Re: [Ace] draft-ietf-ace-cmpv2-coap-transport-00.txt - do not mention V" of CMP in the document
David von Oheimb <David.von.Oheimb@siemens.com> Thu, 11 March 2021 17:11 UTC
Return-Path: <David.von.Oheimb@siemens.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 471283A1503 for <ace@ietfa.amsl.com>; Thu, 11 Mar 2021 09:11:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lna2ioVutAD7 for <ace@ietfa.amsl.com>; Thu, 11 Mar 2021 09:10:58 -0800 (PST)
Received: from gecko.sbs.de (gecko.sbs.de [194.138.37.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AA133A1541 for <ace@ietf.org>; Thu, 11 Mar 2021 09:10:56 -0800 (PST)
Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35]) by gecko.sbs.de (8.15.2/8.15.2) with ESMTPS id 12BHArpK020462 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 11 Mar 2021 18:10:53 +0100
Received: from [139.22.42.253] ([139.22.42.253]) by mail1.sbs.de (8.15.2/8.15.2) with ESMTP id 12BHAqe0017128; Thu, 11 Mar 2021 18:10:52 +0100
To: Mohit Sahni <mohit06jan@gmail.com>
Cc: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>, "ace@ietf.org" <ace@ietf.org>, Andreas Kretschmer <Andreas.Kretschmer@siemens.com>
References: <AM0PR10MB24186B276EBD30EE32A7A87BFE969@AM0PR10MB2418.EURPRD10.PROD.OUTLOOK.COM> <CAEpwuw167FdJzQYLK2ZV0B_6=2edV+wj9zKDnpbiN-0aTgNL=g@mail.gmail.com>
From: David von Oheimb <David.von.Oheimb@siemens.com>
Message-ID: <4f9d9e3f-be6a-9fe7-40b2-1f018df1742a@siemens.com>
Date: Thu, 11 Mar 2021 18:10:52 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.1
MIME-Version: 1.0
In-Reply-To: <CAEpwuw167FdJzQYLK2ZV0B_6=2edV+wj9zKDnpbiN-0aTgNL=g@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------88DD0E99C0EA41BDF3B1B8A1"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/tZHVW2vtliB4ZOmcw6mnj3UVxCg>
Subject: Re: [Ace] draft-ietf-ace-cmpv2-coap-transport-00.txt - do not mention V" of CMP in the document
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Mar 2021 17:11:06 -0000
Hi Mohit, thanks a lot for providing that draft. It looks very good already. Good point by Hendrik to replace "CMPv2" by "CMP" since the version really does not matter here. I'd suggest dropping the hyperlinked reference from the abstract and a couple of further adaptations to the abstract, such that it becomes This document specifies use of the Constrained Application Protocol (CoAP) for transferring Certificate Management Protocol (CMP) messages. It details the respective option mentioned in the Lightweight CMP Profile. CMP defines the interaction between various PKI entities for certificate enrollment and management. CoAP is an HTTP-like client-server protocol for use in constrained devices in IoT space. Further mostly very minor improvement suggestions are given below. Cheers, David Section 1: transport -> transfer (several times) encryption of messages -> protection of messages between CAs -> between RAs Section 2: PKIMesssage -> PKIMesssages I do not understand what you want so say here: > An EE MUST verify the configured Root CA > certificate against the Root CA certificate of the discovered entity Likely you meant: An EE MUST verify the certificate of the discovered entity against a configured trust anchor (Root CA certificate) The URI's for CoAP resources should start -> The only difference is that the URIs for CoAP resources MUST start should return a "2.05 Content" -> MUST return a "2.05 Content" (or are there other options in case of success?) application/pkixcmp -> "application/pkixcmp" for the possible changes -> for potential changes Block Wise -> Block-Wise (in title of 2.6) Block Wise -> block-wise (in body of 2.6) header body and optional fields -> header, body, protection, and extraCerts including many optional and potentially bulky fields outgoing interface -> interface (because this may also happen for responses) maybe leave out? that are exchanged between EEs and RAs or CAs maybe weaken?: mode MUST be used -> mode SHOULD be used then, it -> then it Proxy opens -> the proxy opens maybe leave out? from EEs to RAs or from EEs to CAs Section 3: the encryption and authentication of the messages but in cases when -> protecting message contents, in case 7.1 and 7.2 -> 7.2 and 7.3 (for draft 03 at least) overhead of using DTLS connection -> overhead of setting up DTLS connections Sections 4 and 5: CoAP to HTTP -> CoAP-to-HTTP (several times) significant changes -> changes Announcements Messages -> announcement messages MUST be positioned -> SHOULD be positioned (else the recommendation given next makes no sense) between CAs and RAs -> between RAs and CAs UDP based -> UDP-based (two times) CoAPs to HTTPS -> CoAPS-to-HTTPS HTTPS protocol, -> HTTPS. however client SHOULD be configured to trust the CA certificate used by proxy to sign the Man in the Middle (MITM) certificate for certificate chain validation -> The client SHOULD be configured with a trust anchor suitable for validating the DTLS server certificate used by the proxy I doubt if the paragraph > However, the CoAP protocol which > uses UDP as layer 4 transport is vulnerable to many issues due to the > connectionless characteristics of UDP itself. The Security > considerations for CoAP protocol are mentioned in the [RFC7252 <https://tools.ietf.org/html/rfc7252>]. > Using a CoAP to HTTP proxy mitigates some of the risks as the > requests from the EE's can terminate inside the trusted network and > will not require the server to listen on a UDP port making it safe > from UDP based address spoofing, Denial of Service, and amplification > attacks due to the characteristics of UDP. makes sense because, as you wrote before, CMP is already self-contained in terms of security. Therefore I think it should be sufficient to say for instance: Therefore security issues of CoAP due to using UDP do not carry over to the CMP layer except for the vulnerability to Denial-of-Service attacks. Section 6: content-type application/pkixcmp -> content type "application/pkixcmp". On 10.03.21 19:44, Mohit Sahni wrote: > Hi Hendrik > Thanks for the update, I will make changes to remove the CMP version > references from the document. I think we can exclude CMPv1 from the > scope as it will obsolete soon. > > Thanks > Mohit > > On Fri, Mar 5, 2021 at 9:36 AM Brockhaus, Hendrik > <hendrik.brockhaus@siemens.com> wrote: >> Mohit >> >> >> >> We introduced V3 of CMP in draft-ietf-lamps-cmp-updates-08 Section 2.15. The version of CMP is not relevant to the CoAP transport, I guess. Therefore, I suggest to remove references to the CMP version from your draft, especially from the title. If you want to exclude CMP V1 as specified in RFC 2510 from the scope of your draft, this is fine with me as well. >> >> >> >> Hendrik
- [Ace] draft-ietf-ace-cmpv2-coap-transport-00.txt … Brockhaus, Hendrik
- Re: [Ace] draft-ietf-ace-cmpv2-coap-transport-00.… Mohit Sahni
- Re: [Ace] draft-ietf-ace-cmpv2-coap-transport-00.… David von Oheimb
- Re: [Ace] draft-ietf-ace-cmpv2-coap-transport-00.… David von Oheimb
- Re: [Ace] draft-ietf-ace-cmpv2-coap-transport-00.… Brockhaus, Hendrik
- Re: [Ace] draft-ietf-ace-cmpv2-coap-transport-00.… Mohit Sahni
- Re: [Ace] I-D Action: draft-ietf-ace-cmpv2-coap-t… David von Oheimb
- Re: [Ace] I-D Action: draft-ietf-ace-cmpv2-coap-t… Mohit Sahni