Re: [Anima] ACE new charter

Daniel Migault <mglt.ietf@gmail.com> Mon, 14 December 2020 17:00 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A204E3A08C5; Mon, 14 Dec 2020 09:00:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.187
X-Spam-Level:
X-Spam-Status: No, score=-0.187 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RVoMFuXcBfac; Mon, 14 Dec 2020 09:00:23 -0800 (PST)
Received: from mail-ua1-x930.google.com (mail-ua1-x930.google.com [IPv6:2607:f8b0:4864:20::930]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31EAB3A08D4; Mon, 14 Dec 2020 09:00:23 -0800 (PST)
Received: by mail-ua1-x930.google.com with SMTP id s23so5679555uaq.10; Mon, 14 Dec 2020 09:00:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=rQAnvdj/QI+sFitpvnp/PZr2uJQyILU7lCsbTiCEuik=; b=tkgAkrBzvSgBcchTUc5FnWdyJdp5pYCuh+9ayQRAGCi3M7ABo9WPsSxyUYt4YByZTV +aKzkiFdKGUFYCzKhlaJtfWHtsSeOFANROL+hoYcrF8Djn6o4g94M3ae8YcMypCVzoNU 9e4VnbxuEBq5otyJ8sn/MSYoHmKS7O25U1hRK7a5BSq0STfWLR754E7xTgviKVXUktTq DpTQWN/l5EBrQ4VxhSDjlkVDTY4OhI6Qqxs0NoD0S7tsxUEfRhkbO4HgJG/ue3XRLscx jcAHXwxynXaMP5Zoel1oQD0xzoPeuyrear8TsIxAcrCmwDVEVVs26/XYHKAl+1bxJfO1 bUlQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rQAnvdj/QI+sFitpvnp/PZr2uJQyILU7lCsbTiCEuik=; b=oa1veA2eX28JQvKE4PgP64lTkfGPZAWJCiTofncllmbLzKS+ZNcPh8iZPAdokfbovW 7Y5BN6OkuGdapsBEd1gmqQDmCCad+k2ANeFp16SNcoAVMQyIxkzqMFXzyaAglV1CrEzy Ls/+wkCe+q2nKfekH6jT1SvH647VT4iUdzWQI953LREF34bYHNA3K+kIeerj6KFEuyqA iN6EW0fIG66dXeSkiMsq+u7C37JIFUTQa6xcRAW0tAZ+YxtjTvW1g7P5uGEqtF0beFc6 vpJICEAWwgjWqV+CR3/Au0TptKOqCZm5/rjuYQJmA3Cv+qnIVf9SM2M75amArfQ5R1Wl gx0A==
X-Gm-Message-State: AOAM531EjkNcDjKkk2sqFGh4x8bY2V7j+LPZ1Wo5fBlj7/mpNieAT/IZ 6NCY87YAzj/j8bayLMSI3xut75875cdtVBFxuefb64kGXrs=
X-Google-Smtp-Source: ABdhPJy6l86p8FhJo2m7g8CO8G3oTyQXjLIBPoHtMwLGg8KRukBUpF6VJBV0GcI8JDRl6D0Ft0rt5dYgGrkiLOA18QI=
X-Received: by 2002:ab0:244f:: with SMTP id g15mr24281731uan.80.1607965222087; Mon, 14 Dec 2020 09:00:22 -0800 (PST)
MIME-Version: 1.0
References: <CADZyTknzZUYFbOwU9YYMHwHm2ZO=8VdAarFMpB6jaTSJ8BMFRQ@mail.gmail.com>
In-Reply-To: <CADZyTknzZUYFbOwU9YYMHwHm2ZO=8VdAarFMpB6jaTSJ8BMFRQ@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 14 Dec 2020 12:00:10 -0500
Message-ID: <CADZyTkmXScnHCvcL9r2Q=AX5SzzhKohhKTzGseiDZa29G421vA@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Ace Wg <ace@ietf.org>, SPASM <spasm@ietf.org>, anima@ietf.org, iotops@ietf.org
Content-Type: multipart/alternative; boundary="000000000000dfb20a05b66f9357"
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/NdDKGMxAF1akxKah1IHxweasoKM>
Subject: Re: [Anima] ACE new charter
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2020 17:00:26 -0000

Hi Ben,

The current proposed charter for ACE is as follows. As soon as the charter
is validated by the IESG, we will start call for adoption - at least for
the CMPv2 and EAP items.


The IESG may find useful that CMPv2 work may also be hosted in LAMPS (which
revisits CMPv2), ANIMA ( which defines CMPv2 as an alternative to EST) or
IOTOPS.

However, the discussion started in LAMPS and it was suggested ACE would be
more appropriated [1] and the current proposed charter has been circulating
on the lamps, anima, iotops mailing list and no concerns have been
raised. We will however make sure , these related WG are informed of our
progress.

EAP work has been coordinated with EMU. In any case, if the work is being
considered in ACE, we will make sure the corresponding WG will follow the
progress.

[1] https://mailarchive.ietf.org/arch/msg/spasm/uyYCf5sMcxg6xoQFcbe1sPxqVLw/

Yours,
Daniel

"""

The Authentication and Authorization for Constrained Environments (ace) WG
has defined a standardized solution framework for authentication and
authorization to enable authorized access to resources identified by a URI
and hosted on a resource server in constrained environments.

The access to the resource is mediated by an authorization server, which is
not considered to be constrained.

Profiles of this framework for application to security protocols commonly
used in constrained environments, including CoAP+DTLS and CoAP+OSCORE, have
also been standardized.  The Working Group is charged with maintenance of
the framework and existing profiles thereof, and may undertake work to
specify profiles of the framework for additional secure communications
protocols and for additional support services providing authorized access
to crypto keys (that are not necessarily limited to constrained endpoints,
though the focus remains on deployment in ecosystems with a substantial
portion of constrained devices).

In addition to the ongoing maintenance work, the Working Group will extend
the framework as needed for applicability to group communications, with
initial focus on (D)TLS and (Group) OSCORE as the underlying group
communication security protocols. The Working Group will standardize
procedures for requesting and distributing group keying material using the
ACE framework as well as appropriated management interfaces.

The Working Group will standardize a format for expressing authorization
information for a given authenticated principal as received from an
authorization manager.

The Working Group will examine how to use Constrained Application Protocol
(CoAP) as a transport medium for certificate enrollment protocols, such as
EST and CMPv2, as well as a transport for authentication protocols such as
EAP, and standardize as needed.
"""

Yours,
Daniel



On Sat, Dec 12, 2020 at 12:37 PM Dan Garcia Carrillo <garciadan@uniovi.es>
wrote:

> Hi Mališa,
>
>
> El 11/12/2020 a las 19:45, Mališa Vučinić escribió:
>
> Hi Dan,
>
>
>
> Thanks for the clarification regarding minimal-security. The points that
> you mention below, e.g. flexible authentication or the fresh generation of
> the PSK, were never in the design scope of our work.
>
>
>
> While I fail to understand what exactly do you plan on using EAP-over-CoAP
> for, I do not object on this work being done in ACE if you are willing to
> spend cycles on it. I do have reservations on the lightweight aspect of
> this, however, considering that the sequence diagram that you depict in
> Fig. 2 in draft-marin-ace-wg-coap-eap-06 spans 3 pages and consumes 2 round
> trips just to get things started! Surely, we can do better?
>
> Yes, we will submit an updated version of the draft.
>
> Best Regards,
>
> Dan
>
>
>
> Mališa
>
>
>
> *From: *Dan Garcia Carrillo <garciadan@uniovi.es> <garciadan@uniovi.es>
> *Date: *Friday 11 December 2020 at 18:41
> *To: *Mališa Vučinić <malisa.vucinic@inria.fr>, Michael Richardson
> <mcr+ietf@sandelman.ca> <mcr+ietf@sandelman.ca>, EMU WG <emu@ietf.org>
> <emu@ietf.org>, "core@ietf.org WG (core@ietf.org)"
> <core@ietf.orgWG(core@ietf.org)> <core@ietf.org> <core@ietf.org>,
> "ace@ietf.org" <ace@ietf.org> <ace@ietf.org> <ace@ietf.org>
> *Cc: *<garciadan@uniovi.es> <garciadan@uniovi.es>
> *Subject: *Re: [core] [Ace] Proposed charter for ACE (EAP over CoAP?)
>
>
>
> Hi Mališa,
>
> My intention was not to turn this conversation into a criticism of your
> work. “deficiencies” was not the most appropriate word.
>
> What we had in mind was a way of providing authentication  to the variety
> of IoT devices with different capabilities, limitations or different types
> of supported credentials. A way of doing that is to provide different
> authentication methods. Since in IoT there are different technologies we
> looked for a link-layer independent solution. Additionally, since some
> technologies are very constrained, we needed a very constrained protocol to
> carry out the process.
>
> EAP provides flexible authentication, and it has EAP Key Management
> Framework which is well specified and working for many years, from which
> you can generate generate a fresh pre-shared key (MSK) dynamically. This is
> even possible if you do not want to interact with AAA infrastructures
> running EAP in standalone mode.  Having said this, another thing that we
> looked into was to give support to large scale deployments. We can ease
> this process with EAP and its interaction with a AAA infrastructure, which
> gains relevance in Industrial IoT and 5G.
>
> All these characteristics can be provided by the use of EAP, if we of
> course have a lightweight EAP lower layer to transport EAP from the IoT
> device. Then we considered the usage of CoAP as EAP lower-layer.
>
> In this sense, we saw minimal security did not fit our view (no potential
> interaction with AAA , flexible authentication, fresh generation of PSK).
> In fact,  the provisioning of the PSK was out of scope.
>
> At some level, we could even consider the work complementary. EAP over
> CoAP could be a way of providing the PSK for the work of minimal security.
>
>
> Best Regards,
> Dan.
>
> El 10/12/2020 a las 18:43, Mališa Vučinić escribió:
>
> Hi Dan,
>
>
>
> Could you be more specific on the point below, what deficiencies do you
> have in mind?
>
>
>
> Mališa
>
>
>
> *From: *core <core-bounces@ietf.org> <core-bounces@ietf.org> on behalf of
> Dan Garcia <garciadan@uniovi.es> <garciadan@uniovi.es>
> *Date: *Thursday 10 December 2020 at 10:06
> *To: *Michael Richardson <mcr+ietf@sandelman.ca> <mcr+ietf@sandelman.ca>,
> EMU WG <emu@ietf.org> <emu@ietf.org>, "core@ietf.org WG (core@ietf.org)"
> <core@ietf.orgWG(core@ietf.org)> <core@ietf.org> <core@ietf.org>,
> "ace@ietf.org" <ace@ietf.org> <ace@ietf.org> <ace@ietf.org>
> *Subject: *Re: [core] [Ace] Proposed charter for ACE (EAP over CoAP?)
>
>
>
> As you comment , draft-ietf-6tisch-minimal-security - offers minimal
> security and has several deficiencies that can be solved by using EAP and
> AAA infrastructures.
>
> -->
>
> -->_______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
>


-- 
Daniel Migault
Ericsson

On Mon, Dec 7, 2020 at 1:22 PM Daniel Migault <mglt.ietf@gmail.com> wrote:

> Hi,
>
> The ACE WG though you might be interested in knowing that the current ACE
> charter considers, among other things, working on CMPv2 over CoAP. The
> current charter can be found here [1].
> If you think the work should be done in another WG, please let us know
> before Friday December 11, so we can move the charter forward.
>
> Yours,
> Daniel
>
> [1]
> https://docs.google.com/document/d/1RtxUSvUeBdZWoQkjSj2c3DtR8DuBwPM2BnBXhoDiptY/edit?usp=sharing
>
> --
> Daniel Migault
> Ericsson
>


-- 
Daniel Migault
Ericsson