IETF Logo Mail Archive

Re: [Dtls-iot] IP Addresses in Certificates

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 10 August 2015 01:02 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dtls-iot@ietfa.amsl.com
Delivered-To: dtls-iot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5352E1A1B40 for <dtls-iot@ietfa.amsl.com>; Sun, 9 Aug 2015 18:02:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ROCRvhbpSi9 for <dtls-iot@ietfa.amsl.com>; Sun, 9 Aug 2015 18:02:29 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F6D11A1B3D for <dtls-iot@ietf.org>; Sun, 9 Aug 2015 18:02:29 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 6DC81BE4D; Mon, 10 Aug 2015 02:02:27 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8QNddKxVxO5t; Mon, 10 Aug 2015 02:02:25 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.46.29.218]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 2D786BE3E; Mon, 10 Aug 2015 02:02:25 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1439168545; bh=03x5VcabWB3MG2vJo2ArcRiX7JodZy/D4oHoQmuVWpk=; h=Date:From:To:CC:Subject:References:In-Reply-To:From; b=bUxofs1b9XLSe4gTKrTEPMjQf99jpeVk58KFlSKUxZZlwDnE81xh0TO4so9ucKpXE iQHkci+5fFBvYCW8CwuEODTSZz42+SAd8o3TZjRG0TYc4v8EkeY5ZpGRTdUYJGbqfy nvPT4Zm9t62QqBIw4i6n4Nrh/6HjnZE1YfokyJcM=
Message-ID: <55C7F80B.5020501@cs.tcd.ie>
Date: Mon, 10 Aug 2015 02:02:03 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Michael StJohns <msj@nthpermutation.com>
References: <55A63EEF.7010608@gmx.net> <55A641EC.4030203@cs.tcd.ie> <D1D3F9D5.31B15%thomas.fossati@alcatel-lucent.com> <trinity-5e418e2e-726a-4c31-8498-634e598fb57e-1438786484782@3capp-gmx-bs46> <55C23E1B.5050300@cs.tcd.ie> <55C2687F.8050004@nthpermutation.com> <55C4BEE5.5080107@gmx.net>
In-Reply-To: <55C4BEE5.5080107@gmx.net>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="UfC5wdtvJVniRMCUVEBfX2SKCsuifgKnS"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dtls-iot/OzyG-xISXQcrwD3XJC9J8faLAB0>
Cc: dtls-iot@ietf.org
Subject: Re: [Dtls-iot] IP Addresses in Certificates
X-BeenThere: dtls-iot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DTLS for IoT discussion list <dtls-iot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtls-iot/>
List-Post: <mailto:dtls-iot@ietf.org>
List-Help: <mailto:dtls-iot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2015 01:02:32 -0000

Hiya,

On 07/08/15 15:21, Hannes Tschofenig wrote:
> Hi Mike, Hi Stephen,
> 
> I don't understand why we should make any recommendations for how to use
> IP addresses in certificates.

For which definition of "we"?

I guess it is maybe wrong to consider the DICE WG doing this, but my
comment was really asking the question and not insisting on a given
answer.

> IP addresses in certificates are not useful for end devices since their
> IP addresses is most likely not known during manufacturing nor does it
> add any security value.

Fair point.

OTOH, there will be devices whose only visible identifier is an IP
address, right? If so, and if certificates/DTLS are to be of use with
such devices... then what? I do think some variety of "we" ought try
to address this problem.

> 
> Regarding IEEE 802.1AR I don't believe it recommends using IP addresses
> in certificates either.

Which is entirely fine. There are definitely better ways of naming
things than with addresses, esp relatively-scoped addresses.


S.

> 
> Ciao
> Hannes
> 
> On 08/05/2015 09:48 PM, Michael StJohns wrote:
>> Hi Stephen et al.
>>
>> I'm coming in on this fairly late (2 weeks) so let me try and muddy the
>> waters:
>>
>> IEEE 802.1AR is a good source for ideas of how to deal with certificates
>> and small devices.   In the case of Zigbee Smart Energy 2.0 for example,
>> we use their concepts of LDevID  (Locally significant) and IDevID
>> (Initial) device identifiers.  The latter is what gets built into the
>> device and SEP2.0 uses the SubjectAltName hardwareModuleName in RFC4108
>> as the manufactured in name for the device.  The attachment of a
>> certificate to MAC address or even IP address by the manufacturer has a
>> number of issues that are painful to address and that don't usually add
>> to the security of the system.  (e.g. the handle of the name mostly
>> isn't important to the underlying protocols in IOT and the relationship
>> between an entity and its IP or MAC generally isn't a necessary
>> consideration for trust between entities given certificates - same
>> reason that client certificates for TLS rarely have IP addresses in
>> them, but do have human personal names or email addresses).
>>
>> Ideally you want a mapping between what's on the certificate inside the
>> device and what's on the label outside - so that humans can basically
>> type things in (or barcode them or....) during installation.  I might
>> expect a local trust center to issue an LDevID based on the (manual?)
>> acceptance of IDevID, and the LDevID *could* contain an IP address as a
>> SubjectAltName, but I don't think we've gone that deep and most folk
>> balk at running a Mini-CA in their home.
>>
>> So I think your recommendation of "future work needed" is probably more
>> correct than "IP certificates needed".
>>
>> Later, Mike
>>
>>
>>
>>
>>
>> On 8/5/2015 12:47 PM, Stephen Farrell wrote:
>>> Hiya,
>>>
>>> On 05/08/15 15:54, Hannes Tschofenig wrote:
>>>> Hi Stephen,
>>>> reading through this issue again I believe you could help us further
>>>> explain
>>>> what we could recommend in the document.
>>> Assuming that it'd be a bunch of work to recommend how to best
>>> handle certificates for devices that will only ever have a bogon
>>> IP address, I guess the best for now is to just say that that work
>>> is not (yet) done and hence this document makes no recommendation.
>>>
>>> Seem ok? (And yes it could be that the current text on that
>>> is just fine, I didn't go look back right now)
>>>
>>> S.
>>>
>>>> Currently, we are saying that folks shouldn't use IP addresses in
>>>> certificates
>>>> and in the email below Thomas mentioned one reason for doing so. I
>>>> also pointed
>>>> to a separate draft we have been working on to explore the topic
>>>> further (see
>>>> <draft-fossati-core-certmode-rd-names-01>).
>>>> Ciao
>>>> Hannes
>>>> *Gesendet:* Dienstag, 21. Juli 2015 um 14:16 Uhr
>>>> *Von:* "FOSSATI, Thomas (Thomas)" <thomas.fossati@alcatel-lucent.com>
>>>> *An:* "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Hannes Tschofenig"
>>>> <hannes.tschofenig@gmx.net>, "dtls-iot@ietf.org" <dtls-iot@ietf.org>
>>>> *Betreff:* Re: [Dtls-iot] IP Addresses in Certificates
>>>> Hi Stephen,
>>>>
>>>> On 15/07/2015 12:20, "dtls-iot on behalf of Stephen Farrell"
>>>> <dtls-iot-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie>
>>>> wrote:
>>>>   >Hiya,
>>>>   >
>>>>   >On 15/07/15 12:07, Hannes Tschofenig wrote:
>>>>   >> Stephen wrote:
>>>>   >>
>>>>   >> (5) 6.3: Forgetting CoAP for the moment, surely this profile
>>>> will be
>>>>   >> used with devices that only have (possibly bogon) IP addresses
>>>> and that
>>>>   >> want to have those in certs. I do get that how to handle that
>>>> well is
>>>>   >> not very clear, esp. for certs for e.g. 192.168.0.1, but
>>>> shouldn't it
>>>>   >> really be covered by this profile?
>>>>   >
>>>>   >I should also have mentioned link-local addresses too I guess.
>>>>
>>>> v6 link-local make sense as stable identifiers, but they'd be equivalent
>>>> to EUI-64 (which is what 6.3.2 requires for the use case where all the
>>>> secure communication happens on the same subnet), only a few bytes
>>>> larger
>>>> than their EUI counterpart.
>>>>
>>>> Other kinds of IP addresses aren't long-term/stable enough to be put
>>>> in a
>>>> certificate -- which is in line with the recommendation we give in CoAP
>>>> [https://tools.ietf.org/html/rfc7252#section-9.1.3.3].
>>>>
>>>> Cheers, t
>>>>
>>>> _______________________________________________
>>>> dtls-iot mailing list
>>>> dtls-iot@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dtls-iot
>>>>
>>> _______________________________________________
>>> dtls-iot mailing list
>>> dtls-iot@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dtls-iot
>>>
>>
>> _______________________________________________
>> dtls-iot mailing list
>> dtls-iot@ietf.org
>> https://www.ietf.org/mailman/listinfo/dtls-iot
> 
> 
> 
> _______________________________________________
> dtls-iot mailing list
> dtls-iot@ietf.org
> https://www.ietf.org/mailman/listinfo/dtls-iot
>

v2.23.0 | Report a Bug | By Email