IETF Logo Mail Archive

Re: [Lake] [EXT] Re: EDHOC negotiation and errors

Michael Richardson <mcr+ietf@sandelman.ca> Sat, 25 February 2023 21:18 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07049C1BE880 for <lake@ietfa.amsl.com>; Sat, 25 Feb 2023 13:18:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.396
X-Spam-Level:
X-Spam-Status: No, score=-4.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wbq3IUUlDjVw for <lake@ietfa.amsl.com>; Sat, 25 Feb 2023 13:18:28 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF3ECC14CE4F for <lake@ietf.org>; Sat, 25 Feb 2023 13:18:27 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 3EE8F3898F; Sat, 25 Feb 2023 16:49:57 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id uS7Sc29nHv0M; Sat, 25 Feb 2023 16:49:56 -0500 (EST)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id 7B7493898E; Sat, 25 Feb 2023 16:49:56 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1677361796; bh=QcwRWWXjrxT7FZYHjbEf3Ca6X3iq7JizXigTkC4QyNg=; h=From:to:Subject:In-Reply-To:References:Date:From; b=QlMWvNuhuw/Kevo1oPRq4bgk+huTHqnHhD5uR4K5Vo4JRrECFsbHxM5FmOFZLgaNH oLx/rwauOKZGf4XYzA4X5NpJRPY92AB0B9KsVp4XSfP7GYT75Roa5vELfxjv+OnBvE ebpscuycAK1BeA/18N9rHY6jXIkXjaY9A+8nCV7X0qOxptNySMNHsBgLYd/xmBl340 XxUm3u6WQaj/rWMq4VVQruIn/rYk1VL0reCPn+7KM95Ev+/Aydee/KgHYrO8j9JvF4 inKpttlo5gEQr7OGhAS6BMVraAj/GfmaY7ed+8l/qtGBwd9y3CQyShdyUxGILRn8O5 VhAr79H/HQrmg==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 7EB45EA; Sat, 25 Feb 2023 16:18:24 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
to: "Sipos, Brian J." <Brian.Sipos@jhuapl.edu>, =?us-ascii?Q?=3D=3Futf-8=3FB=3FR8O2cmFuIF NlbGFuZGVy=3F=3D?= <goran.selander@ericsson.com>, "lake@ietf.org" <lake@ietf.org>
In-Reply-To: <11658.1677348716@localhost>
References: <4d31baf067a94571956ef46efe025805@jhuapl.edu> <PAXPR07MB8844F5F2D059ED1E11EEB6ACF4A59@PAXPR07MB8844.eurprd07.prod.outlook.com> <eaf9618523934b219e890f597ccf6297@jhuapl.edu> <12828.1677014257@localhost> <63885c9bfe864621829800e0cfe43832@jhuapl.edu> <11658.1677348716@localhost>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sat, 25 Feb 2023 16:18:24 -0500
Message-ID: <8842.1677359904@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/RG4LTkOvPzy6z8eBqPOwTy1SLWs>
Subject: Re: [Lake] [EXT] Re: EDHOC negotiation and errors
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Feb 2023 21:18:32 -0000


Michael Richardson <mcr+ietf@sandelman.ca> wrote:
    > Sipos, Brian J. <Brian.Sipos@jhuapl.edu> wrote:
    >> I did have a chance to read through that document and in my case it's a
    >> MANET-like collection of autonomous nodes, where having a certificate
    >> with an appropriate EKU purpose under a trusted CA is sufficient to
    >> join a network.

    > Then I think that your nodes have already onboarded, and you are just
    > connecting to the network.

    > I still think you should use x5u, but use a coap: URL that allows the peer to
    > retrieve the certificate from the host itself.

To follow to my email.

BRSKI(RFC8995) and the draft-selander-lake-authz (which I call
"Ultra-constrained BRSKI")'s goal is to get to the point where each node has
a certificate under a trusted CA.  This *onboarding* is based upon an IDevID
that is **provisioned** at the factory.

How we *Join* a network in this ultra-constrained space is slightly open to
innovation, but using EDHOC to key an OSCORE session, and then using
RFC9031's CoJP to get a symmetric (network) key is the expected path.

Brian, I'm wondering what your process is/will be?


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email