[Dtls-iot] draft-hartke-dice-profile-03
Hannes Tschofenig <hannes.tschofenig@gmx.net> Sun, 16 February 2014 13:23 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: dtls-iot@ietfa.amsl.com
Delivered-To: dtls-iot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 598F31A01F6 for <dtls-iot@ietfa.amsl.com>; Sun, 16 Feb 2014 05:23:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n9qo48D_qNHl for <dtls-iot@ietfa.amsl.com>; Sun, 16 Feb 2014 05:23:32 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by ietfa.amsl.com (Postfix) with ESMTP id CDAFC1A03EC for <dtls-iot@ietf.org>; Sun, 16 Feb 2014 05:23:31 -0800 (PST)
Received: from [192.168.10.232] ([80.43.126.29]) by mail.gmx.com (mrgmx001) with ESMTPSA (Nemesis) id 0MDhny-1WW18T3CPO-00H5He for <dtls-iot@ietf.org>; Sun, 16 Feb 2014 14:23:28 +0100
Message-ID: <5300BBCD.4000809@gmx.net>
Date: Sun, 16 Feb 2014 13:23:25 +0000
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: dtls-iot@ietf.org
X-Enigmail-Version: 1.5.2
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="pMPNmeh6WfJicLqXU5mjuJwuN74pM9VuR"
X-Provags-ID: V03:K0:0MQI2+wZDBwNjo2GzOBxWxYejFN7i3FOx3AfcIde3AzLqHfgVmI NIYP5H+AeQJ5acQg2t0c995b8PnKuFRKeMrsXBmozLcnbYOWUqBQ/f7WVHaUPlrEg6bSBnm EcKJD9lMPBjeFbqwwb9LLTtvYrbcIpQ9MdVQPO/x2/UCP5j5kqZ8abKdg9l9GNjLKkynB1K zxNeJjhATJonknYCRzseA==
Archived-At: http://mailarchive.ietf.org/arch/msg/dtls-iot/gY0p3DB_FwXgCXnn7g3236c6Q5s
Subject: [Dtls-iot] draft-hartke-dice-profile-03
X-BeenThere: dtls-iot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DTLS for IoT discussion list <dtls-iot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dtls-iot/>
List-Post: <mailto:dtls-iot@ietf.org>
List-Help: <mailto:dtls-iot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Feb 2014 13:23:34 -0000
Hi all, on Friday I submitted an updated version of draft-hartke-dice-profile, the DTLS 1.2 profile for IoT. Version 02 of the document only contained an table of contents and the updated version now includes content within the sections. Given the large number of changes to the document I believe it would be beneficial to get some agenda time at the upcoming meeting. I would like to go through the recommendations in the document to solicit feedback from the group. The following questions appear interesting to me: 1) Is the communication model described in Section 2 a good starting point? Are there other communication models the group would like to see discussed? While the focus on unicast communication is likely not to be controversial (since there is a separate document in the charter of the group focused on multicast security with DTLS) there are still many other communication models to focus on even for unicast. 2) Are the recommendations regarding the PSK ciphersuite sound? 3) Are the recommendations for the use of raw public keys appropriate? 4) Are the recommendations for certificate use useful? 5) Section 7 discusses error handling and gives recommendations regarding various error codes. Is this level of detail useful for you? 6) Currently Section 8 recommends session resumption to be implemented and used. The downside of it is the additional RAM and code requirements. On the plus side the improved crypto performance, energy consumption, and lower bandwidth requirement. 7) The document recommends not to use compression at the TLS layer. Is this OK? 8) Section 10 briefly talks about PFS and notes that the PSK ciphersuite does not offer PFS. The downside of PFS is the cost of generating and using Diffie-Hellman crypto. The plus is that is offers additional security features, namely forward secrecy. 9) Section 11 points to the keep-alive extension and ask the question whether it should be used or not. Do people have experience with it? 10) Regarding downgrading attacks this profile argues that I-D.bmoeller-tls-downgrade-scsv does not need to be used. To mitigate the TLS renegotiation attack [RFC5746] the recommendation is made to not use renegotiation at all. 11) Privacy: I have added a discussion about privacy to the document. Some of you might have other suggestions on how to structure the text or other concerns. Smaller issues are: a) How important is the alignment with recommendations given in I-D.sheffer-tls-bcp? (raised in Section 5) b) Should we provide some indication about the level of the certificate hierarchy? (raised in Section 6) c) How much should we focus on CoAP vs. non-CoAP based protocols for use with this DTLS profile? There is also text missing from the draft, namely a discussion about what extension from RFC 6066 to re-use. My current thinking is that we should support the following two extensions: * Client Certificate URLs: With the TLS cached info extension the client can cache server certificate chains but in order to avoid sending the client certificate + chain the certificate URL is ideally suited leading to a significant reduction in message size. * Trusted CA Indication: This allows the client to indicate what trust anchor it has and therefore allows the server to make more informed decisions about what to return to the client. Since the client will only have a few trust anchors the size of data that is sent to the server is small. I think that the Truncated MAC extension is an extension useful to reduce the size of the MAC included in the Record Layer. However, if we use more modern ciphersuites based on the AEAD design then they already offer shorter authentication tags anyway. Hence, I believe we don't need this extension. For the Server Name Indication and the Maximum Fragment Length Negotiation extensions I am not sure. Comments are welcome. Ciao Hannes
- [Dtls-iot] draft-hartke-dice-profile-03 Hannes Tschofenig