Re: [Dtls-iot] IP Addresses in Certificates

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 11 August 2015 10:50 UTC

Message-ID: <55C9D35D.60307@cs.tcd.ie>
Date: Tue, 11 Aug 2015 11:50:05 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Michael StJohns <msj@nthpermutation.com>
References: <55A63EEF.7010608@gmx.net> <55A641EC.4030203@cs.tcd.ie> <D1D3F9D5.31B15%thomas.fossati@alcatel-lucent.com> <trinity-5e418e2e-726a-4c31-8498-634e598fb57e-1438786484782@3capp-gmx-bs46> <55C23E1B.5050300@cs.tcd.ie> <55C2687F.8050004@nthpermutation.com> <55C4BEE5.5080107@gmx.net> <55C7F80B.5020501@cs.tcd.ie> <55C9D1BC.70500@gmx.net>
In-Reply-To: <55C9D1BC.70500@gmx.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dtls-iot/6nY48LkhVrkwzAGxgJOij7Y5Ha4>
Cc: dtls-iot@ietf.org
Subject: Re: [Dtls-iot] IP Addresses in Certificates


On 11/08/15 11:43, Hannes Tschofenig wrote:
> Hi Stephen,
> 
>> OTOH, there will be devices whose only visible identifier is an IP
>> address, right? If so, and if certificates/DTLS are to be of use with
>> such devices... then what? I do think some variety of "we" ought to try
>> to address this problem.
> 
> I don't think that there are devices that have no other identifiers than
> IP addresses. For example, if a device has a network interface it will
> also have a MAC address.

My hope is that 802 move more and more towards non-static or random
MAC addresses.

> There will also be an application sitting on
> top of the stack that might introduce identifiers.

Sure, they "might" :-) And if they do, then for sure there shouldn't
be any reason to put an IP address for such a device in a certificate.

My point is that there will be devices where the IP address is the
only reliably-present publicly (maybe public==on-LAN here) visible
identifier and where we'd like to use (D)TLS to talk to that device.
And we have no guidance for that case, and we do have a bunch of
gotchas and pitfalls.

> 
> Even beacons have identifiers (although they are not identifying
> individual devices themselves).
> 
> As a software / hardware engineer you will have to figure out what
> hardware components and what firmware you put on the device. As such, it
> is useful to think about these types of things early, which the document
> should be able to do.

Again, I'm not saying this document ought to say what to do about
a certificate for 10.0.0.1. But again "we" probably should think
about that for some definition of "we" that is a subset of the
IETF, I reckon. (Unless someone else has done a good job already,
in which case that's fine.)

S.

> 
> Ciao
> Hannes
> 
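As an added example, not part of the thread above: the "certificate for 10.0.0.1" case comes down to checking the peer's address against the certificate's iPAddress subjectAltName entries, and two of the gotchas are textual IPv6 variants and IPv4-mapped addresses seen on dual-stack sockets. The certificate dict below is constructed in the shape Python's `ssl` `getpeercert()` returns, and the addresses are documentation/private-range values; none of it comes from the mailing list.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# The Common Name repeats the address on purpose, to show it is never consulted.
SAMPLE_CERT = {
    "subject": ((("commonName", "10.0.0.1"),),),
    "subjectAltName": (
        ("IP Address", "10.0.0.1"),
        ("IP Address", "2001:DB8::1"),
        ("DNS", "sensor.example.com"),
    ),
}


def san_ip_addresses(cert):
    """Return the iPAddress SAN entries of a getpeercert()-style dict, parsed."""
    found = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "IP Address":
            continue
        try:
            found.append(ipaddress.ip_address(value))
        except ValueError:
            # A malformed entry is skipped, never treated as a wildcard.
            continue
    return found


def cert_matches_peer_ip(cert, peer_ip):
    """True iff peer_ip is one of the certificate's iPAddress SAN entries.

    Comparison is on parsed addresses, so "2001:db8::1" and
    "2001:DB8:0:0:0:0:0:1" compare equal, and an IPv4-mapped IPv6 peer
    address (::ffff:10.0.0.1, as a dual-stack socket reports an IPv4 peer)
    matches an IPv4 SAN entry. The subject CN is deliberately ignored:
    RFC 5280 carries IP identities only in subjectAltName.
    """
    try:
        wanted = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # hostnames and garbage never match an IP SAN
    candidates = {wanted}
    if isinstance(wanted, ipaddress.IPv6Address) and wanted.ipv4_mapped:
        candidates.add(wanted.ipv4_mapped)
    return any(entry in candidates for entry in san_ip_addresses(cert))
```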