Re: [TLS] bootstrapping of constrained devices
Anders Rundgren <anders.rundgren.net@gmail.com> Fri, 21 March 2014 03:56 UTC
Message-ID: <532BB846.2030300@gmail.com>
Date: Fri, 21 Mar 2014 04:55:50 +0100
From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: Rene Struik <rstruik.ext@gmail.com>, robert.cragie@gridmerge.com, "'tls@ietf.org'" <tls@ietf.org>
References: <53288C43.9010205@mit.edu> <5328B6DF.8070703@fifthhorseman.net> <5328C0C8.9060403@mit.edu> <6b79e0820d349720f12b14d4706a8a5d.squirrel@webmail.dreamhost.com> <CALCETrUz8zCBHiq42GTnkkSaBcpA5pjSvk6kwwPjzn+MtBKMgA@mail.gmail.com> <e38419e3ada3233dbb3f860048703347.squirrel@webmail.dreamhost.com> <CALCETrVgJxfdCxZqc9ttHHNKHm-hdtGbqzHvsQ-6yd5BK=9PDw@mail.gmail.com> <67BAC033-2E23-4F03-A4D9-47875350E6B5@gmail.com> <532B0EAA.5040104@fifthhorseman.net> <8D8698DF-5C06-4F2A-8994-E0A36A987D6D@vpnc.org> <532B1739.80907@fifthhorseman.net> <CADrU+d+GkGU1Da3W6xGuOq4qvd40DdT6+sO6WEZeEag7Q1OiVQ@mail.gmail.com> <532B9B65.4030708@gmail.com>
In-Reply-To: <532B9B65.4030708@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/477x2ZnB3jNtrRq62xm9xBhkin8
On 2014-03-21 02:52, Rene Struik wrote:
> Hi Robert:
>
> Wouldn't it be much easier to embed device certificates with constrained devices at manufacturing? This may do away with need to store info that is not public on servers.

+1 way to go

> If you could provide some links to discussions in "IoT community groups" interested in this, that would help.
>
> Best regards, Rene
>
> ==
> There is a lot of interest in the IoT community in using some form of PAKE in conjunction with DTLS (or TLS with EAP) for authenticating commissioning/bootstrapping of IoT devices onto IoT networks
>
> On 3/20/2014 1:21 PM, Robert Cragie wrote:
>>
>> It should be remembered that TLS is used in places other than web browsers - the existence of the DICE WG is testament to this. There is a lot of interest in the IoT community in using some form of PAKE in conjunction with DTLS (or TLS with EAP) for authenticating commissioning/bootstrapping of IoT devices onto IoT networks. I realise this is different to the original proposition in this thread but wanted to draw this to the attention of the WG nevertheless.
>>
>> Robert
>>
>> On 20 Mar 2014 12:28, "Daniel Kahn Gillmor" <dkg@fifthhorseman.net> wrote:
>>
>> On 03/20/2014 12:18 PM, Paul Hoffman wrote:
>> > As an important note, you did not define "we" above. A few possible expansions would be:
>> >
>> > - The TLS WG, where this thread currently lives, does not get to define Web UI without a charter change.
>> >
>> > - The HTTPbis WG has not asked the TLS WG to take over this work, nor has it embraced anything like it.
>> >
>> > - The IETF doesn't do this kind of work as a whole body.
>> >
>> > - The IAB (of which none of us are part of the "we") might take the topic on and suggest ways which the IETF might do the work.
>>
>> yep, thanks for the clarification. I actually meant "we" in the broad
>> sense of "the community of people who care about making communications
>> on the web more secure", which includes groups you didn't even mention
>> above, like web site designers, systems administrators, etc.
>>
>> It's still on-topic here (despite the broad scope implied above) because
>> the TLS WG does have a role to play, by considering the merits of
>> proposals like http://tools.ietf.org/html/draft-thomson-tls-care, as
>> well as considering alternatives that deal with this particular use case.
>>
>> >> option (A) is seriously hard, maybe impossible given the state of the
>> >> web. option (B) is terrible.
>> >
>> > Exactly right, for any value of "we".
>>
>> :(
>>
>> --dkg
>
> --
> email: rstruik.ext@gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
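Rene's point above, that a certificate embedded at manufacturing lets the commissioning server hold nothing non-public (unlike a PAKE, where the server must keep a per-device password or verifier), is worth seeing end to end. The following is an added example written for this archive page; it is not code from the thread or from any poster. It uses only the Go standard library and sketches the two sides in isolation rather than a real DTLS handshake: the manufacturer CA, device ID, validity periods and the nonce are all constructed placeholders, and the CA key is generated in memory where a factory would keep it in an HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signCert gives tmpl a random serial, has caKey sign it, and returns the parsed certificate.
func signCert(tmpl, parent *x509.Certificate, pub any, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber = serial
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewManufacturerCA mints the self-signed manufacturer CA (hypothetical; a real factory keeps this key in an HSM).
func NewManufacturerCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(20 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := signCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueDeviceCert is the manufacturing step: a per-device key pair whose public half the CA binds to the device ID.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: deviceID},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(10 * 365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := signCert(tmpl, ca, &devKey.PublicKey, caKey)
	return cert, devKey, err
}

// VerifyDeviceChain is the commissioning server's chain check; all it holds is the manufacturer's public CA certificate.
func VerifyDeviceChain(trustedCA, dev *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	_, err := dev.Verify(opts)
	return err
}

// SignChallenge is the device proving possession of its certified key over a server nonce (CertificateVerify's job in (D)TLS).
func SignChallenge(devKey *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, devKey, digest[:])
}

// AuthenticateDevice is the server's full decision: chain to the trusted CA, then proof of possession of the certified key.
func AuthenticateDevice(trustedCA, dev *x509.Certificate, nonce, sig []byte) error {
	if err := VerifyDeviceChain(trustedCA, dev); err != nil {
		return err
	}
	digest := sha256.Sum256(nonce)
	pub, ok := dev.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("proof of possession failed for %q", dev.Subject.CommonName)
	}
	return nil
}

func main() {
	ca, caKey, _ := NewManufacturerCA("Example Manufacturing CA")
	dev, devKey, _ := IssueDeviceCert(ca, caKey, "device-0001")
	nonce := make([]byte, 32)
	rand.Read(nonce) // server-chosen challenge, fresh per handshake
	sig, _ := SignChallenge(devKey, nonce)
	fmt.Println("device-0001 authenticated:", AuthenticateDevice(ca, dev, nonce, sig) == nil)
}
```

The server-side state is the one line that matters: a CA certificate that is already public, so a compromised commissioning server leaks no device credential, which is exactly what a PAKE server's stored verifiers would. The trade-off moves to the device and the manufacturer: the device's private key has to stay on the device (ideally in hardware), and the manufacturer CA becomes the trust anchor, so revocation and the handling of the CA key are where the remaining risk sits.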