IETF Logo Mail Archive

Re: [core] Endpoint Client Name / Endpoint Name in RD draft

peter van der Stok <stokcons@xs4all.nl> Tue, 24 April 2018 09:27 UTC

Return-Path: <stokcons@xs4all.nl>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A98D124217 for <core@ietfa.amsl.com>; Tue, 24 Apr 2018 02:27:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QncU2-TVjCD1 for <core@ietfa.amsl.com>; Tue, 24 Apr 2018 02:27:44 -0700 (PDT)
Received: from lb1-smtp-cloud7.xs4all.net (lb1-smtp-cloud7.xs4all.net [194.109.24.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5022D126DEE for <core@ietf.org>; Tue, 24 Apr 2018 02:27:44 -0700 (PDT)
Received: from webmail.xs4all.nl ([IPv6:2001:888:0:22:194:109:20:206]) by smtp-cloud7.xs4all.net with ESMTPA id AuEffDOT28U07AuEffqTeL; Tue, 24 Apr 2018 11:27:42 +0200
Received: from 2001:983:a264:1:ecb7:3eb8:e763:ecc4 by webmail.xs4all.nl with HTTP (HTTP/1.1 POST); Tue, 24 Apr 2018 11:27:41 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Date: Tue, 24 Apr 2018 11:27:41 +0200
From: peter van der Stok <stokcons@xs4all.nl>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: consultancy@vanderstok.org, Jaime Jiménez <jaime.jimenez@ericsson.com>, core@ietf.org
Organization: vanderstok consultancy
Reply-To: consultancy@vanderstok.org
Mail-Reply-To: consultancy@vanderstok.org
In-Reply-To: <VI1PR0801MB21126DE7C4287563D1598E86FA890@VI1PR0801MB2112.eurprd08.prod.outlook.com>
References: <VI1PR0801MB2112B52094B182F5D44C4F64FAA40@VI1PR0801MB2112.eurprd08.prod.outlook.com> <A484D917-677C-4B29-BBAD-DDDE34B50303@ericsson.com> <VI1PR0801MB21128EA2B70DEEE7C5775A62FAA40@VI1PR0801MB2112.eurprd08.prod.outlook.com> <070801d3cc3f$8d59e0c0$a80da240$@augustcellars.com>, <VI1PR0801MB2112FB25797DCB8F546C148DFAA40@VI1PR0801MB2112.eurprd08.prod.outlook.com> <7BA9B091-F489-4ED4-B6EC-5AD7D971D6F7@ericsson.com> <VI1PR0801MB2112A692CB307D213A89DFC8FABB0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <ca2b6038e911d93e15e57763836a1d09@xs4all.nl> <VI1PR0801MB21126DE7C4287563D1598E86FA890@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Message-ID: <c13edc71f916954978b3468d9f5de9c5@xs4all.nl>
X-Sender: stokcons@xs4all.nl
User-Agent: XS4ALL Webmail
X-CMAE-Envelope: MS4wfB/g19ZTRxSEcbkQT2BYrAVuz/BRSU0MFWKQC0FmpeM4C2HyfCdHhKbB2r+c1oyya9EdmrMhvNJn+OgVeEvEUeLpRob9JNZDmrbPlPlK+9akFt61fZfY 5klDgw+vz4VS6fZJZhzoATZ5awOu6n752P5hYTMfkIAfJTA9FFIpZ12/jtO5HW29ULy8NS8Axhq0r4SlMTqeoVc+4LQ5gHTAc6ENCrxu8flsVXo2cjvpj60z vLy0hXZy/1F1bmknJoo9eGg56dpJ1WQEugBUy2skt5s=
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/Uvhs5y94eqEyVDxEg4tYTGnayiI>
Subject: Re: [core] Endpoint Client Name / Endpoint Name in RD draft
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2018 09:27:47 -0000


Hannes Tschofenig schreef op 2018-04-23 05:08:
> Hi Peter,
> 
> The mailing list discussion reconfirms my worry that people will get
> this wrong and will introduce security vulnerabilities.

Well, I'm one of those getting it wrong, because I did not understand 
the worry.

> 
> I am saying that the security protocol used to protect the
> communication will have an authenticated identifier and this
> identifier then has to be used for identification of the IoT device.
> This identifier will then also be used for lookups .

This I understand. If I do clearly follow, guidelines must be produced 
about the use of authorized RD accesses.
Assume authorized access to the RD, using oauth-authz.
I do surmise that the registration may then return an signed identifier 
instead the path name of the registration.
The signed identifier can be used for updates.
The payload will be encrypted, and thus the actual use of ep, and d can 
be maintained as specified in the lookup, but are hidden to others.

Is that a correct extrapolated suggestion of your comments? probably 
there is a caveat I don't see.

> 
> I am furthermore arguing that the multiple IoT device cannot share the
> same identifier.

sorry, what is a multiple IoT device? one with multiple registrations in 
the RD, or one with multiple links? or....

I agree with Jim that for third party registrations
> we cannot completely get rid of the endpoint client name/endpoint name
> functionality but for the third party registration you are most likely
> using a different approach anyway. I am not sure anyone using the RD
> specification for commissioning tool functionality today since the
> main purpose of the RD document is for something entirely different.

I do not agree with your conclusion. The use of RD is still being 
discussed as far as I know, and
each SDO seems to have its own approach and use cases. The use of a CT 
is completely within scope to my knowledge.


Thanks hannes for your comments.
Looking forward to getting things more precise and understandable for 
me.

Peter

> 
> Ciao
> Hannes
> 
> -----Original Message-----
> From: peter van der Stok [mailto:stokcons@xs4all.nl]
> Sent: 09 April 2018 15:04
> To: Hannes Tschofenig
> Cc: Jaime Jiménez; core@ietf.org
> Subject: Re: [core] Endpoint Client Name / Endpoint Name in RD draft
> 
>> 
>> I am curious what we lose if we remove this identifier altogether. The
>> only thing that comes to my mind is a debugging capability where you
>> might want to test your system without any security protocol.
> Hi Hannes,
> 
> Probably, I completely misunderstand your suggestion.
> Registrations in the RD need identification so that they can be
> changed, removed , updated, etc...
> Registrations are identified by the (ep, d) pair, unique within a given 
> RD.
> Removing ep identifier will force you to find another identifier for a
> registration.........
> and you are back to square 1 it seems.
> 
> 
> Peter
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose
> the contents to any other person, use it for any purpose, or store or
> copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email