IETF Logo Mail Archive

Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-transport-04

"Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com> Fri, 15 April 2022 15:07 UTC

Return-Path: <hendrik.brockhaus@siemens.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A2133A088F; Fri, 15 Apr 2022 08:07:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=siemens.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XZ4g5vsFHBBh; Fri, 15 Apr 2022 08:07:00 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04on0601.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0e::601]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E38123A089A; Fri, 15 Apr 2022 08:06:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eQW7mE7bYKlhRwCAXkz7W86MGNMKlG4DbAVDOP8QGHaPbnSYh1hgJPXB1GNrFS98mTutZrkAcZdczJAQU4aECg57naazcB+mtR+OvNpX6KSBkwFtZtInbObemE5qpnOX0TgxpSkHTTMyCbfNqV57I7CPkPVGFTgs6hdjMKj4sPZCU58ZvK1aonUeUhONhx4e9U/Rq1yxRyweTH2P9k2/8Pm75+vs1YSPUA2e3VAx4TDv2aLANsX+fQeWgF2t8fCubnWRTv4/aVjo+M2g4RfrdknLIQ8P+ywSM1b8J5EDVvwjCpwpAsqzAAM2QS1r4akJyVu5HiTo9ntqQmz1B+1CjQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=qiH+4mJ9cqYOQkAnvgHWleF3AdvKs2PGOya8CmQ34BY=; b=Z3oiKA4PRCgx1zIs8cNwFct9gjUTxXU08OhjEC3JT6gnNmNtmPxXfz8CAIyY2q93siSRDNxF41g3Yd8lWLee2daOCFzJexK597cWAiifDvvAM1/RP+GMIWRT4Z2HTZROhRDH0vYj8dPmSW1NbKHpjCWi25/MV9P7cLePjCZgK+xkb88bAyRG0dJ0Qj0IJgVNvbGOSVtks29WLN6jxgrAVKPfdK4U2y+zUuadV7yKhpbNe1H2P6rcQ522oIcIVCnnAfAJGsJSxAyRwIz25mb/4KsQbN5SMshzzV7RTF8HaRwmYvaBcjQPG1xgkXibbtL1aN0Ca8yYobo3m5yd0R+I1w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qiH+4mJ9cqYOQkAnvgHWleF3AdvKs2PGOya8CmQ34BY=; b=EFwC0B/ou6oYO5jWM/cohqrfPMZOkHdZiRtjBdso3ET9dFuhz4TW4VYdiLpjg9phiBNjSygrbo0BUc2nwsD0UP3h1xqLaKiO9vZK77vZ5NVZvMt6tQofopejMZjpoNm95W4h2DhKUGxCPUP+7zsARoHw+Yu253tmxdhI2jp3aJHxGMknplwdnflwrYyxyYTA7Fzp2OhHQmS4c0jXh/pDhURpEaq9eRMg3gPZwFNjvmcU/jhDtBqfKmBlXeBbAWCg6irI2t70Wecw2qkeNqMW0aFK8y5NDGEymzOSYf84mG7f9wCdWliMoNRO83JqDqQ7BrL1sG18CFujCuRzMK89qA==
Received: from DB6PR1001MB1269.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:4:b1::18) by AM7PR10MB3191.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:101::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5164.20; Fri, 15 Apr 2022 15:06:52 +0000
Received: from DB6PR1001MB1269.EURPRD10.PROD.OUTLOOK.COM ([fe80::11f8:5cc3:17b1:fbfd]) by DB6PR1001MB1269.EURPRD10.PROD.OUTLOOK.COM ([fe80::11f8:5cc3:17b1:fbfd%11]) with mapi id 15.20.5164.020; Fri, 15 Apr 2022 15:06:52 +0000
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Mohit Sahni <msahni@paloaltonetworks.com>
CC: "ace@ietf.org" <ace@ietf.org>, "draft-ietf-ace-cmpv2-coap-transport.all@ietf.org" <draft-ietf-ace-cmpv2-coap-transport.all@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>, "stripathi@paloaltonetworks.com" <stripathi@paloaltonetworks.com>
Thread-Topic: [Ace] AD review of draft-ietf-ace-cmpv2-coap-transport-04
Thread-Index: AQHYIdijg+rWSsg3NkKI6FcHtQd2lKyULBiAgAKqQICAWpgQQA==
Date: Fri, 15 Apr 2022 15:06:51 +0000
Message-ID: <DB6PR1001MB1269E35301354C3F0E9E2C22FEEE9@DB6PR1001MB1269.EURPRD10.PROD.OUTLOOK.COM>
References: <20220214192217.GA12881@kduck.mit.edu> <AS4PR10MB5199EC594C9FEEB0744BD4CCFE349@AS4PR10MB5199.EURPRD10.PROD.OUTLOOK.COM> <20220216232919.GG12881@kduck.mit.edu>
In-Reply-To: <20220216232919.GG12881@kduck.mit.edu>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Enabled=true; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SetDate=2022-04-15T15:06:49Z; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Method=Standard; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Name=restricted-default; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ActionId=4f85afdd-7979-4654-9325-1e096c517a0c; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ContentBits=0
document_confidentiality: Restricted
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 13c3db11-0a3b-4763-6ea0-08da1ef19293
x-ms-traffictypediagnostic: AM7PR10MB3191:EE_
x-microsoft-antispam-prvs: <AM7PR10MB3191AA345370DB6760608BE1FEEE9@AM7PR10MB3191.EURPRD10.PROD.OUTLOOK.COM>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: jtbLmkvMtdGB5/RucolvPumtw/sSaM9GjpYRiy7+w6ydUzTjV6e6cxdNkStK0Mzw/e7OO98UVXRL26GLwE8LsXkf0kX4O+nbDxu+O/4pWGSwcN8PzQXT7DOG7cNhmAGSEre+IOy5fAeuFww0ezbdBj+mmU8CWW1xla/uXbk4hzHMee8RG6FRbM18Rxh/RXb1nuT2Egi1cxOGbUVqauvisM79nOom5zlQrx6zSkqWtDrRGr2Mz1GBmdDOwfiizxwqpgrM6Q8mMEvpDkISd7+AC5A3LZAO5H4T6jZ7YhazsRQJW6SoGepsMEf3+MRX1M9fxDMIJoFmtqSvC4oBl6Tu0NC/NUdMw5aNrNSMLwXgYEDBqLSc8Zyj/iOvhh/Kaib2IHwSJGHzenpn6Iv1Nz4eeRxLsK2GWGY3eaIyUYCywPTgetMArem51/bYI6Yh8enA3V+wC4C/QS5o6od9YEmgCTsfj/iAxZ+GjGl59wghRCJkSw3pzaRhrIeX8VRLDbwTjmUIceJh6nNjhoEfZHoUr471O5aniuWV/SeC/Z0t9EeKA9h6HvYSeQBndXZ+FVpgPThsjQbeshHMNIgPjtkz5FzFuW8+yi5XqcC89XdAXhdUA3IcX4g7K2Tffmf78pA+xJaSg+P4hBFeiPfcNZGbZuAqxiZh5aBCKgTR0AyZkgJmN+uHdYUH3OMF0Hv+WSjX71TkSHLZslIkVabhs5hC0KXAxdAB5bsXCyob+u3Y7F/SLoZSbJj49zhN8t/Sn5qE1HytDdjaBZDnT3gSUWiRrmdsAgvR3c3dWKKj1WUIss8=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB6PR1001MB1269.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(26005)(186003)(6506007)(122000001)(82960400001)(38100700002)(86362001)(38070700005)(7696005)(33656002)(9686003)(55016003)(83380400001)(30864003)(4326008)(64756008)(45080400002)(5660300002)(66446008)(66556008)(66946007)(8676002)(76116006)(66476007)(2906002)(498600001)(71200400001)(52536014)(8936002)(6916009)(966005)(54906003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: X0OnDXh35fwshrrWtRTbkVtpU/NARgIFRDYG/G60Fz+lnUUsvNdqM05sL6bPtss8RM/05OlzP/O3x65UWicLOOVotRsSjrcOJ6mywClypcTkfzEIkAC5hhlYCLGxDbN3mJ7JmF8uh+SKo30/MTlxs4Ud0boZXVMxxzJhBh3r1e45xXbrYCne9JGg4JSJjqxxPCHxOCxxbQbJlTjFXdjul/CmafWiKzEG2PVVpvOne2h7bprjIieir0l0OHEF3vii873JJgigXAYzNZhgs1MLhTseVQcPTzD6FZrP/8B9NDXQ163x0tReKO1vrkch8RY54+NVl4mP01QXF0/B5Vwgu/zK/8MourgjNK9RHo7ez5jjtPCrV5u2vyYlcb1ZgT4R4SBOOpUkA4/k9uyfMHcd43B7UB1vKKzvToJTLzNN2hPs3bNEoX6BqGEKijSFg78SU3EL4XqW/2jHbw/20VG6HcJa1Wn3fxjRSKdtkKK1njLM8hWbApasPejFfWSGxhBTjRFJmLMSJcPrg8j4ifr8tW6/bhUSHKGS4OBg7iVmipg86YK6efj8ah7GnqQMmKZOK4p1MXQ2CTeJPUe4fPDESbuyZmG3V6uMCY7lCJ74R8m5K/8sSDwMFMA2ZDfSxBh1EpGt1g2vOtk/Alg5XQ9z82hcpeI4D2u8zZAZF2y+jp0CCkDlE1wv4XerFBAb6K5T5LiX61At6pN2LTfjRK01DX/IFj9Wtg6s6jTm08jqzzegCGzjgznMQB4PRfWjXQhIByCIaoHmgc8Wq0cCfEF4dln9b15vYbdRpeS2NZ2GIFqNoaULtQW9xK9Eh1HkexBSPdrM6eeVBUGos5/N/2r2BWjPOYm1B0IxIDL8LvVyjxunpWHOx40VAzLcgCYAyJSVWaZUFaBf1aGK4p8tN4wEALcwkHbHc+jzAlPVEjRucn/KmcA5D+uyA3+JksdGPUh40MwHUna8XsYHxVWixeuZE9wDXzQxWDdhj9ULxhZG4poJ3U281nx71Wnp/aPkKG4J/O4MHGqpHVGljLE1CHoPZMwJMJLvIyRe/4FG2tZO5xo9tsJNIQ/c9qE+5vLP4fgBv5btTQ3L3kVhkxA9SlSYyY7O+yvfSQwTbEoCV2tgPss8qQJtd88cuh0H6f8iaqqnOg+w3xyoi3UMKQ1MYqeAzELOX2iHBjPtsBgHmCybK5KDLLctN4uapZ95JDan26UZpKLi+XbrC5myZrEL4lqciFSAgf5sLmE1r2POCf+yIQ2Xlp5LX7sDuprF9r2TnSWrr9XWzmRb700Pl8jjwuW0gphTpkMLB4BTIEdi4Op24hO+tjR04ONyiCKGJibii8IGZnYTePyHGjS8XvzhZDwZfLM+5wWkhC4pG1w0OKdeb9xWWwt8NNVCd8zgxlUO00eQIqUUV33/xE0tU0YRrWGv9ee2/mBYItoTe8GnM0wvykVy2QtYf/+muXsFVULzEjeguY07zpDFvay+kNG+wHMCE8GLFikCticSDO9B9Ayxw/1Mv6xoIc8+9YqnbvhKc0J7cMyPuDfj4DEfee9V3DCIf2VolmUeuL5cuj29pqk8xEh7XfPrTZw97hJVs28e/2Zvpk6FxoYWHF090Qni9z9V5FEkaW56AOE0ZEG3SlUzdgomWgnJyzYTElCtV6g2FSTyFKyDjdJnZt33yP/YDXxi/W7sMXSqpQfeXD/8EyVpXgmDsbLZosdi50+E9JZoc8DH9tAfLqscB+1ROae9h0vXctw7Wo0cEBKPMbgzWxp8Pe0=
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: siemens.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DB6PR1001MB1269.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 13c3db11-0a3b-4763-6ea0-08da1ef19293
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Apr 2022 15:06:52.0183 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Hctx3H33S9jNllJ9PfN7ph7vQ7edjkRi3GDJWcvrVwxMCzoqvd9tlAmJ5XfxvskFxaa+Rik/7wvd/yH2DrQ+cCMXtSb4yFYvweyG0A03sxg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR10MB3191
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/wDfHaJ7Du_uPgLi4JxI6YHzO25w>
Subject: Re: [Ace] AD review of draft-ietf-ace-cmpv2-coap-transport-04
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Apr 2022 15:07:06 -0000

Mohit

After discussing the issue regarding well-known URI path segments on email and during IETF113 LAMPS meeting, I updated the CMP Updates document reflecting the agreed solution.
The solution is registering a well-known CMP registry. CMP Updates will register the path segment 'p' that is defined to be followed by a CA or certificate profile name.
The path segments for usage with http and coap defining the PKI management operations will be registered by Lightweight CMP Profile.

You can update the CoAP Transfer for CMP draft accordingly and align it with the changes describes above.

If you have any questions, please feel free to contact me.

Hendrik

> Von: Benjamin Kaduk <kaduk@mit.edu>
> Gesendet: Donnerstag, 17. Februar 2022 00:29
> 
> Hi Hendrik,
> 
> On Tue, Feb 15, 2022 at 07:42:31AM +0000, Brockhaus, Hendrik wrote:
> > Ben
> >
> > Thank you for your review and your comment on CMP Updates.
> > I will just comment on the usage of "cmp" well-known URI and leave the other
> comments to the authors of draft-ietf-ace-cmpv2-coap-transport-04.
> 
> Understood.
> 
> I am under a bit of a time crunch preparing for tomorrow's IESG telechat, but
> the short answer is: RFC 7030 is not a good example, but for draft-ietf-ace-
> coap-est it is more important to be consistent with RFC 7030 EST than to use
> regular best practices for well-known URIs.
> 
> A brief look into the history of RFC 7030 reveals that several reviewers took
> objection to the usage of "arbitrary labels" under /.well-known/est in question
> here, including a DISCUSS ballot from Stephen Farrell.
> Unfortunately, (in my assessment) it seems that that position was converted to a
> COMMENT prematurely, as only the question of "how would this even work at
> all" was resolved, and the question of "why does this need to be well-known"
> was not.
> 
> In particular, if you have out-of-band between client and server about what
> "arbitrary label" to use, then there is by assumption a channel that could be used
> to coordinate what URI to use, so the server could just assign a regular URI out
> of the portion of the URI namespace that is wholly under its control (i.e., just the
> toplevel /arbitraryLabel1 would work) in a manner that is compliant with BCP
> 190.  Given this configuration channel there is no need to use a well-known URI
> at all, and re-delegating a portion of the well-known namespace back to the
> hosting server seems to provide little or no value, at the cost of making future
> protocol evolution much more difficult.
> 
> That said, if there is some use case (perhaps a third-party coordinator that does
> not control the server's URI namespace) for remaining under well-known, it is
> safe to specify in the RFC that (e.g.) /.well-known/cmp/local is available for the
> server to use with arbitrary labels underneath it, and ideally what the semantics
> of those labels are.
> My strongest concern is with the intermingling of arbitrary labels at the toplevel
> /.well-known/cmp/ with potential future protocol extensions.  We need to
> retain a well-known namespace fully under the control of the protocol and with
> no risk of conflict to server-operator-assigned names.
> 
> -Ben
> 
> > > Von: Ace <ace-bounces@ietf.org> Im Auftrag von Benjamin Kaduk
> > > Gesendet: Montag, 14. Februar 2022 20:22
> > >
> > > Hi all,
> > >
> > > Jumping right in...
> > >
> > >
> > > I guess this is probably more of a comment on
> > > draft-ietf-lamps-cmp-updates, but since we are duplicating some of
> > > its content I will still call it out as a as a serious concern.  My concern relates
> to the usage of the "cmp"
> > > well-known URI -- we hvae some text in §2.1 that effectively says
> > > that a local site can just put more path segments under that path at
> > > its own discretion, and there's not even any restrictions made on
> > > the structucture of the additional path segments -- the next segment
> > > could be an operational label or a profile label, in the examples
> > > given.  This seems entirely at odds with the purpose of well-known
> > > URIs as per RFC 8615 -- they are to be URIs whose semantics are
> > > entirely specified by a protocol specification and are *not* subject
> > > to local operator control.  While it is possible for a specification
> > > to introduce additional structure under its registered well-known
> > > path, it's expected that the semantics of those subtrees are still
> > > specified by the protocol, and any extensions are to be managed by a
> > > (sub-)registry.  See, for example, §8.3.2 of RFC 8995, that establishes a sub-
> registry for the path components under /.well-known/brski .
> > >
> > > Any changes here will of course need to be synchronized with
> > > draft-ietf- lamps-cmp-updates, but I don't think this draft can go
> > > forward in its current form.
> > >
> > When writing the sections on http and coap transfer in Lightweight CMP
> Profile and CMP Updates I took RFC 7030 as example.
> > RFC 7030 §3.2.2 states
> >    An EST server MAY provide service for multiple CAs as indicated by an
> >    OPTIONAL additional path segment between the registered application
> >    name and the operation path.  To avoid conflict, the CA label MUST
> >    NOT be the same as any defined operation path segment.  The EST
> >    server MUST provide services regardless of whether the additional
> >    path segment is present.  The following are three example valid URIs:
> >
> >    1.
> > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.
> > example.com%2F.well-
> known%2Fest%2Fcacerts&amp;data=04%7C01%7Chendrik.b
> >
> rockhaus%40siemens.com%7C8a6420277bd348c6861b08d9f1a42e6c%7C38ae3
> bcd95
> >
> 794fd4addab42e1495d55a%7C1%7C0%7C637806509737370525%7CUnknown%
> 7CTWFpbG
> >
> Zsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn
> 0%
> >
> 3D%7C3000&amp;sdata=Ava58spSAMOM0KnNKIsMy0LR4TDmUpozu7ErsgdlTys
> %3D&amp
> > ;reserved=0
> >
> >    2.
> > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.
> > example.com%2F.well-
> known%2Fest%2FarbitraryLabel1%2Fcacerts&amp;data=0
> >
> 4%7C01%7Chendrik.brockhaus%40siemens.com%7C8a6420277bd348c6861b08
> d9f1a
> >
> 42e6c%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637806509737
> 370525%
> >
> 7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
> I6Ik
> >
> 1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=WV0n8BBfqMY0R9OqCh1TXRV
> 7%2FzPmQT
> > rP5LtD3NY5Nw4%3D&amp;reserved=0
> >
> >    3.
> > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.
> > example.com%2F.well-
> known%2Fest%2FarbitraryLabel2%2Fcacerts&amp;data=0
> >
> 4%7C01%7Chendrik.brockhaus%40siemens.com%7C8a6420277bd348c6861b08
> d9f1a
> >
> 42e6c%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637806509737
> 370525%
> >
> 7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTi
> I6Ik
> >
> 1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=WYjgD3ZJl5V%2BzhMGdTVFSPz
> O1KdV3L
> > CzNOy7GIkAnmE%3D&amp;reserved=0
> >
> > Also draft-ietf-ace-coap-est §5.1 makes use of arbitraryLables
> >    For both types of installations, saving header space is important and
> >    short EST-coaps URIs are specified in this document.  These URIs are
> >    shorter than the ones in [RFC7030].  Two example EST-coaps resource
> >    path names are:
> >
> >    coaps://example.com:<port>/.well-known/est/<short-est>
> >
> > coaps://example.com:<port>/.well-known/est/ArbitraryLabel/<short-est>
> >
> > CMP Updates §3.3 makes use of these examples and adapts them to CMP
> needs renaming arbitraryLable to profileLable. The operationLable is specified in
> Lightweight CMP Profile.
> >    The CMP client needs to be configured with sufficient information to
> >    form the CMP server URI.  This is at least the authority portion of
> >    the URI, e.g.,
> 'https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.exa
> mple.com%2F&amp;data=04%7C01%7Chendrik.brockhaus%40siemens.com%7C
> 8a6420277bd348c6861b08d9f1a42e6c%7C38ae3bcd95794fd4addab42e1495d5
> 5a%7C1%7C0%7C637806509737370525%7CUnknown%7CTWFpbGZsb3d8eyJWI
> joiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C300
> 0&amp;sdata=QirARZYWEWP8Bh3vW2t0hC4cCPuUAQJXXoKPiYSrHKw%3D&amp
> ;reserved=0', or the full operation path
> >    segment of the PKI management entity.  Additionally, OPTIONAL path
> >    segments MAY be added after the registered application name as part
> >    of the full operation path to provide further distinction.  A path
> >    segment could for example support the differentiation of specific
> >    CAs, certificate profiles, or PKI management operations.  A valid
> >    full CMP path can look like this:
> >
> >
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.exa
> mple.com%2F.well-
> known%2Fcmp&amp;data=04%7C01%7Chendrik.brockhaus%40siemens.com%7
> C8a6420277bd348c6861b08d9f1a42e6c%7C38ae3bcd95794fd4addab42e1495d
> 55a%7C1%7C0%7C637806509737370525%7CUnknown%7CTWFpbGZsb3d8eyJ
> WIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C
> 3000&amp;sdata=sw43ICQHH%2F%2F5VicZWkvmFt1GuKXfAprm6QWfQ63xgOI
> %3D&amp;reserved=0
> >
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.exa
> mple.com%2F.well-
> known%2Fcmp%2FoperationLabel&amp;data=04%7C01%7Chendrik.brockhaus
> %40siemens.com%7C8a6420277bd348c6861b08d9f1a42e6c%7C38ae3bcd9579
> 4fd4addab42e1495d55a%7C1%7C0%7C637806509737370525%7CUnknown%7C
> TWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJX
> VCI6Mn0%3D%7C3000&amp;sdata=ZII30%2FXZ%2Blpgf%2BeQ3lXAeMe2ikNyBE
> XkLXs7VGUSJuQ%3D&amp;reserved=0
> >
> https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.exa
> mple.com%2F.well-
> known%2Fcmp%2FprofileLabel&amp;data=04%7C01%7Chendrik.brockhaus%40
> siemens.com%7C8a6420277bd348c6861b08d9f1a42e6c%7C38ae3bcd95794fd4
> addab42e1495d55a%7C1%7C0%7C637806509737370525%7CUnknown%7CTWF
> pbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6
> Mn0%3D%7C3000&amp;sdata=1FRZmawKgb%2BCC5mxxZ8ENPG9y31Tt5gRxDc
> oRs8xNqI%3D&amp;reserved=0
> >
> > https://eur01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.e
> > xample.com%2F.well-
> known%2Fcmp%2FprofileLabel%2FoperationLabel&amp;dat
> >
> a=04%7C01%7Chendrik.brockhaus%40siemens.com%7C8a6420277bd348c6861
> b08d9
> >
> f1a42e6c%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C6378065097
> 373705
> >
> 25%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiL
> CJBTiI
> >
> 6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=WJtAZ3zVq1fiR%2BtEYtodL
> Hx7Y1Y
> > FND1usqu8sK3kCHM%3D&amp;reserved=0
> >
> > The operational labels for usage with http are further specified in Lightweight
> CMP Profile §6.1 (and for coap see §6.2).
> >    PKI management operations SHOULD use URI paths consisting of '/.well-
> >    known/cmp/' followed by an operation label depending on the type of
> >    PKI management operation.
> >
> >    +============================+=====================+=========+
> >    | PKI management operation   |   operation label   | Details |
> >    +============================+=====================+=========+
> >    | Enroll client to new PKI   |   /initialization   | Section |
> >    |                            |                     | 4.1.1   |
> >    +----------------------------+---------------------+---------+
> >    | Enroll client to existing  |    /certification   | Section |
> >    | PKI                        |                     | 4.1.2   |
> >    +----------------------------+---------------------+---------+
> >    | Update client certificate  |      /keyupdate     | Section |
> >    |                            |                     | 4.1.3   |
> >    +----------------------------+---------------------+---------+
> >    | Enroll client using        |         /p10        | Section |
> >    | PKCS#10                    |                     | 4.1.4   |
> >    +----------------------------+---------------------+---------+
> >    | Revoke client certificate  |     /revocation     | Section |
> >    |                            |                     | 4.2     |
> >    +----------------------------+---------------------+---------+
> >    | Get CA certificates        |     /getcacerts     | Section |
> >    |                            |                     | 4.3.1   |
> >    +----------------------------+---------------------+---------+
> >    | Get root CA certificate    |    /getrootupdate   | Section |
> >    | update                     |                     | 4.3.2   |
> >    +----------------------------+---------------------+---------+
> >    | Get certificate request    | /getcertreqtemplate | Section |
> >    | template                   |                     | 4.3.1   |
> >    +----------------------------+---------------------+---------+
> >    | Get CRL updates            |       /getcrls      | Section |
> >    |                            |                     | 4.3.4   |
> >    +----------------------------+---------------------+---------+
> >    | Batching messages          |       /nested       | Section |
> >    |                            |                     | 5.2.2.2 |
> >    | Note: This path element is |                     |         |
> >    | applicable only between    |                     |         |
> >    | PKI management entities.   |                     |         |
> >    +----------------------------+---------------------+---------+
> >
> >                       Table 1: HTTP endpoints
> >
> > May be I missed something. Could you explain where you see the difference
> between the usage of /.well-known/ in RFC 7030 and in CMP Updates and
> Lightweight CMP Profile or why this approach is not appropriate anymore.
> >
> > Hendrik

v2.23.0 | Report a Bug | By Email