Re: [Ace] Certificate processing for MQTT
Cigdem Sengul <cigdem.sengul@gmail.com> Thu, 05 December 2019 10:42 UTC
Return-Path: <cigdem.sengul@gmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B56E1200FF; Thu, 5 Dec 2019 02:42:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dh74B-yUmd8V; Thu, 5 Dec 2019 02:42:03 -0800 (PST)
Received: from mail-qt1-x82d.google.com (mail-qt1-x82d.google.com [IPv6:2607:f8b0:4864:20::82d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54A14120026; Thu, 5 Dec 2019 02:42:03 -0800 (PST)
Received: by mail-qt1-x82d.google.com with SMTP id p5so3030698qtq.12; Thu, 05 Dec 2019 02:42:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=n12xqTVWTj/TIX7MS7XSOSO/M/arrZLn02pajxjXcz4=; b=qss+5EQCnvoyY1eYuHMTMmdD00bkTmYIxLSCoTs3Dw4eyBFDn2OkSoB5NPtfaQibTY wNUzovc84S7HIEXi9qyvVkb2YGJVap3XoddV9Mv/7pHN8uyXOjZjgJ8BconKzvJz9157 wmjRYJjzOTS4ASn32dklw06E+qwzT8JXlzSxftnOBiTZ3xM2uAUumv6xTrP3SmwiEV+2 UD5R3oSjhjmW0HnUCDQJSfsSSYDCuOendBLirwvZdpqi6Yu4H9d/EeFN4C6oWCvC4bY5 TiZL0rzAtr1LtlLLNFGsjsYk9xxltRf80k9/LC5fC0y8vLENfoED4Hh5DKf1S4ni7Xgo y1pg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=n12xqTVWTj/TIX7MS7XSOSO/M/arrZLn02pajxjXcz4=; b=pu6LUsAMBF4vG69XCbo2ffFsXX5ClJ0WWM7qwK9C0RApFmeK9YVWwHTLIIrYmnohhU ojuj3EwsFX2fjVleAvFB29HvUZb1lPbpw8XeFwX5Oet2eGrlLEyMWRE6EILrLZkVoyZs XKd8OJ3U+2O0+pvqF5uVf0EiPDMUjijPXjbLr9OrzqCXAGwZso0ex1uQwEXUH+SLxYdu 8wdsC9G2MecNG9o3rcT2CP+Q2VY7E8TBcEnOKTAsKCareJyeEImhdbDz4A3B6F/3/ZEL 3/Oky6duZC56aKYVu6PJCn0NRNJr7gHgUe6cCSB4ugABLITN29E6OBcpoYabt5i5K6y6 NTyA==
X-Gm-Message-State: APjAAAUPJXfwnT5fCAm8lqEvGfVqs/L9at66Bp2GVf/VYlfrP8lGla1k mMoh0LdjtczckpAv1D83D96TmbTPRW3kZTnWXBWAmOalqD0=
X-Google-Smtp-Source: APXvYqz/mS9JfP1i3HxtX6puwVE0pTOqJ2xQ6XFjG3G9STPaDMl24pn00xGITkun7bRvZLf6eTFd8TwcyoZTCyq0Uf4=
X-Received: by 2002:aed:2047:: with SMTP id 65mr6973338qta.78.1575542522365; Thu, 05 Dec 2019 02:42:02 -0800 (PST)
MIME-Version: 1.0
References: <02c101d5ab33$f89d5540$e9d7ffc0$@augustcellars.com>
In-Reply-To: <02c101d5ab33$f89d5540$e9d7ffc0$@augustcellars.com>
From: Cigdem Sengul <cigdem.sengul@gmail.com>
Date: Thu, 05 Dec 2019 10:41:51 +0000
Message-ID: <CAA7SwCMvDSMf2Wg511mo1aJif8YVoOVSoYjZzf1SB8+HFRF-aA@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>
Cc: draft-ietf-ace-mqtt-tls-profile@ietf.org, Ace Wg <ace@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005fcad20598f294b1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/yohI0FGcBbqqR3yjXHzjv-ZB-8U>
Subject: Re: [Ace] Certificate processing for MQTT
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2019 10:42:05 -0000
Hello Jim, Thank you for your email. I am in the process of revising the document for the December update agreed in Singapore, so these comments are extremely helpful. Comments are inline. On Thu, Dec 5, 2019 at 6:19 AM Jim Schaad <ietf@augustcellars.com> wrote: > I got to the point of needing to start producing and validating > certificates > for MQTT and started running into some questions as well as starting to > pickup some odd information that this document does not point to. > > 1. Should probably reference the mqtt(s) URI scheme, I am however somewhat > irritated that it is not a registered scheme with IANA. > Indeed, we used MQTT over TLS to mean MQTTS, though it is not mentioned explicitly in the MQTT v5 OASIS spec, but here: https://github.com/mqtt/mqtt.github.io/wiki/URI-Scheme Do you suggest we reference this? The latest I know: "The URI scheme has been discussed by the technical committee a few times. The proposal was to produce a committee note rather than make it a formal part of the spec." based on this - https://github.com/mqtt/mqtt.github.io/issues/41 I will see if I can find more information from OASIS. 2. Has OASIS done anything sort of document for certificate validation. As > an example is there an OID defined for extended key usage? > This is what is mentioned in the MQTT v5 for authenticating the AS with a certificate: "Implementations providing MQTT service for multiple hostnames from a single IP address should be aware of the Server Name Indication extension to TLS defined in section 3 of [RFC6066] <https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html#RFC6066>. This allows a Client to tell the Server the hostname of the server it is trying to connect to." I also found the following information when first writing the draft: https://www.oasis-open.org/committees/download.php/50161/X-MQTT-Security.txt that goes into some detail but did not cite it because it did not look official. However, it at least mentions things like TLS versions and certificate types. > > 3. What should be said about matching data in the response from the AS and > the certificate. What should be said about matching for raw public keys. > I > think that later is easy as it should just match the rs_cnf returned from > the AS, but I don't know what should be said for certificates. > At the moment I have the following text: The Broker MUST be authenticated during TLS handshake. If the Client authentication included TLS:Known(RPK/PSK), then the Broker is authenticated using the respective method. For the other Client Authentication cases, to authenticate the Broker, the client MAY either have the ability to receive and validate a server-side certificate or an RPK from the Broker checked against the 'rs_cnf' parameter in the token. The reason why I did not go into more detail for TLS/certificate use on the server-side, was because MQTT OASIS standard recommends it but does not go into detail (as discussed in the previous points). And my experience with mqtt brokers that they define how to set it up in their config pages: e.g., HiveMQ with BoringSSL https://www.hivemq.com/docs/4.2/hivemq/security.html (HiveMQ is what Edinburgh colleagues are implementing ACE mqtt-tls profile with now). or Mosquitto with OpenSSL https://mosquitto.org/man/mosquitto-conf-5.html https://mosquitto.org/man/mosquitto-tls-7.html My assumption was that for MQTT developers who have opted for a certain MQTT implementation and want to use server-side certificates, they would continue configuring the server-side TLS as they always do, and then use the ACE plugin to do the client authentication/authorisation. > > 4. With the definition of some guidance in COSE, should there be a field > for doing certificates in the rs_cnf - returning a fingerprint not the > entire certificate. > This is interesting - do you mean working with this draft: https://tools.ietf.org/html/draft-ietf-cose-x509-04 Thanks, --Cigdem > > Jim > > > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace >
- [Ace] Certificate processing for MQTT Jim Schaad
- Re: [Ace] Certificate processing for MQTT Cigdem Sengul
- Re: [Ace] Certificate processing for MQTT Jim Schaad