Re: [Acme] ACME signature mechanics
Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 18 December 2014 13:23 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18F351A88AB for <acme@ietfa.amsl.com>; Thu, 18 Dec 2014 05:23:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ZSLXk-q-B_v for <acme@ietfa.amsl.com>; Thu, 18 Dec 2014 05:23:38 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 405241A1EFF for <acme@ietf.org>; Thu, 18 Dec 2014 05:23:38 -0800 (PST)
Received: from [192.168.131.138] ([80.92.123.25]) by mail.gmx.com (mrgmx003) with ESMTPSA (Nemesis) id 0M1F72-1Xm04P1eg4-00tCFK; Thu, 18 Dec 2014 14:23:21 +0100
Message-ID: <5492D548.4010709@gmx.net>
Date: Thu, 18 Dec 2014 14:23:20 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Phillip Hallam-Baker <phill@hallambaker.com>
References: <548FF9E3.1020703@gmail.com> <CAL02cgT9iYqtX2Ui5XQYnj=yeF_QnSkKn-jE0D5d56WMzB5bBg@mail.gmail.com> <CAMm+LwjwG0dPTkByu5WZ_ev3xNxAMwunoc-A_VK4sKPSZXRYDw@mail.gmail.com> <006c01d01a33$2b086890$811939b0$@icloud.com> <CABkgnnWGQarDzpx-3f488OF2w3eyTV1iUr4GWyND+_avRHNZ6w@mail.gmail.com> <004901d01a94$55e9ebe0$01bdc3a0$@icloud.com> <54928827.9030009@gmail.com> <CAMm+Lwifqgt9e_i=froACzGW3bsY05KBiJJFBRJrqJcZrEqN8A@mail.gmail.com> <5492CF1B.7010508@gmx.net> <CAMm+LwgL0j-FjsUv4NSonvHcjJLpSB8JUbNNGmRvyqi37B+K7g@mail.gmail.com>
In-Reply-To: <CAMm+LwgL0j-FjsUv4NSonvHcjJLpSB8JUbNNGmRvyqi37B+K7g@mail.gmail.com>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="009V8A5RG08GmgITIBtESuxJ4UxcQ0DdE"
X-Provags-ID: V03:K0:IMyLq1jtYYhIMuKiiWQueTwbg/PkQz2cpz1Ow0ZYh9DsRstvojd NhocYgm8ObmMlQpUy3aRSS8DP6VroHcbW7pyDlZs5AOMR3HGSEi0NttvGjeiYRkgFQgqW47 eKDY+aiaFyo8b0YYmCXD3txt911IaOGi4hi0VrCQE+FZ/6XcsbRb2YRM4e8Dy0fUa4sXUZG oBZk2ChnNuTGtMSOfU+LA==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/UUyzhXg0gp8PMCQIfw3jKghPQp0
Cc: Richard Barnes <rlb@ipv.sx>, Martin Thomson <martin.thomson@gmail.com>, "acme@ietf.org" <acme@ietf.org>, Trevor Freeman <trevor.freeman99@icloud.com>, Anders Rundgren <anders.rundgren.net@gmail.com>
Subject: Re: [Acme] ACME signature mechanics
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Dec 2014 13:23:41 -0000
Hi Phillip, we already have a mechanism for issuing certificates to embedded devices, namely OMA Lightweight M2M. It is already used today. That specification is a version of the OMA device management protocol (which is also widely used) but uses different protocols that are more suitable for the embedded side, such as CoAP and JSON. Hence, I doubt that this work is something the IoT community is asking for. Ciao Hannes On 12/18/2014 02:17 PM, Phillip Hallam-Baker wrote: > > > On Thu, Dec 18, 2014 at 7:56 AM, Hannes Tschofenig > <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote: > > Hi Phillip, > > this statement caught my attention: > > On 12/18/2014 01:33 PM, Phillip Hallam-Baker wrote: > > Minimal TLS stacks for embedded devices don't typically do client auth. > > See 'minimal'. > > It depends what devices you are talking about, for what purpose they use > TLS/DTLS, and what the overall design pattern of the device is. > > With the work we are doing in other working groups, such as DICE, we are > trying to give guidance on how to use TLS/DTLS for use with Internet of > Things (=small embedded devices) in an effort to bring more > (standardized) security protocols into those devices. > > With that work we are heavily relying on mutual authentication at the > DTLS/TLS level. > > Ciao > Hannes > > PS: I also don't think that the discussion on this list is relevant to > embedded devices. > > > Why not? > > Support for embedded devices and the cloud is the main forcing function > here. We already have mechanisms that support automated certificate > management, there are dozens. There is little need for these when a > customer only has one cert and no need for standardization unless the > customer has multiple CAs which is very rare except for the very largest > customers. > > The best justification for making ACME an IETF standard as opposed to > LetsEncrypt going off and doing their own thing like every CA to date is > that we want to move to an environment where every device uses TLS all > the time. Internet of Things and Cloud computing are the two forcing > factors that make a standardized, automated issue scheme essential. > > > I want to be able to unpack my Nest thermostat, plug it in and have it > grab a certificate from my local cert issue point as part of the > mechanism by which I grant it access to my home network. > > This is an application layer protocol. It should have authentication at > the application layer. The reason TLS client auth isn't very useful is > that client authentication is an application layer concern, not a > transport layer concern. > > > _______________________________________________ > Acme mailing list > Acme@ietf.org > https://www.ietf.org/mailman/listinfo/acme >
- [Acme] ACME signature mechanics Manger, James
- Re: [Acme] ACME signature mechanics Richard Barnes
- Re: [Acme] ACME signature mechanics Manger, James
- Re: [Acme] ACME signature mechanics Richard Barnes
- Re: [Acme] ACME signature mechanics Anders Rundgren
- Re: [Acme] ACME signature mechanics Richard Barnes
- Re: [Acme] ACME signature mechanics Anders Rundgren
- Re: [Acme] ACME signature mechanics Anders Rundgren
- Re: [Acme] ACME signature mechanics Nico Williams
- Re: [Acme] ACME signature mechanics Nico Williams
- Re: [Acme] ACME signature mechanics Anders Rundgren
- Re: [Acme] ACME signature mechanics Phillip Hallam-Baker
- Re: [Acme] ACME signature mechanics Nico Williams
- [Acme] Integrated with CSR. Re: ACME signature me… Anders Rundgren
- Re: [Acme] ACME signature mechanics Trevor Freeman
- Re: [Acme] ACME signature mechanics Martin Thomson
- Re: [Acme] ACME signature mechanics Phillip Hallam-Baker
- Re: [Acme] ACME signature mechanics Phillip Hallam-Baker
- Re: [Acme] ACME signature mechanics Nico Williams
- Re: [Acme] ACME signature mechanics Phillip Hallam-Baker
- Re: [Acme] ACME signature mechanics Nico Williams
- Re: [Acme] ACME signature mechanics Phillip Hallam-Baker
- Re: [Acme] ACME signature mechanics Trevor Freeman
- Re: [Acme] ACME signature mechanics Anders Rundgren
- Re: [Acme] ACME signature mechanics Anders Rundgren
- Re: [Acme] ACME signature mechanics Anders Rundgren
- Re: [Acme] ACME signature mechanics Phillip Hallam-Baker
- Re: [Acme] ACME signature mechanics Phillip Hallam-Baker
- Re: [Acme] ACME signature mechanics Hannes Tschofenig
- Re: [Acme] ACME signature mechanics Hannes Tschofenig
- Re: [Acme] ACME signature mechanics Phillip Hallam-Baker
- Re: [Acme] ACME signature mechanics Hannes Tschofenig
- Re: [Acme] ACME signature mechanics Anders Rundgren
- Re: [Acme] ACME signature mechanics Trevor Freeman
- Re: [Acme] ACME signature mechanics Phillip Hallam-Baker
- Re: [Acme] ACME signature mechanics Anders Rundgren
- Re: [Acme] ACME signature mechanics Anders Rundgren
- Re: [Acme] ACME signature mechanics Martin Thomson
- Re: [Acme] ACME signature mechanics Anders Rundgren