject: Re: [Ace] Adoption of Low Latency Group Communication Security Work in ACE
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 13:05:39 -0000

On 7/21/2016 5:26 AM, Carsten Bormann wrote:
> Michael Richardson wrote:
>> Why will ACE succeed when DICE failed?
> Because DICE tried to hack something into TLS.  That had no support.

Actually, that's not the complete story.  It was one of the things that 
finally killed this off (e.g. DICE was supposed to make a profile of 
DTLS for constrained devices, BUT DTLS didn't already support multicast, 
so its difficult to profile it in...; we have to come up with message 
formats for a DTLS extension)

It wasn't the only thing.  Again, there's a very long record of why this 
was a bad idea in DICE.  It's trivially easy to map each and every one 
of those arguments to why the equivalent thing in ACE is bad.

>
>> Does ACE now have some knowledge or mechanism that DICE couldn't have created
>> because it was out of scope?
> ACE has COSE.

*sigh* If this had any application to the stated lighting problem, then 
sending a COSE message with a public key signed payload to trigger state 
changes would be the solution, not a symmetric group multicast key.

E.g. use section 4 of the 
https://datatracker.ietf.org/doc/draft-ietf-cose-msg/ document.  Do NOT 
use any of the symmetric key sections.

  I've said similar things before, but there continues to be this belief 
from certain folk that its too expensive to do public key cryptography 
for lightbulbs.

So to be clear - yes COSE is useful.  No, it does not actually do 
anything to fix the problem of symmetric key group communications UNLESS 
you stick to the public key sections.

Later, Mike


>
> Grüße, Carsten
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace

v2.23.0 | Report a Bug | By Email