Re: [T2TRG] RESTful Design & Security
Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 08 March 2017 09:26 UTC
To: "Simpson, Robby (GE Energy Connections)" <robby.simpson@ge.com>, "Kovatsch, Matthias" <matthias.kovatsch@siemens.com>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>
References: <c15a387f-9dd3-987e-2901-b86fd8f60108@gmx.net> <10144.1488908366@obiwan.sandelman.ca> <952c4a16-174f-2457-1f11-8f733e738f90@gmx.net> <4EBB3DDD0FBF694CA2A87838DF129B3C01AA2F98@DEFTHW99EL4MSX.ww902.siemens.net> <558bae1a-ff84-9fb3-c6bf-021f492e9a04@gmx.net> <4EBB3DDD0FBF694CA2A87838DF129B3C01AA313F@DEFTHW99EL4MSX.ww902.siemens.net> <0216378E-8976-4D4E-A307-AEE5FD00BDA6@GE.com>
Message-ID: <24aded2f-738f-2518-ccc3-9a21eec5d879@gmx.net>
In-Reply-To: <0216378E-8976-4D4E-A307-AEE5FD00BDA6@GE.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/udupDIKwn2JQIJmKo3P2327mzOk>
Cc: "T2TRG@irtf.org" <T2TRG@irtf.org>
Thanks for the pointer to the document, Robby. I wasn't aware of this spec
and I have to gain a better understanding of why JOSE/COSE isn't applicable,
but it is certainly a worthwhile path to explore.

Ciao
Hannes

On 03/07/2017 08:47 PM, Simpson, Robby (GE Energy Connections) wrote:
> Personally, I'm a big fan of end-to-end and think that is the correct
> approach.
>
> However, pragmatically, I realize this is not always possible.
>
> I haven't followed it for a while, but there was some activity in
> httpbis at one point for resource/object-level security
> (https://tools.ietf.org/wg/httpbis/draft-ietf-httpbis-encryption-encoding/).
> If we limit the discussion to protocols that support content codings
> (e.g., HTTP and CoAP), then I would think defining a coding that
> specifies the resource-level security aspects would achieve quite a lot
> and would be able to preserve aspects through protocol conversion.
>
> - Robby
>
> Robby Simpson, PhD
> System Architect
> GE
> Grid Solutions
> M: +1 404 219 1851
> Robby.Simpson@GE.com
>
> From: T2TRG <t2trg-bounces@irtf.org> on behalf of "Kovatsch, Matthias" <matthias.kovatsch@siemens.com>
> Date: Tuesday, March 7, 2017 at 2:36 PM
> To: "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>
> Cc: "T2TRG@irtf.org" <T2TRG@irtf.org>
> Subject: EXT: Re: [T2TRG] RESTful Design & Security
>
> Fair enough.
>
> Yes, I am on this IoT Directorate. I would say a large fraction of the
> T2TRG participants has been arguing that the Internet of Gateways is not
> a good approach. Your security-related summary proves this point.
>
> I personally don't see end-to-end security happening if we keep mixing
> application protocols, keep using black-magic middleboxes, and keep
> using proprietary interfaces at the device level. We need something
> end-to-end (or T2T) for end-to-end security.
>
> Best wishes
> Matthias
>
> Sent from my phone, limitations might apply.
>
> -----Original Message-----
> From: Hannes Tschofenig [hannes.tschofenig@gmx.net]
> Received: Tuesday, 07 Mar 2017, 20:10
> To: Kovatsch, Matthias (CT RDA NEC EMB-DE) [matthias.kovatsch@siemens.com]; mcr+ietf@sandelman.ca [mcr+ietf@sandelman.ca]
> CC: T2TRG@irtf.org [T2TRG@irtf.org]
> Subject: Re: [T2TRG] RESTful Design & Security
>
> Hi Matthias,
>
> I know that this is a research group and everyone can create whatever
> they want.
>
> We briefly talked about security at the IoT directorate conference call
> and I would be interested to hear what works and what does not work for
> others.
>
> Ciao
> Hannes
>
> On 03/07/2017 07:45 PM, Kovatsch, Matthias wrote:
>> On big propaganda tour? :P
>>
>> Regards
>> Matthias
>>
>> Sent from my phone, limitations might apply.
>>
>> -----Original Message-----
>> From: Hannes Tschofenig [hannes.tschofenig@gmx.net]
>> Received: Tuesday, 07 Mar 2017, 19:39
>> To: Michael Richardson [mcr+ietf@sandelman.ca]
>> CC: t2trg@irtf.org [T2TRG@irtf.org]
>> Subject: Re: [T2TRG] RESTful Design & Security
>>
>> OSCOAP does not work when
>>
>> * you mix protocols,
>> * use a middlebox for some processing interactions (such as data
>>   aggregation), and
>> * when one of the protocols is a non-RESTful protocol, such as BLE or MQTT.
>>
>> Unfortunately, these are the use cases we are facing in current IoT
>> deployments. For similar reasons we cannot use RFC 8075 either.
>>
>> Maybe you are seeing different deployment environments.
>>
>> Ciao
>> Hannes
>>
>> On 03/07/2017 06:39 PM, Michael Richardson wrote:
>>>
>>> Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>> Needless to say that these challenges have also been observed in other
>>>> protocols as well, such as HTTP and even SIP.
>>>
>>>> What is the story for providing application layer security?
>>>
>>> OSCOAP seems to be end-to-end to me.
>>>
>>> --
>>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>>>  -= IPv6 IoT consulting =-
>>>
>>
>> _______________________________________________
>> T2TRG mailing list
>> T2TRG@irtf.org
>> https://www.irtf.org/mailman/listinfo/t2trg