IETF Logo Mail Archive

Re: [core] Endpoint Client Name / Endpoint Name in RD draft

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Thu, 26 April 2018 03:05 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC0A812DA01 for <core@ietfa.amsl.com>; Wed, 25 Apr 2018 20:05:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MlBPhnl--He1 for <core@ietfa.amsl.com>; Wed, 25 Apr 2018 20:05:36 -0700 (PDT)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30049.outbound.protection.outlook.com [40.107.3.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 973891241F3 for <core@ietf.org>; Wed, 25 Apr 2018 20:05:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=v7WKwoA28y2aDjWZuQkEMEwlQo34H5HSXDjGInuXVrU=; b=S6mbW8/wtURyU/P5+guPviuLS2e8/9+J6I0Di0opTaNbI+ahls43P9ULJ8IRMM2mk3Apz0Qrh7Jjyc5MPtQjtUpZneZqfHraFU5w5lCu1lK1DAco+QR5ZTklsiqOOxEvsrxEMrs8IDabM2zx5S3r0929iDLZAgst7XAaXUGodeE=
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com (10.173.75.16) by VI1PR0801MB2718.eurprd08.prod.outlook.com (10.166.198.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.696.13; Thu, 26 Apr 2018 03:05:32 +0000
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::35fb:6e2c:e118:5644]) by VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::35fb:6e2c:e118:5644%17]) with mapi id 15.20.0696.017; Thu, 26 Apr 2018 03:05:32 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "Kovatsch, Matthias" <matthias.kovatsch@siemens.com>, Jim Schaad <ietf@augustcellars.com>, 'Christian Amsüss' <christian@amsuess.com>, "consultancy@vanderstok.org" <consultancy@vanderstok.org>, 'Carsten Bormann' <cabo@tzi.org>
CC: "core@ietf.org" <core@ietf.org>
Thread-Topic: [core] Endpoint Client Name / Endpoint Name in RD draft
Thread-Index: AQHT0zm23rcsFhLKykKKsIPwEtlWPKQCOhQAgAec7ACAA+NkwIAAmP0AgAF5RCCAAjxVgIAAZE/w
Date: Thu, 26 Apr 2018 03:05:32 +0000
Message-ID: <VI1PR0801MB2112EDC31EEF7BF99AC8686FFA8E0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
References: <CB28DFEA-5F9E-4C35-BD86-A37AC5C122C9@tzi.org> <ca2b6038e911d93e15e57763836a1d09@xs4all.nl> <20180413151121.GC20765@hephaistos.amsuess.com> <011701d3d4f0$46255e50$d2701af0$@augustcellars.com> <4EBB3DDD0FBF694CA2A87838DF129B3C01EF5D0D@DEFTHW99EL4MSX.ww902.siemens.net> <VI1PR0801MB2112D28860DD3E048518C10AFA890@VI1PR0801MB2112.eurprd08.prod.outlook.com> <4EBB3DDD0FBF694CA2A87838DF129B3C01F07CF0@DEFTHW99EL4MSX.ww902.siemens.net> <VI1PR0801MB211293D5B26328AFFC450A3AFA880@VI1PR0801MB2112.eurprd08.prod.outlook.com> <4EBB3DDD0FBF694CA2A87838DF129B3C01F17724@DEFTHW99EL4MSX.ww902.siemens.net>
In-Reply-To: <4EBB3DDD0FBF694CA2A87838DF129B3C01F17724@DEFTHW99EL4MSX.ww902.siemens.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [103.40.135.59]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0801MB2718; 7:DWg/boRYYuB4ZIJGjuCbHp00uoE+YFfbf+z0a7jtE6CXwLxQ7yz2aF7tWewwmDOsjoZ/gCyTB0gx/U/WrrEOM5MCl/PC3q9R/PjVKtw045HjsQjOezM11HzIMcN59JAj28F/HoRaot6CI+D0178S776uqDHFBlCgLv1kUa/N9jL2TFLb1jwBK1xUkGRxNtW93WNNQSXWMAwEeTREOlhA5Q3qOiWQuF+Asy+EAMXv6wjvTf2pikJyvocYH6y+L0wS
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:VI1PR0801MB2718;
x-ms-traffictypediagnostic: VI1PR0801MB2718:
x-microsoft-antispam-prvs: <VI1PR0801MB2718467A1DD3AA43E842DFD0FA8E0@VI1PR0801MB2718.eurprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(180628864354917)(278428928389397)(192374486261705)(126837547833334);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(10201501046)(3002001)(93006095)(93001095)(3231232)(944501410)(52105095)(6055026)(6041310)(20161123560045)(20161123562045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(6072148)(201708071742011); SRVR:VI1PR0801MB2718; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0801MB2718;
x-forefront-prvs: 0654257CF5
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(346002)(376002)(39380400002)(366004)(39860400002)(40434004)(13464003)(199004)(189003)(55016002)(72206003)(478600001)(74316002)(4326008)(11346002)(68736007)(6246003)(97736004)(305945005)(476003)(86362001)(25786009)(3660700001)(486006)(14454004)(3846002)(6116002)(446003)(2501003)(229853002)(2906002)(5250100002)(6436002)(5890100001)(2900100001)(3280700002)(106356001)(59450400001)(7736002)(6506007)(26005)(102836004)(316002)(8936002)(53546011)(186003)(93886005)(105586002)(76176011)(33656002)(110136005)(7696005)(81166006)(66066001)(81156014)(8676002)(99286004)(53936002)(5660300001)(9686003); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0801MB2718; H:VI1PR0801MB2112.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: oVG0NFVjTSCg91EV1+6syS5fD03QYTka+d4APHmA2lzR+vgMqZBlGixUvWY2lrcNH0+Ygv9OGCTuT0455yIvL+QwIeCdKIbTbKsUaqE1C+ELmTC4ix4RR2TFaHva7PInzCEYWP2lnyXmzIPHGKwNP0IdEbrcNHBVTOidbeqqfKbqoLrH+V0mNsxTAmEjVUaD
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: cee5cbf2-6e44-4477-0e18-08d5ab2292c5
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cee5cbf2-6e44-4477-0e18-08d5ab2292c5
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Apr 2018 03:05:32.1168 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0801MB2718
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/bnUXUppOWd835ALLbyRA4ryAUPU>
Subject: Re: [core] Endpoint Client Name / Endpoint Name in RD draft
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Apr 2018 03:05:39 -0000

Hi Matthias,

I have doubts that anyone is using the third party registration functionality for a commissioning tool. Is Siemens or anyone else deploying this functionality? It would be interesting to get this input.

The requirement for applications using Endpoint Client Names that are different from the names in the device certificates/authentication credentials for registration appears fuzzy and not well justified. What identifier do you believe you can put in an endpoint client name but not in a security protocol or what are the needs of an application that cannot be met?

We have been working on LwM2M and have used a subset of the RD functionality for it. Sending an identifier in the security protocol and at the CoAP level (as part of the Endpoint Client Name in the registration) is also wasting bytes on the wire (in addition to the security implications).

Ciao
Hannes

-----Original Message-----
From: Kovatsch, Matthias [mailto:matthias.kovatsch@siemens.com]
Sent: 26 April 2018 03:55
To: Hannes Tschofenig; Jim Schaad; 'Christian Amsüss'; consultancy@vanderstok.org; 'Carsten Bormann'
Cc: core@ietf.org
Subject: AW: [core] Endpoint Client Name / Endpoint Name in RD draft

Dear Hannes

My comment is that your solution to link the Endpoint Client Name to the registration authentication does not work for at least two of the desired use cases:
- A commissioning tool registering a device on its behalf, as the commissioning tool should not have the private keys or similar of the device.
- Applications using Endpoint Client Names that are different from the names in the device certificates/authentication credentials for registration

I fully agree with you, however, that the RD must clearly state that the registering entity must proof that it is authorized to use the Endpoint Client Name it registers. This might have been too implicit so far and there definitely was not enough work to figure this out fully. There are several ways how to do this; I think we should not limit it to just one simple way that breaks at least two use cases. But we can give it, for instance, as minimum MUST when there is no other way to proof authorization to use the Endpoint Client Name for registration.

One more generic way could be to require device and registering entity to be within the same domain, so that "d" can be authenticated. A commissioning tool would need to authenticate its domain, but then can use any Endpoint Client Name within this domain.

Ciao,
Matthias


> -----Ursprüngliche Nachricht-----
> Von: Hannes Tschofenig [mailto:Hannes.Tschofenig@arm.com]
> Gesendet: Dienstag, 24. April 2018 12:49
> An: Kovatsch, Matthias (CT RDA IOT EWT-DE); Jim Schaad; 'Christian Amsüss'; consultancy@vanderstok.org; 'Carsten Bormann'
> Cc: core@ietf.org
> Betreff: RE: [core] Endpoint Client Name / Endpoint Name in RD draft
>
> Hi Matthias
>
> I fear that you are creating security holes that will be very difficult to fix afterwards.
> It just feels that these are "nice ideas" with limited practical
> experience. Very much like the idea of doing the third party registration with the commissioning tool as defined in the RD specification.
>
> Ciao
> Hannes
>
>
> -----Original Message-----
> From: Kovatsch, Matthias [mailto:matthias.kovatsch@siemens.com]
> Sent: 23 April 2018 19:17
> To: Hannes Tschofenig; Jim Schaad; 'Christian Amsüss'; consultancy@vanderstok.org; 'Carsten Bormann'
> Cc: core@ietf.org
> Subject: AW: [core] Endpoint Client Name / Endpoint Name in RD draft
>
> > Von: Hannes Tschofenig [mailto:Hannes.Tschofenig@arm.com]
> > > Applications will use the application-defined identifier, not a handle generated by the RD, not the security context.
> >
> > Who says that? If applications make security decisions based on unauthenticated parameters then they will be toast.
>
> I am not saying they should not authenticate.
> I am saying that the identifier might be different for authorizating
> the registration and lookup by applications. They must be correlatable
> of course; them being the same is a special case, that could be desirable. Yet someone who is authenticated and authorized should be allowed to introduce additional identifiers.
>
> Ciao,
> Matthias
>
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email