Re: [Ace] ace-coap-est: unclear definition of /.well-known/est URI

Esko Dijk <esko.dijk@iotconsultancy.nl> Tue, 18 September 2018 14:31 UTC

From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>, "ace@ietf.org" <ace@ietf.org>
Date: Tue, 18 Sep 2018 14:31:29 +0000
Message-ID: <DB6P190MB005441A30B3C3414EFF55D5EFD1D0@DB6P190MB0054.EURP190.PROD.OUTLOOK.COM>
References: <DB6P190MB005479015E3F02D4028541A9FD1B0@DB6P190MB0054.EURP190.PROD.OUTLOOK.COM> <39ff6ec1903c4c3a9d333c41a38a1ad9@XCH-ALN-010.cisco.com> <DB6P190MB00548845B38C0B0DF2380CD1FD180@DB6P190MB0054.EURP190.PROD.OUTLOOK.COM> <fc396115e9a54f80babfe9a9f5ae9e74@XCH-ALN-010.cisco.com>
In-Reply-To: <fc396115e9a54f80babfe9a9f5ae9e74@XCH-ALN-010.cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/_i5AtmhvEJFCnZgPehvGHNBVTH8>

Ok, thanks.

To be fully complete, the URIs that can be discovered should also include a port number, as they could be hosted at 5684 or any available UDP port - other than 5683.

   coaps://www.example.com:<port>/<est-root-resource>/<short-est>
   coaps://www.example.com:<port>/<est-root-resource>/ArbitraryLabel/<short-est>

Esko

-----Original Message-----
From: Panos Kampanakis (pkampana) <pkampana@cisco.com> 
Sent: Monday, September 17, 2018 19:12
To: Esko Dijk <esko.dijk@iotconsultancy.nl>; ace@ietf.org
Subject: RE: ace-coap-est: unclear definition of /.well-known/est URI

Hi Esko,
Good point. We made this change to ensure the text is clearer. You will see it in the next iteration.
Thank you, 
Panos

-----Original Message-----
From: Esko Dijk [mailto:esko.dijk@iotconsultancy.nl] 
Sent: Saturday, September 15, 2018 10:30 AM
To: Panos Kampanakis (pkampana) <pkampana@cisco.com>; ace@ietf.org
Subject: RE: ace-coap-est: unclear definition of /.well-known/est URI

Hello Panos,

Thanks - it's clear now that the "ArbitraryLabel" needs to be supported for this use case. The unclarity in the current text comes from the fact that the default /.well-known/est/<short-est> is missing; it should also be supported, as in RFC 7030. Also the usage of the discoverable root URI is missing here.

So we could update the text in Section 5 as follows:

------
The individual EST-coaps well-known server URIs differ from the EST URI by replacing the scheme https by coaps and by specifying shorter resource path names:

   coaps://www.example.com/.well-known/est/<short-est>
   coaps://www.example.com/.well-known/est/ArbitraryLabel/<short-est>

The ArbitraryLabel Path-Segment, if used, SHOULD be of the shortest length possible.

The optional additional EST-coaps server URIs, obtained through discovery of the EST root resource(s), are of the form:

   coaps://www.example.com/<est-root-resource>/<short-est>
   coaps://www.example.com/<est-root-resource>/ArbitraryLabel/<short-est>

------

The suggestion by Peter to add references to the corresponding EST RFC 7030 sections is also good.

Regards
Esko

From: Panos Kampanakis (pkampana) <pkampana@cisco.com>
Sent: Wednesday, September 12, 2018 17:31
To: Esko Dijk <esko.dijk@iotconsultancy.nl>; ace@ietf.org
Subject: RE: ace-coap-est: unclear definition of /.well-known/est URI

Hi Esko,

Thanks for the comment. 

Certificate authorities use the ArbitraryLabel in order to direct the CSR request and issue certificates based on a certain policy / cert profile. For example, if you are ClientX you get label ClientX198282 and when you hit the CA HTTP URI .well-known/est/ClientX198282/sen the CA knows to use the policy for ClientX in order to issue a certificate. Of course, someone that has deployed an on-prem CA that has the same cert profile for all endpoints will not need an arbitrary label and the default EST namespace is enough.

So, even though coaps://www.example.com/.well-known/est/<short-est> would work for many cases, we needed to keep the coaps://www.example.com/.well-known/est/ArbitraryLabel/<short-est> as well for cases where the client is getting a cert from a CA that serves more than one cert profile. We may need to specify that the label should be as short as possible, even though it is kind of self-explanatory.

I hope it makes sense.

Panos


From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Esko Dijk
Sent: Wednesday, September 12, 2018 11:10 AM
To: ace@ietf.org
Subject: [Ace] ace-coap-est: unclear definition of /.well-known/est URI

Dear all/authors of ace-coap-est,

Section 5 of ace-coap-est-05 indicates URI discovery is possible to find the EST functions entry point URI. Also a well-known URI is defined:

coaps://www.example.com/.well-known/est/ArbitraryLabel/<short-est>.

This URI seems more complicated than needed? What if we simply define an always-available well-known URI, usable without any discovery:

coaps://www.example.com/.well-known/est/<short-est>

This re-uses the well-known EST namespace which is exactly defined to do EST functions. So using the short-est names within this namespace should be fine.
It is important that a well-known URI is available that is usable without discovery, just like EST RFC 7030 defines it for https.
The "ArbitraryLabel" only makes the URI longer.

best regards
Esko Dijk
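A worked example, added here and not part of the thread, of draft-ietf-ace-coap-est or of any IETF code: a small Python parser and builder for the four URI forms Esko lists above (well-known namespace with and without ArbitraryLabel, discovered root resource with and without the label), which also carries the explicit port he asks for. Everything the page does not state is an assumption: the short-est table beyond "sen" (taken from the later published EST-coaps specification), 5684 as the coaps default port, 5683 being rejected as plain coap, and that discovered root resources are handed to the parser as path strings such as "est".

```python
"""Parse and build EST-coaps URIs of the forms discussed in the thread.

Added example, not code from draft-ietf-ace-coap-est. Assumed, not from the
page: the SHORT_EST entries other than "sen", the default port 5684, and the
input format of discovered root resources.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

WELL_KNOWN_ROOT = ".well-known/est"
COAP_PORT = 5683           # plain coap default; not an EST-coaps endpoint
COAPS_DEFAULT_PORT = 5684  # assumed coaps default when the URI has no port

# Assumed short-est names -> RFC 7030 function. The thread only shows "sen";
# the remaining entries follow the published EST-coaps specification.
SHORT_EST = {
    "crts": "cacerts",
    "sen": "simpleenroll",
    "sren": "simplereenroll",
    "skg": "serverkeygen",
    "att": "csrattrs",
}


@dataclass(frozen=True)
class EstCoapsUri:
    host: str
    port: int
    root: str              # WELL_KNOWN_ROOT or a discovered root resource
    label: Optional[str]   # ArbitraryLabel, or None for the default namespace
    short: str             # the short-est segment, e.g. "sen"
    function: str          # RFC 7030 function the server maps it to


def _segments(path: str) -> List[str]:
    return [seg for seg in path.split("/") if seg]


def parse_est_coaps_uri(uri: str, discovered_roots: Iterable[str] = ()) -> EstCoapsUri:
    """Accept exactly the four URI forms from the thread; reject anything else.

    discovered_roots: root resource paths learned via discovery (e.g. "est");
    an assumed input format for this example.
    """
    parts = urlsplit(uri)
    if parts.scheme != "coaps":
        raise ValueError("EST-coaps requires the coaps scheme, got %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("missing host in %r" % uri)
    port = COAPS_DEFAULT_PORT if parts.port is None else parts.port
    if port == COAP_PORT:
        raise ValueError("port 5683 is plain coap; EST-coaps needs coaps")

    segs = _segments(parts.path)
    # Longest root first, so a discovered root that is a prefix of another
    # one (e.g. "est" vs "est/v2") cannot shadow it.
    roots = sorted({WELL_KNOWN_ROOT, *(r.strip("/") for r in discovered_roots if r.strip("/"))},
                   key=lambda r: -len(_segments(r)))
    for root in roots:
        root_segs = _segments(root)
        if segs[:len(root_segs)] == root_segs:
            rest = segs[len(root_segs):]
            break
    else:
        raise ValueError("path %r does not start with a known EST root" % parts.path)

    if len(rest) == 1:
        label, short = None, rest[0]
    elif len(rest) == 2:
        label, short = rest
        if label in SHORT_EST:
            raise ValueError("ArbitraryLabel %r collides with a short-est name" % label)
    else:
        raise ValueError("expected <short-est> or <ArbitraryLabel>/<short-est>, got %r" % rest)
    if short not in SHORT_EST:
        raise ValueError("unknown short-est name %r" % short)
    return EstCoapsUri(parts.hostname, port, root, label, short, SHORT_EST[short])


def build_est_coaps_uri(host: str, short: str, label: Optional[str] = None,
                        port: Optional[int] = None, root: str = WELL_KNOWN_ROOT) -> str:
    """Build one of the four forms; the port is emitted whenever it is given,
    so discovered URIs on non-default ports stay usable without guessing."""
    if short not in SHORT_EST:
        raise ValueError("unknown short-est name %r" % short)
    if label is not None and (not label or "/" in label):
        raise ValueError("ArbitraryLabel must be a single non-empty path segment")
    authority = host if port is None else "%s:%d" % (host, port)
    path = "/".join([root.strip("/")] + ([label] if label else []) + [short])
    return "coaps://%s/%s" % (authority, path)
```

The parser deliberately refuses a label equal to a short-est name and any path with more than one segment between the root and the function, so a server that dispatches on the label cannot be steered into a different cert profile by a crafted path; the builder keeps the port explicit because, as noted above, an EST-coaps server may sit on any UDP port other than 5683.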