Re: [Fud] A few questions / observations

Jim Schaad <ietf@augustcellars.com> Mon, 09 October 2017 21:58 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: fud@ietfa.amsl.com
Delivered-To: fud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32577132193 for <fud@ietfa.amsl.com>; Mon, 9 Oct 2017 14:58:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.699
X-Spam-Level:
X-Spam-Status: No, score=0.699 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=augustcellars.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hDAkmgeexoxb for <fud@ietfa.amsl.com>; Mon, 9 Oct 2017 14:58:33 -0700 (PDT)
Received: from mail4.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 961DC120720 for <fud@ietf.org>; Mon, 9 Oct 2017 14:58:33 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-us
DKIM-Signature: v=1; a=rsa-sha256; d=augustcellars.com; s=winery; c=simple/simple; t=1507586260; h=from:subject:to:date:message-id; bh=qCcZpbSo/R+rPJmiSiQi4W0b7lEfRwaLszd7sw42Yz8=; b=TmhxXchYP98NVj0XCwdzMy6McR0SBXBq9pet583mK8SAQ1PSjmnBEJlQHLxdeD/Obf3i/+Lb+v2 xUEwnJp/6m7wNFzDRQXLpDGj/hiu6fq7iBxfcNPUH/ChKWgyKJ9QZRWjmVz7ComZqrCHTu1YAk8f6 Fis0xKLhBMDGmf988RtxnCXOLWNxjSDADV/OYJoJfI7sb7j/NCW7jhjMflFcAQYNFu1VfhX9LQFvo 6lx7czVS6EoVlnSraIS3kXLY+yEijoiky6NWJ9oj6ssSKvWJOWefJl4gPiRq4CyGE8SeAqcNlzBi1 3aH3KziRkoqQh+JLxoIrqB1LmQiqAyq0vgGA==
Received: from mail2.augustcellars.com (192.168.1.201) by mail4.augustcellars.com (192.168.1.153) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Mon, 9 Oct 2017 14:57:40 -0700
Received: from Hebrews (192.168.1.162) by mail2.augustcellars.com (192.168.1.201) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Mon, 9 Oct 2017 14:57:16 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Hannes Tschofenig' <hannes.tschofenig@gmx.net>, <fud@ietf.org>
References: <F0841595-E703-4AFD-A557-4A02E21AD5ED@arm.com> <5D8BA40A-0A70-44BC-B136-6A8946F4A80B@vigilsec.com> <021201d33d4f$8af662b0$a0e32810$@augustcellars.com> <977c55f1-c4aa-3edc-e3e9-0142eec1c783@gmx.net>
In-Reply-To: <977c55f1-c4aa-3edc-e3e9-0142eec1c783@gmx.net>
Date: Mon, 9 Oct 2017 14:58:03 -0700
Message-ID: <009201d34149$b013ebf0$103bc3d0$@augustcellars.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQFIzdx4IdoVPeqc3QieDdoEAc8QRQI5vojWAvKo47ECCUOxa6O3Sh8g
X-Originating-IP: [192.168.1.162]
Archived-At: <https://mailarchive.ietf.org/arch/msg/fud/neANMvQfP4mAq3z_GYOjm2bbQhE>
Subject: Re: [Fud] A few questions / observations
X-BeenThere: fud@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: FUD - Firmware Updating Description <fud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/fud>, <mailto:fud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/fud/>
List-Post: <mailto:fud@ietf.org>
List-Help: <mailto:fud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/fud>, <mailto:fud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Oct 2017 21:58:35 -0000


> -----Original Message-----
> From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net]
> Sent: Monday, October 9, 2017 1:40 AM
> To: Jim Schaad <ietf@augustcellars.com>om>; fud@ietf.org
> Subject: Re: [Fud] A few questions / observations
> 
> Hi Jim,
> 
> let me respond to this issue:
> 
> On 10/04/2017 10:29 PM, Jim Schaad wrote:
> > Many of the people that I have talked to are looking at using either
> > raw public keys or pre-shared keys as the authentication mode for
> > doing TLS.  This means that the need for any ASN.1 decoding goes away
> > from TLS and the DER encoder would not be needed on the end product.
> > I think this might be a YMMV statement.
> 
> I guess it depends who you talk to.

I completely agree on that.  It might be a bit higher after the OAuth stuff gets deployed, I don't know

Jim

> 
> As you know, I am co-author of the TLS PSK and the TLS raw public key
> mechanism and as such I had obviously expected (or was hoping for) a
> widespread adoption of those mechanisms since they provide much better
> performance on paper. Since we always hear these stories about limitations
> of these IoT devices we obviously buy into these stories.
> 
> However, our experience at ARM was a bit different. Those companies who
> cared about IoT security tend to be rather conservative and once they decide
> to go for the full-blown IoT solution (which includes a device management
> solution with firmware updates) they want to go for a certificate based
> approach. Of course, there is more overhead but often there are other
> factors that play a role in the decision making. For example, many of these
> companies are interested in reusing their existing infrastructure and
> processes. This might also explain why there is suddenly interest in
> standardizing the EST over CoAP-based certificate management protocol in
> ACE.
> 
> Hence, I believe there is a disconnect between the " optimize like hell"
> and the "I need to deploy something I am familiar with" approaches.
> 
> Ciao
> Hannes