IETF Logo Mail Archive

Re: [Atlas] Application Transport LAyer Security (ATLAS) Charter Text

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Wed, 31 January 2018 17:01 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: atlas@ietfa.amsl.com
Delivered-To: atlas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD548131891 for <atlas@ietfa.amsl.com>; Wed, 31 Jan 2018 09:01:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MgnfrFq8D2Br for <atlas@ietfa.amsl.com>; Wed, 31 Jan 2018 09:01:51 -0800 (PST)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0052.outbound.protection.outlook.com [104.47.0.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02EA412D869 for <Atlas@ietf.org>; Wed, 31 Jan 2018 09:01:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=dNeiKmzqeSdp8VtCFBrMvo6nsZqx5S0YH8LSxzGYn84=; b=FqHiJozZYQj3Q1rucCymop7I/g2zRVej1W/wLhdJPv/zf7k1hIXndoELEEAW0cDZBsncSc7PisYAlPlp5WtWfZ7TOpudONsIsdaVtwHrUbwqHozxbDmiPh1/j4CLmB15h6jLGdQxAqMIquCAXMNs4gFUskJCxkZEaK3jJ/KGPqE=
Received: from AM4PR0801MB2706.eurprd08.prod.outlook.com (10.167.90.148) by AM4PR0801MB1490.eurprd08.prod.outlook.com (10.168.5.140) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.444.14; Wed, 31 Jan 2018 17:01:03 +0000
Received: from AM4PR0801MB2706.eurprd08.prod.outlook.com ([fe80::b863:80d:692b:e64b]) by AM4PR0801MB2706.eurprd08.prod.outlook.com ([fe80::b863:80d:692b:e64b%14]) with mapi id 15.20.0444.016; Wed, 31 Jan 2018 17:01:04 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Abhijan Bhattacharyya <abhijan.bhattacharyya@tcs.com>, "Atlas@ietf.org" <Atlas@ietf.org>
Thread-Topic: [Atlas] Application Transport LAyer Security (ATLAS) Charter Text
Thread-Index: AQHTmoudAYJBDpybZkaxdIBZCCIMsaOOGVWQ
Date: Wed, 31 Jan 2018 17:01:03 +0000
Message-ID: <AM4PR0801MB2706A1B1B8ADC5BBF1E8967FFAFB0@AM4PR0801MB2706.eurprd08.prod.outlook.com>
References: <OF24348B03.E06D1C0A-ON65258226.00420284-65258226.00423E0A@tcs.com>
In-Reply-To: <OF24348B03.E06D1C0A-ON65258226.00420284-65258226.00423E0A@tcs.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.119.5]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM4PR0801MB1490; 7:28A6EH0pJoo5h8Xa6phBX1kln3Q7ACQ3+tEqz4u+LOifPi6ke65UXQM6W5Og5igZqChH7x8SFkIkK3O242B2qk2Jrxy81zNGMFms2qC0zN7WGnMo1+ZqDplAYHL3MqLHui+m1ytlZu6LWGQOnvJIuTejzH3WYvXoJCg1U9H8nVpqcGPa688K7rhcQYmm3GxwtAKRp8jmP5vIYc9orR/sZT7/okF+/LV8+lvLmms21u+6gerNsBbfUhzUnRo2oNIo
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: d84ce5ad-ce86-41f6-b477-08d568cc3683
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(48565401081)(5600026)(4604075)(3008032)(2017052603307)(7153060)(7193020); SRVR:AM4PR0801MB1490;
x-ms-traffictypediagnostic: AM4PR0801MB1490:
x-microsoft-antispam-prvs: <AM4PR0801MB1490847EA739985398CE97C4FAFB0@AM4PR0801MB1490.eurprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(192374486261705)(80129823123378)(114017886912203)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040501)(2401047)(8121501046)(5005006)(10201501046)(3231101)(2400082)(944501161)(93006095)(93001095)(3002001)(6055026)(6041288)(20161123564045)(20161123558120)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(6072148)(201708071742011); SRVR:AM4PR0801MB1490; BCL:0; PCL:0; RULEID:; SRVR:AM4PR0801MB1490;
x-forefront-prvs: 056929CBB8
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39380400002)(366004)(376002)(396003)(39860400002)(346002)(40434004)(189003)(199004)(110136005)(229853002)(25786009)(2906002)(478600001)(10710500007)(7110500001)(3280700002)(316002)(606006)(15650500001)(53386004)(86362001)(6246003)(2420400007)(74316002)(2900100001)(7736002)(2950100002)(6436002)(6116002)(790700001)(66066001)(3846002)(5250100002)(966005)(2501003)(5890100001)(3660700001)(14454004)(76176011)(105586002)(33656002)(5660300001)(186003)(7696005)(59450400001)(8936002)(6506007)(9686003)(68736007)(106356001)(54896002)(97736004)(102836004)(72206003)(236005)(26005)(99286004)(55016002)(81166006)(53546011)(81156014)(53936002)(8676002)(9326002)(6306002); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR0801MB1490; H:AM4PR0801MB2706.eurprd08.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 0bnLOzRyTRqwd2lTKGBm+TUtdlAQrUtc4CvMHXlgF8WAzc8+8hPCCHDLLKWyyhBzh6lbPQuDSOqRHg1WErsSFQ==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_AM4PR0801MB2706A1B1B8ADC5BBF1E8967FFAFB0AM4PR0801MB2706_"
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d84ce5ad-ce86-41f6-b477-08d568cc3683
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Jan 2018 17:01:03.8917 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0801MB1490
Archived-At: <https://mailarchive.ietf.org/arch/msg/atlas/bu5y_xDgpNzKWEoTwX0J9Jjb6WY>
Subject: Re: [Atlas] Application Transport LAyer Security (ATLAS) Charter Text
X-BeenThere: atlas@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Application Transport LAyer Security <atlas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/atlas>, <mailto:atlas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/atlas/>
List-Post: <mailto:atlas@ietf.org>
List-Help: <mailto:atlas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/atlas>, <mailto:atlas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jan 2018 17:01:55 -0000

Hi Abhijan,

Thanks for your feedback!

Remarks below:

From: Abhijan Bhattacharyya [mailto:abhijan.bhattacharyya@tcs.com]
Sent: 31 January 2018 13:04
To: Atlas@ietf.org
Cc: Hannes Tschofenig
Subject: Re: [Atlas] Application Transport LAyer Security (ATLAS) Charter Text

Hi Hannes,

I went through the draft charter text. Some points that I would like to jot down (please pardon me in case I am raising something that has already been discussed. I was not there in Singapore, so unaware of the discussions on ground):

1) I would second this initiative. It is necessary for moving towards a more 'flat' stack structure to gain more application level control for IoT and low-latency use cases.
Do you think the current charter text (and/or the strawman solutions) capture your goal to a sufficient extend already?

2) When we say Application Layer TLS, we essentially infer "Application Layer" as a generic term. The OSI Session Layer concepts have to be incorporated into the Application Layer.

The term "Application Layer TLS" may be misleading since "ordinary" TLS already protects the application layer. I am open to suggestions for better terms.

So, are we talking about a generic set of requirements that every individual Application Layer need to follow in order to enable the underlying Record Layer in the Transport to function properly?

The standardization effort is very minimal here. I believe the biggest issue is to understand the difference in use. There are two things that could be standardized here:

1)      A place where we put the TLS/DTLS payloads (for the different protocols over which we "tunnel" the TLS / DTLS messages).

2)      A way to use the key extractor to derive keying material for use with another payloads, such as the JOSE or COSE.

The reason I am highlighting this point is because, the implementation of how the Session Layer feature is implemented will differ amongst different candidate Application Protocols because the semantics are not same. For example CoAP semantics and HTTP semantics are different. So, there will be architectural differences in different version of App Layer TLS. So, probably we need to put some text that clears the objective.
That's true. HTTP, CoAP and other protocols would require a different description and a different "place" where we put those TLS/DTLS payloads.


3) While we say that the group will re-use the existing TLS handshake protocol probably we need to be a little bit more elaborate in the line of point (2) above. I think, probably we would like to keep the existing implementation of TLS record-structure intact.

Yes, we would like to re-use existing implementations. Our early implementation efforts indicate that this is possible. Mark and I worked on mbed TLS; Owen, Richard, and Max worked on OpenSSL.

So, that defines the requirements / exact deliverables out of the session establishment exercise. Now, if we take the example of the draft that we submitted earlier (draft-bhattacharyya-dice-less-on-coap-00 ), we actually followed the similar philosophy. (i) We learned first what are the required inputs to run the record layer functions and what are the security and performance constraints. (ii) Then we tried to see how we achieve that in a resource efficient manner. (iii)This led to a generic handshake design without caring about the exact application protocol on which it is to be implemented. (iv) Then the concept is implemented using the confirmable semantics of CoAP.

Your work is obviously very helpful and the BOF and IMHO this mailing list are the appropriate place are the right place to share this experience. As such, I would recommend that you refresh your document and, if you have additional information, add it in version -01.


So, probably we can put some more clarity on the expected outcome which will bring out the expectations out of the "modern key exchange protocol" and why/how it should be designed with "re-use of the existing TLS handshake".

Let me think about how we could capture this in the charter text. I am trying to keep the balance between providing sufficient information to understand the high level goal of the group vs. precluding discussions.


Ciao
Hannes


Thank  you.

With Best Regards
Abhijan Bhattacharyya
Associate Consultant
Scientist, TCS Research
Tata Consultancy Services
Building 1B,Ecospace
Plot -  IIF/12 ,New Town, Rajarhat,
Kolkata - 700160,West Bengal
India
Ph:- 033 66884691
Cell:- +919830468972
Mailto: abhijan.bhattacharyya@tcs.com<mailto:abhijan.bhattacharyya@tcs.com>
Website: http://www.tcs.com
____________________________________________
Experience certainty. IT Services
Business Solutions
Consulting
____________________________________________

=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain
confidential or privileged information. If you are
not the intended recipient, any dissemination, use,
review, distribution, printing or copying of the
information contained in this e-mail message
and/or attachments to it are strictly prohibited. If
you have received this communication in error,
please notify us by reply e-mail or telephone and
immediately and permanently delete the message
and any attachments. Thank you

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email