Re: [Fud] A few questions / observations

Hannes Tschofenig <> Mon, 09 October 2017 08:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3B06C134DB4 for <>; Mon, 9 Oct 2017 01:49:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.4
X-Spam-Status: No, score=-5.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BznOUCxBeA_Q for <>; Mon, 9 Oct 2017 01:49:19 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DB737134D33 for <>; Mon, 9 Oct 2017 01:41:02 -0700 (PDT)
Received: from [] ([]) by (mrgmx103 []) with ESMTPSA (Nemesis) id 0LmJsk-1dRrsQ136A-00a0Ps; Mon, 09 Oct 2017 10:40:24 +0200
To: Jim Schaad <>,
References: <> <> <021201d33d4f$8af662b0$a0e32810$>
From: Hannes Tschofenig <>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <>
Date: Mon, 9 Oct 2017 10:40:22 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <021201d33d4f$8af662b0$a0e32810$>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Provags-ID: V03:K0:B3DnE1atORRi0Nn7skqEVtdu6TQptfLbkWM9OEnYBURvWz9SDbY LSMiwG3uF8hZqfOHVVmE3hZj5+GaHXM8rxD7TKH88w7W4bSM+9KJaL5tUHoSMvamW6HF8Fx BNcHb11qTjZ+R6l7yK/c5Matryigd9cmnyXrQ/fl8rc2D+T1zaFp0FAsRyCIpgXJvX05EAq /4gE/PouIezsUtLvNe3ow==
X-UI-Out-Filterresults: notjunk:1;V01:K0:e+T1q6Elsqc=:pS1kqLy0FIi831VLlV5xbF XoudUH3TZeLEWTite6NluH0ApFLMZSx1T+GL4znmMZGU6nxUwMaeWaq01Il7XTVAg8YTBUpzY iw3YhOzfS0jZxXroOi/d+Elekrf2G8YrMPRgcvQkrfA39zVDfsQep3tWJUVycdTiuLD3epbr3 l1xcfx5G2g7uwUAyK1/8bq1y6PEzUj+gyTX0jOSPCsvQFcyna88BwFv7wNK7jUVoj7vvglxJs i7E9rd0xwWtLEr6M/74q8Z0smJ9QaPaDkb4A8tCYZQ99KYDU/1E1XCNF2V+nMG5cu6TdgSyQL 56YTaWcn/d7AzqXjRVYUKYrShjC09I2KPMH5XsLHU+DIolbSdKO586/AqOL+p4v/Zo8Jtusrq 33pqPU6lck7eIeXbOHd2HbRYW3HVNpBTdmP+oUlrVWMEdosGdVbVwU2pUnYSN4VzkNdmeQmV5 aznW8f6Ao3Hd1Tn+eLcwpKLKMKsMXzswhXqJKoz6h3g1tnx5lQbRYdSrJ5V0lgpOJPoTEDzRl 48CG57QxnLRTxzzQ+5iBx70X2U51QCYAxEd5l5bwzAH8s6nvjzTCKnjlTMmpI++sr706VCo9n LWzPW2Xus/B4VXtPa3Rz7D8Ls3POlUZ+6ymmbo0NHfebdfYoGHr0qh1z03d21mM/1OFHGwPQW h286Czrgen7t01BLYpE3yT4OpHvI8RHEz8H7j+IYoA8xrChZE0i3OAYZE50x7QO1YVlxJQZwY EWkrtk8090iuOzp9qWJDOiCyNuZxzNgP1NZMCclEFxshhUe34ZpNk3LHG63ys1edAadFSJNdO X/7I0E+5J2fwHcCn5kRg+omWZabJJOllQ6rRmH/evvPyr6MueM=
Archived-At: <>
Subject: Re: [Fud] A few questions / observations
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: FUD - Firmware Updating Description <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 09 Oct 2017 08:49:21 -0000

Hi Jim,

let me respond to this issue:

On 10/04/2017 10:29 PM, Jim Schaad wrote:
> Many of the people that I have talked to are looking at using either raw
> public keys or pre-shared keys as the authentication mode for doing
> TLS.  This means that the need for any ASN.1 decoding goes away from TLS
> and the DER encoder would not be needed on the end product.  I think
> this might be a YMMV statement.

I guess it depends who you talk to.

As you know, I am co-author of the TLS PSK and the TLS raw public key
mechanism and as such I had obviously expected (or was hoping for) a
widespread adoption of those mechanisms since they provide much better
performance on paper. Since we always hear these stories about
limitations of these IoT devices we obviously buy into these stories.

However, our experience at ARM was a bit different. Those companies who
cared about IoT security tend to be rather conservative and once they
decide to go for the full-blown IoT solution (which includes a device
management solution with firmware updates) they want to go for a
certificate based approach. Of course, there is more overhead but often
there are other factors that play a role in the decision making. For
example, many of these companies are interested in reusing their
existing infrastructure and processes. This might also explain why there
is suddenly interest in standardizing the EST over CoAP-based
certificate management protocol in ACE.

Hence, I believe there is a disconnect between the " optimize like hell"
and the "I need to deploy something I am familiar with" approaches.