IETF Logo Mail Archive

[Lake] EDHOC negotiation and errors

"Sipos, Brian J." <Brian.Sipos@jhuapl.edu> Mon, 20 February 2023 22:17 UTC

Return-Path: <Brian.Sipos@jhuapl.edu>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E916C1522BD for <lake@ietfa.amsl.com>; Mon, 20 Feb 2023 14:17:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.997
X-Spam-Level:
X-Spam-Status: No, score=-6.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FUZZY_XPILL=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jhuapl.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JlGwBTWA5Rr8 for <lake@ietfa.amsl.com>; Mon, 20 Feb 2023 14:16:58 -0800 (PST)
Received: from aplegw01.jhuapl.edu (aplegw01.jhuapl.edu [128.244.251.168]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDC04C15155E for <lake@ietf.org>; Mon, 20 Feb 2023 14:16:58 -0800 (PST)
Received: from pps.filterd (aplegw01.jhuapl.edu [127.0.0.1]) by aplegw01.jhuapl.edu (8.17.1.19/8.17.1.19) with ESMTP id 31KMGvxA022350 for <lake@ietf.org>; Mon, 20 Feb 2023 17:16:57 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhuapl.edu; h=from : to : subject : date : message-id : content-type : mime-version; s=JHUAPLDec2018; bh=/fHRbE5yIyrai9C7Z5RUE8DHly23j9SEBB8KJQm6lmI=; b=Kdc4FNVgz38TnruZQuI0XcLZKHmTt7gUCGFYJXlvCaSZlNevBIDvW0d1WzT858rmoA8V Gd2e7J6+BSi1vzDYJvdhG2jxjv0fdbPNDNB/ygRaRdZXdBxnBb3tzsU2ytIQXyKH1bpw dBnf/GcLQRLNUk3iN4xkqlsXCyrFCJm13cab+pm4j9aec4hKUWt6nNH6/XoEmG/g5etS sMRzYEnmvz0R8/k6VQ5wWV1wHGzZHQbOtw+zEZMYkAStMqZrmXmx6WVr0X6jRBd1Kz7/ 2AG85cwAoOQKbr3EyLiuHbLbGgCeATv5TrKUwawc1/z2C5qV0++tvyd8oGm5vlKPe5z6 2Q==
Received: from aplex23.dom1.jhuapl.edu (aplex23.dom1.jhuapl.edu [10.114.162.8]) by aplegw01.jhuapl.edu (PPS) with ESMTPS id 3ntrkd9t1h-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <lake@ietf.org>; Mon, 20 Feb 2023 17:16:57 -0500
Received: from APLEX21.dom1.jhuapl.edu (10.114.162.6) by APLEX23.dom1.jhuapl.edu (10.114.162.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.21; Mon, 20 Feb 2023 17:16:56 -0500
Received: from APLEX21.dom1.jhuapl.edu ([fe80::20d7:9545:f01e:9b2]) by APLEX21.dom1.jhuapl.edu ([fe80::20d7:9545:f01e:9b2%5]) with mapi id 15.02.1118.021; Mon, 20 Feb 2023 17:16:56 -0500
From: "Sipos, Brian J." <Brian.Sipos@jhuapl.edu>
To: "lake@ietf.org" <lake@ietf.org>
Thread-Topic: EDHOC negotiation and errors
Thread-Index: AdlFcyNJVXSaBcDcS92pLvKgOKYffw==
Date: Mon, 20 Feb 2023 22:16:56 +0000
Message-ID: <4d31baf067a94571956ef46efe025805@jhuapl.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.162.26]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_05DC_01D9454F.21761520"
MIME-Version: 1.0
X-CrossPremisesHeadersFilteredBySendConnector: APLEX23.dom1.jhuapl.edu
X-OrganizationHeadersPreserved: APLEX23.dom1.jhuapl.edu
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.219,Aquarius:18.0.930,Hydra:6.0.562,FMLib:17.11.170.22 definitions=2023-02-20_17,2023-02-20_02,2023-02-09_01
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/-PSbOYNgRgkUABW3lXzPqcrW-Dk>
Subject: [Lake] EDHOC negotiation and errors
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Feb 2023 22:17:03 -0000

Hello,

I've been a long-time user of COSE and more recently have been investigating
the use of EDHOC as a means of key agreement over long- and variable-delay
links. It seems to be quite a good fit to cover the same capabilities of
IPsec IKE and DTLS handshake in a transport-agnostic way. One part that
seems to be missing is a standard way for EDHOC endpoints to negotiate
credential contents.

 

My use case would be optimized if there was a way for an endpoint to include
in the ID_CRED_x an "x5t" parameter by default for terseness with known
peers but be able to have the peer signal back an "unknown credential
referenced" error so that the ID_CRED_x could instead be sent with an entire
"x5chain" which would then be cached on the peer. The distinction here is
"unknown credential referenced" meaning the peer doesn't have the credential
versus "invalid credential type" meaning the peer can't handle the given
type (KID vs. x5t vs. x5u, etc.). The reason for this kind of negotiation is
that the x5t ID would be significantly smaller than the full x5chain.

 

I don't see any earlier mailing list discussion on this topic and there's no
private use or experimental range reserved for the error code registry, so I
don't see any way of communicating these types of negotiation in an
interoperable way. Obviously a follow-on document could make these kinds of
error code allocations with accompanying logic, but this seems like a
'typical' use case for EDHOC on an open network.

Any thoughts?

 

Brian S.

v2.23.0 | Report a Bug | By Email