Re: [core] Endpoint Client Name / Endpoint Name in RD draft
Jim Schaad <ietf@augustcellars.com> Fri, 20 April 2018 23:38 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D4E812D950 for <core@ietfa.amsl.com>; Fri, 20 Apr 2018 16:38:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T1oCoRB_HHqm for <core@ietfa.amsl.com>; Fri, 20 Apr 2018 16:38:08 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E655112D94F for <core@ietf.org>; Fri, 20 Apr 2018 16:38:07 -0700 (PDT)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 20 Apr 2018 16:35:35 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: "'Kovatsch, Matthias'" <matthias.kovatsch@siemens.com>, 'Christian Amsüss' <christian@amsuess.com>, consultancy@vanderstok.org
CC: core@ietf.org
References: <CB28DFEA-5F9E-4C35-BD86-A37AC5C122C9@tzi.org> <ca2b6038e911d93e15e57763836a1d09@xs4all.nl> <20180413151121.GC20765@hephaistos.amsuess.com> <011701d3d4f0$46255e50$d2701af0$@augustcellars.com> <4EBB3DDD0FBF694CA2A87838DF129B3C01EF5D0D@DEFTHW99EL4MSX.ww902.siemens.net>
In-Reply-To: <4EBB3DDD0FBF694CA2A87838DF129B3C01EF5D0D@DEFTHW99EL4MSX.ww902.siemens.net>
Date: Fri, 20 Apr 2018 16:37:55 -0700
Message-ID: <001a01d3d900$9d919eb0$d8b4dc10$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGj/JiRAqK9XDLfxtiMvvF/yumPWgJTFtjfAZ8yAZgDEqV66wHvlhSppCJjYbA=
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/aKQQP7bw1j0SSBiOPET_Ge8gB6I>
Subject: Re: [core] Endpoint Client Name / Endpoint Name in RD draft
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Apr 2018 23:38:11 -0000
> -----Original Message----- > From: Kovatsch, Matthias <matthias.kovatsch@siemens.com> > Sent: Friday, April 20, 2018 8:46 AM > To: Jim Schaad <ietf@augustcellars.com>; 'Christian Amsüss' > <christian@amsuess.com>; consultancy@vanderstok.org; 'Carsten Bormann' > <cabo@tzi.org> > Cc: 'Hannes Tschofenig' <Hannes.Tschofenig@arm.com>; core@ietf.org > Subject: AW: [core] Endpoint Client Name / Endpoint Name in RD draft > > Dear list > > > "ep" is an application-defined identifier for the registered endpoint. It is a > parameter for registration, but also a target attribute that will have the same > value. The RD must store the "ep" parameter for each registered endpoint > and attach it as target attribute to all the corresponding links it returns. As > Peter stated, when "ep" is not unique, the client must also provide "d", > which must be processed similarly by the RD. > > As target parameter, it is used during lookup. Applications will use the > application-defined identifier, not a handle generated by the RD, not the > security context. When a commissioning tool is registering an endpoint, the > security context is also different from the endpoint's security context, and > hence it cannot be used as endpoint identifier. > > As a result, "ep" must not be removed. > > I think "ep", just like the other registration parameters that are also target > attributes, should receive its own sub-section with a proper definition and > explanation. > > > Related to this is the proper definition of "ins", which unfortunately was > moved over to the core-rd-dns-sd draft. "ins" is used to distinguish resources > with the same "rt". Originally, it was used for resource within the same > device (e.g., > </t1>;rt=temperature;ins=indoor,</t2>;rt=temperature;ins=outdoor). By > now, it often is assumed to require global uniqueness. I claim that this is not > required when "ep" is used correctly. Using a hierarchy of "d" -> "ep" -> "ins" > provides more flexibility than making "ins" globally unique. "ins" can still have > a global meaning (cf. indoor vs outdoor), but it should be re-usable for all > resources with similar instance semantics. Uniqueness is achieved through > "d" and "ep". > > I think "ins" should become part of the RD draft again to be defined together > with "d" and "ep", as they are part of a larger discovery framework. If "ins" does not need to be handled in a special manner by the RD, then I would see no reason for it to be part of the RD draft. Both "ep" and "d" are treated in a special manner as the pair is required to be globally unique in the RD. This is not a true statement for the "ins" attribute even in the core-rd-dns-sd draft. Jim > > > Best wishes, > Matthias > > > > > -----Ursprüngliche Nachricht----- > > Von: core [mailto:core-bounces@ietf.org] Im Auftrag von Jim Schaad > > Gesendet: Sonntag, 15. April 2018 21:31 > > An: 'Christian Amsüss'; consultancy@vanderstok.org; 'Carsten Bormann' > > Cc: 'Hannes Tschofenig'; core@ietf.org > > Betreff: Re: [core] Endpoint Client Name / Endpoint Name in RD draft > > > > > > > > > -----Original Message----- > > > From: core <core-bounces@ietf.org> On Behalf Of Christian Amsüss > > > Sent: Friday, April 13, 2018 8:11 AM > > > To: consultancy@vanderstok.org; Carsten Bormann <cabo@tzi.org> > > > Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; core@ietf.org > > > Subject: Re: [core] Endpoint Client Name / Endpoint Name in RD draft > > > > > > On Mon, Apr 09, 2018 at 10:04:07AM +0200, peter van der Stok wrote: > > > > > I am curious what we lose if we remove this identifier altogether. > > > > > The only thing that comes to my mind is a debugging capability > > > > > where you might want to test your system without any security > protocol. > > > > > > > > Probably, I completely misunderstand your suggestion. > > > > Registrations in the RD need identification so that they can be > > > > changed, removed , updated, etc... > > > > > > Well, the manipulation (change, removal, update) already happens > > > independently of the endpoint name or domain; that is just bound to > > > the registration resource. > > > > > > In the current text, we allow that the endpoint name is not given at > > > registration time if it is explicitly configured and the RD can > > > recognize the endpoint by its security context. > > > > > > > Registrations are identified by the (ep, d) pair, unique within a given RD. > > > > Removing ep identifier will force you to find another identifier > > > > for a registration......... > > > > and you are back to square 1 it seems. > > > > > > In any authenticated context, that can identifier can be the security > context. > > > How that can be expressed at lookup is an open question. > > > An endpoint name string can be what glues those together. > > > > > > On Mon, Apr 09, 2018 at 10:14:54AM +0200, Carsten Bormann wrote: > > > > The argument seems to be that if a client holds an authorization > > > > to register at an RD, that authorization may imply a specific > > > > endpoint name. (I’m not sure that is always true, as the > > > > authorization may be based on a claim that does not happen to > > > > provide an obvious candidate for that.) > > > > > > > > To discuss this further, we’ll need to discuss authorization > > > > models for RD access. Maybe high time in any case… > > > > > > > > > Could everybody maybe sketch how they'd express the permissions they > > > would like to set on their RDs? > > > > > > > > > I'll start with some arbitrary ones that might be useful (at least > > > with some help from Cunningham's Law): > > > > > > TrustTheWebCAs: "This RD accepts any registration, provided who > > > registers can present a X509 certificate chain to my system > > > certificates that carries a Common Name or Subject Alternative Name > > > that matches the host name they give in their con". > > > > TrustTheWebCAs + GodBit: This RD accepts any registration, provided > > who registers can present an X509 certificate chain to my system > certificates that carries a common or alternative name (or maybe an EKU) > that matches to the God criteria. > > > > > > > > RequireEKU: "Like TrustTheWebCAs, and if it wants to set an endpoint > > > type (et=), that must be justified by an Extended Key Usage in the > certificate." > > > > I would probably generalize this rule to - The RD may extract > > additional information from the certificate beyond the naming to either > enforce or supplement attributes set such as endpoint types or domains. > > > > > > > > EPFromACE: "This RD uses /reg/${domain}/${endpoint} as registration > URIs. > > > An endpoint can only register if it holds an ACE-AIF token to POST > > > to that resource issued by my Authorization Server (AS)." > > > > EPFromACE2: This RD uses /reg?ep=${endpoint}&d=${domain} as > > registration URIs. An endpoint can only register if it holds an ACE- > > AIF token to POST to that resource issued by my Authorization Server (AS). > The token may contain values for fields in the URI-queries which are to be > either enforced, or set if not present in the registration request. Examples > are ep, d, et. > > > > > > > > PNFromACE: "This RD allows registration of arbitrary endpoints, but > > > advertising an at=... (registration) or ol=... (link) attribute (see > > > core-protocol-negotiation) requires that that value is contained in > > > an ACE token from my AS." > > > > RSFromACE: This RD allows registration of endpoints, but restricts the > > resources that can be registered. All resources registered must be filtered > by matching one of a number of patterns potentially with values that can be > defaulted in. > > > > Jim > > > > > > > > > > > Best regards > > > Christian > > > > > > -- > > > To use raw power is to make yourself infinitely vulnerable to greater > powers. > > > -- Bene Gesserit axiom > > > > _______________________________________________ > > core mailing list > > core@ietf.org > > https://www.ietf.org/mailman/listinfo/core
- [core] Endpoint Client Name / Endpoint Name in RD… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Jaime Jiménez
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Jim Schaad
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Jaime Jiménez
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Jim Schaad
- Re: [core] Endpoint Client Name / Endpoint Name i… peter van der Stok
- Re: [core] Endpoint Client Name / Endpoint Name i… Carsten Bormann
- Re: [core] Endpoint Client Name / Endpoint Name i… Christian Amsüss
- Re: [core] Endpoint Client Name / Endpoint Name i… Jim Schaad
- Re: [core] Endpoint Client Name / Endpoint Name i… Kovatsch, Matthias
- Re: [core] Endpoint Client Name / Endpoint Name i… Jim Schaad
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Kovatsch, Matthias
- Re: [core] Endpoint Client Name / Endpoint Name i… peter van der Stok
- Re: [core] Endpoint Client Name / Endpoint Name i… peter van der Stok
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… peter van der Stok
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Kovatsch, Matthias
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… peter van der Stok
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig