IETF Logo Mail Archive

Re: [Acme] ACME signature mechanics

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 18 December 2014 13:23 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18F351A88AB for <acme@ietfa.amsl.com>; Thu, 18 Dec 2014 05:23:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ZSLXk-q-B_v for <acme@ietfa.amsl.com>; Thu, 18 Dec 2014 05:23:38 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 405241A1EFF for <acme@ietf.org>; Thu, 18 Dec 2014 05:23:38 -0800 (PST)
Received: from [192.168.131.138] ([80.92.123.25]) by mail.gmx.com (mrgmx003) with ESMTPSA (Nemesis) id 0M1F72-1Xm04P1eg4-00tCFK; Thu, 18 Dec 2014 14:23:21 +0100
Message-ID: <5492D548.4010709@gmx.net>
Date: Thu, 18 Dec 2014 14:23:20 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Phillip Hallam-Baker <phill@hallambaker.com>
References: <548FF9E3.1020703@gmail.com> <CAL02cgT9iYqtX2Ui5XQYnj=yeF_QnSkKn-jE0D5d56WMzB5bBg@mail.gmail.com> <CAMm+LwjwG0dPTkByu5WZ_ev3xNxAMwunoc-A_VK4sKPSZXRYDw@mail.gmail.com> <006c01d01a33$2b086890$811939b0$@icloud.com> <CABkgnnWGQarDzpx-3f488OF2w3eyTV1iUr4GWyND+_avRHNZ6w@mail.gmail.com> <004901d01a94$55e9ebe0$01bdc3a0$@icloud.com> <54928827.9030009@gmail.com> <CAMm+Lwifqgt9e_i=froACzGW3bsY05KBiJJFBRJrqJcZrEqN8A@mail.gmail.com> <5492CF1B.7010508@gmx.net> <CAMm+LwgL0j-FjsUv4NSonvHcjJLpSB8JUbNNGmRvyqi37B+K7g@mail.gmail.com>
In-Reply-To: <CAMm+LwgL0j-FjsUv4NSonvHcjJLpSB8JUbNNGmRvyqi37B+K7g@mail.gmail.com>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="009V8A5RG08GmgITIBtESuxJ4UxcQ0DdE"
X-Provags-ID: V03:K0:IMyLq1jtYYhIMuKiiWQueTwbg/PkQz2cpz1Ow0ZYh9DsRstvojd NhocYgm8ObmMlQpUy3aRSS8DP6VroHcbW7pyDlZs5AOMR3HGSEi0NttvGjeiYRkgFQgqW47 eKDY+aiaFyo8b0YYmCXD3txt911IaOGi4hi0VrCQE+FZ/6XcsbRb2YRM4e8Dy0fUa4sXUZG oBZk2ChnNuTGtMSOfU+LA==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/UUyzhXg0gp8PMCQIfw3jKghPQp0
Cc: Richard Barnes <rlb@ipv.sx>, Martin Thomson <martin.thomson@gmail.com>, "acme@ietf.org" <acme@ietf.org>, Trevor Freeman <trevor.freeman99@icloud.com>, Anders Rundgren <anders.rundgren.net@gmail.com>
Subject: Re: [Acme] ACME signature mechanics
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Dec 2014 13:23:41 -0000

Hi Phillip,

we already have a mechanism for issuing certificates to embedded
devices, namely OMA Lightweight M2M. It is already used today.
That specification is a version of the OMA device management protocol
(which is also widely used) but uses different protocols that are more
suitable for the embedded side, such as CoAP and JSON.

Hence, I doubt that this work is something the IoT community is asking for.

Ciao
Hannes

On 12/18/2014 02:17 PM, Phillip Hallam-Baker wrote:
> 
> 
> On Thu, Dec 18, 2014 at 7:56 AM, Hannes Tschofenig
> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
> 
>     Hi Phillip,
> 
>     this statement caught my attention:
> 
>     On 12/18/2014 01:33 PM, Phillip Hallam-Baker wrote:
>     > Minimal TLS stacks for embedded devices don't typically do client auth.
>     > See 'minimal'.
> 
>     It depends what devices you are talking about, for what purpose they use
>     TLS/DTLS, and what the overall design pattern of the device is.
> 
>     With the work we are doing in other working groups, such as DICE, we are
>     trying to give guidance on how to use TLS/DTLS for use with  Internet of
>     Things (=small embedded devices) in an effort to bring more
>     (standardized) security protocols into those devices.
> 
>     With that work we are heavily relying on mutual authentication at the
>     DTLS/TLS level.
> 
>     Ciao
>     Hannes
> 
>     PS: I also don't think that the discussion on this list is relevant to
>     embedded devices.
> 
> 
> Why not? 
> 
> Support for embedded devices and the cloud is the main forcing function
> here. We already have mechanisms that support automated certificate
> management, there are dozens. There is little need for these when a
> customer only has one cert and no need for standardization unless the
> customer has multiple CAs which is very rare except for the very largest
> customers.
> 
> The best justification for making ACME an IETF standard as opposed to
> LetsEncrypt going off and doing their own thing like every CA to date is
> that we want to move to an environment where every device uses TLS all
> the time. Internet of Things and Cloud computing are the two forcing
> factors that make a standardized, automated issue scheme essential. 
> 
> 
> I want to be able to unpack my Nest thermostat, plug it in and have it
> grab a certificate from my local cert issue point as part of the
> mechanism by which I grant it access to my home network.
> 
> This is an application layer protocol. It should have authentication at
> the application layer. The reason TLS client auth isn't very useful is
> that client authentication is an application layer concern, not a
> transport layer concern.
> 
> 
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>

v2.23.0 | Report a Bug | By Email