Re: [core] Bootstrap in draft-ohba-core-eap-based-bootstrapping and draft-garcia-core-security

[Hannes Tschofenig <hannes.tschofenig@gmx.net>]

Yoshi, I would also like to add that my comment regarding Bahcet's suggestion for a terminology change does not lower the value of your contribution in any way. 
In fact, I find your document a very interesting discussion contribution regarding the envisioned smart object security architecture. 

Ciao
Hannes

On Jul 13, 2011, at 11:33 AM, Hannes Tschofenig wrote:

> Hi Yoshi, 
> 
> it was a mistake to use the term "bootstrapping" in mobile IPv6 context as well. 
> There was no good reason to create a new term given the existence of already well-established terms. 
> 
> Time to change that.
> 
> Ciao
> Hannes
> 
> On Jul 13, 2011, at 2:13 AM, Yoshihiro Ohba wrote:
> 
>> Hi Hannes, Bahcet,
>> 
>> Please see my comments below.
>> 
>> (2011/07/13 4:25), Behcet Sarikaya wrote:
>>> Hi Hannes (Kelly and Rene who replied to me only),
>>> 
>>> 
>>> Let me clarify.
>>> 
>>> I checked the Wiki page, it is about what I talked, i.e. bootstrapping your PC.
>>> I am OK with it.
>>> 
>>> In Core WG drafts, draft-ohba is about "bootstrapping" CoAP applications,
>>> establishing a secure channel between the CoAP client and CoAP server.
>>> 
>> 
>> Yes.
>> 
>>> As such it assumes a secure IP communication which is what we cover in
>>> draft-sarikaya.
>>> 
>>> I think that establishing a secure channel between the CoAP client and CoAP
>>> server should not be called bootstrapping.
>> 
>> For example, RFC 4640 discuss "bootstrapping MIPv6", and in its abstract:
>> 
>> "A mobile node needs at least the following information: a home
>> address, a home agent address, and a security association with home
>> agent to register with the home agent.  The process of obtaining this
>> information is called bootstrapping."
>> 
>> This means that bootstrapping MIPv6 security is part of bootstrapping
>> MIPv6.
>> 
>> Following the same logic, I think bootstrapping CoAP security can be
>> considered as part of bootstrapping CoAP application.
>> 
>>> 
>>> OTOH, draft-garcia is totally chaotic about "bootstrapping". In Section 3 it
>>> talks about  trust bootstrapping between nodes of
>>>   different vendors. Then it talks about bootstrapping phase/procedures.
>>> Later on they mention the bootstrapping of security keys.
>>> 
>>> Section 5.2 Bootstrapping of a Security Domain
>>> In Section 5.2.2 it tries to give a definition to bootstrapping.
>>> 
>>> My suggestions are:
>>> 
>>> for draft-ohba: please do not use bootstrapping, otherwise your draft is clear
>>> enough.
>> 
>> Since the term bootstrapping is already used for MIPv6 case, I think
>> it can still use the term, but I agree that the draft should say
>> bootstrapping CoAP security instead of bootstrapping CoAP application.
>> 
>> Regards,
>> Yoshihiro Ohba
>> 
>> 
>> 
>>> 
>>> for draft-garcia: This draft talks about so many things. In most places, what it
>>> refers to as bootstrapping and the description match what is covered in the
>>> original document which is draft-sarikaya. I suggest removing all those sections
>>> about bootstrapping because they are mostly repeating what we already had. Stay
>>> with whatever remains and see if it is worth to have such a document.
>>> 
>>> Regards,
>>> 
>>> Behcet
>>> 
>>> 
>>> 
>>>> Hi Behcet,
>>>> 
>>>> I agree with you that the term "bootstrapping" is not very  helpful.
>>>> 
>>>> There are three cases:
>>>> 
>>>> a) Key Distribution and Key  Derivation
>>>> 
>>>> Here an existing keying material is used to derive other  keying material or to
>>>> use securely distribute keying material.
>>>> 
>>>> draft-ohba-core-eap-based-bootstrapping and
>>>> 
>>>> b) Bootstrapping (in  terms of operating systems procedures)
>>>> 
>>>> See description in  http://en.wikipedia.org/wiki/Bootstrapping_%28computing%29
>>>> 
>>>> draft-garcia-core-security  seems to refer to this aspect, I believe.
>>>> 
>>>> c) Establishing initial  keying material in a leap of faith style.
>>>> 
>>>> Example: Bluetooth pairing  protocol
>>>> http://tools.ietf.org/html/draft-pritikin-ttimodel-01 also discusses  these
>>>> aspects.
>>>> 
>>>> Here the terms used are imprinting, pairing, enrollment, and  introduction are
>>>> used to describe
>>>> 
>>>> 
>>>> Ciao
>>>> Hannes
>>>> 
>>>> On Jul 12, 2011,  at 8:08 PM, Behcet Sarikaya wrote:
>>>> 
>>>>> Hi all,
>>>>> It seems  that the word bootstrapping has been used and overused in so many
>>> 
>>>>> drafts (including draft-ohba-core-eap-based-bootstrapping and
>>>>> draft-garcia-core-security) and I suggest that we clarify this.
>>>>> 
>>>>> Colin had a draft on
>>>>> Initial Configuration of Resource-Constrained  Devices
>>>>> called draft-oflynn-6lowapp-bootstrapping submitted on Jan. 2010  in which he
>>>> 
>>>>> defined bootstrapping ashow to initially     configure the network.
>>>>> 
>>>>> Later on we continued this work on where  Colin left
>>>>> indraft-sarikaya-core-sbootstrapping.
>>>>> 
>>>>> I  think that the definition Colin gave to bootstrapping is the right one. It
>>>> 
>>>>> matches with the historical use of bootstrapping in computers: you  bootstrap
>>>> 
>>>>> your computer to initially configure it by a physical action  (pressing a
>>>> button)
>>>> 
>>>>> which loads a small record to the memory which when  executed bootstraps
>>>> (brings
>>>> 
>>>>> the whole OS to the memory) the  system.
>>>>> 
>>>>> Regards,
>>>>> 
>>>>> Behcet
>>>>> _______________________________________________
>>>>> core mailing  list
>>>>> core@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/core
>>>> 
>>>> 
>>> _______________________________________________
>>> core mailing list
>>> core@ietf.org
>>> https://www.ietf.org/mailman/listinfo/core
>>> 
>> 
>> _______________________________________________
>> core mailing list
>> core@ietf.org
>> https://www.ietf.org/mailman/listinfo/core
>