IETF Logo Mail Archive

Re: [Atlas] Charter Text

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 06 February 2018 16:32 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: atlas@ietfa.amsl.com
Delivered-To: atlas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7C2E12E873 for <atlas@ietfa.amsl.com>; Tue, 6 Feb 2018 08:32:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.92
X-Spam-Level:
X-Spam-Status: No, score=-0.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uM4fOHtpYCx5 for <atlas@ietfa.amsl.com>; Tue, 6 Feb 2018 08:32:54 -0800 (PST)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01on0066.outbound.protection.outlook.com [104.47.2.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF4F112D82E for <atlas@ietf.org>; Tue, 6 Feb 2018 08:32:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=SzDwM/LP7jIenHettEBXMfg1zQz31LKRW9+LDBq0mfU=; b=Xp5L0Kvg5Efy4qqrUVTzAkTmuc4GrUPV/y2I3Eev/BvAki41NMed+BVm/aLQAVS0cTwA6H80MhUi4V2Ncc15hGBIYVBJUKT1Xm/3KKef3pmJZ9hUZ0sCsqSpwZu3sBMJ7zcCXQVaddlDDZDJ9+VQCRtlHY0kp+g4wFuN3pSWd4U=
Received: from AM4PR0801MB2706.eurprd08.prod.outlook.com (10.167.90.148) by AM4PR0801MB1604.eurprd08.prod.outlook.com (10.168.6.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.464.11; Tue, 6 Feb 2018 16:32:51 +0000
Received: from AM4PR0801MB2706.eurprd08.prod.outlook.com ([fe80::b863:80d:692b:e64b]) by AM4PR0801MB2706.eurprd08.prod.outlook.com ([fe80::b863:80d:692b:e64b%14]) with mapi id 15.20.0464.015; Tue, 6 Feb 2018 16:32:50 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "Owen Friel (ofriel)" <ofriel@cisco.com>, "Salz, Rich" <rsalz@akamai.com>, Carsten Bormann <cabo@tzi.org>
CC: "atlas@ietf.org" <atlas@ietf.org>
Thread-Topic: [Atlas] Charter Text
Thread-Index: AdOfKeYW6yeRFqRbQSOHRJKvG3bKxAABazEAAAxpOgAAAYAAgAAALWnw
Date: Tue, 06 Feb 2018 16:32:50 +0000
Message-ID: <AM4PR0801MB2706405E48680B708A477D41FAFD0@AM4PR0801MB2706.eurprd08.prod.outlook.com>
References: <AM4PR0801MB27068EB6FF489F4EE5A14040FAFD0@AM4PR0801MB2706.eurprd08.prod.outlook.com> <BB42A0A6-9491-4E53-928C-148D4B00D762@tzi.org> <0DE1D01D-EDD0-46CC-9545-F3D0D7CF16D5@akamai.com> <7a3a5b7e0a5c4d788e3e5d6aaa4884b7@XCH-RCD-012.cisco.com>
In-Reply-To: <7a3a5b7e0a5c4d788e3e5d6aaa4884b7@XCH-RCD-012.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [88.214.161.126]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM4PR0801MB1604; 7:xDU4uH9TFAZxKbfgvAHB3/mZk4kvkKjPS1UokTxddzbLIU0XhzA6oO148pynKEFAe7nukg1sV/jXZ2Pd5AmJSccSsw4c8/2vgU4vLD/JnN61N2tDpM1jo9A5T5VnYAb73c7fPChTH/jRyDmlmR5yD3hJqJoYYfw0acYY/SHFazy1F6G+sDUlQ9R/mLLwS++0arT9zPOEA4lHd+xkobBD1rhfUVxrgkuEJ4lurYNp6eqLOqzkAfDlN0dDwayE+ygz
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: b85532bb-c545-4224-3f4c-08d56d7f43a9
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(48565401081)(5600026)(4604075)(3008032)(2017052603307)(7153060)(7193020); SRVR:AM4PR0801MB1604;
x-ms-traffictypediagnostic: AM4PR0801MB1604:
x-microsoft-antispam-prvs: <AM4PR0801MB1604C4E42AB26E7FDD6FA70FFAFD0@AM4PR0801MB1604.eurprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(180628864354917)(278428928389397)(192374486261705)(95692535739014)(21748063052155)(10436049006162);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040501)(2401047)(5005006)(8121501046)(93006095)(93001095)(3002001)(10201501046)(3231101)(2400082)(944501161)(6055026)(6041288)(20161123560045)(20161123562045)(20161123564045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011); SRVR:AM4PR0801MB1604; BCL:0; PCL:0; RULEID:; SRVR:AM4PR0801MB1604;
x-forefront-prvs: 0575F81B58
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(39380400002)(346002)(396003)(366004)(376002)(40434004)(199004)(189003)(14454004)(229853002)(6506007)(606006)(2900100001)(33656002)(66066001)(93886005)(97736004)(6436002)(7736002)(54896002)(99286004)(53936002)(6306002)(3846002)(102836004)(9686003)(6116002)(55016002)(790700001)(186003)(106356001)(53546011)(236005)(105586002)(478600001)(7696005)(2950100002)(6246003)(3280700002)(81156014)(3660700001)(110136005)(76176011)(74316002)(26005)(5890100001)(5250100002)(966005)(72206003)(86362001)(59450400001)(81166006)(316002)(2906002)(25786009)(8676002)(5660300001)(4326008)(68736007)(8936002); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR0801MB1604; H:AM4PR0801MB2706.eurprd08.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: ffGKZklGei8teXq/VQA5Ayj7JN+VqsShQbRtZ7kPiTk5jkvQPScuUcRkRQ49ZCkvFFmD370iiaQlPeIVOTV5bg==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_AM4PR0801MB2706405E48680B708A477D41FAFD0AM4PR0801MB2706_"
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b85532bb-c545-4224-3f4c-08d56d7f43a9
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Feb 2018 16:32:50.5001 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0801MB1604
Archived-At: <https://mailarchive.ietf.org/arch/msg/atlas/veoxrn0n4XyB3kdZwJyEN_h0_7U>
Subject: Re: [Atlas] Charter Text
X-BeenThere: atlas@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Application Transport LAyer Security <atlas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/atlas>, <mailto:atlas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/atlas/>
List-Post: <mailto:atlas@ietf.org>
List-Help: <mailto:atlas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/atlas>, <mailto:atlas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2018 16:32:58 -0000

Rich, HTTPS solves different problem than ATLS. I hope the use cases in the most recent draft version make this clearer.

Ciao
Hannes

From: Owen Friel (ofriel) [mailto:ofriel@cisco.com]
Sent: 06 February 2018 16:26
To: Salz, Rich; Carsten Bormann; Hannes Tschofenig
Cc: atlas@ietf.org
Subject: RE: [Atlas] Charter Text

ATLS over HTTPS is one of the key use cases we are trying to address, specifically for bootstrapping trust in middleboxes, which is a problem we encounter today.

https://tools.ietf.org/html/draft-friel-tls-atls-00#section-3.1


From: Atlas [mailto:atlas-bounces@ietf.org] On Behalf Of Salz, Rich
Sent: Tuesday 6 February 2018 15:43
To: Carsten Bormann <cabo@tzi.org<mailto:cabo@tzi.org>>; Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>
Cc: atlas@ietf.org<mailto:atlas@ietf.org>
Subject: Re: [Atlas] Charter Text

I think HTTP is not something to work on, as HTTPS exists and this will only cause confusion.  Something more applicable might be SNMP or CoAP.


From: Carsten Bormann <cabo@tzi.org<mailto:cabo@tzi.org>>
Date: Tuesday, February 6, 2018 at 4:48 AM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>
Cc: "atlas@ietf.org<mailto:atlas@ietf.org>" <atlas@ietf.org<mailto:atlas@ietf.org>>
Subject: Re: [Atlas] Charter Text

I still believe Jun 2018 is an impossible target, more so for BLE work. (and it's not "smart" any more).
Sent from mobile

On 6. Feb 2018, at 10:08, Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>> wrote:
Application Transport LAyer Security (ATLAS)
============================================

# Charter for Working Group

## Background

The Transport Layer Security (TLS) protocol has been a hugely successful security protocol and it is used by developers to secure connection-oriented as well as connection-less transport protocols. Under the hood, both TLS and DTLS consist of sub-protocols, namely the handshaking protocols and the record protocol. The handshaking protocols offer an authenticated key exchange protocol that establishes the necessary keys and parameters for protecting application data via the record protocol. Years have been spent in improving both protocols and particularly the more sophisticated handshaking protocols. The IETF TLS working group published many extensions and ciphersuites so that TLS can be customized for different environment. This flexibility and the availability of source code is appreciated by developers writing web applications, smart phone apps, and also for securing backend communication. With the need to secure embedded devices communicating with the cloud-based infrastructure TLS and DTLS has even found traction in the Internet of Things (IoT) community.

## Problem Statement

TLS and DTLS sit between the transport layer, such as TCP and UDP, and the applications. Hence, TLS and DTLS offer protection of application traffic exchanged between the endpoints of the transport layer. There are, however, deployments where security protection needs to be applied beyond these two transport layer endpoints. Use cases include deployments where proxies terminate connections along the path or where devices transmit data first over a non-IP transport, such as Bluetooth Smart, before IP communication starts at the smart phone towards a cloud-based infrastructure.

While application layer security mechanisms already exist, such as CMS, JOSE, and COSE offering protection of application data those are focused on one-shot message exchanges.
Securing one-shot payloads, such as firmware updates in an IoT context (such as work done in the IETF SUIT working group), is therefore outside the scope of this work.

There is a need to offer application layer security for communication that is session based, i.e., where communication establishment is followed by an exchange of an arbitrary number of application data.  This application layer security mechanism requires authentication of the endpoints, and a modern a key exchange protocol. The result of a positive handshake will lead to the establishment of keying material and negotiated algorithms for confidentiality, integrity and replay protection of application data.

The TLS protocol has also been used in environments not initially anticipated by the TLS authors, such as in EAP-TLS/EAP-TTLS for network access authentication where the TLS handshake is carried over EAP payloads. Furthermore, with DTLS-SRTP the DTLS handshake has been used to establish security associations for protecting RTP. As such, there is also a precedence for embedding TLS in "applications" (whereby EAP would be here the network access authentication application).

## Goal of this Group

This group will develop specifications that define embeddings for different application protocols, such as CoAP, HTTP, and Bluetooth Smart. Such embeddings come with appropriate security considerations. The group will also work on specifications that describe how to deriving keying material for protecting application payloads using JOSE and COSE.

This group will maintain a close relationship with the TLS working group as well as with relevant application and IoT-relevant working groups in the IETF.

# Milestones

May 2018    Adopt "Architecture and Use Case" document as WG item

Jun 2018    Adopt "Application Layer TLS Embedding in HTTP" specification as WG item

Jun 2018    Adopt "Application Layer TLS Embedding in CoAP" specification as WG item

Jun 2018    Adopt "Application Layer TLS Embedding in Bluetooth Smart" specification as WG item

Oct 2018    Submit "Architecture and Use Case" document to the IESG for publication as an Informational Standard.

Nov 2018    Submit "Application Layer TLS Embedding in HTTP" specification to the IESG for publication as an Proposed Standard.

Nov 2018    Submit "Application Layer TLS Embedding in CoAP" specification to the IESG for publication as an Proposed Standard.

Nov 2018    Submit "Application Layer TLS Embedding in Bluetooth Smart" specification to the IESG for publication as an Proposed Standard.

# References:

Currently available proposals include:
- draft-schmertmann-dice-codtls-00
- draft-bhattacharyya-dice-less-on-coap-00
- draft-garcia-core-app-layer-sec-with-dtls-record-00
- draft-friel-tls-atls-00

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________
Atlas mailing list
Atlas@ietf.org<mailto:Atlas@ietf.org>
https://www.ietf.org/mailman/listinfo/atlas<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_atlas&d=DwMCaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=4LM0GbR0h9Fvx86FtsKI-w&m=njNAxyrfzDwrzrtyETvuLKnCTuH_KmwAYxNHvQM_F68&s=fgZeowldfUecrs7gFM2PNjqexSlQKvtnJ2gHYZ8Hhhk&e=>
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email