[Secdispatch] draft-selander-lake-reqs-01
Hannes Tschofenig <Hannes.Tschofenig@arm.com> Thu, 18 April 2019 11:59 UTC
Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D074120052 for <secdispatch@ietfa.amsl.com>; Thu, 18 Apr 2019 04:59:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uGUgYKraOo7P for <secdispatch@ietfa.amsl.com>; Thu, 18 Apr 2019 04:59:34 -0700 (PDT)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30059.outbound.protection.outlook.com [40.107.3.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2CB71200A0 for <secdispatch@ietf.org>; Thu, 18 Apr 2019 04:59:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CBeQz9dIq1B7LHF60Ir4QMtxJii5AXvW2J7hsSnZmk8=; b=fOBF16s+GyaSx71jaAWHk5ON/ilpS7B/irZvBRddj8n7cbS6OGncqeLHdvjRF4tW+yEIEhihe8YgmE6Bd14SFheVjiNIq1wk0noxU9VmNW471EEOOnDzNJI6WasQxp6y+cV503jR3KF9r2IS0ekRCuQ3ekE3SZKfn8GxJcV0OXg=
Received: from AM6PR08MB3686.eurprd08.prod.outlook.com (20.178.91.22) by AM6PR08MB3783.eurprd08.prod.outlook.com (20.178.90.77) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1813.12; Thu, 18 Apr 2019 11:59:31 +0000
Received: from AM6PR08MB3686.eurprd08.prod.outlook.com ([fe80::7025:fc8a:7d0a:cb91]) by AM6PR08MB3686.eurprd08.prod.outlook.com ([fe80::7025:fc8a:7d0a:cb91%3]) with mapi id 15.20.1813.011; Thu, 18 Apr 2019 11:59:31 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "secdispatch@ietf.org" <secdispatch@ietf.org>
Thread-Topic: draft-selander-lake-reqs-01
Thread-Index: AdT12xxeCHrZt5W2T7qVHWoUx8oRMQ==
Date: Thu, 18 Apr 2019 11:59:31 +0000
Message-ID: <AM6PR08MB3686AE651F9058B71B9D686EFA260@AM6PR08MB3686.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.121.58]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3bd1eb0e-2d7d-4ba4-a2c1-08d6c3f5512c
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600141)(711020)(4605104)(4618075)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:AM6PR08MB3783;
x-ms-traffictypediagnostic: AM6PR08MB3783:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <AM6PR08MB3783C301A221AE8FA4EE164CFA260@AM6PR08MB3783.eurprd08.prod.outlook.com>
x-forefront-prvs: 0011612A55
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(979002)(366004)(136003)(39860400002)(346002)(396003)(376002)(189003)(199004)(40434004)(14444005)(81166006)(966005)(74316002)(476003)(1730700003)(7736002)(55016002)(26005)(72206003)(316002)(5024004)(6506007)(347745004)(256004)(14454004)(186003)(52536014)(3846002)(71190400001)(102836004)(21615005)(71200400001)(6116002)(86362001)(790700001)(97736004)(5640700003)(99286004)(8676002)(2906002)(606006)(7696005)(66066001)(68736007)(2501003)(6436002)(33656002)(478600001)(8936002)(54896002)(5660300002)(6306002)(9686003)(53936002)(236005)(6916009)(486006)(81156014)(2351001)(9326002)(25786009)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR08MB3783; H:AM6PR08MB3686.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: KsiHBF3Gvj3zG7zPJPw6w8nt89NQmwRDjlhfleAfd9EDNfn0jU8sveMyWy+ydjj7WcRlg3x2Ucg1/A38wzPNWQ7jQLTFiYL7MIw3Zu2u/cUFQScxOfj/mZUqn3ETiDJk7TE0l/cfHWBXzca9BE3iCgMC594tDqSqJTKOUVES7ZwCZ+D0Ha2xt9C2mzdKQq5FXCOrxVUVI2thFVIB56G1EIvWWJepEBdvcM4I6zjT6Sv0OKLIRZ8q3TfFIV5NCXj3vNzKw1ff1XnifPuudtqRVUU34OJaAruaKJkYYp1Ib26WSeFyFiQVZV+0/xBLO9XvOtd6r2enmdMJgx7CNfC79skKQd5c7Pu+yRWpAuOZSMGNX3ccvdyCsppJzr+Jb9o4iF/0VLS21t6Dv5pMkbqN8j+lTnzYR+7sXjW2kBhQb70=
Content-Type: multipart/alternative; boundary="_000_AM6PR08MB3686AE651F9058B71B9D686EFA260AM6PR08MB3686eurp_"
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3bd1eb0e-2d7d-4ba4-a2c1-08d6c3f5512c
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Apr 2019 11:59:31.4216 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB3783
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/xqG6v3nfjVsVy18GR9vx2rhY9cM>
Subject: [Secdispatch] draft-selander-lake-reqs-01
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Apr 2019 11:59:36 -0000
Hi Goeran, your draft makes the assumption we need OSCORE and hence a key management protocol for it. It says that it is OSCORE [I-D.ietf-core-object-security<https://tools.ietf.org/html/draft-selander-lake-reqs-01#ref-I-D.ietf-core-object-security>] is a lightweight communication security protocol providing end-to-end security for constrained IoT settings (cf. [RFC7228<https://tools.ietf.org/html/rfc7228>]). Should the draft say something about the weaker privacy properties compared to the DTLS 1.3 record layer? You seem to have forgotten to mention those. Maybe it would also be good to state somewhere that OSCORE is heavier than the DTLS 1.3 record layer (based on the analysis from your co-workers). If we care about the bits over the wire so much we should probably be using the DTLS 1.3 record layer instead. Should it also state somewhere that these "end-to-end security" properties only work under certain conditions? The name "Object Security for ..." may give the uninformed reader the impression that it provides security at the object level but instead it provides "provides end-to-end protection between endpoints communicating using CoAP or CoAP-mappable HTTP" - a kind of message level security. Particularly the CoAP-mappable HTTP part is interesting here because it requires the API on the CoAP side and the API on the HTTP to be semantically equivalent. This does not appear to be the case in many IoT deployments (for good reasons). Just look at the APIs vendors have published. (FWIW I am still waiting to see the API description of the Ericsson IoT device management server. Ours is public and can be found here: https://www.pelion.com/docs/device-management/current/service-api-references/index.html) It might also be a good idea to explore the CoAP proxy functionality again because this is an often claimed area where OSCORE is needed. For those who have not followed the CoAP work it is interesting to know that the design of CoAP and HTTP differs also in the way proxies are used. A TLS connection can traverse an HTTP proxy while in CoAP it terminates there. Maybe it is time to integrate the properties of the HTTP proxy into CoAP? Ciao Hannes IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
- Re: [Secdispatch] draft-selander-lake-reqs-01 Hannes Tschofenig
- [Secdispatch] draft-selander-lake-reqs-01 Hannes Tschofenig
- Re: [Secdispatch] draft-selander-lake-reqs-01 Göran Selander
- Re: [Secdispatch] draft-selander-lake-reqs-01 Göran Selander