Re: [T2TRG] RESTful Design & Security

"Garcia-Morchon O, Oscar" <oscar.garcia-morchon@philips.com> Thu, 09 March 2017 14:32 UTC

From: "Garcia-Morchon O, Oscar" <oscar.garcia-morchon@philips.com>
To: Eliot Lear <lear@cisco.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, "Kovatsch, Matthias" <matthias.kovatsch@siemens.com>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>
Date: Thu, 09 Mar 2017 14:32:38 +0000
Message-ID: <03443d82f2c94a5cad12978b4a3c54e4@DB5PR9001MB0165.MGDPHG.emi.philips.com>
In-Reply-To: <2669c38e-5a7e-e4a4-36d2-9fd9f7966d52@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/ef1qfcysP07ypnvL3sdPowHh5C4>
Cc: "T2TRG@irtf.org" <T2TRG@irtf.org>
Subject: Re: [T2TRG] RESTful Design & Security

Hi Eliot,


I believe that your two examples (fridge and car) describe a system (fridge and car) within a larger system (smart home or V2X). More complex scenarios exist.


You could analyze such scenarios by decomposing the larger system into subsystems (domains) and applying the security considerations to each of the domains in which the "smart things or smart components" in that domain talk to each other.


Does this help you further? Would you analyze this in a different way? Do you think that this explanation should be included in our document?


Cheers, Oscar.

________________________________
From: Eliot Lear <lear@cisco.com>
Sent: Wednesday, March 8, 2017 4:46 PM
To: Garcia-Morchon O, Oscar; Hannes Tschofenig; Kovatsch, Matthias; mcr+ietf@sandelman.ca
Cc: T2TRG@irtf.org
Subject: Re: [T2TRG] RESTful Design & Security


Oscar,

That's a great document.  In some ways, it's really several documents all rolled up into one.  But let me ask some leading questions:

  *   Is my network-connected refrigerator a Thing or a component?
  *   Is the thermostat in my network-connected refrigerator a Thing or a component?
  *   Is my network-connected car a Thing or a component?
  *   Is the engine that sits on the CAN bus a Thing or a component?

What distinguishes a Thing from a component and when do your security considerations apply, and when do they not?

Eliot

On 3/8/17 4:31 PM, Garcia-Morchon O, Oscar wrote:

Hi Hannes,

the document "draft-irtf-t2trg-iot-seccons-01" summarizes protocols.  But I do not think that we do this happily but seriously. Summarizing existing protocols/work is one of the goals of the document.

The document also acknowledges that devices have different capabilities and requirements, also in terms of security. In my view, this fits with the idea of minimum requirements. It would be great to have your input on your use cases and your views on minimum assumptions in different deployment scenarios/security capabilities of different types of devices.

Cheers, Oscar.


-----Original Message-----
From: T2TRG [mailto:t2trg-bounces@irtf.org] On Behalf Of Hannes Tschofenig
Sent: Wednesday, March 8, 2017 3:13 PM
To: Eliot Lear <lear@cisco.com>; Kovatsch, Matthias <matthias.kovatsch@siemens.com>; mcr+ietf@sandelman.ca
Cc: T2TRG@irtf.org
Subject: Re: [T2TRG] RESTful Design & Security

Hi Eliot,

this would indeed be a good conversation to have. I have tried to trigger it a couple of times in the context of the IoT device classes, but it is very hard to get people to state what their minimum assumptions are.

I believe it has to do with the type of standardization approach we are exercising today, and this gives us a hard time to describe the big picture of how the various building blocks are supposed to work together. In fact, the picture becomes extremely complex and fragmented since there are just so many options while at the same time we envision super constrained devices. The T2TRG security document (draft-irtf-t2trg-iot-seccons-01) confirms this and happily talks about normal IPsec/IKE, diet IPsec, HIP, MIKEY, OSCOAP, JOSE, COSE, etc. etc.

Ciao
Hannes

On 03/08/2017 11:02 AM, Eliot Lear wrote:


Matthias,

I think the key question that everyone seems to be dancing around is this:

What is an Internet host in the context of IoT?  What are the minimum
qualities it must possess?  I don't mean this to be a vote, but more
of a law of physics sort of thing.  For instance, does a host have a
secure unique identity?  What capabilities must it have?  I would
expect them to be very few, but there are assuredly some...

Eliot


On 3/7/17 8:36 PM, Kovatsch, Matthias wrote:


Fair enough.

Yes, I am on this IoT Directorate. I would say a large fraction of
the T2TRG participants has been arguing that the Internet of Gateways
is not a good approach. Your security-related summary proves this point.

I personally don't see end-to-end security happening if we keep
mixing application protocols, keep using black-magic middleboxes, and
keep using proprietary interfaces at the device level. We need
something end-to-end (or T2T) for end-to-end security.

Best wishes
Matthias



Sent from my phone, limitations might apply.

-----Original Message-----
*From:* Hannes Tschofenig [hannes.tschofenig@gmx.net]
*Received:* Tuesday, 07 Mar 2017, 20:10
*To:* Kovatsch, Matthias (CT RDA NEC EMB-DE) [matthias.kovatsch@siemens.com]; mcr+ietf@sandelman.ca [mcr+ietf@sandelman.ca]
*CC:* T2TRG@irtf.org [T2TRG@irtf.org]
*Subject:* Re: [T2TRG] RESTful Design & Security

Hi Matthias,

I know that this is a research group and everyone can create whatever
they want.

We briefly talked about security at the IoT directorate conference
call and it would be interesting to hear what works and what does not
work for others.

Ciao
Hannes


On 03/07/2017 07:45 PM, Kovatsch, Matthias wrote:


On big propaganda tour? :P

Regards
Matthias


Sent from my phone, limitations might apply.

-----Original Message-----
*From:* Hannes Tschofenig [hannes.tschofenig@gmx.net]
*Received:* Tuesday, 07 Mar 2017, 19:39
*To:* Michael Richardson [mcr+ietf@sandelman.ca]
*CC:* t2trg@irtf.org [T2TRG@irtf.org]
*Subject:* Re: [T2TRG] RESTful Design & Security

OSCOAP does not work when

* you mix protocols,
* use a middlebox for some processing interactions (such as data
aggregation), and
* when one of the protocols is a non-RESTful protocol, such as BLE
or MQTT.

Unfortunately, these are the use cases we are facing in current IoT
deployments. For similar reasons we cannot use RFC 8075 either.

Maybe you are seeing different deployment environments.

Ciao
Hannes

On 03/07/2017 06:39 PM, Michael Richardson wrote:


Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
    > Needless to say that these challenges have also been observed in other
    > protocols as well, such as HTTP and even SIP.

    > What is the story for providing application layer security?

OSCOAP seems to be end-to-end to me.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-





_______________________________________________
T2TRG mailing list
T2TRG@irtf.org
https://www.irtf.org/mailman/listinfo/t2trg




