Re: [saag] draft-hallambaker-mesh-udf-02
Michael Richardson <mcr+ietf@sandelman.ca> Tue, 23 April 2019 20:21 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B7AA120344 for <saag@ietfa.amsl.com>; Tue, 23 Apr 2019 13:21:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 09J4ArmQjDjV for <saag@ietfa.amsl.com>; Tue, 23 Apr 2019 13:21:02 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3909D12013D for <saag@ietf.org>; Tue, 23 Apr 2019 13:21:01 -0700 (PDT)
Received: from dooku.sandelman.ca (unknown [75.98.19.133]) by relay.sandelman.ca (Postfix) with ESMTPS id 251681F457; Tue, 23 Apr 2019 20:21:00 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 8C1D32BF8; Tue, 23 Apr 2019 16:21:10 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Phillip Hallam-Baker <phill@hallambaker.com>
cc: IETF SAAG <saag@ietf.org>
In-reply-to: <CAMm+Lwjux2jUQkN7ZuY-j9XLR-VGb8NbNAvPQuimghhHBL2Pjg@mail.gmail.com>
References: <CA+XWq4HMV=GCQD=0Nb+JjfMMpLXhJQq_1VLThbjJq-_BuUNsOw@mail.gmail.com> <CAMm+Lwjux2jUQkN7ZuY-j9XLR-VGb8NbNAvPQuimghhHBL2Pjg@mail.gmail.com>
Comments: In-reply-to Phillip Hallam-Baker <phill@hallambaker.com> message dated "Mon, 22 Apr 2019 16:22:45 -0400."
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 23 Apr 2019 16:21:10 -0400
Message-ID: <31575.1556050870@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/GE9PL9X6KqSaLiNGOl3yvQxJgZc>
Subject: Re: [saag] draft-hallambaker-mesh-udf-02
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Apr 2019 20:21:04 -0000
mcr> Phill, I am reading your UDF document with the idea that IoT
mcr> devices on constrained networks can send a reference to an IDevID
mcr> rather than send the IDevID in-band. This would apply to both DTLS and
mcr> also to EDHOC and HIP (such as for 802.15.9 keying).
Phillip Hallam-Baker <phill@hallambaker.com> wrote:
> If we went down that route, we might want to go full throttle and add
> in a code point for a verbatim public key rather than a hash of a
> public key. I have added that to the spec and removed it three times
> because I do not make use of it in the Mesh.
I am not opposed to such a thing, but in my use case I would not use it.
I actually need the strong connection to the manufacturer, and the extensions
that PKIX provides. (Some new CoID would work equally well, but would also be
larger than a raw public key)
> Another capability I left out is the authenticated only Locator
> form. So the browser follows a link, gets back the result and compares
> the fingerprint before accepting it. That could be a useful capability
> for other applications.
The fingerprint is in the link, along with the link?
That seems bigger, and does not help me.
mcr> You have specified rfc3986 rather than 3987, so your URI are not
mcr> internationalized. Is there a reason for that?
> Lack of confidence in my knowledge of the subject material and lack of
> time to get to a sufficient understanding.
> Since the path-abempty of the URI is constrained to be base32 encoded
> text, with punctuation (-/), the only place where there is scope for
> internationalization is authority, that is the DNS name.
I am also not an internationalization expert.
We referenced iauthority in 3987 in draft-ietf-anima-bootstrap-keyinfra
rather than authothority from 3986. This is within a PKIX extension.
Maybe we were wrong.
> If we are forming a QR code, we might as well just use the punycode.
Well that eats up a 30% more bytes, doesn't it? It's not like we have to put
it through an ASCII<->EBCDIC gateway like email.
mcr> Can you advance the use document without the rest of mmm?
> Yes. I have presented the work as a single unit because this is what we
> told the PeP people that we wanted when they came to SECDispatch. But I
> am quite happy to go a-la-carte if people prefer.
> The UDF doc is probably the one that is most easily separated from the
> rest as it doesn't depend on any other part of the Mesh. It does depend
> on draft-hallambaker-web-service-discovery but that is actually just a
> profile of [RFC6763] and [RFC5785].
Can we do that, then?
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
- [saag] draft-hallambaker-mesh-udf-02 Michael Richardson
- Re: [saag] draft-hallambaker-mesh-udf-02 Phillip Hallam-Baker
- Re: [saag] draft-hallambaker-mesh-udf-02 Nico Williams
- Re: [saag] draft-hallambaker-mesh-udf-02 Michael Richardson