Re: [Ace] WGLC for draft-ietf-ace-coap-est - optimization for embedded devices

Esko Dijk <esko.dijk@iotconsultancy.nl> Wed, 23 January 2019 09:48 UTC

From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] WGLC for draft-ietf-ace-coap-est - optimization for embedded devices
Date: Wed, 23 Jan 2019 09:48:40 +0000
Message-ID: <DB6P190MB0054743FDD8DB32669C5BB23FD990@DB6P190MB0054.EURP190.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Q4nv8gKUAKAWyXciAYgNQFFa1gM>
Subject: Re: [Ace] WGLC for draft-ietf-ace-coap-est - optimization for embedded devices

Dear ACE WG & authors,

My main comment on this draft is based on recent experience with an embedded implementation. In the draft, the content format "application/pkcs7-mime;smime-type=certs-only" is used to transport a single certificate back to the client. However, in the embedded implementation crypto library there is no support for parsing this format, but there is support for parsing X.509v3 (application/pkix-cert). See e.g. https://tls.mbed.org/api/group__x509__module.html for an embedded API that can parse CSR and certs, but not PKCS#7.

Therefore the X.509 format seems better to use; also given that
1) the signing of data that the PKCS#7 S/MIME envelope provides is useless because the DTLS session is already end-to-end protected and the certificate is already signed; and
2) RFC 7030 requires that only one certificate, the generated one, is carried in the /simple(re)enroll response so that a container format for multiple certificates is not really needed here.

So to reduce code size for embedded implementations it would be very beneficial if the EST Server would support an additional content format:
application/pkix-cert (see RFC 5280)

The client can request this format using the CoAP Accept Option; by default, if no Accept Option is given, the EST server would return application/pkcs7-mime;smime-type=certs-only.
What do you think about this addition? I believe that adding this would make the EST-over-Coaps protocol an ideal fit to common embedded SW stacks.

Furthermore I found these two issues that need to be addressed:

Section 5.4: "The equivalent CoAP error code to use in an EST-coaps responses are 2.04 ..." -> 2.04 is a success code, not an error.

Section 5.6: "According to section 5.2.2 of [RFC7252], a slow server can acknowledge the request with a 2.31 code" -> 2.31 is not specified in RFC 7252.

Best regards
Esko Dijk
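The content negotiation proposed above, together with the degenerate PKCS#7 certs-only container that the default format wraps around the single certificate, as an added example (not code from the draft, the post or mbed TLS). The content-format numbers and the sample certificate bytes are constructed placeholders; the DER walker is deliberately minimal to show that a certs-only blob without signers needs no full PKCS#7 parser.

```python
# Added example: CoAP content negotiation for the EST /simpleenroll response plus the degenerate PKCS#7 certs-only wrapper.
CF_PKCS7_CERTS_ONLY, CF_PKIX_CERT = 9001, 9002  # placeholders, not the IANA CoAP Content-Format values
OID_SIGNED_DATA, OID_DATA = bytes.fromhex("06092a864886f70d010702"), bytes.fromhex("06092a864886f70d010701")  # id-signedData, id-data
SAMPLE_CERT = b"\x30\x03\x02\x01\x2a"  # constructed stand-in for a DER Certificate, not a real one

def tlv(tag, body):  # DER element with minimal length encoding (lengths below 65536 suffice here)
    n = len(body)
    ln = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + ln + body

def read_tlv(buf, pos=0):  # returns (tag, value, position just after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln

def wrap_certs_only(cert_der):
    """ContentInfo{signedData, [0] SignedData{v1, no digests, id-data, certs={cert}, no signers}}."""
    signed = (tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, OID_DATA)
              + tlv(0xA0, cert_der) + tlv(0x31, b""))
    return tlv(0x30, OID_SIGNED_DATA + tlv(0xA0, tlv(0x30, signed)))

def unwrap_certs_only(body):
    """Return the one certificate; reject anything but a degenerate certs-only SignedData."""
    tag, ci, end = read_tlv(body)
    if tag != 0x30 or end != len(body) or not ci.startswith(OID_SIGNED_DATA):
        raise ValueError("not a signedData ContentInfo")
    sd = read_tlv(read_tlv(ci, len(OID_SIGNED_DATA))[1])[1]  # [0] EXPLICIT -> SignedData SEQUENCE
    fields, pos = [], 0
    while pos < len(sd):
        tag, value, pos = read_tlv(sd, pos)
        fields.append((tag, value))
    if len(fields) != 5 or fields[3][0] != 0xA0 or fields[4] != (0x31, b""):
        raise ValueError("not a degenerate certs-only SignedData (signers present?)")
    if read_tlv(fields[3][1])[2] != len(fields[3][1]):
        raise ValueError("RFC 7030 allows exactly one certificate here")
    return fields[3][1]

def simpleenroll_response(cert_der, accept=None):
    """Server: honour the CoAP Accept option; with no Accept, default to certs-only as the draft does."""
    if accept in (None, CF_PKCS7_CERTS_ONLY):
        return "2.04", CF_PKCS7_CERTS_ONLY, wrap_certs_only(cert_der)
    return ("2.04", CF_PKIX_CERT, cert_der) if accept == CF_PKIX_CERT else ("4.06", None, b"")

def client_cert_from_response(code, cf, payload, requested=None):
    """Client: parse only the format it asked for (or the default when it sent no Accept)."""
    if code != "2.04" or cf != (CF_PKCS7_CERTS_ONLY if requested is None else requested):
        raise ValueError("unexpected response %s with content-format %r" % (code, cf))
    return payload if cf == CF_PKIX_CERT else unwrap_certs_only(payload)
```

The client check on the Content-Format matters as much as the server side: a constrained client that sent Accept for application/pkix-cert must not feed an unexpected PKCS#7 blob into a parser it does not have.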

-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of Jim Schaad
Sent: Monday, January 14, 2019 05:03
To: ace@ietf.org
Subject: [Ace] WGLC for draft-ietf-ace-coap-est

The chairs believe that the EST over CoAP draft is nearing the point it should be sent to the IESG for publication.  We are therefore going to have a Working Group Last Call on this document.  WGLC will run until the 29th of this month.  Please review the document and send comments both positive and negative to the list about its state.

Jim & Roman

