IETF Logo Mail Archive

Re: [TLS] bootstrapping of constrained devices (was: Re: Should TLS 1.3 use an augmented PAKE by default?)

Michael Sweet <msweet@apple.com> Fri, 21 March 2014 12:26 UTC

Return-Path: <msweet@apple.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E9471A0983 for <tls@ietfa.amsl.com>; Fri, 21 Mar 2014 05:26:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.748
X-Spam-Level:
X-Spam-Status: No, score=-4.748 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y_WuBM9M2lbk for <tls@ietfa.amsl.com>; Fri, 21 Mar 2014 05:26:14 -0700 (PDT)
Received: from mail-out.apple.com (mail-out.apple.com [17.151.62.49]) by ietfa.amsl.com (Postfix) with ESMTP id D87871A0969 for <tls@ietf.org>; Fri, 21 Mar 2014 05:26:14 -0700 (PDT)
MIME-version: 1.0
Received: from relay4.apple.com ([17.128.113.87]) by mail-out.apple.com (Oracle Communications Messaging Server 7.0.5.30.0 64bit (built Oct 22 2013)) with ESMTP id <0N2S00B7FD7511T0@mail-out.apple.com> for tls@ietf.org; Fri, 21 Mar 2014 05:26:05 -0700 (PDT)
X-AuditID: 11807157-f79aa6d0000017b2-39-532c2fdd975e
Received: from orrisroot.apple.com (orrisroot.apple.com [17.128.115.106]) (using TLS with cipher RC4-MD5 (128/128 bits)) (Client did not present a certificate) by relay4.apple.com (Apple SCV relay) with SMTP id 50.3F.06066.DDF2C235; Fri, 21 Mar 2014 05:26:05 -0700 (PDT)
Received: from [17.153.37.122] (unknown [17.153.37.122]) by orrisroot.apple.com (Oracle Communications Messaging Server 7u4-24.01 (7.0.4.24.0) 64bit (built Nov 17 2011)) with ESMTPSA id <0N2S00LULD7E1A40@orrisroot.apple.com> for tls@ietf.org; Fri, 21 Mar 2014 05:26:05 -0700 (PDT)
Content-type: multipart/signed; boundary="Apple-Mail=_9B214BC4-DC20-4895-88DF-E456C23EC046"; protocol="application/pkcs7-signature"; micalg="sha1"
From: Michael Sweet <msweet@apple.com>
In-reply-to: <532B9B65.4030708@gmail.com>
Date: Fri, 21 Mar 2014 08:26:02 -0400
Message-id: <8FD78E18-C3C7-4085-9E3F-8B60B20F2CB5@apple.com>
References: <53288C43.9010205@mit.edu> <5328B6DF.8070703@fifthhorseman.net> <5328C0C8.9060403@mit.edu> <6b79e0820d349720f12b14d4706a8a5d.squirrel@webmail.dreamhost.com> <CALCETrUz8zCBHiq42GTnkkSaBcpA5pjSvk6kwwPjzn+MtBKMgA@mail.gmail.com> <e38419e3ada3233dbb3f860048703347.squirrel@webmail.dreamhost.com> <CALCETrVgJxfdCxZqc9ttHHNKHm-hdtGbqzHvsQ-6yd5BK=9PDw@mail.gmail.com> <67BAC033-2E23-4F03-A4D9-47875350E6B5@gmail.com> <532B0EAA.5040104@fifthhorseman.net> <8D8698DF-5C06-4F2A-8994-E0A36A987D6D@vpnc.org> <532B1739.80907@fifthhorseman.net> <CADrU+d+GkGU1Da3W6xGuOq4qvd40DdT6+sO6WEZeEag7Q1OiVQ@mail.gmail.com> <532B9B65.4030708@gmail.com>
To: Rene Struik <rstruik.ext@gmail.com>
X-Mailer: Apple Mail (2.1874)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrDLMWRmVeSWpSXmKPExsUi2FCcpXtXXyfY4PcbAYtP57sYHRg9liz5 yRTAGMVlk5Kak1mWWqRvl8CV8fj/NPaCh5MYK9b/X8ncwPintouRk0NCwERi1o4GFghbTOLC vfVsILaQwBQmiUVfzSDsBUwSLWsYQWxhgVKJP6tus4LYvAJ6EmfO/mLvYuTiYBaYwijRsPw0 E0iCTUBN4vekPrAiTgFNiU3HFoEtYBFQleiafJsZxGYWsJN4/3EGO8QgG4kTV06wggwSEpjK KvG4+zFYkYiAusT83bPZIK6TlXj0oYllAiP/LCTLZyFbPgtscJLE7I+v2SFsbYllC18zQ9h6 Ei+b3mER15W4uG4SI4RtKvHk7XY2CNta4uecR1BxRYkp3Q/ZFzByrWIUKErNSaw00UssKMhJ 1UvOz93ECI6HwvAdjP+WWR1iFOBgVOLhreTUDhZiTSwrrsw9xKgCNOLRhtUXGKVY8vLzUpVE eOW0dIKFeFMSK6tSi/Lji0pzUosPMUpzsCiJ8z41AuoUSE8sSc1OTS1ILYLJMnFwSjUwNm08 Uzz38o8CV1m9OTzXLn1oUq8su7ck/s+vC2f/zf9bUOz6du/Lq2br614u/mtWuVbQQ/0M/w6B PolLKfvcFHwFGa0+B07ZVNQ81XHbpqfhB5KcYmy9Jk9tSTt+9Lm+VKOtywYGlaXaem8dr/Gd fHFSL4rFeJ/I1q0Gf+UmGU8oY/VgZmm8pMRSnJFoqMVcVJwIALOHYZiPAgAA
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/4sJgqhMD7YnbJBKppsOBeNWAxIg
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] bootstrapping of constrained devices (was: Re: Should TLS 1.3 use an augmented PAKE by default?)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Mar 2014 12:26:17 -0000

Rene,

Installing device certificates during manufacturing is not a simple process - the factory would need to act as a CA or would need to have a supply of certificates that matches whatever identifiers are used by the devices.  Not to mention how you'd manage revocation if the root was compromised...


On Mar 20, 2014, at 9:52 PM, Rene Struik <rstruik.ext@gmail.com> wrote:

> Hi Robert:
> 
> Wouldn't it be much easier to embed device certificates with constrained devices at manufacturing? This may do away with need       to store info that is not public on servers.
> 
> If you could provide some links to discussions in "IoT community groups" interested in this, that would help.
> 
> Best regards, Rene
> 
> ==
> There is a lot of interest in the IoT community in using some form of PAKE in conjunction with DTLS (or TLS with EAP) for authenticating commissioning/bootstrapping of IoT devices onto IoT networks
> 
> On 3/20/2014 1:21 PM, Robert Cragie wrote:
>> It should be remembered that TLS is used in places other than web browsers - the existence of the DICE WG is testament to this. There is a lot of interest in the IoT community in using some form of PAKE in conjunction with DTLS (or TLS with EAP) for authenticating commissioning/bootstrapping of IoT devices onto IoT networks. I realise this is different to the original proposition in this thread but wanted to draw this to the attention of the WG nevertheless.
>> 
>> Robert
>> 
>> On 20 Mar 2014 12:28, "Daniel Kahn Gillmor" <dkg@fifthhorseman.net> wrote:
>> On 03/20/2014 12:18 PM, Paul Hoffman wrote:
>> > As an important note, you did not define "we" above. A few possible expansions would be:
>> >
>> > - The TLS WG, where this thread currently lives, does not get to define Web UI without a charter change.
>> >
>> > - The HTTPbis WG has not asked the TLS WG to take over this work, nor has it embraced anything like it.
>> >
>> > - The IETF doesn't do this kind of work as a whole body.
>> >
>> > - The IAB (of which none of us are part of the "we") might take the topic on and suggest ways which the IETF might do the work.
>> 
>> yep, thanks for the clarification.  I actually meant "we" in the broad
>> sense of "the community of people who care about making communications
>> on the web more secure", which includes groups you didn't even mention
>> above, like web site designers, systems administrators, etc.
>> 
>> It's still on-topic here (despite the broad scope implied above) because
>> the TLS WG does have a role to play, by considering the merits of
>> proposals like http://tools.ietf.org/html/draft-thomson-tls-care, as
>> well as considering alternatives that deal with this particular use case.
>> 
>> >> option (A) is seriously hard, maybe impossible given the state of the
>> >> web.  option (B) is terrible.
>> >
>> > Exactly right, for any value of "we".
>> 
>> :(
>> 
>>         --dkg
>> 
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>> 
>> 
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
> 
> 
> -- 
> email: rstruik.ext@gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair

v2.23.0 | Report a Bug | By Email