Re: [Dtls-iot] IP Addresses in Certificates

"Hannes Tschofenig" <Hannes.Tschofenig@gmx.net> Wed, 05 August 2015 14:54 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: "FOSSATI, Thomas (Thomas)" <thomas.fossati@alcatel-lucent.com>
Content-Type: text/html; charset="UTF-8"
Date: Wed, 05 Aug 2015 16:54:44 +0200
Importance: normal
Sensitivity: Normal
In-Reply-To: <D1D3F9D5.31B15%thomas.fossati@alcatel-lucent.com>
References: <55A63EEF.7010608@gmx.net> <55A641EC.4030203@cs.tcd.ie>, <D1D3F9D5.31B15%thomas.fossati@alcatel-lucent.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dtls-iot/fpu6E8DYneN0UBWgO7oFUZ_X81I>
Cc: "dtls-iot@ietf.org" <dtls-iot@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [Dtls-iot] IP Addresses in Certificates

Hi Stephen, 
 
Reading through this issue again I believe you could help us further explain what we could recommend in the document.
 
Currently, we are saying that folks shouldn't use IP addresses in certificates and in the email below Thomas mentioned one reason for doing so. I also pointed to a separate draft we have been working on to explore the topic further (see <draft-fossati-core-certmode-rd-names-01>). 
 
Ciao
Hannes
Sent: Tuesday, 21 July 2015 at 14:16
From: "FOSSATI, Thomas (Thomas)" <thomas.fossati@alcatel-lucent.com>
To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Hannes Tschofenig" <hannes.tschofenig@gmx.net>, "dtls-iot@ietf.org" <dtls-iot@ietf.org>
Subject: Re: [Dtls-iot] IP Addresses in Certificates
Hi Stephen,

On 15/07/2015 12:20, "dtls-iot on behalf of Stephen Farrell"
<dtls-iot-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie> wrote:
>Hiya,
>
>On 15/07/15 12:07, Hannes Tschofenig wrote:
>> Stephen wrote:
>>
>> (5) 6.3: Forgetting CoAP for the moment, surely this profile will be
>> used with devices that only have (possibly bogon) IP addresses and that
>> want to have those in certs. I do get that how to handle that well is
>> not very clear, esp. for certs for e.g. 192.168.0.1, but shouldn't it
>> really be covered by this profile?
>
>I should also have mentioned link-local addresses too I guess.

v6 link-local addresses make sense as stable identifiers, but they'd be equivalent
to EUI-64 (which is what 6.3.2 requires for the use case where all the
secure communication happens on the same subnet), only a few bytes larger
than their EUI counterpart.

Other kinds of IP addresses aren't long-term/stable enough to be put in a
certificate -- which is in line with the recommendation we give in CoAP
[https://tools.ietf.org/html/rfc7252#section-9.1.3.3].

Cheers, t
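To make Thomas's point concrete, here is an added example (not code from the thread, the DICE profile draft, or the CoAP spec) that derives an IPv6 link-local address from a constructed sample MAC via the EUI-64 mapping, recovers the EUI-64 from such an address again, and applies the thread's rule to candidate iPAddress SAN values; the MAC, the helper names and the hex spelling of the EUI-64 are assumptions for illustration only.

```python
import ipaddress


def eui64_from_eui48(mac: str) -> bytes:
    """Expand a 48-bit MAC (EUI-48) into a 64-bit EUI-64 by inserting
    FF-FE between the OUI and the device-specific half (IEEE mapping)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return octets[:3] + b"\xff\xfe" + octets[3:]


def link_local_from_eui64(eui64: bytes) -> ipaddress.IPv6Address:
    """Build the SLAAC link-local address (RFC 4291 Appendix A): fe80::/64
    followed by the EUI-64 with its universal/local bit (0x02 in the first
    octet) inverted. The address adds only the fixed prefix to the EUI-64."""
    iid = bytes([eui64[0] ^ 0x02]) + eui64[1:]
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def eui64_from_link_local(addr: str) -> bytes:
    """Recover the EUI-64 from an fe80::/64 address formed as above.
    Refuses random/privacy interface identifiers, which carry no EUI-64."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_link_local:
        raise ValueError("not a link-local address")
    iid = a.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not EUI-64 derived")
    return bytes([iid[0] ^ 0x02]) + iid[1:]  # undo the u/l bit flip


def classify_san_ip(addr: str) -> str:
    """Apply the thread's rule to a candidate iPAddress SAN value: only an
    EUI-64-derived link-local address is stable enough to bind, and it is
    then just a longer spelling of the EUI-64; DHCP/NAT/renumbered addresses
    such as 192.168.0.1 are not long-term identifiers."""
    a = ipaddress.ip_address(addr)
    if a.version == 6 and a.is_link_local:
        try:
            eui64 = eui64_from_link_local(addr)
        except ValueError:
            return "link-local but not EUI-64 derived: not stable"
        return "link-local: equivalent to EUI-64 " + eui64.hex("-")
    return "unstable: do not put in certificate"


if __name__ == "__main__":
    sample_mac = "00:1b:63:84:45:e6"  # constructed sample, not a real device
    ll = link_local_from_eui64(eui64_from_eui48(sample_mac))
    for candidate in (str(ll), "fe80::1", "192.168.0.1", "2001:db8::42"):
        print(candidate, "->", classify_san_ip(candidate))
```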
