IETF Logo Mail Archive

Re: [core] Conclusion -- Endpoint Client Name / Endpoint Name in RD draft

"Kovatsch, Matthias" <matthias.kovatsch@siemens.com> Mon, 07 May 2018 16:09 UTC

Return-Path: <matthias.kovatsch@siemens.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AE47126DFF for <core@ietfa.amsl.com>; Mon, 7 May 2018 09:09:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.89
X-Spam-Level:
X-Spam-Status: No, score=-6.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7fEq3hjhtvKw for <core@ietfa.amsl.com>; Mon, 7 May 2018 09:09:43 -0700 (PDT)
Received: from goliath.siemens.de (goliath.siemens.de [192.35.17.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BFC3120726 for <core@ietf.org>; Mon, 7 May 2018 09:09:43 -0700 (PDT)
Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by goliath.siemens.de (8.15.2/8.15.2) with ESMTPS id w47G9cGZ014060 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 7 May 2018 18:09:39 +0200
Received: from DEFTHW99ERIMSX.ww902.siemens.net (defthw99erimsx.ww902.siemens.net [139.22.70.134]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTPS id w47G9LJk030559 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 7 May 2018 18:09:38 +0200
Received: from DEFTHW99ERCMSX.ww902.siemens.net (139.22.70.70) by DEFTHW99ERIMSX.ww902.siemens.net (139.22.70.134) with Microsoft SMTP Server (TLS) id 14.3.389.1; Mon, 7 May 2018 18:09:29 +0200
Received: from DEFTHW99EL4MSX.ww902.siemens.net ([169.254.5.120]) by DEFTHW99ERCMSX.ww902.siemens.net ([139.22.70.70]) with mapi id 14.03.0389.001; Mon, 7 May 2018 18:09:28 +0200
From: "Kovatsch, Matthias" <matthias.kovatsch@siemens.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Mohit Sethi <mohit.m.sethi@ericsson.com>, "core@ietf.org" <core@ietf.org>
Thread-Topic: [core] Conclusion -- Endpoint Client Name / Endpoint Name in RD draft
Thread-Index: AdPmCfncz1IX5t6GRJaeO0C+mMHM9f//4EIAgAAGVoD//8jf8A==
Date: Mon, 07 May 2018 16:09:28 +0000
Message-ID: <4EBB3DDD0FBF694CA2A87838DF129B3C01F36340@DEFTHW99EL4MSX.ww902.siemens.net>
References: <VI1PR0801MB2112B9A4410DA3EDE39183BEFA9B0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <bd85e420-c6ce-3e87-406a-4cd5a4fafaa6@ericsson.com> <VI1PR0801MB21121FAE34CE76841CF6DBE1FA9B0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
In-Reply-To: <VI1PR0801MB21121FAE34CE76841CF6DBE1FA9B0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [139.22.70.17]
Content-Type: multipart/alternative; boundary="_000_4EBB3DDD0FBF694CA2A87838DF129B3C01F36340DEFTHW99EL4MSXw_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/hFIp8JDhL5QydsV91YNyseOFOoo>
Subject: Re: [core] Conclusion -- Endpoint Client Name / Endpoint Name in RD draft
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 May 2018 16:09:46 -0000

Dear Hannes,
dear list

To my knowledge, third-party provisioning functionality is in particular used for lighting systems; maybe Peter can comment on this. I am aware of a few business units that would also want to have this functionality in the RD. Furthermore, I have use cases for Web Things that provide a REST interface, but do not implement RD registration; with the third-party provisioning they can become part of CoRE environments as well.


Making the Endpoint Client Name optional is a good solution in my opinion, when it is clearly defined which security protocol identifiers shall be taken as Endpoint Client Name. I am not even sure if I understand the current "mostly mandatory" correctly). Overall, it would be good to describe the usage of security context well, as there are different possibilities (cf. certificate vs Raw Public Key vs PSK).

Furthermore, the draft is a bit too fuzzy about the authorization, in particular for registration. It feels obvious that also third-party provisioning needs to be authorized to use the Endpoint Client Name to be registered, but hearing Hannes's concerns, it probably should be stated concretely. The role of Domain is also rather implicit here; to my understanding, there can be duplicate Endpoint Client Names as long as they have different Domains.

Kind regards,
Matthias


Von: core [mailto:core-bounces@ietf.org] Im Auftrag von Hannes Tschofenig
Gesendet: Montag, 7. Mai 2018 16:17
An: Mohit Sethi; core@ietf.org
Betreff: Re: [core] Conclusion -- Endpoint Client Name / Endpoint Name in RD draft

I was referring to this functionality: https://tools.ietf.org/html/draft-ietf-core-resource-directory-13#section-5..3.2<https://tools.ietf.org/html/draft-ietf-core-resource-directory-13#section-5.3.2>


From: Mohit Sethi [mailto:mohit.m.sethi@ericsson.com]
Sent: 07 May 2018 15:54
To: Hannes Tschofenig; core@ietf.org<mailto:core@ietf.org>
Subject: Re: [core] Conclusion -- Endpoint Client Name / Endpoint Name in RD draft


Hi Hannes,

Thank you for summarizing the discussion on this important topic thus far.

Could you also very briefly explain what does third-party provisioning mean for you?

--Mohit

On 05/07/2018 04:50 PM, Hannes Tschofenig wrote:
Hi all,

I hope that all the discussion around the endpoint name / endpoint client name have helped to make you think about the security implications of sending an unauthenticated identifier.

I would like to come to a conclusion and here is my attempt.

Since we the RD document also defines the third party provisioning I would suggest to make the endpoint name optional in the draft.

I would also encourage the chairs to find out whether the third party provisioning is actually something in this group has gained some experience with.

Ciao
Hannes

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.


_______________________________________________

core mailing list

core@ietf.org<mailto:core@ietf.org>

https://www.ietf.org/mailman/listinfo/core

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email