[Iotops] comments on draft-ietf-uta-tls13-iot-profile-04:
Michael Richardson <mcr+ietf@sandelman.ca> Sat, 26 March 2022 12:42 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: iotops@ietfa.amsl.com
Delivered-To: iotops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D0CB3A0933; Sat, 26 Mar 2022 05:42:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l4iHKjQ30I6n; Sat, 26 Mar 2022 05:42:12 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00:e000:2bb::1]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEC933A08C6; Sat, 26 Mar 2022 05:42:08 -0700 (PDT)
Received: from dooku.sandelman.ca (unknown [62.218.44.74]) by relay.sandelman.ca (Postfix) with ESMTPS id BBDDB1F458; Sat, 26 Mar 2022 12:42:06 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id BC2DB1A01DE; Sat, 26 Mar 2022 13:42:05 +0100 (CET)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: uta@ietf.org, core@ietf.org, iotops@ietf.org
cc: hannes.tschofenig@arm.com
X-Attribution: mcr
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sat, 26 Mar 2022 13:42:05 +0100
Message-ID: <59686.1648298525@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/hHSsRJgMHBGVBI2aJqKl8cQiwSo>
Subject: [Iotops] comments on draft-ietf-uta-tls13-iot-profile-04:
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Mar 2022 12:42:18 -0000
I read draft-ietf-uta-tls13-iot-profile-04 today. Thank you Hannes for presenting it at IOTOPS. To be, it is precisely this kind of thing that IOTOPS was created for. 1) I feel that the 4.25 Too Early allocation for CoAP could use a bit more explanation, and probably there needs to be some more clear review at CORE. (maybe it already happened and I missed it?) Reading through the lines, it appears that a server that can't handle early data needs to send an error code. But such a server probably doesn't know about the error code. I would have thought it should just hang on to the data until the (D)TLS negotiation is complete. I'm also concerned that this requires too much cross-layer communication between DTLS layer and CoAP layer. 2) A long thread at LAMPS two years suggests that the term "Intermediate CA" applies only to cross-certification authoritiy bridges, and the term "Subordinate CA" should be used. That this is consistent with history going back to RFC4949. 3) While section 10 on SNI does not say *how* to use DoH or DPRIVE to provide for confidentiality of names that are looked up, a naive use of DoH with Google/Cloudflare/etc. by IoT devices would be a problem for almost all enterprises that wish to filter the DNS used by IoT devices, and to use DNS canaries to identify malware. Given that such an involved discussion is not in scope for this document, it might be better just to refer to the ADD WG without mentioning specific solutions. I am, in general, not convinced that encrypted SNI serves any purpose for most IoT devices. 4) section 15 There is much discussion about what goes into the certificates. I didn't really understand why that is in this document. Validation of server certificates is well covered in RFC6125, I think. Validation of client certificates (whether factory provisioned IDevIDs, or locally enrolled LDevIDs) is a topic that I care a lot about, and this text is inadequate. As the (industrial) IoT market embraces IDevID certificates, there is some concern that different markets will put different requirements on IDevID contents. So far it does not appear that anyone has created a situation where a single (fat) IDevID certificate couldn't be used in a variety of market verticals, the concern remains. It was my intention to introduce a document about this issue. I think that it's something that only the IETF can do. Perhaps that would fit into this UTA document, or perhaps parts of this section 15 goes into another document. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Iotops] comments on draft-ietf-uta-tls13-iot-pro… Michael Richardson
- Re: [Iotops] [Uta] comments on draft-ietf-uta-tls… Thomas Fossati
- Re: [Iotops] [Uta] comments on draft-ietf-uta-tls… Michael Richardson
- Re: [Iotops] [Uta] comments on draft-ietf-uta-tls… Thomas Fossati
- Re: [Iotops] comments on draft-ietf-uta-tls13-iot… Hannes Tschofenig
- Re: [Iotops] comments on draft-ietf-uta-tls13-iot… Michael Richardson