Re: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt

Esko Dijk <> Mon, 20 May 2019 06:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2236C120134; Sun, 19 May 2019 23:31:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cIdHJEdGCs5i; Sun, 19 May 2019 23:31:30 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E5082120041; Sun, 19 May 2019 23:31:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-iotconsultancynl-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Bg4xAMWbTc7q0HoeoGDXyEIsxiRWOHqHlg0hFuqCZF0=; b=zAREjpboMY0aTi0hW7Hl8mwkmZxNZp0DyAbUwC7syaMgWBWuvNOvzFCpdMp62wGZZB1XhO2NTuO1PAAPls524Psk/w3MLNzoxZqmLvjKcXtvQE/ktWVJXdmoZB0KXw6zs7ChesrvszCC6VomYuw8yASoH7L3WTwnh0kwQz3eYTw=
Received: from DB6P190MB0054.EURP190.PROD.OUTLOOK.COM ( by DB6P190MB0149.EURP190.PROD.OUTLOOK.COM ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1900.18; Mon, 20 May 2019 06:31:25 +0000
Received: from DB6P190MB0054.EURP190.PROD.OUTLOOK.COM ([fe80::c46d:5ae5:fe3e:ca20]) by DB6P190MB0054.EURP190.PROD.OUTLOOK.COM ([fe80::c46d:5ae5:fe3e:ca20%8]) with mapi id 15.20.1900.020; Mon, 20 May 2019 06:31:25 +0000
From: Esko Dijk <>
To: "Panos Kampanakis (pkampana)" <>, "" <>
CC: "" <>
Thread-Topic: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt
Thread-Index: AQHVDMWjkc1/UB/X3EaGxntG4OXylKZvcuOAgAQcGnA=
Date: Mon, 20 May 2019 06:31:25 +0000
Message-ID: <DB6P190MB005480059C7AC6C165475F7CFD060@DB6P190MB0054.EURP190.PROD.OUTLOOK.COM>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US, nl-NL
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3e656467-ec67-4952-37fe-08d6dcecc883
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(7168020)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:DB6P190MB0149;
x-ms-traffictypediagnostic: DB6P190MB0149:
x-ms-exchange-purlcount: 6
x-microsoft-antispam-prvs: <DB6P190MB0149778F77A9002A7DC3533AFD060@DB6P190MB0149.EURP190.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-forefront-prvs: 004395A01C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(376002)(366004)(39830400003)(396003)(136003)(53754006)(13464003)(189003)(199004)(14454004)(74482002)(74316002)(446003)(11346002)(6246003)(26005)(186003)(2906002)(53936002)(25786009)(86362001)(8676002)(81156014)(81166006)(8936002)(7736002)(229853002)(476003)(305945005)(486006)(4326008)(44832011)(55236004)(508600001)(52536014)(76176011)(71200400001)(71190400001)(6116002)(6506007)(6436002)(3846002)(53546011)(102836004)(2501003)(7696005)(110136005)(316002)(66556008)(64756008)(256004)(14444005)(6306002)(966005)(33656002)(99286004)(66574012)(5660300002)(66476007)(9686003)(66446008)(55016002)(76116006)(66066001)(68736007)(73956011)(66946007); DIR:OUT; SFP:1102; SCL:1; SRVR:DB6P190MB0149; H:DB6P190MB0054.EURP190.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: JN6D+cF/QNZtgeWx+G1VrEiJotx3dXTBRRyBAYOpHgQHD4i025ShYkRqu0Cf6sMDAqNpxyzGfG37G8y4dT6RZcEJVtzVMNfsQswIGir2nQYBOcbT4D0QfXUBYt/ExD0qczb58/V4VALXCOVTPITLlPgRdVov5LnCHMgb9F1fCxJFwr4em6a8lbCx6WGIZjaOLwOZzHZyghz/BiKbyX5IQMJqDs5IIbkDeYT1pJW+ABzUoVtjWC6YFCIUMjAN7h18mg/EKmED9nRZzksfbJBf/Ag7jgfkdqXMs9A0GX4tyDtzyMj3s5MqJaQKH/QXE45Ds94jMggDF26fvWZvSrT2yFjVir+Uv26Swokh7ark+1SH2uhKaH2JEvNIJrN2riD9wb/zml3Xc1VM1LWH9F0jrl1LvG46cznG0ULXarVzatQ=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 3e656467-ec67-4952-37fe-08d6dcecc883
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 May 2019 06:31:25.2658 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6P190MB0149
Archived-At: <>
Subject: Re: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 20 May 2019 06:31:33 -0000


A few comments I had still on the discovery section - sorry to be late post-WGLC with this:

- page 10 bottom mentions "management data" - should say "management resources", or "EST resources" perhaps?
- page 10 bottom: " Upon success, the return payload will contain the root resource of the EST resources." - this is not true, since only the individual supported resources are returned. The root (e.g. "/est" in the examples) can be deduced from the response but it is never returned as one link format entry.
- page 11 top: the example is only correct for a secure (coaps://) discovery GET request, I think this could be mentioned in text or indicated in the request line.
- page 11 bottom requirement: " The client SHOULD use resource discovery when he is unaware of the available  EST-coaps resources." - when an EST server is known, this requirement does not really apply since the server always supports .well-known EST resources.  So I read it as doing an RD discovery or multicast CoAP discovery if the client doesn't known the EST server address.  Hope this is clear enough in the text and intended?
- page 11 bottom: "he supports" -> "it supports"
- page 11 bottom: " It is up to the implementation to choose its resource paths” -> seems not really the case, because the root resource structure is forced by the specification. It could have been designed as free choice (because it can be discovered anyway) but it is not.

Best regards

-----Original Message-----
From: Ace <>; On Behalf Of Panos Kampanakis (pkampana)
Sent: Friday, May 17, 2019 17:36
Subject: Re: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt

Hi all, 

This latest update addresses feedback while in WGLC" 
- the comments by Hannes and Esko related to RNG and server-side key gen. It aims to prevent misunderstandings that random numbers are not needed any more if server-side key gen is used. 
- the nits with "/crt" instead of "/crts" pointed out by Esko. 

The diff is here 


-----Original Message-----
From: Ace <>; On Behalf Of
Sent: Friday, May 17, 2019 11:31 AM
Subject: [Ace] I-D Action: draft-ietf-ace-coap-est-11.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Authentication and Authorization for Constrained Environments WG of the IETF.

        Title           : EST over secure CoAP (EST-coaps)
        Authors         : Peter van der Stok
                          Panos Kampanakis
                          Michael C. Richardson
                          Shahid Raza
	Filename        : draft-ietf-ace-coap-est-11.txt
	Pages           : 48
	Date            : 2019-05-17

   Enrollment over Secure Transport (EST) is used as a certificate
   provisioning protocol over HTTPS.  Low-resource devices often use the
   lightweight Constrained Application Protocol (CoAP) for message
   exchanges.  This document defines how to transport EST payloads over
   secure CoAP (EST-coaps), which allows constrained devices to use
   existing EST functionality for provisioning certificates.

The IETF datatracker status page for this draft is:

There are also htmlized versions available at:

A diff from the previous version is available at:

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at

Internet-Drafts are also available by anonymous FTP at:

Ace mailing list

Ace mailing list