Re: [Dtls-iot] Last Call: <draft-ietf-dice-profile-14.txt> (TLS/DTLS Profiles for the Internet of Things) to Proposed Standard
Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 08 September 2015 19:23 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: dtls-iot@ietfa.amsl.com
Delivered-To: dtls-iot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C69DD1B3EED; Tue, 8 Sep 2015 12:23:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.61
X-Spam-Level:
X-Spam-Status: No, score=-2.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pegeFW0jd6NP; Tue, 8 Sep 2015 12:23:48 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34B251B34B1; Tue, 8 Sep 2015 12:23:48 -0700 (PDT)
Received: from [192.168.10.169] ([213.235.249.182]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0MLB89-1ZZ7NQ1CSH-000L28; Tue, 08 Sep 2015 21:23:46 +0200
To: g_e_montenegro@yahoo.com, "ietf@ietf.org" <ietf@ietf.org>
References: <20150821135235.25559.80688.idtracker@ietfa.amsl.com> <501751451.1263191.1441322498338.JavaMail.yahoo@mail.yahoo.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
X-Enigmail-Draft-Status: N1110
Message-ID: <55EF35BC.9000609@gmx.net>
Date: Tue, 08 Sep 2015 21:23:40 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <501751451.1263191.1441322498338.JavaMail.yahoo@mail.yahoo.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="gC1lv3Kl8qeI1vq95g70I03DRPugHxLFe"
X-Provags-ID: V03:K0:6JMdqP9VXvrHMlyjxBnV5C3taZLepSFNTDrDoGOAezpQlaUw/IG 1vbWgZSiXkKF1yamGJs37bZImU2lm6VU+h4Bf/m1WoHx8ugZhlgee0m8WtSloJwxHW8s+hA wbK8kXLLaWDR5DvJ6bo0NxiF4qvcXR2xL74lALrHov/XgYHaSmdVPUflEHGX3DxN5MuJhTF PGTt0qThOwnTC+IwPV4fQ==
X-UI-Out-Filterresults: notjunk:1;V01:K0:9MVHWGYm+Kw=:tSxgCPTMXNqDFO6MGKf9Gt EGe1SkGrC78UEXZDZ6QHSiCXFjHvGGrbWl3Gq2UP5+pLNiLOEaMszwLMxto9xZeEwlX6AYdLY 4EFRjJwCX4tpFjr9lbJty1Oz0DLDyYD5cVEJyV1ldk4aExROMkN9VwjWVlXSpcTe3jIQ0446B 6BPc1iFaUMNjsWHByIFOOsMnbWlSZBE8hM45jXPaH9UeDoAa9Ko3t+UY5QRf7OrS455vXZhQP N8Mlssh39VorPmzAUEv5w7HsPZeqcKv9FH8f5l+UhcqmqnV2Ux03VGL1XqbKfpUtYWFPqyhdi sENXL2+FxqWtJtYWAE/0BQrk9SOv/qVZkT55FkpWNE1g1O/d/tVcQfJjmnu4CK8OTs1f1favO zC6sxb28K7aZ8l0/bNkNdBX7XXO7IfeMoe2lDVxWzE+2P7n48SWIfFkK3IHjmLvdU+tHCh0pw 8Sl2f1jalWUq6mAMWwlCG1sZltKK95Ta2asu5HS91FQtD0C4Op3PeMhGWl7u/R5YHtefhNtuz GyDVvH/NA8fZv7MBPAGE8Fu3KwS6cKgHhadIS/GMf6pjkySXsolm75mW50Qxv67u1dmXgsrBj i8UEscPRMyNa+VjPx6KEyDqxWAJR2JyP8mpsHe5ftrgKwBJp/Y5421STn22G+IgjkasXnfw1C 0K9oZybPEFy/t8XarrJOzLp6neDZX98IzCHfPW1pP0ISTWSGKF8FVWbOHvgmdvZi0C/FkrB8b /8En7kw3JBBee5iz
Archived-At: <http://mailarchive.ietf.org/arch/msg/dtls-iot/dkI32GmkCsKyjBhIHqU7iGsG0W0>
Cc: "dtls-iot@ietf.org" <dtls-iot@ietf.org>
Subject: Re: [Dtls-iot] Last Call: <draft-ietf-dice-profile-14.txt> (TLS/DTLS Profiles for the Internet of Things) to Proposed Standard
X-BeenThere: dtls-iot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DTLS for IoT discussion list <dtls-iot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtls-iot/>
List-Post: <mailto:dtls-iot@ietf.org>
List-Help: <mailto:dtls-iot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Sep 2015 19:23:50 -0000
Hi Gabriel, thanks for your review comments. I am OK with the proposed text changes. A minor remark regarding the stacks used in IoT devices: In the stacks I have seen the developer has the possibility to include or exclude certain features using preprocessor directives. Even if you have the ability to re-use a TLS/DTLS stack on devices that have nothing to do with IoT and have no code size restriction you will typically have to remove features for an IoT device to keep the code size at a reasonable level. I am, of course, aware of devices that have very few limitations in terms of processing speed, RAM, and flash size. The boundaries between IoT devices and non-IoT devices is certainly fuzzy. Ciao Hannes On 09/04/2015 01:21 AM, g_e_montenegro@yahoo.com wrote: > Overall, looks good, thanks for this work. I do have some comments. > > Not sure if these are "substantive comments" as requested, but after > some discussion with some collegues we'd like to point out issues with > some of the normative language. > > In particular, we suggest modifying the language here: > > Hence, RFC 7366 and RFC 6066 are not applicable to this > specification and MUST NOT be implemented. > > Whereas CCM and AEAD ciphers in general render RFC7366 moot, a MUST NOT > on implementation is too strong (i.e., from the intro, “This document > does not alter TLS/DTLS specifications”) and potentially damaging: the > same stack could be used for scenarios outside of IoT, where RFC7366 > could still provide some benefit. As for RFC6066, a blanket statement > saying it “MUST NOT implement” is not only wrong, it is also > contradictory with other statements within this draft which recommend > other parts of RFC6066. Instead, the language should limit itself to the > specific extension of RFC6066. > > Also, with other extensions the doc does not prohibit *implementation*, > but recommends against it or against its use (by using "NOT > RECOMMENDED"). So I’d change the above text to something like: > > In https://tools.ietf.org/html/draft-ietf-dice-profile-14#section-15: > OLD: > Hence, RFC 7366 and RFC 6066 are not applicable to this > specification and MUST NOT be implemented. > NEW: > Hence, RFC 7366 and the Truncated MAC extension of RFC 6066 are > not applicable to this > specification and are NOT RECOMMENDED. > > Similarly, in > https://tools.ietf.org/html/draft-ietf-dice-profile-14#section-10 my > suggestion would be: > OLD: > This TLS/DTLS profile MUST NOT implement TLS/DTLS layer compression. > NEW: > TLS/DTLS layer compression is NOT RECOMMENDED by this TLS/DTLS > profile. > > thanks, > > Gabriel > > > > On Friday, August 21, 2015 6:53 AM, The IESG <iesg-secretary@ietf.org> > wrote: > > > > > The IESG has received a request from the DTLS In Constrained > Environments > WG (dice) to consider the following document: > - 'TLS/DTLS Profiles for the Internet of Things' > <draft-ietf-dice-profile-14.txt> as Proposed Standard > > The IESG plans to make a decision in the next few weeks, and solicits > final comments on this action. Please send substantive comments to the > ietf@ietf.org <mailto:ietf@ietf.org> mailing lists by 2015-09-04. > Exceptionally, comments may be > sent to iesg@ietf.org <mailto:iesg@ietf.org> instead. In either > case, please retain the > beginning of the Subject line to allow automated sorting. > > Abstract > > > A common design pattern in Internet of Things (IoT) deployments is > the use of a constrained device that collects data via sensor or > controls actuators for use in home automation, industrial control > systems, smart cities and other IoT deployments. > > This document defines a Transport Layer Security (TLS) and Datagram > TLS (DTLS) 1.2 profile that offers communications security for this > data exchange thereby preventing eavesdropping, tampering, and > message forgery. The lack of communication security is a common > vulnerability in Internet of Things products that can easily be > solved by using these well-researched and widely deployed Internet > security protocols. > > > > > The file can be obtained via > https://datatracker.ietf.org/doc/draft-ietf-dice-profile/ > > IESG discussion can be tracked via > https://datatracker.ietf.org/doc/draft-ietf-dice-profile/ballot/ > > > No IPR declarations have been submitted directly on this I-D. > > > > > > > _______________________________________________ > dtls-iot mailing list > dtls-iot@ietf.org > https://www.ietf.org/mailman/listinfo/dtls-iot >
- [Dtls-iot] Last Call: <draft-ietf-dice-profile-14… The IESG
- Re: [Dtls-iot] Last Call: <draft-ietf-dice-profil… g_e_montenegro
- Re: [Dtls-iot] Last Call: <draft-ietf-dice-profil… Hannes Tschofenig
- Re: [Dtls-iot] Last Call: <draft-ietf-dice-profil… Gabriel Montenegro