Re: [Dtls-iot] IP Addresses in Certificates

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 05 August 2015 16:47 UTC

Message-ID: <55C23E1B.5050300@cs.tcd.ie>
Date: Wed, 05 Aug 2015 17:47:23 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, "FOSSATI, Thomas (Thomas)" <thomas.fossati@alcatel-lucent.com>
References: <55A63EEF.7010608@gmx.net> <55A641EC.4030203@cs.tcd.ie>, <D1D3F9D5.31B15%thomas.fossati@alcatel-lucent.com> <trinity-5e418e2e-726a-4c31-8498-634e598fb57e-1438786484782@3capp-gmx-bs46>
In-Reply-To: <trinity-5e418e2e-726a-4c31-8498-634e598fb57e-1438786484782@3capp-gmx-bs46>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dtls-iot/kpalXsMtC6pDgBqVKZt6FFK45TE>
Cc: "dtls-iot@ietf.org" <dtls-iot@ietf.org>
Subject: Re: [Dtls-iot] IP Addresses in Certificates

Hiya,

On 05/08/15 15:54, Hannes Tschofenig wrote:
> Hi Stephen,
> reading through this issue again I believe you could help us further explain 
> what we could recommend in the document.

Assuming that it'd be a bunch of work to recommend how to best
handle certificates for devices that will only ever have a bogon
IP address, I guess the best for now is to just say that that work
is not (yet) done and hence this document makes no recommendation.

Seem ok? (And yes it could be that the current text on that
is just fine, I didn't go look back right now)

S.

> Currently, we are saying that folks shouldn't use IP addresses in certificates 
> and in the email below Thomas mentioned one reason for doing so. I also pointed 
> to a separate draft we have been working on to explore the topic further (see 
> <draft-fossati-core-certmode-rd-names-01>).
> Ciao
> Hannes
> *Sent:* Tuesday, 21 July 2015 at 14:16
> *From:* "FOSSATI, Thomas (Thomas)" <thomas.fossati@alcatel-lucent.com>
> *To:* "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Hannes Tschofenig" 
> <hannes.tschofenig@gmx.net>, "dtls-iot@ietf.org" <dtls-iot@ietf.org>
> *Subject:* Re: [Dtls-iot] IP Addresses in Certificates
> Hi Stephen,
> 
> On 15/07/2015 12:20, "dtls-iot on behalf of Stephen Farrell"
> <dtls-iot-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie> wrote:
>  >Hiya,
>  >
>  >On 15/07/15 12:07, Hannes Tschofenig wrote:
>  >> Stephen wrote:
>  >>
>  >> (5) 6.3: Forgetting CoAP for the moment, surely this profile will be
>  >> used with devices that only have (possibly bogon) IP addresses and that
>  >> want to have those in certs. I do get that how to handle that well is
>  >> not very clear, esp. for certs for e.g. 192.168.0.1, but shouldn't it
>  >> really be covered by this profile?
>  >
>  >I should also have mentioned link-local addresses too I guess.
> 
> v6 link-local make sense as stable identifiers, but they'd be equivalent
> to EUI-64 (which is what 6.3.2 requires for the use case where all the
> secure communication happens on the same subnet), only a few bytes larger
> than their EUI counterpart.
> 
> Other kinds of IP addresses aren't long-term/stable enough to be put in a
> certificate -- which is in line with the recommendation we give in CoAP
> [https://tools.ietf.org/html/rfc7252#section-9.1.3.3].
> 
> Cheers, t
> 
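Two points in the quoted exchange can be made concrete in code: Thomas's observation that an IPv6 link-local address is just the EUI-64 identifier (already required by section 6.3.2) with an fe80::/64 prefix in front of it, and the more general question of which classes of address in a certificate's iPAddress SAN are stable enough to be worth checking. The following is an added example, not code from the thread or from the draft under discussion. The function names are mine, the MAC address and SAN values are constructed samples, and Python's `ipaddress` classification (private, link-local, global) is used as a stand-in for the "stable enough" judgement; which classes a profile should accept is exactly the policy question the thread leaves open.

```python
"""Added example (not from the thread): classify an iPAddress SAN value and
show that a v6 link-local address is fe80::/64 plus a modified EUI-64."""
import ipaddress
from typing import Optional, Union


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 Appendix A):
    split the MAC in the middle, insert 0xFFFE, and flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """EUI-64-derived link-local address: fe80::/64 prefix + interface id."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_from_mac(mac))


def mac_from_link_local(addr: Union[str, bytes]) -> Optional[str]:
    """Recover the MAC from an EUI-64-derived link-local address.
    Returns None if the address is not link-local or its interface id is not
    EUI-64 shaped (e.g. a randomised privacy interface identifier)."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_link_local:
        return None
    iid = a.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def classify_san_ip(raw: bytes) -> str:
    """Classify the raw octets of an RFC 5280 GeneralName iPAddress
    (4 octets for IPv4, 16 for IPv6), as a certificate checker would see it."""
    if len(raw) == 4:
        a = ipaddress.IPv4Address(raw)
    elif len(raw) == 16:
        a = ipaddress.IPv6Address(raw)
    else:
        return "malformed"
    if a.is_link_local:
        return "link-local"
    if a.is_loopback or a.is_multicast or a.is_unspecified:
        return "unusable"
    if a.is_private:  # RFC 1918, ULA, documentation ranges, etc.
        return "private"
    if a.is_global:
        return "global"
    return "other"


if __name__ == "__main__":
    # Constructed sample values; the MAC is not a real device's address.
    mac = "00:1a:2b:3c:4d:5e"
    ll = link_local_from_mac(mac)
    print(f"{mac} -> EUI-64 {eui64_from_mac(mac).hex()} -> {ll}")
    print(f"{ll} -> {mac_from_link_local(ll.packed)}")
    for raw in (bytes([192, 168, 0, 1]), bytes([8, 8, 8, 8]), ll.packed,
                ipaddress.IPv6Address("fe80::1").packed):
        print(f"{raw.hex():32} {classify_san_ip(raw)}")
```

The round trip through `mac_from_link_local` is the substance of Thomas's remark: the link-local address carries no information beyond the EUI-64 and the fixed prefix, so putting one in a certificate buys nothing over the EUI-64 itself except 8 extra octets. The classifier is the check a verifier could run over a SAN extension to flag the address classes the thread says are not stable identifiers; it does not decide what to do with them.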