Re: [Dtls-iot] Current dtls-iot charter text - discuss...

Bert Greevenbosch <Bert.Greevenbosch@huawei.com> Thu, 13 June 2013 00:54 UTC

From: Bert Greevenbosch <Bert.Greevenbosch@huawei.com>
To: Don Sturek <d.sturek@att.net>, "Keoh, Sye Loong" <sye.loong.keoh@philips.com>, "paduffy@cisco.com" <paduffy@cisco.com>, "dtls-iot@ietf.org" <dtls-iot@ietf.org>, Zach Shelby <zach@sensinode.com>
Thread-Topic: [Dtls-iot] Current dtls-iot charter text - discuss...
Date: Thu, 13 Jun 2013 00:53:44 +0000
Message-ID: <46A1DF3F04371240B504290A071B4DB63D77BEE8@szxeml558-mbx.china.huawei.com>
References: <EAE29B174013F643B5245BA11953A1BE2593FBF2@011-DB3MPN1-031.MGDPHG.emi.philips.com> <CDDCC331.2175E%d.sturek@att.net>
In-Reply-To: <CDDCC331.2175E%d.sturek@att.net>
Subject: Re: [Dtls-iot] Current dtls-iot charter text - discuss...

Hi Don, Sye Loong, Zach, all,

Indeed CRL and OCSP are far too heavyweight for a constrained environment. Hence my attempt to create a solution that delegates revocation and authorisation checking to a trusted and more capable intermediary.

The proposed OCSP-lite protocol (we still need a better name for this) is the protocol between the constrained device and the intermediary; the intermediary can then perform the more advanced revocation/authorisation checks.

Anyway, I think it is too early to discuss the technical solution; after all, we are only in the charter drafting phase. But I do think that revocation/authorisation is an essential part of a security system, and should be given due attention in the WG from the beginning.

Best regards,
Bert
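
The delegation described above, as an added illustration that is not the OCSP-lite draft's protocol and not code from anyone in this thread: a constrained device sends only a certificate fingerprint plus a nonce to an intermediary, the intermediary (the only party that ever touches CRLs or OCSP) answers with a short authenticated status, and the device checks authenticity, binding to its own query, and freshness before trusting the peer. Assumed for the example and not taken from the page: a symmetric key shared between device and intermediary at enrolment (so the device verifies an HMAC rather than an asymmetric signature), JSON-encoded messages with the field names fp/nonce/status/not_after, a constructed revocation set, and constructed byte strings standing in for DER certificates.

```python
"""Delegated revocation check: constrained device asks a more capable intermediary."""
import hashlib
import hmac
import json
import os
import time

# Assumption (not from the draft or the thread): device and intermediary share a
# symmetric key provisioned at enrolment, so the device verifies HMAC-SHA256 tags
# instead of asymmetric signatures.
SHARED_KEY = b"constructed-example-key-do-not-reuse"
STATUS_TTL = 3600  # seconds a 'good' answer stays valid on the device


def fingerprint(cert_der: bytes) -> str:
    """Compact identifier the device sends instead of the whole certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def _tag(key: bytes, body: dict) -> str:
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


# ---- constrained device: build the query ----
def build_request(cert_der: bytes) -> dict:
    # A fresh nonce binds the answer to this query, so an old 'good' cannot be replayed.
    return {"fp": fingerprint(cert_der), "nonce": os.urandom(8).hex()}


# ---- intermediary: the only party that talks CRL/OCSP ----
def answer_request(req: dict, revoked: set, key: bytes = SHARED_KEY,
                   now=None, ttl: int = STATUS_TTL) -> dict:
    """Look the fingerprint up in the revocation set the intermediary maintains
    (a constructed set here; a real one is fed from CRLs/OCSP it fetches itself)."""
    now = int(time.time()) if now is None else now
    body = {
        "fp": req["fp"],
        "nonce": req["nonce"],
        "status": "revoked" if req["fp"] in revoked else "good",
        "not_after": now + ttl,
    }
    body["tag"] = _tag(key, body)
    return body


# ---- constrained device: verify before trusting the peer ----
def accept_peer(cert_der: bytes, req: dict, resp: dict,
                key: bytes = SHARED_KEY, now=None) -> bool:
    """True only for an authentic, fresh answer to *this* query that says 'good'."""
    now = int(time.time()) if now is None else now
    body = {k: v for k, v in resp.items() if k != "tag"}
    if not hmac.compare_digest(_tag(key, body), str(resp.get("tag", ""))):
        return False  # forged or tampered (e.g. 'revoked' flipped to 'good')
    if body.get("fp") != fingerprint(cert_der) or body.get("nonce") != req["nonce"]:
        return False  # answer for another certificate, or replayed from an older query
    if int(body.get("not_after", 0)) < now:
        return False  # stale: fail closed rather than trust an expired 'good'
    return body.get("status") == "good"


def demo() -> dict:
    """Run the exchange for a good and a revoked peer (constructed DER stand-ins)."""
    good_cert = b"\x30\x82\x01\x00constructed-der-of-good-peer"
    revoked_cert = b"\x30\x82\x01\x00constructed-der-of-revoked-peer"
    revoked = {fingerprint(revoked_cert)}
    now = 1_700_000_000

    req = build_request(good_cert)
    resp = answer_request(req, revoked, now=now)
    req2 = build_request(revoked_cert)
    resp2 = answer_request(req2, revoked, now=now)
    flipped = dict(resp2, status="good")  # attacker edits status; tag no longer matches
    return {
        "good_accepted": accept_peer(good_cert, req, resp, now=now + 10),
        "revoked_rejected": not accept_peer(revoked_cert, req2, resp2, now=now + 10),
        "tampered_rejected": not accept_peer(revoked_cert, req2, flipped, now=now + 10),
        "stale_rejected": not accept_peer(good_cert, req, resp, now=now + STATUS_TTL + 1),
        "replay_rejected": not accept_peer(good_cert, build_request(good_cert), resp, now=now + 10),
    }


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the verification order: the nonce check is what stops a 'good' answer captured before a revocation from being replayed afterwards, and an expired or missing answer is treated as a failure rather than as 'good', since the whole scheme otherwise degrades to no revocation checking at all whenever the intermediary is unreachable.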


-----Original Message-----
From: dtls-iot-bounces@ietf.org [mailto:dtls-iot-bounces@ietf.org] On Behalf Of Don Sturek
Sent: 12 June 2013 3:29
To: Keoh, Sye Loong; paduffy@cisco.com; dtls-iot@ietf.org
Subject: Re: [Dtls-iot] Current dtls-iot charter text - discuss...

Hi Sye Loong,

We (the ZigBee Alliance) are not currently working on revocation issues
since our focus is on network joining. We don't use revocation on our
identity (device) certificates since these certificates are just for
authentication.

For authorization, we expect additional certificates to be used (provided
by service providers, utilities, etc.).  These certificates need to have
CRL or OCSP, however, these processes are a bit heavyweight for the
devices we are using.

Don


On 6/11/13 11:57 AM, "Keoh, Sye Loong" <sye.loong.keoh@philips.com> wrote:

>Thanks for the clarification, Don and Paul.
>
>Indeed, this is a good area of investigation. However, is it too early
>to explore revocation issues in this BOF? I had the impression that this
>BOF/WG aims to investigate the use of DTLS for IoT applications, or at
>least getting DTLS to run "comfortably" together with CoAP would be the
>primary goal of this activity, and revocation is rather independent of
>this, isn't it?
>
>BTW, is there any plan in Zigbee-IP or the Zigbee Alliance to investigate
>the revocation issue?
>
>cheers
>Sye Loong
>________________________________________
>From: dtls-iot-bounces@ietf.org [dtls-iot-bounces@ietf.org] on behalf of
>Don Sturek [d.sturek@att.net]
>Sent: Monday, June 10, 2013 7:02 PM
>To: paduffy@cisco.com; dtls-iot@ietf.org
>Subject: Re: [Dtls-iot] Current dtls-iot charter text - discuss...
>
>To add onto what Paul wrote......
>
>ZigBee IP supports whitelists/blacklists for network admission but we
>leave it up to the application as to how these lists are created/managed.
>As Paul noted, OCSP or CRL on device certificates is not a scalable
>solution (and in many cases not even desired......)
>
>To back up Paul's suggestion, it would be great to see this as an area of
>investigation in dtls-iot (or whatever the name becomes!)
>
>Don
>
>
>On 6/10/13 9:34 AM, "Paul Duffy" <paduffy@cisco.com> wrote:
>
>>Zigbee IP does not mandate use of CRLs or OCSP for device certificates
>>(in IEEE 802.1AR-speak ... the UDevID). Supporting these mechanisms for
>>device certificates on constrained devices and networks, at mass scale,
>>is highly problematic.
>>
>>Definitely an area for investigation.
>>
>>
>>On 6/10/2013 4:48 PM, Keoh, Sye Loong wrote:
>>> Hi Bert,
>>>
>>> Do you know whether current IoT deployments, such as Zigbee-IP,
>>>check the revocation list? Do you foresee revocation as a potentially
>>>serious problem in the future when devices are replaced, compromised,
>>>or resold?
>>>
>>> Cheers
>>> Sye Loong
>>>
>>> -----Original Message-----
>>> From: dtls-iot-bounces@ietf.org [mailto:dtls-iot-bounces@ietf.org] On
>>>Behalf Of Bert Greevenbosch
>>> Sent: Friday 7 June 2013 3:56
>>> To: Zach Shelby; dtls-iot@ietf.org
>>> Subject: Re: [Dtls-iot] Current dtls-iot charter text - discuss...
>>>
>>> Hi all,
>>>
>>> I think the following draft fits in the discussion of DTLS-IOT:
>>> http://datatracker.ietf.org/doc/draft-greevenbosch-tls-ocsp-lite/
>>>
>>> This is quite an early approach to tackling the
>>>revocation/authentication issue in a scalable way. Section 4 discusses
>>>some requirements.
>>>
>>> The draft certainly is to be seen as work in progress, but it addresses
>>>an issue that requires due attention.
>>>
>>> Best regards,
>>> Bert
>>>
>>>
>>> -----Original Message-----
>>> From: dtls-iot-bounces@ietf.org [mailto:dtls-iot-bounces@ietf.org] On
>>>Behalf Of Zach Shelby
>>> Sent: 4 June 2013 21:58
>>> To: dtls-iot@ietf.org
>>> Subject: Re: [Dtls-iot] Current dtls-iot charter text - discuss...
>>>
>>> I know there are several people working on new I-Ds related to this
>>>activity, please let us know what you are working on and if any help is
>>>needed.
>>>
>>> On Jun 3, 2013, at 10:23 PM, Stephen Farrell
>>><stephen.farrell@cs.tcd.ie> wrote:
>>>
>>>> Existing work
>>>>
>>>> http://www.ietf.org/id/draft-hartke-core-codtls-02.txt
>>>> http://www.ietf.org/id/draft-tschofenig-lwig-tls-minimal-02.txt
>>>> http://www.ietf.org/id/draft-keoh-lwig-dtls-iot-01.txt
>>>> http://www.ietf.org/id/draft-keoh-tls-multicast-security-00.txt
>>>> http://www.ietf.org/id/draft-ietf-tls-oob-pubkey-07.txt
>>>>
>>>> http://www.ietf.org/id/draft-jennings-core-transitive-trust-enrollment-01.txt
>>> Regards,
>>> Zach
>>>
>>> --
>>> Zach Shelby, Chief Nerd, Sensinode Ltd.
>>> http://www.sensinode.com @SensinodeIoT
>>> Mobile: +358 40 7796297
>>> Twitter: @zach_shelby
>>> LinkedIn: http://fi.linkedin.com/in/zachshelby
>>> 6LoWPAN Book: http://6lowpan.net
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> dtls-iot mailing list
>>> dtls-iot@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dtls-iot
>>>
>>>
>>>
>>
>
>
>
>


_______________________________________________
dtls-iot mailing list
dtls-iot@ietf.org
https://www.ietf.org/mailman/listinfo/dtls-iot