[T2TRG] RESTful Design & Security

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 06 March 2017 17:00 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/0M2TncTzTBLguFVf2X93BEmNFsY>

Hi all,

Reading through
https://tools.ietf.org/html/draft-keranen-t2trg-rest-iot-03, I was
wondering whether there are some thoughts regarding security protection.

From the web we know that TLS goes very well with RESTful designs.

However, when dealing with intermediaries in the IoT space, as happens
when interconnecting different IoT islands, RESTful protocols appear to
run into challenges.

The challenge is quite simple: application-layer security for a RESTful
protocol has to protect some (or must?) header fields. Intermediaries
often change or, in the case of a protocol translation from one IoT
technology to another, completely rebuild header fields. This breaks
application-layer security mechanisms.

Needless to say, these challenges have been observed in other protocols
as well, such as HTTP and even SIP.

What is the story for providing application layer security?

Ciao
Hannes
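The header-rewriting problem raised above, as an added illustration that is not part of the message or of draft-keranen-t2trg-rest-iot: a toy HMAC scheme (assumed, not OSCORE or any IETF mechanism) over constructed request messages shows that an end-to-end tag covering only end-to-end fields survives a translating proxy, while a tag that also covers hop-by-hop fields (Host, Max-Age) is broken as soon as the proxy rebuilds them.

```python
import hashlib
import hmac
import json
from typing import Iterable

# Assumption: both endpoints share this symmetric key (constructed value).
KEY = b"constructed-shared-key-between-endpoints"

def canonical(msg: dict, protected: Iterable[str]) -> bytes:
    """Serialize method, path, payload and the protected header fields in a fixed order."""
    subset = {k: msg["headers"].get(k) for k in sorted(protected)}
    subset.update(method=msg["method"], path=msg["path"], payload=msg["payload"])
    return json.dumps(subset, sort_keys=True).encode()

def sign(msg: dict, protected: Iterable[str], key: bytes = KEY) -> dict:
    """Attach an HMAC tag and record which header fields it covers."""
    tag = hmac.new(key, canonical(msg, protected), hashlib.sha256).hexdigest()
    return {**msg, "tag": tag, "protected": sorted(protected)}

def verify(msg: dict, key: bytes = KEY) -> bool:
    expected = hmac.new(key, canonical(msg, msg["protected"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])

def translating_proxy(msg: dict) -> dict:
    """Model an intermediary bridging two IoT islands: hop-by-hop fields are
    rewritten or rebuilt, but method, path, payload and Content-Format pass through."""
    headers = dict(msg["headers"])
    headers["Host"] = "gateway.island-b.example"   # rebuilt for the next hop
    headers["Via"] = "island-a-to-island-b-proxy"  # added by the proxy
    headers["Max-Age"] = "30"                      # proxy shortens caching lifetime
    return {**msg, "headers": headers}

# Constructed sample request; field names mimic CoAP/HTTP options loosely.
REQUEST = {
    "method": "PUT", "path": "/actuators/relay",
    "headers": {"Host": "sensor.island-a.example",
                "Content-Format": "application/json", "Max-Age": "60"},
    "payload": '{"state":"on"}',
}

def end_to_end_tag_survives_proxy() -> bool:
    """Tag covers only end-to-end fields: still verifies after translation."""
    return verify(translating_proxy(sign(REQUEST, ["Content-Format"])))

def hop_by_hop_tag_breaks_at_proxy() -> bool:
    """Tag also covers Host and Max-Age: the proxy's rewrite invalidates it."""
    return verify(translating_proxy(sign(REQUEST, ["Host", "Content-Format", "Max-Age"])))

def payload_change_is_detected() -> bool:
    """Even the narrow tag still catches an intermediary altering the payload."""
    altered = {**translating_proxy(sign(REQUEST, ["Content-Format"])), "payload": '{"state":"off"}'}
    return verify(altered)
```

The practical question this leaves open, and the one the message asks, is which fields a RESTful IoT protocol can declare end-to-end so that intermediaries never need to touch them.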