Re: [Anima-bootstrap] [Anima] Voucher signing method

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 26 April 2017 15:36 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: consultancy@vanderstok.org
cc: "Max Pritikin \(pritikin\)" <pritikin@cisco.com>, anima-bootstrap@ietf.org, anima@ietf.org
In-reply-to: <5b19d45c2e756292e6ae85bd2dc00ea1@xs4all.nl>
References: <AD8F4360-02A4-4F22-9695-5A5CF2F6F8F0@cisco.com> <5b19d45c2e756292e6ae85bd2dc00ea1@xs4all.nl>
Comments: In-reply-to peter van der Stok <stokcons@xs4all.nl> message dated "Wed, 19 Apr 2017 09:01:04 +0200."
Date: Wed, 26 Apr 2017 11:36:34 -0400
Message-ID: <3764.1493220994@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima-bootstrap/0kpimepEjHpyui1FAcrgD-FHBRY>

peter van der Stok <stokcons@xs4all.nl> wrote:
    > thanks for the examples.  During IETF98, I was the one to speak up in
    > favour of #pkcs7; One reason only: It is transported by EST that is
    > used by BRSKI.  All the code is already present.  Doing JWS/COSE or
    > JWT/CWT needs additional code.  I am sensitive to the payload size
    > argument though.

I disagree with your argument.

a) it's not TLS even if TLS has to do many similar things.  The TLS data
   packet/frame format is not just a series of PKCS7 payloads...
   So for many implementers, it means reaching down into their PKIX library
   and learning new things.  For some, this may mean switching TLS libraries.
   There is work there for the developers.
   {I've been down this path, which is how I produced the PKCS7 object Max
   decoded}

   Also, if on the client, one has an ASN1-free (or very lite) RPK TLS
   implementation, I think that one can implement BRSKI while short-cutting
   much of the ASN1 parsing that EST appears to need.

b) if you replace DTLS with OSCOAP, then the argument goes in the other
   direction.

c) On the Registrar level, the TLS may well be done in the framework, or
    in an entirely different process [That in itself is a challenge].
    This is because the TLS is done at the web load balancer level, while
    the application code runs inside an application code (django, rails,
    j2ee, node.js) framework.

d) Ditto for the MASA.

    > But, suppose the JWS or JWT is adopted to reduce the payload, where
    > will the optimizations stop?  Will you envisage to optimize the EST
    > payloads as well?

Not in BRSKI as produced by ANIMA.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
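The "PKCS7 object Max decoded" that the thread argues about is a CMS SignedData wrapper around a JSON voucher. The script below is an added example, not code from this thread or from any BRSKI implementation: it builds a self-signed EC P-256 certificate standing in for the MASA, signs a constructed voucher with `openssl cms`, verifies it against that certificate (and shows the rejection when the trust anchor is a different, "rogue" certificate), measures how many bytes the CMS framing adds on top of the raw JSON, and dumps the ASN.1 structure a pledge's PKIX library has to walk. The file names, the `example-masa`/`rogue-masa` subjects and the voucher contents are assumptions for illustration only; the voucher JSON is loosely modelled on RFC 8366 field names and is not a conformant voucher.

```shell
#!/bin/sh
# Added example (not from the thread): sign a constructed voucher as
# CMS/PKCS#7 SignedData with the openssl CLI, verify it against the MASA
# certificate, and measure the signing overhead. All file names, subjects
# and the voucher contents are assumptions for illustration only.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed EC P-256 certificate acting as a signer: $1 = name, $2 = CN.
make_signer() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  openssl req -new -x509 -key "$WORK/$1.key" -out "$WORK/$1.crt" \
    -days 1 -subj "/CN=$2"
}

# Constructed voucher body (JSON, loosely modelled on RFC 8366 field names).
write_voucher() {
  cat > "$WORK/voucher.json" <<'EOF'
{"ietf-voucher:voucher":{"created-on":"2017-04-26T15:36:34Z","assertion":"logged","serial-number":"JADA123456789","pinned-domain-cert":"base64-of-registrar-cert-goes-here"}}
EOF
}

# Sign voucher.json as DER-encoded CMS SignedData with the content embedded
# (-nodetach) so the pledge receives one self-contained object. The MASA
# certificate is included in the SignedData so the pledge can build a chain.
sign_voucher() {
  openssl cms -sign -binary -nodetach -md sha256 \
    -in "$WORK/voucher.json" -signer "$WORK/masa.crt" -inkey "$WORK/masa.key" \
    -outform DER -out "$WORK/voucher.cms"
}

# Verify the CMS object against trust anchor $1.crt and write the recovered
# voucher to $WORK/$2. Prints "ok" or "fail" instead of aborting so the
# negative case (wrong trust anchor) can be exercised too.
verify_voucher() {
  if openssl cms -verify -binary -inform DER -in "$WORK/voucher.cms" \
       -CAfile "$WORK/$1.crt" -out "$WORK/$2" 2>/dev/null; then
    echo ok
  else
    echo fail
  fi
}

# Bytes the CMS wrapper (SignerInfo, signed attributes, embedded cert,
# DER framing) adds on top of the raw voucher.
cms_overhead() {
  echo $(( $(wc -c < "$WORK/voucher.cms") - $(wc -c < "$WORK/voucher.json") ))
}

make_signer masa example-masa
make_signer rogue rogue-masa
write_voucher
sign_voucher
echo "overhead: $(cms_overhead) bytes over a $(wc -c < "$WORK/voucher.json")-byte voucher"
echo "verify with MASA cert:  $(verify_voucher masa recovered.json)"
echo "verify with rogue cert: $(verify_voucher rogue rejected.json)"
# The ASN.1 structure a pledge's PKIX/CMS library has to parse:
openssl cms -cmsout -print -inform DER -in "$WORK/voucher.cms"
```

The overhead figure is what the payload-size argument in the thread is about: with an embedded P-256 certificate and signed attributes the CMS wrapper is several hundred bytes larger than the JSON it protects, which is the cost a JWS or COSE encoding would try to cut. The rogue-certificate check is the part that matters for security: a pledge must verify the SignedData against a MASA trust anchor it already holds, not merely parse the certificate the MASA chose to embed.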