IETF Logo Mail Archive

Re: [Dtls-iot] IP Addresses in Certificates

Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 07 August 2015 14:21 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: dtls-iot@ietfa.amsl.com
Delivered-To: dtls-iot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79BED1B2DA3 for <dtls-iot@ietfa.amsl.com>; Fri, 7 Aug 2015 07:21:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Axx2fCIFMrF4 for <dtls-iot@ietfa.amsl.com>; Fri, 7 Aug 2015 07:21:33 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E05B1A0358 for <dtls-iot@ietf.org>; Fri, 7 Aug 2015 07:21:33 -0700 (PDT)
Received: from [192.168.131.133] ([80.92.114.74]) by mail.gmx.com (mrgmx003) with ESMTPSA (Nemesis) id 0LztHH-1Ykp343gp9-0154WM; Fri, 07 Aug 2015 16:21:30 +0200
Message-ID: <55C4BEE5.5080107@gmx.net>
Date: Fri, 07 Aug 2015 16:21:25 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: Michael StJohns <msj@nthpermutation.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <55A63EEF.7010608@gmx.net> <55A641EC.4030203@cs.tcd.ie> <D1D3F9D5.31B15%thomas.fossati@alcatel-lucent.com> <trinity-5e418e2e-726a-4c31-8498-634e598fb57e-1438786484782@3capp-gmx-bs46> <55C23E1B.5050300@cs.tcd.ie> <55C2687F.8050004@nthpermutation.com>
In-Reply-To: <55C2687F.8050004@nthpermutation.com>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="gk9X0VGthMOvJftVNU7iul254dewE8qLd"
X-Provags-ID: V03:K0:4TZIft9UwYiVabH+0R1VOXyduIkwUhzyCaGv+DESqTLeWRz1d7n 1RMGT7Yi6xzXv6Lpwl+pgmFI+MGmZdEXWT8k3cCG9HGAJHqgZDytZB5u4hsdMVELIWu8+U1 fs+YovnPvtcPGftY0LS/KLy7b9U/p6eFO5GyxPkgk5hlIFjQEzfLGzLH+vUUC9kFjSb6pme WBNV4moIw6Ky8DFr8CaBA==
X-UI-Out-Filterresults: notjunk:1;V01:K0:3bQnvA/fnqE=:0QHqkndXxpu+kbxy6W0C5/ 9wEouvRNQZfbtcPyYFicDC2VWw6nx6nYddearvCFQBLpAiiZhFpNfCX3F5qAjDl9JSl/DxWs2 +RWy2oWsTEQYdYrUFhb3XjoTtQ9mEicJgKvy7NhBCwXDe8qR6u3rMf0lQZDhRR6YmiuzcShtB t/450COeDl8s1Y1pn/EuLVBsGXU1RHMzvGxZjScWAU7RrubPByGJO604tXgXgOd84yrW8Fa1d Ex/SwDWJdNrVrsHq1UbKMVFwY4hUzpgs45/xillAr09jdCygcM3KyhxuTep4w+lEF55qSPsyd k2oVHonxld09EJSGABFzqhogBZtCym1a/eYlqQm3noJdvSbb6NiTDor+fMeG3RJvVoGfY7Nfk kv0yjQtW6jcRlZirjCLSeM2nUV9f89D2QIF6vntuoiM59o4syRc6PkTfhD44LFqPivZijl8Df vb3MDlDQhI5xfCBYo9G2FOUUrw5ANdC/XoRXUyndYxu69KwU0w910FphWPGS8mtSSlL7771Uh WZ/AsFc476h1dI74WHwEM0CmjcbJfUZpN0OXiTYrUZV0zaj2guZBQaxzUizhZffCKo7rJImp/ Ov66tUTmLsjFtgWvJw0IFDmo30BQco8Syfjk7TL+S8cjklk7RrYmushbIVCXMymWAVm4ag4fY 6iQ85BuCqu55smp47wHXZ8tH3puIH9AimEONZ5UenpCHOsYBwrAD6Z0RWODa552rvz/6u1RW+ lotafA4Bn2QlBHkD
Archived-At: <http://mailarchive.ietf.org/arch/msg/dtls-iot/oM464Vnxs5a3NOKM_VQ5cSeDtQU>
Cc: dtls-iot@ietf.org
Subject: Re: [Dtls-iot] IP Addresses in Certificates
X-BeenThere: dtls-iot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DTLS for IoT discussion list <dtls-iot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtls-iot/>
List-Post: <mailto:dtls-iot@ietf.org>
List-Help: <mailto:dtls-iot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Aug 2015 14:21:36 -0000

Hi Mike, Hi Stephen,

I don't understand why we should make any recommendations for how to use
IP addresses in certificates.

IP addresses in certificates are not useful for end devices since their
IP addresses is most likely not known during manufacturing nor does it
add any security value.

Regarding IEEE 802.1AR I don't believe it recommends using IP addresses
in certificates either.

Ciao
Hannes

On 08/05/2015 09:48 PM, Michael StJohns wrote:
> Hi Stephen et al.
> 
> I'm coming in on this fairly late (2 weeks) so let me try and muddy the
> waters:
> 
> IEEE 802.1AR is a good source for ideas of how to deal with certificates
> and small devices.   In the case of Zigbee Smart Energy 2.0 for example,
> we use their concepts of LDevID  (Locally significant) and IDevID
> (Initial) device identifiers.  The latter is what gets built into the
> device and SEP2.0 uses the SubjectAltName hardwareModuleName in RFC4108
> as the manufactured in name for the device.  The attachment of a
> certificate to MAC address or even IP address by the manufacturer has a
> number of issues that are painful to address and that don't usually add
> to the security of the system.  (e.g. the handle of the name mostly
> isn't important to the underlying protocols in IOT and the relationship
> between an entity and its IP or MAC generally isn't a necessary
> consideration for trust between entities given certificates - same
> reason that client certificates for TLS rarely have IP addresses in
> them, but do have human personal names or email addresses).
> 
> Ideally you want a mapping between what's on the certificate inside the
> device and what's on the label outside - so that humans can basically
> type things in (or barcode them or....) during installation.  I might
> expect a local trust center to issue an LDevID based on the (manual?)
> acceptance of IDevID, and the LDevID *could* contain an IP address as a
> SubjectAltName, but I don't think we've gone that deep and most folk
> balk at running a Mini-CA in their home.
> 
> So I think your recommendation of "future work needed" is probably more
> correct than "IP certificates needed".
> 
> Later, Mike
> 
> 
> 
> 
> 
> On 8/5/2015 12:47 PM, Stephen Farrell wrote:
>> Hiya,
>>
>> On 05/08/15 15:54, Hannes Tschofenig wrote:
>>> Hi Stephen,
>>> reading through this issue again I believe you could help us further
>>> explain
>>> what we could recommend in the document.
>> Assuming that it'd be a bunch of work to recommend how to best
>> handle certificates for devices that will only ever have a bogon
>> IP address, I guess the best for now is to just say that that work
>> is not (yet) done and hence this document makes no recommendation.
>>
>> Seem ok? (And yes it could be that the current text on that
>> is just fine, I didn't go look back right now)
>>
>> S.
>>
>>> Currently, we are saying that folks shouldn't use IP addresses in
>>> certificates
>>> and in the email below Thomas mentioned one reason for doing so. I
>>> also pointed
>>> to a separate draft we have been working on to explore the topic
>>> further (see
>>> <draft-fossati-core-certmode-rd-names-01>).
>>> Ciao
>>> Hannes
>>> *Gesendet:* Dienstag, 21. Juli 2015 um 14:16 Uhr
>>> *Von:* "FOSSATI, Thomas (Thomas)" <thomas.fossati@alcatel-lucent.com>
>>> *An:* "Stephen Farrell" <stephen.farrell@cs.tcd.ie>, "Hannes Tschofenig"
>>> <hannes.tschofenig@gmx.net>, "dtls-iot@ietf.org" <dtls-iot@ietf.org>
>>> *Betreff:* Re: [Dtls-iot] IP Addresses in Certificates
>>> Hi Stephen,
>>>
>>> On 15/07/2015 12:20, "dtls-iot on behalf of Stephen Farrell"
>>> <dtls-iot-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie>
>>> wrote:
>>>   >Hiya,
>>>   >
>>>   >On 15/07/15 12:07, Hannes Tschofenig wrote:
>>>   >> Stephen wrote:
>>>   >>
>>>   >> (5) 6.3: Forgetting CoAP for the moment, surely this profile
>>> will be
>>>   >> used with devices that only have (possibly bogon) IP addresses
>>> and that
>>>   >> want to have those in certs. I do get that how to handle that
>>> well is
>>>   >> not very clear, esp. for certs for e.g. 192.168.0.1, but
>>> shouldn't it
>>>   >> really be covered by this profile?
>>>   >
>>>   >I should also have mentioned link-local addresses too I guess.
>>>
>>> v6 link-local make sense as stable identifiers, but they'd be equivalent
>>> to EUI-64 (which is what 6.3.2 requires for the use case where all the
>>> secure communication happens on the same subnet), only a few bytes
>>> larger
>>> than their EUI counterpart.
>>>
>>> Other kinds of IP addresses aren't long-term/stable enough to be put
>>> in a
>>> certificate -- which is in line with the recommendation we give in CoAP
>>> [https://tools.ietf.org/html/rfc7252#section-9.1.3.3].
>>>
>>> Cheers, t
>>>
>>> _______________________________________________
>>> dtls-iot mailing list
>>> dtls-iot@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dtls-iot
>>>
>> _______________________________________________
>> dtls-iot mailing list
>> dtls-iot@ietf.org
>> https://www.ietf.org/mailman/listinfo/dtls-iot
>>
> 
> _______________________________________________
> dtls-iot mailing list
> dtls-iot@ietf.org
> https://www.ietf.org/mailman/listinfo/dtls-iot

v2.23.0 | Report a Bug | By Email