IETF Logo Mail Archive

Re: [Secdispatch] EDHOC Summary

Göran Selander <goran.selander@ericsson.com> Wed, 10 April 2019 08:24 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43BA71202D0 for <secdispatch@ietfa.amsl.com>; Wed, 10 Apr 2019 01:24:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.022
X-Spam-Level:
X-Spam-Status: No, score=-1.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aDlisa3WkIST for <secdispatch@ietfa.amsl.com>; Wed, 10 Apr 2019 01:24:02 -0700 (PDT)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30082.outbound.protection.outlook.com [40.107.3.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CB941202CF for <secdispatch@ietf.org>; Wed, 10 Apr 2019 01:24:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=cxDdZ9XoDBXLpRgZm29TR2UKpSVDfZXbRuRfIzxJnZA=; b=XPydfc/1xj9kx8ucE8inP2A2DGMsqjqxgG60uE/v+UVXs7RI5lu6kpufGQxHmSo/AwLilqWDC4uI9yD+kzYYo8tIujQS5ZOUsB73yb/jRGC5ED/xypTk6vNjwH4rsrb56tCbSJfVaq+TH4e9FUpYYvMTyheUDKalDzqp+AzmayY=
Received: from HE1PR07MB4172.eurprd07.prod.outlook.com (20.176.166.25) by HE1PR07MB3420.eurprd07.prod.outlook.com (10.170.247.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1792.8; Wed, 10 Apr 2019 08:23:59 +0000
Received: from HE1PR07MB4172.eurprd07.prod.outlook.com ([fe80::c587:c2ec:e227:84fd]) by HE1PR07MB4172.eurprd07.prod.outlook.com ([fe80::c587:c2ec:e227:84fd%4]) with mapi id 15.20.1813.003; Wed, 10 Apr 2019 08:23:59 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: Martin Thomson <mt@lowentropy.net>, "secdispatch@ietf.org" <secdispatch@ietf.org>
Thread-Topic: [Secdispatch] EDHOC Summary
Thread-Index: AdTlTpiwSQddzTDHR8ys25qjhhiyAAJEpqUAAB7BU4AAGzlsAAAPmRGA
Date: Wed, 10 Apr 2019 08:23:59 +0000
Message-ID: <EFBEA5B1-46E0-407F-BB53-9815AEC878A3@ericsson.com>
References: <359EC4B99E040048A7131E0F4E113AFC01B3311A9F@marchand> <012a4798-fc70-4b5d-b0da-373221c95d38@www.fastmail.com> <721B6044-8DA1-4173-BE73-87D37136DFEE@ericsson.com> <8e8873a9-2352-40af-8e60-370012393ccc@www.fastmail.com>
In-Reply-To: <8e8873a9-2352-40af-8e60-370012393ccc@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.17.1.190326
authentication-results: spf=none (sender IP is ) smtp.mailfrom=goran.selander@ericsson.com;
x-originating-ip: [213.89.213.86]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0d427bda-7439-4172-ac89-08d6bd8de204
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600139)(711020)(4605104)(2017052603328)(7193020); SRVR:HE1PR07MB3420;
x-ms-traffictypediagnostic: HE1PR07MB3420:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <HE1PR07MB3420C5D8440752FA92F5B3C6F42E0@HE1PR07MB3420.eurprd07.prod.outlook.com>
x-forefront-prvs: 00032065B2
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(376002)(136003)(366004)(346002)(396003)(189003)(199004)(51444003)(6486002)(106356001)(85202003)(25786009)(53936002)(6512007)(2906002)(6116002)(6436002)(14444005)(186003)(105586002)(256004)(6246003)(6306002)(3846002)(81166006)(66066001)(71190400001)(85182001)(71200400001)(83716004)(8936002)(8676002)(81156014)(229853002)(66574012)(82746002)(93886005)(5660300002)(476003)(36756003)(7736002)(486006)(305945005)(99286004)(58126008)(97736004)(2616005)(446003)(11346002)(14454004)(966005)(86362001)(33656002)(68736007)(316002)(26005)(6506007)(102836004)(2501003)(478600001)(76176011)(110136005); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3420; H:HE1PR07MB4172.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: yKEkByvjSU6G0702Yv4P589XH4lcCYJYoqSl1DTE1E/SAcLjdzu6SCTyDqlFzFA8FNEvo2+vdsmhEd76l1t6kr6ZLhHMVKq2zQaRluik3K1QhHrCChQglMfoIHmHEwc9tVfoQTXTS0DHbtgeADj7Xy9P+ZEUnJ2W6fHYosFTyko0UmbGaCy+aUsFrFdou7NYQuF/7o3qD6BviC/F5sxSwDimko2riZULTldHhwv7dvgsww47+s1AZe9yU+q+BIrr8oMeaQZbjnqLc2Bl5jZAdNdAXRC5G/vHJpuhKPOhyU60zk0h+3MRDnISZ4D4bKxxErvGhrQYCJwP4r0gMvQR7P6lkHqS6kbi/pzsEPrC/msHBd75P6eysrHQF8hVQ+TvngHrivpQ4hg4VUuJr+gYcfd2xwAmeK0uoknn+kJPYCM=
Content-Type: text/plain; charset="utf-8"
Content-ID: <B852E62EB054804FA9004D32363A9CD1@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0d427bda-7439-4172-ac89-08d6bd8de204
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Apr 2019 08:23:59.7498 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3420
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/BgfRmSRlq45l-ZsJI1b_JZUAxKM>
Subject: Re: [Secdispatch] EDHOC Summary
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2019 08:24:05 -0000

Hi Martin,

Comments inline, slightly overlapping with Carsten's response.

On 2019-04-10, 04:57, "Martin Thomson" <mt@lowentropy.net> wrote:

    On Tue, Apr 9, 2019, at 21:57, Göran Selander wrote:
    > [GS] There seems to be consensus on the summary provided by the 
    > Security ADs, which includes the problem statement.
    
    The entire point of my mail was to contest that point.

[GS] I understand that you do, but not on what grounds. A detailed problem statement is presented, summarized and an overwhelming crowd agree.
     
    > [GS] There is no competing solution to the problem statement. As been 
    > witnessed, people have waited for years for this to progress. Therefore 
    > I don't see anything premature with assuming EDHOC to be a starting 
    > point for the WG. 
    
    So you would prefer to disregard the work done by Eric and Jim completely?

[GS] As has been repeated many times now, we would indeed like to see work on an optimized version of the TLS handshake in the TLS WG. But as that does not comply with the requirements here something else is needed in this case.
     
    > [GS] Concrete targets with numbers have been presented, for example here:
    > https://mailarchive.ietf.org/arch/msg/secdispatch/vNR7nT20fsvYjYXhAPjOpLjZGCU
    
    Presented, yes.  Agreed, no.

[GS] The purpose of the discussion on this mailing list and the process as presented by the security ADs was to enable a technical discussion to reach an agreement on how to dispatch. The technical discussion has been going on this list for months, a summary was presented by the ADs
(https://mailarchive.ietf.org/arch/msg/secdispatch/Kz_6y6Jq4HsWxglsUHafWjXIm0c)
 and no technical argument against has been given within the stipulated time. If that is not agreement, what is?
    
    > [GS] A lightweight AKE on application layer, which this specific WG is 
    > proposed to work on, is actually a missing enabler for constrained 
    > nodes to  "communicate among themselves and with the wider Internet". 
    > Indeed, if the security protocol is too heavy or needs to terminate in 
    > a gateway due to change of transport etc., then end-to-end secure 
    > communication between the endpoints will not take place, thus 
    > preventing "to partake in permissionless innovation".  
    
    I think that you missed my point.  If the goal is to provide an AKE, then any AKE will do.  If the goal is to communicate with other Internet nodes, then you might argue that any AKE will do, but you at least have to consider what existing Internet nodes do in making that call.

[GS] These are different issues. The goal with this work is to enable communication with nodes in constrained node networks and then not just any AKE is feasible. Existing Internet nodes implementing current protocols are not expected to support communication to the most constrained settings. What I wanted to highlight with my comment is that the reference you used presumes end-to-end security to constrained nodes, which is enabled by the lightweight AKE identified in this discussion.


Göran

v2.23.0 | Report a Bug | By Email