Re: [T2TRG] RESTful Design & Security

Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 08 March 2017 14:14 UTC

To: Göran Selander <goran.selander@ericsson.com>, Michael Richardson <mcr+ietf@sandelman.ca>
Message-ID: <054b4b83-2034-d5a3-9f0f-e395bdb7cd8f@gmx.net>
In-Reply-To: <D4E599A4.7891E%goran.selander@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/DRyjWakvmhEH-YvsJfBv7C57MRk>
Cc: "t2trg@irtf.org" <T2TRG@irtf.org>

Hi Goeran,

On 03/08/2017 11:31 AM, Göran Selander wrote:
> Hi Hannes,
> 
> On 2017-03-08 11:17, "Hannes Tschofenig" <hannes.tschofenig@gmx.net> wrote:
> 
>> I had initially planned to provide a response addressing each of your
>> points but I guess it is time for me to realize that you do not care
>> about the challenges we encounter in our deployments.
> 
> I am interested in the challenges you meet in your deployments. But if
> OSCOAP doesn’t address your issues it doesn’t mean that it is useless,
> which is the impression I have got (right or wrong) from your previous
> inputs to the IETF on the topic.

When Michael said that OSCOAP is the solution for end-to-end security I
had to respond. Either Michael is not aware of the limitations or they
do not matter for his use cases.

But more generally, there are two ways to do standardization:

Approach A: Let a thousand flowers bloom
Approach B: Try to minimize the number of solutions

We seem to be more and more focused on approach A. This has the benefit
that both the leadership and the folks working on the specifications are
happy. Unfortunately, there is a price to pay in the future when
companies end up having lots of solutions to choose from. They are
confused and fewer products are interoperable as a result. This is not
necessarily a new situation since we have seen the results also in other
security areas.

Ciao
Hannes