Re: [core] Conclusion -- Endpoint Client Name / Endpoint Name in RD draft
Mohit Sethi <mohit.m.sethi@ericsson.com> Mon, 07 May 2018 18:00 UTC
Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A729127AD4 for <core@ietfa.amsl.com>; Mon, 7 May 2018 11:00:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ENj6dlqxv-ca for <core@ietfa.amsl.com>; Mon, 7 May 2018 10:59:57 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E07ED127869 for <core@ietf.org>; Mon, 7 May 2018 10:59:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1525715994; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=2xhHPN1//HFppimwnWkze3rRIruDLa3RvCqOWObFtT8=; b=IgRd7/dtWBbSruWYkBZ7a1daGiQuobHG6Y4nZjfIlhF43xlNIPNYTu7qPJ5ebYKs GKAuZ4Z7TKVTKiUtj//qw0NNXdkjbd0/huI6sT34X7DDjXEchJL66KZO4lQ7pWWF gzhqsHUJAg7/BTZzVKmXoHrGJw+0jslciszROhrOCCM=;
X-AuditID: c1b4fb2d-adbff700000055bf-1f-5af0941a5082
Received: from ESESSHC001.ericsson.se (Unknown_Domain [153.88.183.21]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id 63.DD.21951.A1490FA5; Mon, 7 May 2018 19:59:54 +0200 (CEST)
Received: from nomadiclab.fi.eu.ericsson.se (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.23) with Microsoft SMTP Server id 14.3.382.0; Mon, 7 May 2018 19:59:53 +0200
Received: from nomadiclab.fi.eu.ericsson.se (localhost [127.0.0.1]) by nomadiclab.fi.eu.ericsson.se (Postfix) with ESMTP id 4E4FD481AB8; Mon, 7 May 2018 20:59:53 +0300 (EEST)
Received: from [127.0.0.1] (localhost [IPv6:::1]) by nomadiclab.fi.eu.ericsson.se (Postfix) with ESMTP id C8970481AA4; Mon, 7 May 2018 20:59:52 +0300 (EEST)
To: "Kovatsch, Matthias" <matthias.kovatsch@siemens.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Mohit Sethi <mohit.m.sethi@ericsson.com>, "core@ietf.org" <core@ietf.org>
References: <VI1PR0801MB2112B9A4410DA3EDE39183BEFA9B0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <bd85e420-c6ce-3e87-406a-4cd5a4fafaa6@ericsson.com> <VI1PR0801MB21121FAE34CE76841CF6DBE1FA9B0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <4EBB3DDD0FBF694CA2A87838DF129B3C01F36340@DEFTHW99EL4MSX.ww902.siemens.net>
From: Mohit Sethi <mohit.m.sethi@ericsson.com>
Message-ID: <aee2b1d8-79fa-f88d-3e66-d5bb09805713@ericsson.com>
Date: Mon, 07 May 2018 20:59:52 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <4EBB3DDD0FBF694CA2A87838DF129B3C01F36340@DEFTHW99EL4MSX.ww902.siemens.net>
Content-Type: multipart/alternative; boundary="------------45D66FA797C5D69B7BE3692A"
Content-Language: en-US
X-AV-Checked: ClamAV using ClamSMTP
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupikeLIzCtJLcpLzFFi42KZGbFdVFdqyocog//PJS32vV3PbHFzxikm i8YJLxgdmD3WzFvD6LFkyU8mj+0nJzEFMEdx2aSk5mSWpRbp2yVwZZw4eI6toGMBY8XFEztY Ghif1XYxcnJICJhILDp5k7WLkYtDSOAIo8S9G1egnO2MEm/vnGcBqRIS2MwosfVhBERiIaPE 6zObmEASwgIhEm0npjKCJEQEtjFKzDvzgxmiajeTxOqHC8Ha2QT0JDrPHWcGsXkF7CUuHN8F ZrMIqEj87lnMDmKLCkRI3Dv/iQ2iRlDi5MwnYL2cQPH5T9vAtjELhEn0P+5hg7DFJW49mc8E 8YSyxIKWRYwQp6pLbO04wDiBUWgWklGzkLTPQtI+i5EDyLaXeLC1DCIsL9G8dTYzhK0vcf3O fVZk8QWM7KsYRYtTi4tz042M9VKLMpOLi/Pz9PJSSzYxAmPo4JbfujsYV792PMQowMGoxMPb n/MhSog1say4MvcQowQHs5IIL5syUIg3JbGyKrUoP76oNCe1+BCjNAeLkjiv3qo9UUIC6Ykl qdmpqQWpRTBZJg5OqQbGBj7TyrZ/HC5pj6vljOb//b/nrGhe0uNZ2xq7fqTb8Wyf7sM6q4hr yvbSHXu+6bofUbsceTz/h56XxwL3hwo6vvU7CybfvLwr+HTe+ymu3m+jrW+V9bifmyg268bD p3wO2iHqi3b6XjhWm/H2TKrF8aWLn2S+qNn64uCcg4m1n6YVSCot+tcaqsRSnJFoqMVcVJwI AOyyLnqdAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/vaZM9dYyMbeIEUrfUzScnNioQyQ>
Subject: Re: [core] Conclusion -- Endpoint Client Name / Endpoint Name in RD draft
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 May 2018 18:00:00 -0000
Hi Matthias, Thanks for bringing forward the use-case. I have implemented an earlier version of the RD. I agree, the current text on "mostly mandatory" leaves much to be desired. And +1 on request for more clear text about different possibilities (cf. certificate vs Raw Public Key vs PSK). --Mohit On 05/07/2018 07:09 PM, Kovatsch, Matthias wrote: > > Dear Hannes, > > dear list > > To my knowledge, third-party provisioning functionality is in > particular used for lighting systems; maybe Peter can comment on this. > I am aware of a few business units that would also want to have this > functionality in the RD. Furthermore, I have use cases for Web Things > that provide a REST interface, but do not implement RD registration; > with the third-party provisioning they can become part of CoRE > environments as well. > > Making the Endpoint Client Name optional is a good solution in my > opinion, when it is clearly defined which security protocol > identifiers shall be taken as Endpoint Client Name. I am not even sure > if I understand the current “mostly mandatory” correctly). Overall, it > would be good to describe the usage of security context well, as there > are different possibilities (cf. certificate vs Raw Public Key vs PSK). > > Furthermore, the draft is a bit too fuzzy about the authorization, in > particular for registration. It feels obvious that also third-party > provisioning needs to be authorized to use the Endpoint Client Name to > be registered, but hearing Hannes’s concerns, it probably should be > stated concretely. The role of Domain is also rather implicit here; to > my understanding, there can be duplicate Endpoint Client Names as long > as they have different Domains. > > Kind regards, > > Matthias > > *Von:*core [mailto:core-bounces@ietf.org] *Im Auftrag von *Hannes > Tschofenig > *Gesendet:* Montag, 7. Mai 2018 16:17 > *An:* Mohit Sethi; core@ietf.org > *Betreff:* Re: [core] Conclusion -- Endpoint Client Name / Endpoint > Name in RD draft > > I was referring to this functionality: > https://tools.ietf.org/html/draft-ietf-core-resource-directory-13#section-5...3.2 > <https://tools.ietf.org/html/draft-ietf-core-resource-directory-13#section-5.3.2> > > *From:*Mohit Sethi [mailto:mohit.m.sethi@ericsson.com] > *Sent:* 07 May 2018 15:54 > *To:* Hannes Tschofenig; core@ietf.org <mailto:core@ietf.org> > *Subject:* Re: [core] Conclusion -- Endpoint Client Name / Endpoint > Name in RD draft > > Hi Hannes, > > Thank you for summarizing the discussion on this important topic thus > far. > > Could you also very briefly explain what does third-party provisioning > mean for you? > > --Mohit > > On 05/07/2018 04:50 PM, Hannes Tschofenig wrote: > > Hi all, > > I hope that all the discussion around the endpoint name / endpoint > client name have helped to make you think about the security > implications of sending an unauthenticated identifier.. > > I would like to come to a conclusion and here is my attempt. > > Since we the RD document also defines the third party provisioning > I would suggest to make the endpoint name optional in the draft. > > I would also encourage the chairs to find out whether the third > party provisioning is actually something in this group has gained > some experience with. > > Ciao > > Hannes > > IMPORTANT NOTICE: The contents of this email and any attachments > are confidential and may also be privileged. If you are not the > intended recipient, please notify the sender immediately and do > not disclose the contents to any other person, use it for any > purpose, or store or copy the information in any medium. Thank you. > > _______________________________________________ > > core mailing list > > core@ietf.org <mailto:core@ietf.org> > > https://www.ietf.org/mailman/listinfo/core > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose > the contents to any other person, use it for any purpose, or store or > copy the information in any medium. Thank you. > > > > _______________________________________________ > core mailing list > core@ietf.org > https://www.ietf.org/mailman/listinfo/core
- Re: [core] Conclusion -- Endpoint Client Name / E… Jim Schaad
- Re: [core] Conclusion -- Endpoint Client Name / E… Peter van der Stok
- Re: [core] Conclusion -- Endpoint Client Name / E… Jim Schaad
- Re: [core] Conclusion -- Endpoint Client Name / E… Peter van der Stok
- Re: [core] Conclusion -- Endpoint Client Name / E… Mert Ocak
- [core] Conclusion -- Endpoint Client Name / Endpo… Hannes Tschofenig
- Re: [core] Conclusion -- Endpoint Client Name / E… Mohit Sethi
- Re: [core] Conclusion -- Endpoint Client Name / E… Hannes Tschofenig
- Re: [core] Conclusion -- Endpoint Client Name / E… Kovatsch, Matthias
- Re: [core] Conclusion -- Endpoint Client Name / E… Mohit Sethi
- Re: [core] Conclusion -- Endpoint Client Name / E… Ludwig Seitz
- Re: [core] Conclusion -- Endpoint Client Name / E… peter van der Stok
- Re: [core] Conclusion -- Endpoint Client Name / E… peter van der Stok
- Re: [core] Conclusion -- Endpoint Client Name / E… Hannes Tschofenig
- Re: [core] Conclusion -- Endpoint Client Name / E… peter van der Stok
- Re: [core] Conclusion -- Endpoint Client Name / E… Hannes Tschofenig
- Re: [core] Conclusion -- Endpoint Client Name / E… peter van der Stok
- Re: [core] Conclusion -- Endpoint Client Name / E… Kovatsch, Matthias
- Re: [core] Conclusion -- Endpoint Client Name / E… Hannes Tschofenig
- Re: [core] Conclusion -- Endpoint Client Name / E… peter van der Stok
- Re: [core] Conclusion -- Endpoint Client Name / E… peter van der Stok
- Re: [core] Conclusion -- Endpoint Client Name / E… peter van der Stok