[Drip] Authenticating DTLS with HHITs in DRIP

Robert Moskowitz <rgm@labs.htt-consult.com> Mon, 23 November 2020 16:43 UTC

To: "tm-rid@ietf.org" <tm-rid@ietf.org>
From: Robert Moskowitz <rgm@labs.htt-consult.com>
Message-ID: <23d958e3-2853-0eed-4d8e-0bf159c48c67@labs.htt-consult.com>
Date: Mon, 23 Nov 2020 11:42:49 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/tm-rid/-R1rwjVfL8iwhPsWkl-eus_jU-E>
Subject: [Drip] Authenticating DTLS with HHITs in DRIP

The 'P' in DRIP includes protocols used to support use of UAS Remote ID.

Currently two drafts contain proposed protocols for DRIP:

draft-moskowitz-drip-crowd-sourced-rid
draft-moskowitz-drip-secure-nrid-c2

DTLS is one of the security mechanisms presented in these drafts.

The registration protocol still needs to be developed as well, and it 
too may use DTLS (and/or TLS for Operator/Pilot registration).

The question here is how to authenticate DTLS with HHITs.

Currently, X.509 (rfc8002 style) is the only defined container for HHITs 
within DTLS.  These are 'easy' to create within a HHIT registration 
process.  But they are 'big' and this may be an issue in some 
constrained communication channels.

What will it take to directly support HHITs for DTLS authentication?

RFC7250 provides a mechanism for using the HI, but this is inadequate.  
The authentication process needs the hierarchy in a trusted method.

For now I am going to write the drafts to use 8002-styled X.509 certs.  
But I am asking people to work out a 'simpler' DTLS authentication 
mechanism that can use HHITs and/or the HDA 132 byte RID registration 
attestation (but still needed to be wrapped in an OID).

Now back to writing text for drip-arch sec 4....


Bob