Re: [Dtls-iot] IP Addresses in Certificates
"FOSSATI, Thomas (Thomas)" <thomas.fossati@alcatel-lucent.com> Tue, 21 July 2015 12:16 UTC
Return-Path: <thomas.fossati@alcatel-lucent.com>
X-Original-To: dtls-iot@ietfa.amsl.com
Delivered-To: dtls-iot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C24D1A1A54 for <dtls-iot@ietfa.amsl.com>; Tue, 21 Jul 2015 05:16:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zgKQ7ANzeGWm for <dtls-iot@ietfa.amsl.com>; Tue, 21 Jul 2015 05:16:19 -0700 (PDT)
Received: from smtp-fr.alcatel-lucent.com (fr-hpida-esg-02.alcatel-lucent.com [135.245.210.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFE361A1A4D for <dtls-iot@ietf.org>; Tue, 21 Jul 2015 05:16:18 -0700 (PDT)
Received: from fr712usmtp2.zeu.alcatel-lucent.com (unknown [135.239.2.42]) by Websense Email Security Gateway with ESMTPS id 1CBFF7285B2F5; Tue, 21 Jul 2015 12:16:15 +0000 (GMT)
Received: from FR712WXCHHUB03.zeu.alcatel-lucent.com (fr712wxchhub03.zeu.alcatel-lucent.com [135.239.2.74]) by fr712usmtp2.zeu.alcatel-lucent.com (GMO) with ESMTP id t6LCGEmR028124 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 21 Jul 2015 14:16:16 +0200
Received: from FR711WXCHMBA08.zeu.alcatel-lucent.com ([169.254.4.234]) by FR712WXCHHUB03.zeu.alcatel-lucent.com ([135.239.2.74]) with mapi id 14.03.0195.001; Tue, 21 Jul 2015 14:16:15 +0200
From: "FOSSATI, Thomas (Thomas)" <thomas.fossati@alcatel-lucent.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, "dtls-iot@ietf.org" <dtls-iot@ietf.org>
Thread-Topic: [Dtls-iot] IP Addresses in Certificates
Thread-Index: AQHQvu6lTNaooH6PIU+dO60aWHwEGZ3cQQkAgAmfKgA=
Date: Tue, 21 Jul 2015 12:16:14 +0000
Message-ID: <D1D3F9D5.31B15%thomas.fossati@alcatel-lucent.com>
References: <55A63EEF.7010608@gmx.net> <55A641EC.4030203@cs.tcd.ie>
In-Reply-To: <55A641EC.4030203@cs.tcd.ie>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.2.150604
x-originating-ip: [135.239.27.40]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <C827D3A829A4BE40A44335EF48DE506A@exchange.lucent.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dtls-iot/ApWvy4f8Hsov4chLXgk9bDRQL_U>
Subject: Re: [Dtls-iot] IP Addresses in Certificates
X-BeenThere: dtls-iot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DTLS for IoT discussion list <dtls-iot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtls-iot/>
List-Post: <mailto:dtls-iot@ietf.org>
List-Help: <mailto:dtls-iot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2015 12:16:20 -0000
Hi Stephen, On 15/07/2015 12:20, "dtls-iot on behalf of Stephen Farrell" <dtls-iot-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie> wrote: >Hiya, > >On 15/07/15 12:07, Hannes Tschofenig wrote: >> Stephen wrote: >> >> (5) 6.3: Forgetting CoAP for the moment, surely this profile will be >> used with devices that only have (possibly bogon) IP addresses and that >> want to have those in certs. I do get that how to handle that well is >> not very clear, esp. for certs for e.g. 192.168.0.1, but shouldn't it >> really be covered by this profile? > >I should also have mentioned link-local addresses too I guess. v6 link-local make sense as stable identifiers, but they'd be equivalent to EUI-64 (which is what 6.3.2 requires for the use case where all the secure communication happens on the same subnet), only a few bytes larger than their EUI counterpart. Other kinds of IP addresses aren't long-term/stable enough to be put in a certificate -- which is in line with the recommendation we give in CoAP [https://tools.ietf.org/html/rfc7252#section-9.1.3.3]. Cheers, t
- [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Stephen Farrell
- Re: [Dtls-iot] IP Addresses in Certificates Michael Richardson
- Re: [Dtls-iot] IP Addresses in Certificates FOSSATI, Thomas (Thomas)
- Re: [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Stephen Farrell
- Re: [Dtls-iot] IP Addresses in Certificates Michael StJohns
- Re: [Dtls-iot] IP Addresses in Certificates Michael Richardson
- Re: [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Michael Richardson
- Re: [Dtls-iot] IP Addresses in Certificates Stephen Farrell
- Re: [Dtls-iot] IP Addresses in Certificates Stephen Farrell
- Re: [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Michael StJohns
- Re: [Dtls-iot] IP Addresses in Certificates Michael Richardson