Re: [Iotops] comments on draft-ietf-uta-tls13-iot-profile-04:
Michael Richardson <mcr+ietf@sandelman.ca> Mon, 11 April 2022 17:18 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: iotops@ietfa.amsl.com
Delivered-To: iotops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 967E33A0E0D; Mon, 11 Apr 2022 10:18:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bDjEWTDrejOW; Mon, 11 Apr 2022 10:18:33 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E02BB3A0E04; Mon, 11 Apr 2022 10:18:32 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id D1C2138D05; Mon, 11 Apr 2022 13:30:01 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Dn4bQA-x6iOv; Mon, 11 Apr 2022 13:30:00 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 0BC0538D03; Mon, 11 Apr 2022 13:30:00 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sandelman.ca; s=mail; t=1649698200; bh=hjHu1mJ3xnNY659e1mE4eKU+ZOlGgGmdJ9fB9CgNekc=; h=From:To:Subject:In-Reply-To:References:Date:From; b=6LzzOKUpdy6OJ50dNHJPsBAJ1yjgT3RZdVeJajVoZyoM4L1MxNx+c/u0pW4taVPxh x6Ldbskem6J86y7ZZ2EoorV44MmAjvGgo4nioxpV7YnGYYtDuxMuzAGEHLu/qIRtXN 3buC/aXfUaIKFTk2dk3FILhjmEUwlEeIpMWZEroD+Wfje0RZSj14dssf2aB16784L8 l2ZZC+VESFAgN7Yj7mlzbhGMYChnOLC/zFyZRknpVlzJ3ZeMJ9qNR/MAn5ROrkgHUo wKmu/AduZ0+G1eZ0+xd3fjt1jJXNe//wiVLLCISM/u8eCMC+o9/j/UDbSvIkF6pDyW roKZaAaaUTHEw==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 0D2383F; Mon, 11 Apr 2022 13:18:29 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "uta@ietf.org" <uta@ietf.org>, "core@ietf.org" <core@ietf.org>, "iotops@ietf.org" <iotops@ietf.org>
In-Reply-To: <DBBPR08MB59151F2A0B32F20498183743FAE49@DBBPR08MB5915.eurprd08.prod.outlook.com>
References: <59686.1648298525@dooku> <DBBPR08MB59151F2A0B32F20498183743FAE49@DBBPR08MB5915.eurprd08.prod.outlook.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 11 Apr 2022 13:18:29 -0400
Message-ID: <22181.1649697509@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/17m20nfYFl1PKWDKIEzYudpJW_8>
Subject: Re: [Iotops] comments on draft-ietf-uta-tls13-iot-profile-04:
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Apr 2022 17:18:40 -0000
Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote: mcr> 2) A long thread at LAMPS two years suggests that the term mcr> "Intermediate CA" applies only to cross-certification authoritiy mcr> bridges, and the term "Subordinate CA" should be used. That this mcr> is consistent with history going back to RFC4949. hannes> [hannes] We can note in the terminology section that the terms hannes> "Intermediate CA" and "Subordinate CA" are used interchangeably hannes> in this document because with regards to this document the hannes> distinction is not relevant. My view is that we have confused people by using them interchangeably, and we should stop doing that. Why not just use subordinate CA then? The relevance has to do with how path validation is managed. mcr> Given that such an involved discussion is not in scope for this mcr> document, it might be better just to refer to the ADD WG without mcr> mentioning specific solutions. I am, in general, not convinced mcr> that encrypted SNI serves any purpose for most IoT devices. hannes> [hannes] Major IoT service providers have cared about hiding hannes> client identity information by utilizing session resumption in hannes> TLS 1.2 to accomplish what is now available in TLS 1.3 with hannes> earlier encryption of handshake messages. While I personally hannes> haven't heard anyone asking for SNI encryption yet, I expect the hannes> same companies who cared about hiding the client identifiers to hannes> also take a look at the SNI encryption. While there are pros and hannes> cons of using these mechanisms, I am only suggesting to reference hannes> ongoing IETF work. Companies then need to decide whether a hannes> specific solution matches their requirements. Yes, what I'm saying is that just reference it. Trying to say much more about ongoing work is a recipe for getting something wrong and having to revise the document late in the process. mcr> 4) section 15 There is much discussion about what goes into the mcr> certificates. I didn't really understand why that is in this mcr> document. Validation of server certificates is well covered in mcr> RFC6125, I think. hannes> [hannes] In my experience, validation of server certificates has hannes> been a source of confusion in IoT and RFC 6125 does not talk hannes> about the use of IoT protocols like CoAP and MQTT. I have seen hannes> various companies and organizations creating their own profiles hannes> of RFC 6125 in the past, which has resulted in the text of this hannes> section. Okay, so either we have to do much more, or we have to do much less here. mcr> As the (industrial) IoT market embraces IDevID certificates, mcr> there is some concern that different markets will put different mcr> requirements on IDevID contents. So far it does not appear that mcr> anyone has created a situation where a single (fat) IDevID mcr> certificate couldn't be used in a variety of market verticals, mcr> the concern remains. mcr> It was my intention to introduce a document about this issue. I mcr> think that it's something that only the IETF can do. Perhaps mcr> that would fit into this UTA document, or perhaps parts of this mcr> section 15 goes into another document. hannes> [hannes] This section was difficult to write because - there are hannes> lots of different IoT verticals, - companies often do not want to hannes> share information about what they do in their deployments, and - hannes> there are many different identifier formats. hannes> It would, of course, be worthwhile to ask around again to see hannes> what current deployments are using. I could check the public hannes> documentation of major IoT service providers to get this process hannes> started. Thomas suggested that this was welcome in this document. I will attempt to write some text to go here. The TL;DR summary is: "don't shoot yourself in the foot" :-) Or, be tolerant of things you don't understand. I agree that it needs a road show to bring this to many other verticals, but I think that ultimately, those other entities are looking to us to give them something to cite. The question is whether the TLS profile is the right place for it. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | IoT architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
- [Iotops] comments on draft-ietf-uta-tls13-iot-pro… Michael Richardson
- Re: [Iotops] [Uta] comments on draft-ietf-uta-tls… Thomas Fossati
- Re: [Iotops] [Uta] comments on draft-ietf-uta-tls… Michael Richardson
- Re: [Iotops] [Uta] comments on draft-ietf-uta-tls… Thomas Fossati
- Re: [Iotops] comments on draft-ietf-uta-tls13-iot… Hannes Tschofenig
- Re: [Iotops] comments on draft-ietf-uta-tls13-iot… Michael Richardson