Re: [T2TRG] RESTful Design & Security

Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 08 March 2017 09:26 UTC

To: "Simpson, Robby (GE Energy Connections)" <robby.simpson@ge.com>, "Kovatsch, Matthias" <matthias.kovatsch@siemens.com>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>
References: <c15a387f-9dd3-987e-2901-b86fd8f60108@gmx.net> <10144.1488908366@obiwan.sandelman.ca> <952c4a16-174f-2457-1f11-8f733e738f90@gmx.net> <4EBB3DDD0FBF694CA2A87838DF129B3C01AA2F98@DEFTHW99EL4MSX.ww902.siemens.net> <558bae1a-ff84-9fb3-c6bf-021f492e9a04@gmx.net> <4EBB3DDD0FBF694CA2A87838DF129B3C01AA313F@DEFTHW99EL4MSX.ww902.siemens.net> <0216378E-8976-4D4E-A307-AEE5FD00BDA6@GE.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <24aded2f-738f-2518-ccc3-9a21eec5d879@gmx.net>
Date: Wed, 08 Mar 2017 10:25:48 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <0216378E-8976-4D4E-A307-AEE5FD00BDA6@GE.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="BHMRguBPPpGT81c6cjo5H5KTN3F3DnphQ"
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/udupDIKwn2JQIJmKo3P2327mzOk>
Cc: "T2TRG@irtf.org" <T2TRG@irtf.org>
Subject: Re: [T2TRG] RESTful Design & Security

Thanks for the pointer to the document, Robby. I wasn't aware of this
spec and I have to gain a better understanding of why JOSE/COSE isn't
applicable but it is certainly a worthwhile path to explore.

Ciao
Hannes


On 03/07/2017 08:47 PM, Simpson, Robby (GE Energy Connections) wrote:
> Personally, I’m a big fan of end-to-end and think that is the correct
> approach.
> 
> However, pragmatically, I realize this is not always possible.
> 
> I haven’t followed it for a while, but there was some activity in
> httpbis at one point for resource/object-level security
> (https://tools.ietf.org/wg/httpbis/draft-ietf-httpbis-encryption-encoding/). 
> If we limit the discussion to protocols that support content codings
> (e.g., HTTP and CoAP), then I would think defining a coding that
> specifies the resource-level security aspects would achieve quite a lot
> and would be able to preserve aspects through protocol conversion.
> 
> - Robby
> 
> Robby Simpson, PhD
> 
> System Architect
> 
> GE
> 
> Grid Solutions
> 
> M: +1 404 219 1851
> 
> Robby.Simpson@GE.com
> 
> *From: *T2TRG <t2trg-bounces@irtf.org> on behalf of "Kovatsch, Matthias"
> <matthias.kovatsch@siemens.com>
> *Date: *Tuesday, March 7, 2017 at 2:36 PM
> *To: *"hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>,
> "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>
> *Cc: *"T2TRG@irtf.org" <T2TRG@irtf.org>
> *Subject: *EXT: Re: [T2TRG] RESTful Design & Security
> 
> Fair enough.
> 
> Yes, I am on this IoT Directorate. I would say a large fraction of the
> T2TRG participants has been arguing that the Internet of Gateways is not
> a good approach. Your security-related summary proves this point.
> 
> I personally don't see end-to-end security happening if we keep mixing
> application protocols, keep using black-magic middleboxes, and keep
> using proprietary interfaces at the device level. We need something
> end-to-end (or T2T) for end-to-end security.
> 
> Best wishes
> Matthias
> 
> 
> 
> Sent from my phone, limitations might apply.
> 
> -----Original Message-----
> *From:* Hannes Tschofenig [hannes.tschofenig@gmx.net]
> *Received:* Tuesday, 07 Mar 2017, 20:10
> *To:* Kovatsch, Matthias (CT RDA NEC EMB-DE)
> [matthias.kovatsch@siemens.com]; mcr+ietf@sandelman.ca
> [mcr+ietf@sandelman.ca]
> *CC:* T2TRG@irtf.org [T2TRG@irtf.org]
> *Subject:* Re: [T2TRG] RESTful Design & Security
> 
> Hi Matthias,
> 
> I know that this is a research group and everyone can create whatever
> they want.
> 
> We briefly talked about security at the IoT directorate conference call
> and it would be interesting to hear what works and what does not work for
> others.
> 
> Ciao
> Hannes
> 
> 
> On 03/07/2017 07:45 PM, Kovatsch, Matthias wrote:
>> On big propaganda tour? :P
>> 
>> Regards
>> Matthias
>> 
>> 
>> Sent from my phone, limitations might apply.
>> 
>> -----Original Message-----
>> *From:* Hannes Tschofenig [hannes.tschofenig@gmx.net]
>> *Received:* Tuesday, 07 Mar 2017, 19:39
>> *To:* Michael Richardson [mcr+ietf@sandelman.ca]
>> *CC:* t2trg@irtf.org [T2TRG@irtf.org]
>> *Subject:* Re: [T2TRG] RESTful Design & Security
>> 
>> OSCOAP does not work when
>> 
>> * you mix protocols,
>> * use a middlebox for some processing interactions (such as data
>> aggregation), and
>> * when one of the protocols is a non-RESTful protocol, such as BLE or MQTT.
>> 
>> Unfortunately, these are the use cases we are facing in current IoT
>> deployments. For similar reasons we cannot use RFC 8075 either.
>> 
>> Maybe you are seeing different deployment environments.
>> 
>> Ciao
>> Hannes
>> 
>> On 03/07/2017 06:39 PM, Michael Richardson wrote:
>>> 
>>> Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>     > Needless to say that these challenges have also been observed in other
>>>     > protocols as well, such as HTTP and even SIP.
>>> 
>>>     > What is the story for providing application layer security?
>>> 
>>> OSCOAP seems to be end-to-end to me.
>>> 
>>> --
>>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>>>  -= IPv6 IoT consulting =-
>>> 
>>> 
>>> 
>> 
>> 
>> 
>> _______________________________________________
>> T2TRG mailing list
>> T2TRG@irtf.org
>> https://www.irtf.org/mailman/listinfo/t2trg
>> 
>
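Added example, not code from this thread or from any of its participants: a minimal Go implementation of the aes128gcm content coding that the httpbis draft Robby links was published as (RFC 8188), used to make the two points in the discussion concrete. `Encode`, `Decode`, `keysFor`, `recordNonce` and `hkdf1` are names chosen here (`hkdf1` is HKDF-SHA-256 reduced to the single output block this coding needs); the shared key, the `keyid` and the sensor reading are constructed for the demonstration. The encrypted body is an opaque byte string with its own header, so a gateway that only re-frames HTTP as CoAP forwards it verbatim and the far endpoint decrypts it, which is Robby's argument for resource-level security surviving protocol conversion; the same authentication check fails as soon as a middlebox edits the body, which is the aggregation case Hannes describes. The wire-format details follow the text of RFC 8188 as read here and have not been run against the RFC's test vectors.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// hkdf1 is HKDF-SHA-256 cut down to one output block: PRK = HMAC(salt, ikm); OKM = HMAC(PRK, info||0x01)[:n].
func hkdf1(salt, ikm, info []byte, n int) []byte {
	ex := hmac.New(sha256.New, salt)
	ex.Write(ikm)
	xp := hmac.New(sha256.New, ex.Sum(nil))
	xp.Write(append(append([]byte(nil), info...), 0x01))
	return xp.Sum(nil)[:n]
}

// keysFor derives the AES-128 content-encryption key and the 12-byte base nonce with the coding's info strings.
func keysFor(salt, ikm []byte) (cipher.AEAD, []byte) {
	block, _ := aes.NewCipher(hkdf1(salt, ikm, []byte("Content-Encoding: aes128gcm\x00"), 16))
	gcm, _ := cipher.NewGCM(block) // both constructors are infallible for a 16-byte key
	return gcm, hkdf1(salt, ikm, []byte("Content-Encoding: nonce\x00"), 12)
}

// recordNonce XORs the record sequence number (as a 96-bit big-endian integer) into the base nonce.
func recordNonce(base []byte, seq uint64) []byte {
	n := append([]byte(nil), base...)
	for i := 0; i < 8; i++ {
		n[11-i] ^= byte(seq >> (8 * i))
	}
	return n
}

// Encode builds salt(16) | rs(4) | idlen(1) | keyid | records; a record is up to rs-17 plaintext octets plus a
// delimiter (0x01, or 0x02 on the final record) sealed with AES-128-GCM, and all but the last are exactly rs octets.
func Encode(salt, ikm, keyid, plaintext []byte, rs uint32) ([]byte, error) {
	if len(salt) != 16 || rs < 18 || len(keyid) > 255 {
		return nil, errors.New("bad salt length, record size or keyid length")
	}
	gcm, nonce := keysFor(salt, ikm)
	var out bytes.Buffer
	out.Write(salt)
	binary.Write(&out, binary.BigEndian, rs)
	out.Write(append([]byte{byte(len(keyid))}, keyid...))
	for seq := uint64(0); ; seq++ {
		n, delim := int(rs)-17, byte(0x01) // rs minus the 16-byte GCM tag minus the delimiter
		if n >= len(plaintext) {
			n, delim = len(plaintext), 0x02
		}
		out.Write(gcm.Seal(nil, recordNonce(nonce, seq), append(append([]byte(nil), plaintext[:n]...), delim), nil))
		if plaintext = plaintext[n:]; delim == 0x02 {
			return out.Bytes(), nil
		}
	}
}

// Decode reverses Encode, rejecting a record that fails authentication, a short non-final record,
// data after the final record, and a body that stops before its final record.
func Decode(ikm, body []byte) ([]byte, error) {
	if len(body) < 21 || len(body) < 21+int(body[20]) || binary.BigEndian.Uint32(body[16:20]) < 18 {
		return nil, errors.New("malformed header")
	}
	rs, records := int(binary.BigEndian.Uint32(body[16:20])), body[21+int(body[20]):]
	gcm, nonce := keysFor(body[:16], ikm) // body[21:21+idlen] is the keyid; this example uses a single key
	var out bytes.Buffer
	for seq := uint64(0); len(records) > 0; seq++ {
		n := rs
		if n > len(records) {
			n = len(records)
		}
		rec, err := gcm.Open(nil, recordNonce(nonce, seq), records[:n], nil)
		if records = records[n:]; err != nil {
			return nil, fmt.Errorf("record %d: %w", seq, err)
		}
		i := len(bytes.TrimRight(rec, "\x00")) - 1 // index of the delimiter, behind any zero padding
		if i < 0 || rec[i] > 2 || (rec[i] == 1 && n != rs) || (rec[i] == 2 && len(records) > 0) {
			return nil, errors.New("bad delimiter, short non-final record or data after final record")
		}
		if out.Write(rec[:i]); rec[i] == 2 {
			return out.Bytes(), nil
		}
	}
	return nil, errors.New("truncated body: final record missing")
}

func main() {
	ikm, salt := []byte("constructed-shared-secret"), make([]byte, 16) // demo key; the salt must be fresh per body
	rand.Read(salt)
	body, _ := Encode(salt, ikm, []byte("sensor-7"), []byte("temperature=21.5C"), 4096)
	plain, err := Decode(ikm, body) // a gateway that only re-frames HTTP as CoAP forwards these octets verbatim
	fmt.Printf("forwarded unchanged: %q, err=%v\n", plain, err)
	body[len(body)-1] ^= 1 // a middlebox that edits the body (aggregation, re-encoding) breaks the end-to-end check
	_, err = Decode(ikm, body)
	fmt.Println("modified in transit:", err)
}
```

Running it prints the decrypted reading for the unmodified body and an authentication error for the edited one. The receiving endpoint needs only the shared key and the body's own header (salt, record size, key id), nothing from the transport that carried it, which is what makes the protection independent of the HTTP-to-CoAP conversion; note that the key id is carried in clear, so a deployment with many devices should treat it as a selector, not a secret.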