Re: [ipwave] RFC8902 - TLS with ITS Certificates, EXPERIMENTAL, and the one PKI and one Internet

Alexandre Petrescu <alexandre.petrescu@gmail.com> Fri, 23 April 2021 11:30 UTC

Return-Path: <alexandre.petrescu@gmail.com>
X-Original-To: its@ietfa.amsl.com
Delivered-To: its@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A8AD3A19E7 for <its@ietfa.amsl.com>; Fri, 23 Apr 2021 04:30:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.633
X-Spam-Level:
X-Spam-Status: No, score=-1.633 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FORGED_GMAIL_RCVD=1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JFusudTJXKDT for <its@ietfa.amsl.com>; Fri, 23 Apr 2021 04:30:24 -0700 (PDT)
Received: from oxalide-smtp-out.extra.cea.fr (oxalide-smtp-out.extra.cea.fr [132.168.224.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 430133A19CC for <its@ietf.org>; Fri, 23 Apr 2021 04:30:23 -0700 (PDT)
Received: from pisaure.intra.cea.fr (pisaure.intra.cea.fr [132.166.88.21]) by oxalide-sys.extra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id 13NBUKWn012514; Fri, 23 Apr 2021 13:30:20 +0200
Received: from pisaure.intra.cea.fr (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 905BE206728; Fri, 23 Apr 2021 13:30:20 +0200 (CEST)
Received: from muguet2-smtp-out.intra.cea.fr (muguet2-smtp-out.intra.cea.fr [132.166.192.13]) by pisaure.intra.cea.fr (Postfix) with ESMTP id 846CA20178B; Fri, 23 Apr 2021 13:30:20 +0200 (CEST)
Received: from [10.14.5.64] ([10.14.5.64]) by muguet2-sys.intra.cea.fr (8.14.7/8.14.7/CEAnet-Internet-out-4.0) with ESMTP id 13NBUKUD021684; Fri, 23 Apr 2021 13:30:20 +0200
To: Mounira MSAHLI <msahli1717@gmail.com>, its@ietf.org
References: <acc0f475-7f7b-bfbe-1099-913f0cef4de6@gmail.com> <01d601d731e3$140e2ed0$3c2a8c70$@eurecom.fr> <0600020f-b6ca-4d6d-2499-817586bc3548@gmail.com> <CAMEeBw9eaPBRT26BqqmXdEpqFzSTGt8w46wmexfg7ax4aRP-pQ@mail.gmail.com> <CAA2OGZCntE+FUtzKwxrsH7i_q70jjZuPoUjRG7cYmEVRHFJU8g@mail.gmail.com> <19dce5f5-8dca-55c2-4d46-bb83046562ab@gmail.com> <CAA2OGZDzWjQkSkn7W3bNC-w8ANk3Do-OdUwpZn9SK3na9afRpA@mail.gmail.com> <CAA2OGZAt+8araN_X_hMdZSpEaNmEZbrXUag8uhR5HALDgUqP4w@mail.gmail.com>
From: Alexandre Petrescu <alexandre.petrescu@gmail.com>
Message-ID: <9ac5851c-ab4c-5876-5138-3a93b0b5a8d5@gmail.com>
Date: Fri, 23 Apr 2021 13:30:20 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0
MIME-Version: 1.0
In-Reply-To: <CAA2OGZAt+8araN_X_hMdZSpEaNmEZbrXUag8uhR5HALDgUqP4w@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: fr
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/its/NZ8a_CVIV_qnP1CFRvusYQs6Jmo>
Subject: Re: [ipwave] RFC8902 - TLS with ITS Certificates, EXPERIMENTAL, and the one PKI and one Internet
X-BeenThere: its@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPWAVE - IP Wireless Access in Vehicular Environments WG at IETF <its.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/its>, <mailto:its-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/its/>
List-Post: <mailto:its@ietf.org>
List-Help: <mailto:its-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/its>, <mailto:its-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Apr 2021 11:30:35 -0000

[...]

> You mean the certificate authority. You want to sign CAM with 
> certificate authority ?

Sorry, that was an error in wording.

I did not mean the CA to sign the CAM.

I mean the CA signs the certs it gives me, and I sign the CAM with these
certs.  The receiver verifies using the CA they already have built into
their browsers.

(In some OSes, like Windows, there is also another list of built-in CAs,
which is coupled tightly with that OS's browser; but that is it: a
built-in list of CAs.)

[...]

>>> http://www.scoop.developpement-durable.gouv.fr/
>>>
>>> This is not reachable on IPv6.
>
> You mean the web page of the project or the PKI of the project ?

Thanks for the distinction.  That is a perfect distinction to formulate
in a wish list, or in a list of requirements:

Both the server and the web page of the project should be reachable on IPv6.

I am not sure which protocol is used to communicate with the CA, maybe
OCSP, maybe others.  But these protocols must all be run on IPv6 for a
CA that supports vehicular networks.  If necessary, they could also be
on IPv4.

For the web page: for me personally, if a website of a trust provider is
available on IPv6 it inspires further trust.

But I am also aware that some websites, including Google, have very
strange behaviour with respect to security when on IPv6.  For example,
if I use Google's SMTP server over IPv6 it sometimes complains that
this is a new device, and makes additional cumbersome security checks.
It is in fact a new protocol that Google has known very well for a long
time (they have been promoting IPv6 for a long time now).

These are problems that should not appear in vehicular networks, if
addressed well.

Alex
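The CA / station / receiver roles sketched above (the CA signs the station's certificate, the station signs the CAM with the key behind that certificate, the receiver checks the certificate against a CA it already holds and only then checks the signature) as an added, self-contained example in Go. This is illustration written for this archive page, not code from the thread, from RFC 8902 or from the SCOOP project: it uses ordinary X.509 and the Go standard library as a stand-in for the ITS certificate format the thread discusses, the CA and station names are constructed, and the JSON payload is a constructed stand-in for a CAM rather than the ETSI encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must shortens the setup code; it guards only key and certificate generation.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTemplate builds a minimal certificate template (serials and names are constructed).
func newTemplate(serial int64, cn string, isCA bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: isCA, BasicConstraintsValid: isCA,
	}
}

// NewRootCA creates a self-signed root, standing in for a CA already in the receiver's built-in list.
func NewRootCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := newTemplate(1, "Example ITS Root CA", true)
	t.KeyUsage |= x509.KeyUsageCertSign
	der := must(x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// IssueCert is the "CA signs the certs it gives me" step: an end-entity cert signed with the CA key.
func IssueCert(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey, cn string) []byte {
	return must(x509.CreateCertificate(rand.Reader, newTemplate(2, cn, false), caCert, pub, caKey))
}

type SignedCAM struct {
	Payload, CertDER, Sig []byte // the message, the sender's DER certificate, the ECDSA signature
}

// SignCAM is the "I sign the CAM with these certs" step: sign with the key behind the issued cert.
func SignCAM(payload, certDER []byte, key *ecdsa.PrivateKey) *SignedCAM {
	h := sha256.Sum256(payload)
	return &SignedCAM{Payload: payload, CertDER: certDER, Sig: must(ecdsa.SignASN1(rand.Reader, key, h[:]))}
}

// VerifyCAM is the receiver's side: chain the sender's certificate to a root in the local
// trust store first, then check the signature over the payload with the key from that cert.
func VerifyCAM(msg *SignedCAM, roots *x509.CertPool) error {
	cert, err := x509.ParseCertificate(msg.CertDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("sender certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("sender certificate does not carry an ECDSA key")
	}
	h := sha256.Sum256(msg.Payload)
	if !ecdsa.VerifyASN1(pub, h[:], msg.Sig) {
		return fmt.Errorf("signature does not match payload")
	}
	return nil
}

// RunScenario checks the three cases a receiver must get right: accept a CAM under the trusted
// CA, reject it when the CA is absent from the trust store, reject it when the payload changed.
func RunScenario() error {
	caCert, caKey := NewRootCA()
	stationKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	certDER := IssueCert(caCert, caKey, &stationKey.PublicKey, "station-1") // constructed name
	cam := []byte(`{"stationID":1,"lat":48.71,"lon":2.18}`) // constructed stand-in for a CAM
	msg := SignCAM(cam, certDER, stationKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(caCert)
	if err := VerifyCAM(msg, trusted); err != nil {
		return fmt.Errorf("valid CAM rejected: %w", err)
	}
	if VerifyCAM(msg, x509.NewCertPool()) == nil {
		return fmt.Errorf("CAM accepted without the CA in the trust store")
	}
	tampered := &SignedCAM{Payload: []byte(`{"stationID":1,"lat":48.71,"lon":9.18}`), CertDER: msg.CertDER, Sig: msg.Sig}
	if VerifyCAM(tampered, trusted) == nil {
		return fmt.Errorf("tampered CAM accepted")
	}
	return nil
}
```

The order inside VerifyCAM is the point: the chain check against the local trust store comes before the signature check, so a message carrying a certificate from an unknown CA is rejected without its signature ever being treated as meaningful. Whether the receiver obtains that trust store as a built-in list or fetches revocation status over OCSP is outside the example; as the message notes, a CA endpoint used from vehicles needs to be reachable over IPv6 either way.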