Re: [ipwave] comments on the TLS certs draft

Alexandre Petrescu <alexandre.petrescu@gmail.com> Fri, 29 March 2019 15:17 UTC

To: William Whyte <wwhyte@onboardsecurity.com>
Cc: "its@ietf.org" <its@ietf.org>
References: <e4f79bf5-4b61-73f3-3fef-6080a95d2209@gmail.com> <CAND9ES1n9obVvSi7TrDjPeBYkPLj=K7djQFBhN2+WuoQvNkRZQ@mail.gmail.com>
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
Message-ID: <483e04fa-8629-dab7-66f6-8eb0bc7a5180@gmail.com>
Date: Fri, 29 Mar 2019 16:17:31 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/its/19wgtJ1eClwse_8FW5cb_idRn_w>
Subject: Re: [ipwave] comments on the TLS certs draft
List-Id: IPWAVE - IP Wireless Access in Vehicular Environments WG at IETF <its.ietf.org>

I agree with the statements about deployment expectation and available 
commercial support, and with the existing SDOs and sites asking for this 
draft.

On my side, I work for a few small deployments as well.

I need certificates now.

Allow me to be specific about my case.

I am in France: in order to obtain ITS-specific certificates I got 
redirected to a French enterprise named IDnomic.  It is a great company 
(presumably part of what you refer to as 'commercial support') that has 
a website with ITS described as Object-ID: https://www.idnomic.com/object-id/

However, on that web page there is no button to press to ask for a 
certificate.  IDnomic is not like, let's say, asking Let's Encrypt for a 
certificate.   Let's Encrypt can offer me certificates in an automated 
manner and, not least important, for free.

On the downside, Let's Encrypt certificates are not specific to 
vehicular networks.  (I suppose Let's Encrypt has never heard about ITS 
extensions to certificates.)

In this situation, what I do in my deployments is generate our own 
certificates and sign them with our own CAs created locally.  The cars 
and traffic lights connect to our own OpenVPN server; they understand 
each other because they are under the same authority.

Yet this situation is not something that can scale: I don't want more 
and more vehicles to connect to my server.  It risks becoming a single 
point of failure.

As a side note, I take advantage of this discussion to ask whether there 
is a software implementation, or a howto, that allows me to easily 
generate certificates with the ITS extensions described in this draft.

I need these now (well, during the following months).

Alex

On 29/03/2019 at 13:38, William Whyte wrote:
> Alex, these certs are going to be widely deployed, and there is good 
> commercial support for them. We have standards organizations and 
> deployment sites asking for this draft.
> 
> Cheers,
> 
> William
> 
> 
> On Fri, Mar 29, 2019 at 8:37 AM Alexandre Petrescu 
> <alexandre.petrescu@gmail.com <mailto:alexandre.petrescu@gmail.com>> wrote:
> 
>     draft-tls-certieee1609-02
> 
>     draft-msahli-ipwave-ieee1609-00.txt
> 
> 
>     The certificates are highly necessary for securing IP based
>     communications in vehicle networks.
> 
>     But the conditions of their use may prevent deployment.
> 
>     - can I use an open source package to generate now a certificate
>     with features of these drafts?
> 
>     - is there a Certificate Authority that I can ask now to sign them?
> 
>     - can I do these two things for free now?
> 
>     Because in absence of these conditions, I am highly tempted to use
>     openvpn and its associated free tools to generate my own CA and my
>     own certificates to put in the cars I deal with.
> 
>     I think in practice several people do just that.
> 
>     I think it is a situation that needs to be prevented, because it
>     means the drafts are not used.
> 
>     Alex
> 
>     _______________________________________________
>     its mailing list
>     its@ietf.org <mailto:its@ietf.org>
>     https://www.ietf.org/mailman/listinfo/its
> 
> 
> 
> -- 
> 
> ---
> 
> I may have sent this email out of office hours. I never expect a 
> response outside yours.
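The local-CA setup the message describes (own certificates signed by a CA created locally, with cars, traffic lights and the VPN server trusting each other only because they share that authority), as an added example that is not code from the thread, from IDnomic or from OpenVPN: a minimal private CA written against Go's standard crypto/x509, issuing role-separated leaf certificates and rejecting a certificate from a foreign CA. ECDSA P-256 keys, the validity periods, and names such as "Local ITS Test CA", "vehicle-0001" and "vpn.example.test" are assumptions for illustration. It produces plain X.509 only, i.e. the fallback the message says is used in practice, and nothing with the IEEE 1609.2 content the drafts describe.

```go
package main

// Added example, not code from the thread. Assumptions: ECDSA P-256 keys,
// a 10-year root, 90-day leaves; all names below are constructed.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Authority is a locally created root CA plus the pool a verifier trusts.
type Authority struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

// NewAuthority creates a self-signed root that may sign leaves but no sub-CAs.
func NewAuthority(name string) (*Authority, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // path length 0: no intermediate CAs
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &Authority{Cert: cert, Key: key, pool: pool}, nil
}

// Issue signs a leaf for one endpoint. A vehicle or traffic light gets
// clientAuth only; the VPN server gets serverAuth only, so a stolen device
// certificate cannot be used to impersonate the server towards other devices.
func (a *Authority) Issue(serial int64, cn string, server bool) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	eku := x509.ExtKeyUsageClientAuth
	if server {
		eku = x509.ExtKeyUsageServerAuth
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, a.Cert, &key.PublicKey, a.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// Verify is the check each side performs on its peer: chain to our root,
// validity period, and the expected role (client or server).
func (a *Authority) Verify(leaf *x509.Certificate, role x509.ExtKeyUsage) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: a.pool, KeyUsages: []x509.ExtKeyUsage{role}})
	return err
}

func main() {
	ours, err := NewAuthority("Local ITS Test CA")
	if err != nil {
		panic(err)
	}
	car, _, _ := ours.Issue(1001, "vehicle-0001", false)
	srv, _, _ := ours.Issue(2, "vpn.example.test", true)
	fmt.Println("server trusts vehicle-0001:   ", ours.Verify(car, x509.ExtKeyUsageClientAuth) == nil)
	fmt.Println("vehicle trusts server:        ", ours.Verify(srv, x509.ExtKeyUsageServerAuth) == nil)
	fmt.Println("vehicle accepts car as server:", ours.Verify(car, x509.ExtKeyUsageServerAuth) == nil)
	// A well-formed certificate from a different authority is still rejected.
	other, _ := NewAuthority("Some Other CA")
	stranger, _, _ := other.Issue(5, "vehicle-0001", false)
	fmt.Println("server trusts stranger:       ", ours.Verify(stranger, x509.ExtKeyUsageClientAuth) == nil)
}
```

The last check is the scaling problem the message points at: a vehicle provisioned by anyone else is unknown to this root, so every car that should interoperate has to be enrolled against the same locally held key, which is exactly what makes that server a single point of failure.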