IETF Logo Mail Archive

Re: [Dtls-iot] IP Addresses in Certificates

Michael StJohns <msj@nthpermutation.com> Wed, 05 August 2015 19:48 UTC

Return-Path: <msj@nthpermutation.com>
X-Original-To: dtls-iot@ietfa.amsl.com
Delivered-To: dtls-iot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBD7E1A8764 for <dtls-iot@ietfa.amsl.com>; Wed, 5 Aug 2015 12:48:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.59
X-Spam-Level:
X-Spam-Status: No, score=-2.59 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, T_FILL_THIS_FORM_SHORT=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GUPlKzrPpkqH for <dtls-iot@ietfa.amsl.com>; Wed, 5 Aug 2015 12:48:15 -0700 (PDT)
Received: from mail-qg0-f44.google.com (mail-qg0-f44.google.com [209.85.192.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E7671A1B4C for <dtls-iot@ietf.org>; Wed, 5 Aug 2015 12:48:15 -0700 (PDT)
Received: by qgeh16 with SMTP id h16so37963459qge.3 for <dtls-iot@ietf.org>; Wed, 05 Aug 2015 12:48:14 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-type :content-transfer-encoding; bh=fGhjPWj036opov815HyjnmDf8VfOY4ZrXz4M4K6Xy9k=; b=EWfYP43hsVZOVyAjFC9TuTVAM9HgckhD/OAfY4CWX2gHv4ptT1mX3r1uCDQU8wyPjK XnK/nzak0CifvTOFLYHs6TUPueN0BaNUxCqBs907TGlCiWYzMMV7jdvgGElQIKrGjDoE o9tj/nqyABoqUABkaIcDJ4vN4Bl2Bhdk5H4M1NQHs21c6vQd0Xp2Wor5rKBe5TjEAXdk DjwNLb50fu5tYzoVIf/XMgazKGGXf4r1RsU4YoEWK6IP+cMdG9nK6A2EkfxnfZvrjo/l xIAwbHk1sxg/im5EuH1UmfiCYlWXC32p+rk5op/LVndHFQDuvZLEVSct/W6/YG7dKwLK piEQ==
X-Gm-Message-State: ALoCoQlJD+iaS01pyVxcGBd4b4dycwp3pdviIMWcKewEPNkkPLK897jhGLwB/kogutNLmyHXS6PI
X-Received: by 10.140.30.166 with SMTP id d35mr19518043qgd.85.1438804094272; Wed, 05 Aug 2015 12:48:14 -0700 (PDT)
Received: from ?IPv6:2601:148:c000:1bb4:9858:21af:6dd7:5528? ([2601:148:c000:1bb4:9858:21af:6dd7:5528]) by smtp.gmail.com with ESMTPSA id 20sm1920380qkp.39.2015.08.05.12.48.13 for <dtls-iot@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 05 Aug 2015 12:48:13 -0700 (PDT)
To: dtls-iot@ietf.org
References: <55A63EEF.7010608@gmx.net> <55A641EC.4030203@cs.tcd.ie> <D1D3F9D5.31B15%thomas.fossati@alcatel-lucent.com> <trinity-5e418e2e-726a-4c31-8498-634e598fb57e-1438786484782@3capp-gmx-bs46> <55C23E1B.5050300@cs.tcd.ie>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <55C2687F.8050004@nthpermutation.com>
Date: Wed, 05 Aug 2015 15:48:15 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.0.1
MIME-Version: 1.0
In-Reply-To: <55C23E1B.5050300@cs.tcd.ie>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dtls-iot/4oR2qBOSRqWOnk8jFoda6X2o7lU>
Subject: Re: [Dtls-iot] IP Addresses in Certificates
X-BeenThere: dtls-iot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DTLS for IoT discussion list <dtls-iot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtls-iot/>
List-Post: <mailto:dtls-iot@ietf.org>
List-Help: <mailto:dtls-iot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2015 19:48:22 -0000

Hi Stephen et al.

I'm coming in on this fairly late (2 weeks) so let me try and muddy the 
waters:

IEEE 802.1AR is a good source for ideas of how to deal with certificates 
and small devices.   In the case of Zigbee Smart Energy 2.0 for example, 
we use their concepts of LDevID  (Locally significant) and IDevID 
(Initial) device identifiers.  The latter is what gets built into the 
device and SEP2.0 uses the SubjectAltName hardwareModuleName in RFC4108 
as the manufactured in name for the device.  The attachment of a 
certificate to MAC address or even IP address by the manufacturer has a 
number of issues that are painful to address and that don't usually add 
to the security of the system.  (e.g. the handle of the name mostly 
isn't important to the underlying protocols in IOT and the relationship 
between an entity and its IP or MAC generally isn't a necessary 
consideration for trust between entities given certificates - same 
reason that client certificates for TLS rarely have IP addresses in 
them, but do have human personal names or email addresses).

Ideally you want a mapping between what's on the certificate inside the 
device and what's on the label outside - so that humans can basically 
type things in (or barcode them or....) during installation.  I might 
expect a local trust center to issue an LDevID based on the (manual?) 
acceptance of IDevID, and the LDevID *could* contain an IP address as a 
SubjectAltName, but I don't think we've gone that deep and most folk 
balk at running a Mini-CA in their home.

So I think your recommendation of "future work needed" is probably more 
correct than "IP certificates needed".

Later, Mike





On 8/5/2015 12:47 PM, Stephen Farrell wrote:
> Hiya,
>
> On 05/08/15 15:54, Hannes Tschofenig wrote:
>> Hi Stephen,
>> reading through this issue again I believe you could help us further explain
>> what we could recommend in the document.
> Assuming that it'd be a bunch of work to recommend how to best
> handle certificates for devices that will only ever have a bogon
> IP address, I guess the best for now is to just say that that work
> is not (yet) done and hence this document makes no recommendation.
>
> Seem ok? (And yes it could be that the current text on that
> is just fine, I didn't go look back right now)
>
> S.
>
>> Currently, we are saying that folks shouldn't use IP addresses in certificates
>> and in the email below Thomas mentioned one reason for doing so. I also pointed
>> to a separate draft we have been working on to explore the topic further (see
>> <draft-fossati-core-certmode-rd-names-01>).
>> Ciao
>> Hannes
>> *Gesendet:* Dienstag, 21. Juli 2015 um 14:16 Uhr
>> *Von:* "FOSSATI, Thomas (Thomas)" <thomas.fossati@alcatel-lucent.com>
>> *An:* "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Hannes Tschofenig"
>> <hannes.tschofenig@gmx.net>, "dtls-iot@ietf.org" <dtls-iot@ietf.org>
>> *Betreff:* Re: [Dtls-iot] IP Addresses in Certificates
>> Hi Stephen,
>>
>> On 15/07/2015 12:20, "dtls-iot on behalf of Stephen Farrell"
>> <dtls-iot-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie> wrote:
>>   >Hiya,
>>   >
>>   >On 15/07/15 12:07, Hannes Tschofenig wrote:
>>   >> Stephen wrote:
>>   >>
>>   >> (5) 6.3: Forgetting CoAP for the moment, surely this profile will be
>>   >> used with devices that only have (possibly bogon) IP addresses and that
>>   >> want to have those in certs. I do get that how to handle that well is
>>   >> not very clear, esp. for certs for e.g. 192.168.0.1, but shouldn't it
>>   >> really be covered by this profile?
>>   >
>>   >I should also have mentioned link-local addresses too I guess.
>>
>> v6 link-local make sense as stable identifiers, but they'd be equivalent
>> to EUI-64 (which is what 6.3.2 requires for the use case where all the
>> secure communication happens on the same subnet), only a few bytes larger
>> than their EUI counterpart.
>>
>> Other kinds of IP addresses aren't long-term/stable enough to be put in a
>> certificate -- which is in line with the recommendation we give in CoAP
>> [https://tools.ietf.org/html/rfc7252#section-9.1.3.3].
>>
>> Cheers, t
>>
>> _______________________________________________
>> dtls-iot mailing list
>> dtls-iot@ietf.org
>> https://www.ietf.org/mailman/listinfo/dtls-iot
>>
> _______________________________________________
> dtls-iot mailing list
> dtls-iot@ietf.org
> https://www.ietf.org/mailman/listinfo/dtls-iot
>

v2.23.0 | Report a Bug | By Email