Re: [Dtls-iot] IP Addresses in Certificates
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 15 July 2015 18:17 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: dtls-iot@ietfa.amsl.com
Delivered-To: dtls-iot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75E321A90BC for <dtls-iot@ietfa.amsl.com>; Wed, 15 Jul 2015 11:17:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5dmI6wsp47TN for <dtls-iot@ietfa.amsl.com>; Wed, 15 Jul 2015 11:17:49 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6D501AD061 for <dtls-iot@ietf.org>; Wed, 15 Jul 2015 11:17:49 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 05D97E1AF for <dtls-iot@ietf.org>; Wed, 15 Jul 2015 14:34:12 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 04C5563AEC; Wed, 15 Jul 2015 14:17:48 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id E270B63AD9 for <dtls-iot@ietf.org>; Wed, 15 Jul 2015 14:17:48 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "dtls-iot@ietf.org" <dtls-iot@ietf.org>
In-Reply-To: <55A63EEF.7010608@gmx.net>
References: <55A63EEF.7010608@gmx.net>
X-Mailer: MH-E 8.6; nmh 1.3-dev; GNU Emacs 24.4.2
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Wed, 15 Jul 2015 14:17:48 -0400
Message-ID: <3253.1436984268@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: <http://mailarchive.ietf.org/arch/msg/dtls-iot/Xwq8au_oqfP7K7n9R0UIv0EyMPI>
Subject: Re: [Dtls-iot] IP Addresses in Certificates
X-BeenThere: dtls-iot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DTLS for IoT discussion list <dtls-iot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtls-iot/>
List-Post: <mailto:dtls-iot@ietf.org>
List-Help: <mailto:dtls-iot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2015 18:17:51 -0000
Hannes Tschofenig <hannes.tschofenig@gmx.net> quoted (I think) Stephen Farrel as saying: > (5) 6.3: Forgetting CoAP for the moment, surely this profile will be > used with devices that only have (possibly bogon) IP addresses and that > want to have those in certs. I do get that how to handle that well is > not very clear, esp. for certs for e.g. 192.168.0.1, but shouldn't it > really be covered by this profile? Hanness> https://tools.ietf.org/html/draft-fossati-core-certmode-rd-names-01 Reading this document.... I think that is indeed a must have document. Let's take this out of the IoT space for a moment. Ever turned on a Dell/HP/IBM/Supermicro server that has an "Integrated Lights Out"/iDrac/ServiceProcessor/IPMI interface? Basically this is a small embedded system on the motherboard that speaks http(s), and lets' you manage the server remotely. There are is also APIs into it, and you can do things like install the machine, reboot it, etc. Such systems could easily come with a built-in "Manufacturer Installed Certificate" (aka "MIC", which is sadly, a really confusing TLA), except that the machine will almost always be addressed by IP address, which will either be SLAAC or RFC1918, and will seldom ever have a name ever, and certainly won't have a name when first installed. I see section 3.2.3 would let one have a SubjectAltName that looks like: eui-64+01-23-45-67-89-ab-cd-ef or, I guess equally: eui-48+00-28-21-a7-5e-27 if my browser location tab were to say https://[somemagicsyntax/eui-48+00-28-21-a7-5e-27] then we could dispense with a bunch of inappropriate security warnings. Your document would help very much. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Stephen Farrell
- Re: [Dtls-iot] IP Addresses in Certificates Michael Richardson
- Re: [Dtls-iot] IP Addresses in Certificates FOSSATI, Thomas (Thomas)
- Re: [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Stephen Farrell
- Re: [Dtls-iot] IP Addresses in Certificates Michael StJohns
- Re: [Dtls-iot] IP Addresses in Certificates Michael Richardson
- Re: [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Michael Richardson
- Re: [Dtls-iot] IP Addresses in Certificates Stephen Farrell
- Re: [Dtls-iot] IP Addresses in Certificates Stephen Farrell
- Re: [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Hannes Tschofenig
- Re: [Dtls-iot] IP Addresses in Certificates Michael StJohns
- Re: [Dtls-iot] IP Addresses in Certificates Michael Richardson