IETF Logo Mail Archive

Re: [Iotops] [Uta] comments on draft-ietf-uta-tls13-iot-profile-04:

Thomas Fossati <Thomas.Fossati@arm.com> Mon, 04 April 2022 10:02 UTC

Return-Path: <Thomas.Fossati@arm.com>
X-Original-To: iotops@ietfa.amsl.com
Delivered-To: iotops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C58523A2002; Mon, 4 Apr 2022 03:02:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=XW4McF22; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=XW4McF22
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LWDEt4BC8BYJ; Mon, 4 Apr 2022 03:02:47 -0700 (PDT)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2060d.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e1b::60d]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CAB23A1B43; Mon, 4 Apr 2022 03:02:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kPt2K9+Tq5ZpPHc/65pg+R4NuKVTBn5KewAuCLN/Ewo=; b=XW4McF22t2Fz8fnvfRxwh3JeYQoyWJPRCR9fNX2xzJJhWBUE1v2aav0k0PPV4dHukQd+7S7l20RVppfEf8cXv4I38zUoPnLoYxusBSrw95X5DX83rt1gc6YZ6/jB1RdREzgy0qFQ2Mc5T17PcRQUQl3y/16CKv1g7Ikghn8MCEw=
Received: from AM6PR0502CA0037.eurprd05.prod.outlook.com (2603:10a6:20b:56::14) by DB8PR08MB5193.eurprd08.prod.outlook.com (2603:10a6:10:e6::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.31; Mon, 4 Apr 2022 10:02:39 +0000
Received: from VE1EUR03FT064.eop-EUR03.prod.protection.outlook.com (2603:10a6:20b:56:cafe::9e) by AM6PR0502CA0037.outlook.office365.com (2603:10a6:20b:56::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.31 via Frontend Transport; Mon, 4 Apr 2022 10:02:39 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;dmarc=pass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by VE1EUR03FT064.mail.protection.outlook.com (10.152.19.210) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.19 via Frontend Transport; Mon, 4 Apr 2022 10:02:39 +0000
Received: ("Tessian outbound 9613c00560a5:v118"); Mon, 04 Apr 2022 10:02:38 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: 03c513e11c488134
X-CR-MTA-TID: 64aa7808
Received: from 771bfa8f1e63.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 8997AACE-5466-4452-88E3-22621556381E.1; Mon, 04 Apr 2022 10:02:32 +0000
Received: from EUR03-DB5-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 771bfa8f1e63.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Mon, 04 Apr 2022 10:02:32 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kzFxCZ1aoSEcr/7qtat/yHmaDW3CWcFO14rmVmNw/hzRR/zJWVUaVGTLXHgvMVFHqlqTtCZ2MMIGJt/6Ngjv16QpoLI2T79p4Iu0e2PWGN/Z8xKkNtA3AjD1wKkV8/c4j8aDzBdxA7XG947ivtmIhENv3hobENhk8vaclllLCdZVwxCJtXf6LHK8jTaODE2HKhw6xLi8/QVpZPUmPTHjHkHzeV+BbRgJt+unzI4fTybG8rUFWOvbPno5QYJpAetorvF/S8G7qqNtalaOumaUoaK+nkIhoyVga8040IMt9CKGLgewxLYuB6EXta732BWpFSEf1LbJSoGDCy4zet+OMA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=kPt2K9+Tq5ZpPHc/65pg+R4NuKVTBn5KewAuCLN/Ewo=; b=S1grLLojBfaBKHzcd4+dlFwM4EIWZVMuLfj8yUurCdc2T/vO9xsG+qMzik7fTBcAsuoJy4VNeXAFQ3mkt0eNEsEakrQt4JXZ4xgu1lNga/DLV63d/VMxywMj69/p4bPmN3A3C2vedNtk5lzXyIluOjFD5zj2zgpcvKP5XyhmpNoWJdLqbhLVYxvxocMjR22Bp4raWWGF1egDc6+M93ioTbmVtDWq8og9ZRBwLEjion4FMzmkKw4DekOl2yf4XR03dZe3Pj4hCfDQ7GN2mhjnoYTMBuvw2gKehzPt/OeH4ODO2rHTZ3V1IoMUToI1tGFP93pxEqvDl8LIX6fj6lP5Qg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kPt2K9+Tq5ZpPHc/65pg+R4NuKVTBn5KewAuCLN/Ewo=; b=XW4McF22t2Fz8fnvfRxwh3JeYQoyWJPRCR9fNX2xzJJhWBUE1v2aav0k0PPV4dHukQd+7S7l20RVppfEf8cXv4I38zUoPnLoYxusBSrw95X5DX83rt1gc6YZ6/jB1RdREzgy0qFQ2Mc5T17PcRQUQl3y/16CKv1g7Ikghn8MCEw=
Received: from DB9PR08MB6524.eurprd08.prod.outlook.com (2603:10a6:10:251::8) by DBAPR08MB5734.eurprd08.prod.outlook.com (2603:10a6:10:1aa::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.30; Mon, 4 Apr 2022 10:02:31 +0000
Received: from DB9PR08MB6524.eurprd08.prod.outlook.com ([fe80::3855:7d6a:1c7a:3caf]) by DB9PR08MB6524.eurprd08.prod.outlook.com ([fe80::3855:7d6a:1c7a:3caf%7]) with mapi id 15.20.5123.031; Mon, 4 Apr 2022 10:02:30 +0000
From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "uta@ietf.org" <uta@ietf.org>, "core@ietf.org" <core@ietf.org>, "iotops@ietf.org" <iotops@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Thread-Topic: [Uta] comments on draft-ietf-uta-tls13-iot-profile-04:
Thread-Index: AQHYQQ8SXUD3S8GbJUG5aEyBI3Kt16zbZrUbgANCZwCAAOPN+A==
Date: Mon, 04 Apr 2022 10:02:30 +0000
Message-ID: <DB9PR08MB65244E3D456C8B90371BA0E49CE59@DB9PR08MB6524.eurprd08.prod.outlook.com>
References: <59686.1648298525@dooku> <DB9PR08MB652404F2CC3773FA66BC89229CE09@DB9PR08MB6524.eurprd08.prod.outlook.com> <23712.1649016092@localhost>
In-Reply-To: <23712.1649016092@localhost>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
X-MS-Office365-Filtering-Correlation-Id: 286ca84e-afc0-4cbf-5857-08da16224080
x-ms-traffictypediagnostic: DBAPR08MB5734:EE_|VE1EUR03FT064:EE_|DB8PR08MB5193:EE_
X-Microsoft-Antispam-PRVS: <DB8PR08MB519381F810354F78EB79098B9CE59@DB8PR08MB5193.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: TV+2Zd+Em/7y9JKNkGIEgHBV9t2B9jBSMme52WhcFT2h+VIhOkeA+T8py/HYc2o6HT9fWpM+p+kDOYvNst/UeE5FvLFgfXmSS/yy64NH9Dfalxp3AHEHsgvy2/H//7nDqzxpGapUip4phsI+9PRiDSfx3NbY++5Dsd1qeRzMwTEhp1Br5CpocDUrYaeQE5JegqKzwxFefzEg4FYZBQoNxxdjJ6dMzGp+gVho+fTRzU+KxbT8l8qVN/fhbNTpry7adBQU39c28ZvzVj5zR3+eP74jkp0u5n2JTbg5arw3+yyeSS2kj4IKKL66EeaACVSNwk6QK/pQOfiPnFjqMjQjEzDJqWB5Fi+HpzUd6x2ezVr4RwTXAGTkKhhRE1YoolqVKKbGtyHLGFHFWMhyNNsb9Gbef8tjQmrjqmY3FcV0DUaAbULtL1SveMggIw000r6Mc8rwWY2C7q23Zwe6A5Q7+9oGw/2gAoQKlyh1QXrH9etixm9enSd0SgvEKDMI4HKn+MPNRhpiS9Qw9ErwJVu+tKrIfLmkOERtT/nANDPGW2fCl//s6EYsKGoBk5QpiRUiDaVSJJzJHVz7f7YOTK1EJ0hl/bUJRTgMZ7xkZsmrFnc05RD8SPUtqk91DDI/SwVDZhMkZdyFzq3gtf1WCta/CHgS1FAhuVTOpFI+deXhDzK4KeW+HIT9SuC37RxCGSuRxUmcq5zJxv61t4rFp5sGJw==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB9PR08MB6524.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(8936002)(86362001)(38070700005)(508600001)(83380400001)(33656002)(53546011)(6506007)(7696005)(9686003)(26005)(186003)(52536014)(110136005)(66556008)(66446008)(64756008)(8676002)(55016003)(38100700002)(5660300002)(2906002)(71200400001)(76116006)(91956017)(316002)(6636002)(66946007)(66476007)(122000001); DIR:OUT; SFP:1101;
Content-Type: multipart/alternative; boundary="_000_DB9PR08MB65244E3D456C8B90371BA0E49CE59DB9PR08MB6524eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBAPR08MB5734
Original-Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: VE1EUR03FT064.eop-EUR03.prod.protection.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: 4c83795e-b55e-471f-ef61-08da16223b38
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 4R0moFovhUy2YSn51au386SNf6EmkJ7PiCFfgd8qI5ZPSz2Se0oiyZ+Efh+pf7VrEcmezgjzoFL1fYhoLJrfbNwzhJs+YpSi7aJONp5lFSSlAwtrYWcrbT9jC+oLgQnSsTktdrCqzw7CPoaGTfqH6vkgMCCTuy2v+mILP/wm8wtRs2QDAlJ5uXU4cS+KYYL5lp19U/V0meMWMOaJB9xA0VHkvi1yG+RER/f6kOk0BD0igHtA0rFBbrRnqaIg5styKfxGmNzXYY1n3FX3oOiQ3J0tquFPtRI0nxzFYNFjnTYgb7HfJPwJBx7fSusZDPfuPHj+wuGijygE91cCzh2dKXRnQQTWGfffNBBIhc2zmCAFyKGZ5wUw6Vwft5SzM8w0PvpJLusbxn+z/FKyuTF3J4POX60+uPGFxegpccCkvLQQPjGnCWbXVMmrw3akhYXacq/7Gfq/2uDlE/nfKGezuobqffrA8WRYKRyHrDjn0PM0UA/UJD0EbvyDLbhY8ZEIs4kr86MpM8Dq1x8E2yuM8og/oDR88LV3yBN+/Dlos/6m6+pzG5QQDDFi8kukjSIjsGFiItDNTtSDEY2TlqMWqzECr9OQ3XyUY51d4rlfexUhM1Byc1aihBnrVvYKfPcMXhNXYzs3IKchrtTqBap18b/F/25TEY1ghn2OMvYZi+YX4sOYK8oBl5fhhlv043sI
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(13230001)(4636009)(40470700004)(46966006)(36840700001)(8676002)(110136005)(47076005)(83380400001)(70206006)(70586007)(81166007)(86362001)(316002)(6636002)(356005)(36860700001)(508600001)(450100002)(33656002)(40460700003)(336012)(82310400004)(5660300002)(8936002)(53546011)(52536014)(7696005)(6506007)(186003)(9686003)(26005)(55016003)(2906002); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Apr 2022 10:02:39.1011 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 286ca84e-afc0-4cbf-5857-08da16224080
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: VE1EUR03FT064.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8PR08MB5193
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/FjT4Nb-efODVDiwcCpX3aoHPqmg>
Subject: Re: [Iotops] [Uta] comments on draft-ietf-uta-tls13-iot-profile-04:
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Apr 2022 10:02:55 -0000

> On 03/04/2022, 21:01, "Michael Richardson" <mcr+ietf@sandelman.ca> wrote:
> Thomas Fossati <Thomas.Fossati@arm.com> wrote:
>     >> Reading through the lines, it appears that a server that can't
>     >> handle early data needs to send an error code.  But such a
>     >> server probably doesn't know about the error code.
>
>     > The option is marked critical so if the server does not
>     > understand, it will reject with 4.02.  If it understands it and
>     > does not want to serve the resource (say, because there is some
>     > associated state change) it will reject with 4.25 (or whatever
>     > number IANA will assign to this response code).  In either
>     > cases, the client will not repeat an "early data" request for
>     > that resource.
>
> Okay, I understand this.
> I wonder if this is significant enough a feature that it justifies the
> complexity in the client.

This is a good question, which at the end of the day is for CoRE to
decide.  RFC8446 says "Application protocols MUST NOT use 0-RTT data
without a profile that defines its use." so this is a gap that we are
trying to bridge for CoAP here, based on existing experience with HTTP.
If the CoRE community doesn't feel this feature is relevant, or they
want to punt for now to gather more experience, it's totally fine.  We
could drop Section 14 and possibly resume it later in a separate doc.  I
suspect the fact that DTLS 1.3 has not been published yet may be a
reason for things moving slower than anticipated in this area.

>     >> I'm also concerned that this requires too much cross-layer
>     >> communication between DTLS layer and CoAP layer.
>
>     > It doesn't seem the case to me: the indication is carried within
>     > the CoAP request so it just flows end to end from an application
>     > endpoint to the other.  But maybe I am missing something.  Can
>     > you unpack your concern a bit more?
>
> The DTLS layer has to pass the early data up to the CoAP layer so that
> it can reject with 4.02.
> If it can do that, then it can probably just be coded to process early
> data.
> In my server side, the DTLS layer is buried down in openssl C code,
> while the CoAP layer is in ruby.

The thing is that this feature is enabled on a per-resource basis, so it
needs to bubble up.  It can't be handled transparently by the lower bits
of the stack.

>     >> Validation of client certificates (whether factory provisioned
>     >> IDevIDs, or locally enrolled LDevIDs) is a topic that I care a
>     >> lot about, and this text is inadequate.
>     >>
>     >> As the (industrial) IoT market embraces IDevID certificates,
>     >> there is some concern that different markets will put different
>     >> requirements on IDevID contents.  So far it does not appear
>     >> that anyone has created a situation where a single (fat) IDevID
>     >> certificate couldn't be used in a variety of market verticals,
>     >> the concern remains.
>     >>
>     >> It was my intention to introduce a document about this issue. I
>     >> think that it's something that only the IETF can do.  Perhaps
>     >> that would fit into this UTA document, or perhaps parts of this
>     >> section 15 goes into another document.
>
>     > This looks to me like it'd be a great addition to this document.
>     > I've opened [4]; we can discuss about scope there if you want.
>
> I'm concerned about slowing your document down too much, but perhaps
> the timing is okay, and it might also help in getting external to the
> IETF review of this profile.
>
> When/if we are ready, I think that DANCE should be asked to review.
>
> but, yes, let's discuss more.
> I'll try to send some proposed text in the next two weeks.
> Even if it doesn't go into this document, then it might form the basis
> of another document.

+1

Let's give it a try, if it explodes we still have a fall back.

Cheers



IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email