Re: [Dtls-iot] IP Addresses in Certificates
"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Wed, 05 August 2015 14:54 UTC
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: "FOSSATI, Thomas (Thomas)" <thomas.fossati@alcatel-lucent.com>
Date: Wed, 05 Aug 2015 16:54:44 +0200
In-Reply-To: <D1D3F9D5.31B15%thomas.fossati@alcatel-lucent.com>
References: <55A63EEF.7010608@gmx.net> <55A641EC.4030203@cs.tcd.ie>, <D1D3F9D5.31B15%thomas.fossati@alcatel-lucent.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dtls-iot/fpu6E8DYneN0UBWgO7oFUZ_X81I>
Cc: "dtls-iot@ietf.org" <dtls-iot@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [Dtls-iot] IP Addresses in Certificates
From: "FOSSATI, Thomas (Thomas)" <thomas.fossati@alcatel-lucent.com>
To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Hannes Tschofenig" <hannes.tschofenig@gmx.net>, "dtls-iot@ietf.org" <dtls-iot@ietf.org>
Subject: Re: [Dtls-iot] IP Addresses in Certificates
On 15/07/2015 12:20, "dtls-iot on behalf of Stephen Farrell"
<dtls-iot-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie> wrote:
>Hiya,
>
>On 15/07/15 12:07, Hannes Tschofenig wrote:
>> Stephen wrote:
>>
>> (5) 6.3: Forgetting CoAP for the moment, surely this profile will be
>> used with devices that only have (possibly bogon) IP addresses and that
>> want to have those in certs. I do get that how to handle that well is
>> not very clear, esp. for certs for e.g. 192.168.0.1, but shouldn't it
>> really be covered by this profile?
>
>I should also have mentioned link-local addresses too I guess.
v6 link-local make sense as stable identifiers, but they'd be equivalent
to EUI-64 (which is what 6.3.2 requires for the use case where all the
secure communication happens on the same subnet), only a few bytes larger
than their EUI counterpart.
Other kinds of IP addresses aren't long-term/stable enough to be put in a
certificate -- which is in line with the recommendation we give in CoAP
[https://tools.ietf.org/html/rfc7252#section-9.1.3.3].
Cheers, t
_______________________________________________
dtls-iot mailing list
dtls-iot@ietf.org
https://www.ietf.org/mailman/listinfo/dtls-iot
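
The equivalence between a v6 link-local address and an EUI-64 mentioned in the quoted message, as an added example that is not part of the original thread: it assumes the interface identifier is formed as a modified EUI-64 (RFC 4291, Appendix A), and the sample identifier is constructed.

```python
import ipaddress

# Upper 8 bytes of every address in fe80::/64.
LL_PREFIX = bytes.fromhex("fe80000000000000")

# Constructed sample identifier, not taken from the thread.
SAMPLE_EUI64 = "00-11-22-FF-FE-33-44-55"


def parse_eui64(text: str) -> bytes:
    """Parse 'xx-xx-...' or 'xx:xx:...' notation into 8 raw bytes."""
    raw = bytes.fromhex(text.replace("-", "").replace(":", ""))
    if len(raw) != 8:
        raise ValueError("an EUI-64 is exactly 8 bytes")
    return raw


def eui64_to_link_local(eui64: bytes) -> ipaddress.IPv6Address:
    """fe80::/64 prefix followed by the modified EUI-64 interface identifier."""
    # Modified EUI-64: invert the universal/local bit (0x02 of the first byte).
    iid = bytes([eui64[0] ^ 0x02]) + eui64[1:]
    return ipaddress.IPv6Address(LL_PREFIX + iid)


def link_local_to_eui64(addr: str) -> bytes:
    """Recover the EUI-64 from a link-local address built as above.

    Only meaningful under the stated assumption: an interface identifier
    that was not derived from an EUI-64 cannot be told apart here.
    """
    ip = ipaddress.IPv6Address(addr)
    if ip.packed[:8] != LL_PREFIX:
        raise ValueError(f"{ip} is not in fe80::/64; no EUI-64 to recover")
    iid = ip.packed[8:]
    return bytes([iid[0] ^ 0x02]) + iid[1:]


if __name__ == "__main__":
    eui = parse_eui64(SAMPLE_EUI64)
    ll = eui64_to_link_local(eui)
    # Same identity either way; the address carries 8 extra prefix bytes.
    print(ll, f"EUI-64: {len(eui)} bytes, address: {len(ll.packed)} bytes")
    print(link_local_to_eui64(str(ll)) == eui)
```

Addresses outside fe80::/64, including IPv4 literals such as 192.168.0.1, are rejected with ValueError because they carry no recoverable device identifier.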