[Lake] Re: LAKE proposed charter
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 08 October 2025 16:01 UTC
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Mališa Vučinić <malisa.vucinic@inria.fr>
CC: Marco Tiloca <marco.tiloca@ri.se>, "lake@ietf.org" <lake@ietf.org>
Subject: [Lake] Re: LAKE proposed charter
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/j0Z2Ava6nhO9cw_7qM4krE0Gr-o>

Mališa Vučinić <malisa.vucinic@inria.fr> wrote:
> The deadline above has expired, we have not received sufficient
> feedback on the charter to proceed. We will be extending the deadline
> for another week from today, please get back to us with any feedback on
> the proposed charter or simply expressing support by Wednesday,
> 15-October-2025 AoE.

I read the re-chartering text: I have no objections.

My understanding is that some certificate validity/revocation mechanism
(whether constrained OCSP or something else) is no longer in the charter?

Call me skeptical about the real utility of CRLs and OCSP, period.
OCSP-staples are slightly more useful, yet...

Geoff Huston has a talk about this at the big-I Internet.

On the small, if you need such a mechanism, then I think there are better
architectures.

If devices have to connect to a coordinator-like device regularly to update a
CRL, do OCSP, or update their OCSP-staple, then one could equally do
Kerberos, which, when constrained, is what we did in *ACE*.

So, as a relying party (a RS) I don't care if some IoT device is still called
52172a0d-1681-4555-944a-452614e536e3 or not.
I care if some key is still *authorized* to do operation XYZ.

To that end, the only time the device identity matters is during onboarding,
and there, it only matters to the extent that I have a non-counterfeit device
from a manufacturer I was expecting.
--
Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide