Re: [Iot-onboarding] [Secdispatch] DANE IOT proposed outcome

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 26 November 2020 22:17 UTC

References: <2786E31F-2A4F-4901-8ECC-7AEF4B4D81E2@cisco.com> <b178d5066d6b4371a59ffe59bb6d6447@huawei.com> <3353.1606420713@localhost>
In-Reply-To: <3353.1606420713@localhost>
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 26 Nov 2020 17:17:37 -0500
Message-ID: <CAMm+Lwh8S0gCS_GhV7fRkznhNTT9VXACaPYXC4fJ0zcmx1SsJw@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: "Panwei (William)" <william.panwei@huawei.com>, Eliot Lear <lear=40cisco.com@dmarc.ietf.org>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/8OobNGy8pAb7Qam-0SJ_knt_v04>
Subject: Re: [Iot-onboarding] [Secdispatch] DANE IOT proposed outcome

Let's break this down.

Does the proposed solution work with existing Browsers?

If yes, fine. But since this is DANE-based, it can't be. So we have to
modify the browser. So the question to ask is:

Is this the best solution that involves modifying the browser?

I don't care how much effort went into DANE, that is really inconsequential
when we consider the cost of modifying billions of browsers that are in use.


PKIX is a really lousy match for IoT requirements. It is designed to
authenticate organizations and people within organizations. Hence it begins
with the assumption credentials expire and must be renewed on a regular
basis. That is a bad starting point for IoT.

But DNS is rather worse: the time scale is even shorter because it is set
by the need to push out service configuration changes. And the number of
IoT customers who have access to DNS configurations is a small part of the
target market. And DNS names expire every year and require a paid renewal.
This is going backwards, not forwards.


DANE has had plenty of time to prove itself useful. At this point it is
time to declare that it has lost any claim to own this space. It is time to
ask if other people have a better idea. Including the people who were
repeatedly told they were not welcome to participate in DANE because they
had different ideas.