Re: [Dtls-iot] IP Addresses in Certificates
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 10 August 2015 01:02 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dtls-iot@ietfa.amsl.com
Delivered-To: dtls-iot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5352E1A1B40 for <dtls-iot@ietfa.amsl.com>; Sun, 9 Aug 2015 18:02:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ROCRvhbpSi9 for <dtls-iot@ietfa.amsl.com>; Sun, 9 Aug 2015 18:02:29 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F6D11A1B3D for <dtls-iot@ietf.org>; Sun, 9 Aug 2015 18:02:29 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 6DC81BE4D; Mon, 10 Aug 2015 02:02:27 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8QNddKxVxO5t; Mon, 10 Aug 2015 02:02:25 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.46.29.218]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 2D786BE3E; Mon, 10 Aug 2015 02:02:25 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1439168545; bh=03x5VcabWB3MG2vJo2ArcRiX7JodZy/D4oHoQmuVWpk=; h=Date:From:To:CC:Subject:References:In-Reply-To:From; b=bUxofs1b9XLSe4gTKrTEPMjQf99jpeVk58KFlSKUxZZlwDnE81xh0TO4so9ucKpXE iQHkci+5fFBvYCW8CwuEODTSZz42+SAd8o3TZjRG0TYc4v8EkeY5ZpGRTdUYJGbqfy nvPT4Zm9t62QqBIw4i6n4Nrh/6HjnZE1YfokyJcM=
Message-ID: <55C7F80B.5020501@cs.tcd.ie>
Date: Mon, 10 Aug 2015 02:02:03 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Michael StJohns <msj@nthpermutation.com>
References: <55A63EEF.7010608@gmx.net> <55A641EC.4030203@cs.tcd.ie> <D1D3F9D5.31B15%thomas.fossati@alcatel-lucent.com> <trinity-5e418e2e-726a-4c31-8498-634e598fb57e-1438786484782@3capp-gmx-bs46> <55C23E1B.5050300@cs.tcd.ie> <55C2687F.8050004@nthpermutation.com> <55C4BEE5.5080107@gmx.net>
In-Reply-To: <55C4BEE5.5080107@gmx.net>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="UfC5wdtvJVniRMCUVEBfX2SKCsuifgKnS"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dtls-iot/OzyG-xISXQcrwD3XJC9J8faLAB0>
Cc: dtls-iot@ietf.org
Subject: Re: [Dtls-iot] IP Addresses in Certificates
X-BeenThere: dtls-iot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DTLS for IoT discussion list <dtls-iot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtls-iot/>
List-Post: <mailto:dtls-iot@ietf.org>
List-Help: <mailto:dtls-iot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2015 01:02:32 -0000
Hiya, On 07/08/15 15:21, Hannes Tschofenig wrote: > Hi Mike, Hi Stephen, > > I don't understand why we should make any recommendations for how to use > IP addresses in certificates. For which definition of "we"? I guess it is maybe wrong to consider the DICE WG doing this, but my comment was really asking the question and not insisting on a given answer. > IP addresses in certificates are not useful for end devices since their > IP addresses is most likely not known during manufacturing nor does it > add any security value. Fair point. OTOH, there will be devices whose only visible identifier is an IP address, right? If so, and if certificates/DTLS are to be of use with such devices... then what? I do think some variety of "we" ought try to address this problem. > > Regarding IEEE 802.1AR I don't believe it recommends using IP addresses > in certificates either. Which is entirely fine. There are definitely better ways of naming things than with addresses, esp relatively-scoped addresses. S. > > Ciao > Hannes > > On 08/05/2015 09:48 PM, Michael StJohns wrote: >> Hi Stephen et al. >> >> I'm coming in on this fairly late (2 weeks) so let me try and muddy the >> waters: >> >> IEEE 802.1AR is a good source for ideas of how to deal with certificates >> and small devices. In the case of Zigbee Smart Energy 2.0 for example, >> we use their concepts of LDevID (Locally significant) and IDevID >> (Initial) device identifiers. The latter is what gets built into the >> device and SEP2.0 uses the SubjectAltName hardwareModuleName in RFC4108 >> as the manufactured in name for the device. The attachment of a >> certificate to MAC address or even IP address by the manufacturer has a >> number of issues that are painful to address and that don't usually add >> to the security of the system. (e.g. the handle of the name mostly >> isn't important to the underlying protocols in IOT and the relationship >> between an entity and its IP or MAC generally isn't a necessary >> consideration for trust between entities given certificates - same >> reason that client certificates for TLS rarely have IP addresses in >> them, but do have human personal names or email addresses). >> >> Ideally you want a mapping between what's on the certificate inside the >> device and what's on the label outside - so that humans can basically >> type things in (or barcode them or....) during installation. I might >> expect a local trust center to issue an LDevID based on the (manual?) >> acceptance of IDevID, and the LDevID *could* contain an IP address as a >> SubjectAltName, but I don't think we've gone that deep and most folk >> balk at running a Mini-CA in their home. >> >> So I think your recommendation of "future work needed" is probably more >> correct than "IP certificates needed". >> >> Later, Mike >> >> >> >> >> >> On 8/5/2015 12:47 PM, Stephen Farrell wrote: >>> Hiya, >>> >>> On 05/08/15 15:54, Hannes Tschofenig wrote: >>>> Hi Stephen, >>>> reading through this issue again I believe you could help us further >>>> explain >>>> what we could recommend in the document. >>> Assuming that it'd be a bunch of work to recommend how to best >>> handle certificates for devices that will only ever have a bogon >>> IP address, I guess the best for now is to just say that that work >>> is not (yet) done and hence this document makes no recommendation. >>> >>> Seem ok? (And yes it could be that the current text on that >>> is just fine, I didn't go look back right now) >>> >>> S. >>> >>>> Currently, we are saying that folks shouldn't use IP addresses in >>>> certificates >>>> and in the email below Thomas mentioned one reason for doing so. I >>>> also pointed >>>> to a separate draft we have been working on to explore the topic >>>> further (see >>>> <draft-fossati-core-certmode-rd-names-01>). >>>> Ciao >>>> Hannes >>>> *Gesendet:* Dienstag, 21. Juli 2015 um 14:16 Uhr >>>> *Von:* "FOSSATI, Thomas (Thomas)" <thomas.fossati@alcatel-lucent.com> >>>> *An:* "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Hannes Tschofenig" >>>> <hannes.tschofenig@gmx.net>, "dtls-iot@ietf.org" <dtls-iot@ietf.org> >>>> *Betreff:* Re: [Dtls-iot] IP Addresses in Certificates >>>> Hi Stephen, >>>> >>>> On 15/07/2015 12:20, "dtls-iot on behalf of Stephen Farrell" >>>> <dtls-iot-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie> >>>> wrote: >>>> >Hiya, >>>> > >>>> >On 15/07/15 12:07, Hannes Tschofenig wrote: >>>> >> Stephen wrote: >>>> >> >>>> >> (5) 6.3: Forgetting CoAP for the moment, surely this profile >>>> will be >>>> >> used with devices that only have (possibly bogon) IP addresses >>>> and that >>>> >> want to have those in certs. I do get that how to handle that >>>> well is >>>> >> not very clear, esp. for certs for e.g. 192.168.0.1, but >>>> shouldn't it >>>> >> really be covered by this profile? >>>> > >>>> >I should also have mentioned link-local addresses too I guess. >>>> >>>> v6 link-local make sense as stable identifiers, but they'd be equivalent >>>> to EUI-64 (which is what 6.3.2 requires for the use case where all the >>>> secure communication happens on the same subnet), only a few bytes >>>> larger >>>> than their EUI counterpart. >>>> >>>> Other kinds of IP addresses aren't long-term/stable enough to be put >>>> in a >>>> certificate -- which is in line with the recommendation we give in CoAP >>>> [https://tools.ietf.org/html/rfc7252#section-9.1.3.3]. >>>> >>>> Cheers, t >>>> >>>> _______________________________________________ >>>> dtls-iot mailing list >>>> dtls-iot@ietf.org >>>> https://www.ietf.org/mailman/listinfo/dtls-iot >>>> >>> _______________________________________________ >>> dtls-iot mailing list >>> dtls-iot@ietf.org >>> https://www.ietf.org/mailman/listinfo/dtls-iot >>> >> >> _______________________________________________ >> dtls-iot mailing list >> dtls-iot@ietf.org >> https://www.ietf.org/mailman/listinfo/dtls-iot > > > > _______________________________________________ > dtls-iot mailing list > dtls-iot@ietf.org > https://www.ietf.org/mailman/listinfo/dtls-iot >
- [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Stephen Farrell
- Re: [Dtls-iot] IP Addresses in Certificates Michael Richardson
- Re: [Dtls-iot] IP Addresses in Certificates FOSSATI, Thomas (Thomas)
- Re: [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Stephen Farrell
- Re: [Dtls-iot] IP Addresses in Certificates Michael StJohns
- Re: [Dtls-iot] IP Addresses in Certificates Michael Richardson
- Re: [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Michael Richardson
- Re: [Dtls-iot] IP Addresses in Certificates Stephen Farrell
- Re: [Dtls-iot] IP Addresses in Certificates Stephen Farrell
- Re: [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Michael StJohns
- Re: [Dtls-iot] IP Addresses in Certificates Michael Richardson