Re: [Dtls-iot] Current dtls-iot charter text - discuss...

Bert Greevenbosch <Bert.Greevenbosch@huawei.com> Fri, 14 June 2013 00:49 UTC

From: Bert Greevenbosch <Bert.Greevenbosch@huawei.com>
To: "Kumar, Sandeep" <sandeep.kumar@philips.com>, Don Sturek <d.sturek@att.net>, "Keoh, Sye Loong" <sye.loong.keoh@philips.com>, "paduffy@cisco.com" <paduffy@cisco.com>, "dtls-iot@ietf.org" <dtls-iot@ietf.org>, Zach Shelby <zach@sensinode.com>
Date: Fri, 14 Jun 2013 00:49:16 +0000
Subject: Re: [Dtls-iot] Current dtls-iot charter text - discuss...

Hi Sandeep,

-=- Quote -=-
I agree that revocation is an important and often neglected topic. However, before we can discuss revocation, we first need the DTLS protocol to be capable of being used for most IoT devices and networks. The I-D submitted yesterday, draft-keoh-dtls-profile-iot-00.txt, provides input to kick off this discussion. Once we have an IoT-profiled DTLS protocol, we surely should think more seriously about revocation. The charter should focus on first fulfilling this initial aim to make DTLS suitable for constrained environments; otherwise we might end up spending a lot of energy designing revocation techniques without any relevant protocol that would work within a constrained domain.
-=- /Quote -=-

I think we should not neglect revocation until the first phase is over. It is an important issue, and neglecting it now may cost us dearly in the future. For sound security, authentication and revocation are essential.

Best regards,
Bert



-----Original Message-----
From: Kumar, Sandeep [mailto:sandeep.kumar@philips.com] 
Sent: 13 June 2013 15:20
To: Bert Greevenbosch; Don Sturek; Keoh, Sye Loong; paduffy@cisco.com; dtls-iot@ietf.org; Zach Shelby
Subject: RE: [Dtls-iot] Current dtls-iot charter text - discuss...

Hi Bert

I agree that revocation is an important and often neglected topic. However, before we can discuss revocation, we first need the DTLS protocol to be capable of being used for most IoT devices and networks. The I-D submitted yesterday, draft-keoh-dtls-profile-iot-00.txt, provides input to kick off this discussion. Once we have an IoT-profiled DTLS protocol, we surely should think more seriously about revocation. The charter should focus on first fulfilling this initial aim to make DTLS suitable for constrained environments; otherwise we might end up spending a lot of energy designing revocation techniques without any relevant protocol that would work within a constrained domain.

Kind regards
Sandeep

Filename:        draft-keoh-dtls-profile-iot
Revision:        00
Title:           Profiling of DTLS for CoAP-based IoT Applications
Creation date:   2013-06-12
Group:           Individual Submission
Number of pages: 14
URL:             http://www.ietf.org/internet-drafts/draft-keoh-dtls-profile-iot-00.txt
Status:          http://datatracker.ietf.org/doc/draft-keoh-dtls-profile-iot
Htmlized:        http://tools.ietf.org/html/draft-keoh-dtls-profile-iot-00


Abstract:
   This document collects various implementation challenges of DTLS on
   embedded systems, and proposes a profile of DTLS for CoAP-based
   Internet of Things (IoT) applications. Specifically, this document
   investigates the application features and functionality of the DTLS
   protocol, the fragmentation issue of the DTLS Handshake protocol, and
   the complexity of the DTLS Handshake state machine. A RESTful DTLS
   Handshake which relies on CoAP Block-wise Transfer is proposed to
   address the fragmentation issue. The next step is to define a DTLS
   profile for embedded systems.



-----Original Message-----
From: dtls-iot-bounces@ietf.org [mailto:dtls-iot-bounces@ietf.org] On Behalf Of Bert Greevenbosch
Sent: Thursday, June 13, 2013 2:54 AM
To: Don Sturek; Keoh, Sye Loong; paduffy@cisco.com; dtls-iot@ietf.org; Zach Shelby
Subject: Re: [Dtls-iot] Current dtls-iot charter text - discuss...

Hi Don, Sye Loong, Zach, all,

Indeed CRL and OCSP are far too heavyweight for a constrained environment. Hence my attempt to create a solution that delegates revocation and authorisation checking to a trusted and more capable intermediary.

The proposed OCSP-lite protocol (we still need a better name for this) is the protocol between the constrained device and the intermediary; the intermediary can then perform the more advanced revocation/authorisation checks.

Anyway I think it is too early to discuss the technical solution, after all we are only in the charter drafting phase. But I do think that revocation/authorisation is an essential part in a security system, and should be given due attention in the WG from the beginning.

Best regards,
Bert
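The delegation Bert sketches above, as an added illustration that is neither the OCSP-lite draft's design nor Bert's code: the constrained device sends only a certificate fingerprint and a nonce to the intermediary, which performs the CRL/authorisation lookup and returns a MAC-protected verdict that the device checks for authenticity, binding to its own query, and freshness. The shared key, the revoked/authorised lists, the message layout and all names are constructed assumptions for this example.

```python
import hashlib, hmac, json, os, time

# Constructed data (hypothetical, not the draft's format): a key shared by device and
# intermediary, and the intermediary's revocation and authorisation lists.
SHARED_KEY = b"constructed-device-intermediary-key"
REVOKED = {hashlib.sha256(b"cert-of-compromised-sensor").hexdigest()}
AUTHORISED = {hashlib.sha256(b"cert-of-gateway").hexdigest()}

def fingerprint(cert_der: bytes) -> str:
    """The constrained side only hashes the peer certificate; it never parses a CRL."""
    return hashlib.sha256(cert_der).hexdigest()

def device_request(cert_der: bytes) -> dict:
    """Device -> intermediary: fingerprint plus a fresh nonce binding the answer to this query."""
    return {"fp": fingerprint(cert_der), "nonce": os.urandom(8).hex()}

def intermediary_answer(req: dict, now: float, ttl: int = 300) -> dict:
    """Intermediary: heavyweight revocation/authorisation lookup, then a short MACed verdict."""
    fp = req["fp"]
    if fp in REVOKED:
        status = "revoked"
    elif fp in AUTHORISED:
        status = "good"
    else:
        status = "unknown"
    body = {"fp": fp, "nonce": req["nonce"], "status": status, "exp": int(now) + ttl}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()}

def device_accepts(req: dict, ans: dict, now: float) -> bool:
    """Device-side check: MAC valid, bound to our nonce and fingerprint, unexpired, status good."""
    payload = json.dumps(ans["body"], sort_keys=True).encode()
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ans["mac"]):
        return False  # forged or modified verdict
    b = ans["body"]
    if b["nonce"] != req["nonce"] or b["fp"] != req["fp"]:
        return False  # answer replayed from a different query
    if now > b["exp"]:
        return False  # stale verdict; revocation may have happened since
    return b["status"] == "good"

def check_peer(cert_der: bytes, now=None) -> bool:
    """Full round trip for one peer certificate; returns True only for a fresh 'good' verdict."""
    now = time.time() if now is None else now
    req = device_request(cert_der)
    return device_accepts(req, intermediary_answer(req, now), now)
```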


-----Original Message-----
From: dtls-iot-bounces@ietf.org [mailto:dtls-iot-bounces@ietf.org] On Behalf Of Don Sturek
Sent: 12 June 2013 3:29
To: Keoh, Sye Loong; paduffy@cisco.com; dtls-iot@ietf.org
Subject: Re: [Dtls-iot] Current dtls-iot charter text - discuss...

Hi Sye Loong,

We (the ZigBee Alliance) are not currently working on revocation issues since our focus is on network joining. We don't use revocation on our identity (device) certificates since these certificates are just for authentication.

For authorization, we expect additional certificates to be used (provided by service providers, utilities, etc.). These certificates need to have CRL or OCSP; however, these processes are a bit heavyweight for the devices we are using.

Don


On 6/11/13 11:57 AM, "Keoh, Sye Loong" <sye.loong.keoh@philips.com> wrote:

>Thanks for the clarification, Don and Paul.
>
>Indeed, this is a good area of investigation. However, are we too early
>to explore revocation issues in this BOF? I had the impression that
>this BOF/WG aims to investigate the use of DTLS for IoT applications,
>or at least getting DTLS to run "comfortably" together with CoAP would
>be the primary goal of this activity and revocation is rather
>independent of this, isn't it?
>
>BTW, is there any plan in Zigbee-IP or the Zigbee Alliance to investigate
>the revocation issue?
>
>cheers
>Sye Loong
>________________________________________
>From: dtls-iot-bounces@ietf.org [dtls-iot-bounces@ietf.org] on behalf
>of Don Sturek [d.sturek@att.net]
>Sent: Monday, June 10, 2013 7:02 PM
>To: paduffy@cisco.com; dtls-iot@ietf.org
>Subject: Re: [Dtls-iot] Current dtls-iot charter text - discuss...
>
>To add onto what Paul wrote......
>
>ZigBee IP supports white lists/black lists for network admission but
>we leave it up to the application as to how these lists are created/managed.
>As Paul noted, OCSP or CRL on device certificates is not a scalable
>solution (and in many cases not even desired......)
>
>To back up Paul's suggestion, it would be great to see this as an area
>of investigation in dtls-iot (or whatever the name becomes!)
>
>Don
>
>
>On 6/10/13 9:34 AM, "Paul Duffy" <paduffy@cisco.com> wrote:
>
>>Zigbee IP does not mandate use of CRLs or OCSP for device certificates
>>(in IEEE 802.1AR-speak ... the UDevID). Supporting these mechanisms
>>for device certificates on constrained devices and networks, at mass
>>scale, is highly problematic.
>>
>>Definitely an area for investigation.
>>
>>
>>On 6/10/2013 4:48 PM, Keoh, Sye Loong wrote:
>>> Hi Bert,
>>>
>>> Do you know whether the current IoT deployments, such as Zigbee-IP,
>>>check the revocation list? Do you foresee revocation being a potentially
>>>serious problem in the future when devices are being replaced,
>>>compromised, and when reselling them?
>>>
>>> Cheers
>>> Sye Loong
>>>
>>> -----Original Message-----
>>> From: dtls-iot-bounces@ietf.org [mailto:dtls-iot-bounces@ietf.org]
>>>On Behalf Of Bert Greevenbosch
>>> Sent: Friday 7 June 2013 3:56
>>> To: Zach Shelby; dtls-iot@ietf.org
>>> Subject: Re: [Dtls-iot] Current dtls-iot charter text - discuss...
>>>
>>> Hi all,
>>>
>>> I think the following draft fits in the discussion of DTLS-IOT:
>>> http://datatracker.ietf.org/doc/draft-greevenbosch-tls-ocsp-lite/
>>>
>>> This is quite an early approach to tackling the
>>>revocation/authentication issue in a scalable way. Section 4
>>>discusses some requirements.
>>>
>>> The draft certainly is to be seen as work in progress, but it
>>>addresses an issue that requires due attention.
>>>
>>> Best regards,
>>> Bert
>>>
>>>
>>> -----Original Message-----
>>> From: dtls-iot-bounces@ietf.org [mailto:dtls-iot-bounces@ietf.org]
>>>On Behalf Of Zach Shelby
>>> Sent: 4 June 2013 21:58
>>> To: dtls-iot@ietf.org
>>> Subject: Re: [Dtls-iot] Current dtls-iot charter text - discuss...
>>>
>>> I know there are several people working on new I-Ds related to this
>>>activity, please let us know what you are working on and if any help
>>>is needed.
>>>
>>> On Jun 3, 2013, at 10:23 PM, Stephen Farrell
>>><stephen.farrell@cs.tcd.ie> wrote:
>>>
>>>> Existing work
>>>>
>>>> http://www.ietf.org/id/draft-hartke-core-codtls-02.txt
>>>> http://www.ietf.org/id/draft-tschofenig-lwig-tls-minimal-02.txt
>>>> http://www.ietf.org/id/draft-keoh-lwig-dtls-iot-01.txt
>>>> http://www.ietf.org/id/draft-keoh-tls-multicast-security-00.txt
>>>> http://www.ietf.org/id/draft-ietf-tls-oob-pubkey-07.txt
>>>>
>>>> http://www.ietf.org/id/draft-jennings-core-transitive-trust-enrollment-01.txt
>>> Regards,
>>> Zach
>>>
>>> --
>>> Zach Shelby, Chief Nerd, Sensinode Ltd.
>>> http://www.sensinode.com @SensinodeIoT
>>> Mobile: +358 40 7796297
>>> Twitter: @zach_shelby
>>> LinkedIn: http://fi.linkedin.com/in/zachshelby
>>> 6LoWPAN Book: http://6lowpan.net
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> dtls-iot mailing list
>>> dtls-iot@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dtls-iot
>>>
>>> ________________________________
>>> The information contained in this message may be confidential and
>>>legally protected under applicable law. The message is intended
>>>solely for the addressee(s). If you are not the intended recipient,
>>>you are hereby notified that any use, forwarding, dissemination, or
>>>reproduction of this message is strictly prohibited and may be
>>>unlawful. If you are not the intended recipient, please contact the
>>>sender by return e-mail and destroy all copies of the original message.
>>>
>>>
>>
>
>
>
>


