IETF Logo Mail Archive

Re: [Uta] comments on draft-ietf-uta-tls13-iot-profile-04:

Thomas Fossati <Thomas.Fossati@arm.com> Fri, 01 April 2022 18:18 UTC

Return-Path: <Thomas.Fossati@arm.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 604D13A111F; Fri, 1 Apr 2022 11:18:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=IYOB+4ke; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=IYOB+4ke
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9fDR7F95fx1U; Fri, 1 Apr 2022 11:18:06 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-he1eur02on0615.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe05::615]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 051413A1255; Fri, 1 Apr 2022 11:18:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=O0PkCzqgaFuvcHlaLv1lgrJK7cwu0MJtxhpjaN2AXBY=; b=IYOB+4keyFW/dFU86uYvadH48WCwmBSnifJ/+o+K9kkTomd+V2xkHEc8uL9RqXFmroApheraGC7+3CcV2Ur5awJsbyb1cZjDS1RKm5b+MhIjdPdzd7KkzMvoDVYnkGRBaWmer3Os1ByOOvKF1u+TFJ0g/k+3PYKzyIHUYiK2rF4=
Received: from AS9PR06CA0347.eurprd06.prod.outlook.com (2603:10a6:20b:466::33) by AM0PR08MB4259.eurprd08.prod.outlook.com (2603:10a6:208:145::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.19; Fri, 1 Apr 2022 18:17:59 +0000
Received: from VE1EUR03FT045.eop-EUR03.prod.protection.outlook.com (2603:10a6:20b:466:cafe::47) by AS9PR06CA0347.outlook.office365.com (2603:10a6:20b:466::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.29 via Frontend Transport; Fri, 1 Apr 2022 18:17:59 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;dmarc=pass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by VE1EUR03FT045.mail.protection.outlook.com (10.152.19.51) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.19 via Frontend Transport; Fri, 1 Apr 2022 18:17:58 +0000
Received: ("Tessian outbound 9511859e950a:v118"); Fri, 01 Apr 2022 18:17:58 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: 8408f5b99a3c08fa
X-CR-MTA-TID: 64aa7808
Received: from dba2269c0b6f.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 7295113E-D435-46C3-AF11-CBCCC86048C2.1; Fri, 01 Apr 2022 18:17:52 +0000
Received: from EUR05-AM6-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id dba2269c0b6f.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Fri, 01 Apr 2022 18:17:52 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TcljTwBh/HxCEmM9J01QCPsmiuy3ve6zYpBHh4gXWID0Ztu9kchuZbXUiF9Kd/IwYMm7wPwVJwD3vM78fI8A2KCn0MKVuwxJJR6bLl1RI2wC9pcMGFCICZP89/sMZLYYLxlFYHZWD+1q3FKHXdGURyjbvi0mmKnbxnqpOzw2NEm6TgTHsVtkpSSc3USAuf9qcqk2QIdyOMZpRWQ0oBS4pJcaGuDx2qOboD//vWGE6rW8j3L5AYNPzN5E4nIiz1FVvskIf+M/lzYNr0E2U5RFSbPagRx0DF5V5bGrlCxHOA2RkD18l1DFVK9b8sgLkRrYJLTQTBKs3yr2s0jeCWabhw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=O0PkCzqgaFuvcHlaLv1lgrJK7cwu0MJtxhpjaN2AXBY=; b=lwkTgUA71OIjdTgXkj2IxqcNw1wJyX4wAnWKYWaPdRIWAjoOhtU+jnIU8m0krcIoPiKV07vbaY4XnW9MoEY/cHff0U7NU08QLbJWke3uxcNl9rXMqW9XdeJb7Sft1KOk8SVPbr8mHw7mldz80mjihdqgaa0NFje+R5vwLo7zqiUuxmaNxY6g+4JlYbTTQGA4YzHFLafkVUkWeiivi8t+PnWxBOTy21SqjGzMDBt6QhnBR5Hf1zU1jjvVBkaeo2aXRLESHCVbkf+4gMCE9XQJHIOGeXeh421r4seCgxRcFpmQsMFdQQfxLZjEgM2MVedw1nyWBuxOVKCFepZFpbiymg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=O0PkCzqgaFuvcHlaLv1lgrJK7cwu0MJtxhpjaN2AXBY=; b=IYOB+4keyFW/dFU86uYvadH48WCwmBSnifJ/+o+K9kkTomd+V2xkHEc8uL9RqXFmroApheraGC7+3CcV2Ur5awJsbyb1cZjDS1RKm5b+MhIjdPdzd7KkzMvoDVYnkGRBaWmer3Os1ByOOvKF1u+TFJ0g/k+3PYKzyIHUYiK2rF4=
Received: from DB9PR08MB6524.eurprd08.prod.outlook.com (2603:10a6:10:251::8) by DB6PR0801MB2117.eurprd08.prod.outlook.com (2603:10a6:4:2e::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.28; Fri, 1 Apr 2022 18:17:49 +0000
Received: from DB9PR08MB6524.eurprd08.prod.outlook.com ([fe80::3855:7d6a:1c7a:3caf]) by DB9PR08MB6524.eurprd08.prod.outlook.com ([fe80::3855:7d6a:1c7a:3caf%7]) with mapi id 15.20.5123.021; Fri, 1 Apr 2022 18:17:49 +0000
From: Thomas Fossati <Thomas.Fossati@arm.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "uta@ietf.org" <uta@ietf.org>, "core@ietf.org" <core@ietf.org>, "iotops@ietf.org" <iotops@ietf.org>
CC: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Thread-Topic: [Uta] comments on draft-ietf-uta-tls13-iot-profile-04:
Thread-Index: AQHYQQ8SXUD3S8GbJUG5aEyBI3Kt16zbZrUb
Date: Fri, 01 Apr 2022 18:17:47 +0000
Message-ID: <DB9PR08MB652404F2CC3773FA66BC89229CE09@DB9PR08MB6524.eurprd08.prod.outlook.com>
References: <59686.1648298525@dooku>
In-Reply-To: <59686.1648298525@dooku>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
X-MS-Office365-Filtering-Correlation-Id: 6e92082e-adf5-4a4d-f98c-08da140bf3a2
x-ms-traffictypediagnostic: DB6PR0801MB2117:EE_|VE1EUR03FT045:EE_|AM0PR08MB4259:EE_
X-Microsoft-Antispam-PRVS: <AM0PR08MB4259EDD835804F87609FD5409CE09@AM0PR08MB4259.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: AeJc+NkWoEmZfzAwrqBOUpgIKLxlYx5i4NWDAY3zfQdWMrDs8juuqIjBE4CHC2alr8kSJ2jDjJKGLSlf2cluvflWPWTu+dY6VxdGkYzRSpLkxAc+5xIlXXn3RhVOGH9JERzQKIUA9UQ1OgdS6/D6OJw1Imq17Zf2l4A97jsVNMn8mRM/O9yAZO0Kt0sRv6m7Xc+KPQAv3EwUnlcOfu4kgK80m+7u6tIVMp28jAw8SqciTG2G8IDg8KsVLzQKTR4LaulH9u3z1w5sraPrHj8wYk+SDx5gWfpCnG0z0y5MLhIn0q4QXEEKEY8H1tGYX7+K28mvz6NCZSh5InmMGIHL2USh/FsBtijMM3GiKiOzvfkJo4s2hJ22UwJplSmjzQwdLvRzpAFo7LgWjNhl5+sZG/eAdAAlvJwayGC5iNHm4WdNgqTe+kx8lh1Dz4TnPIyZbO7pRt/Gx5Er4xTA6/fFX2R0uqtOoNeMQKE2Spq2rhA9eXnh2FotTSpG1dVGDp99YCVKPIn40+Zo7CMUJZEhXpITVK6p4D4Vvmh2wQAUZJuaF/iwnDDPHCLjRllFGjfmXkjYhSR04gxwofK0U5crifXmxDRxiKFCFzIM7fhBlnRqbXmswf8o4qZTolFypY+gKMEnYDxubz6pu3ggf4fq/lxdayi/7fOmrn5VOzSgCDkk6NAG/O5HZw1BNI7xazgdRDn6T3CSUsRJHYrb1oJGktHr4fVMIM3rX4FZAH794V/lfXA9RoI3C4axDfSm4m9wIK85/RPA5U3MPClwxM4jw8nSBlNjRUTudzoGXxwwMEcHBOYmVh6azuyw7ULA76z+ywua8ZggfTWFbBDg70H/RQ==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB9PR08MB6524.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(66574015)(52536014)(86362001)(71200400001)(4326008)(66446008)(8676002)(76116006)(64756008)(38070700005)(66476007)(66946007)(66556008)(91956017)(9326002)(186003)(26005)(2906002)(316002)(33656002)(9686003)(7696005)(6506007)(55016003)(5660300002)(8936002)(508600001)(83380400001)(966005)(122000001)(110136005)(38100700002); DIR:OUT; SFP:1101;
Content-Type: multipart/alternative; boundary="_000_DB9PR08MB652404F2CC3773FA66BC89229CE09DB9PR08MB6524eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6PR0801MB2117
Original-Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: VE1EUR03FT045.eop-EUR03.prod.protection.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: 645b528f-bc41-4eda-acb5-08da140bedaf
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: Zdt5aBZuffHHNeCj6RhEXAGKSBJdDYyWMVns/SzTCA3ZUZD2/GBJ8aAD8uUyzudTRasEQi2bOIhSrtouzNUtdLBlxnLbBxJeiAx1dGKWFPxsEJuXvrH/vJs4nlgDzxjBQGqv1EAQZRyrNIwHzCvEY9LUKdBgPVbzWsql+69Inf/9pIqupKwM4nqGvCYbHZ8UzK345nzJVeLsSQuLUlIGvKJWsYF2LnhVYoLihiBvu2xY4Cvb/OTHbn9dkKoJ1LWIuCU+n18BEa4+kzeqDZaHp8iJImBh169TERrWc0f7KCyUjEdozVO0Ymou2nbR5+cV0abgH5qqbS9xSCXAjGcLoXf0A3OqYvLTDa4q4rum0EaPLu9Ges1u9Xp9GhMTp9F4hhrMPqdHPnqyWyOHn9jQdruINl/+/k34+z/AfR/aCOd9t35rEuxsVGPvwmyRjlh7mKx45SJmVqLt/D5rDn7WpVITMTyTuMzUz4ZQO8Xlg1g0f5lcrK533PyqfKAT0DXYMOUW0ViF1xUTD9yLZ6zq2ZoYd7W02OtVdKC9rdECZTLy0y7x2WULrAT/fG3iHeWWqeRFinvyY4kr2UkY03fI0gRSCyyj/+83fMHno+BNrzmbmlYJ3zzHDYZilePxGCEubh/oMKVZ34cgD9LNNWZgGjfzMia1ORcRgn7VfcC8WvV00vMCjjngQyCCIiIuFI6/qfrAKPyo6ds/oiuO8KYnV2NVyhASGzCLaKkKjBySES43/s6/pQ+CzkqB96Vez627YnUj8FdbMlA5Wy4R3Fj8OdkwWowLIUNBrTqC48L51Ho=
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(13230001)(4636009)(40470700004)(46966006)(36840700001)(40460700003)(82310400004)(2906002)(33656002)(966005)(36860700001)(316002)(356005)(110136005)(6506007)(9686003)(450100002)(70206006)(5660300002)(8936002)(86362001)(26005)(83380400001)(9326002)(52536014)(55016003)(508600001)(4326008)(7696005)(186003)(336012)(70586007)(47076005)(8676002)(66574015)(81166007); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Apr 2022 18:17:58.9055 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 6e92082e-adf5-4a4d-f98c-08da140bf3a2
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: VE1EUR03FT045.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB4259
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/8rZYYFtmvEUyM-OaT0fWroPHdUI>
Subject: Re: [Uta] comments on draft-ietf-uta-tls13-iot-profile-04:
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Apr 2022 18:18:11 -0000

Hi Michael,

Thanks a lot for the great input.

> Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>
> 1) I feel that the 4.25 Too Early allocation for CoAP could use a bit
>    more explanation, and probably there needs to be some more clear
>    review at CORE.  (maybe it already happened and I missed it?)

I sent an email to CoRE [1] a while ago to try and get some informed
reviews but no one replied.  I will re-send.

[1] https://mailarchive.ietf.org/arch/msg/core/Dair8lAqEZ1h8xU6jsz053aqcOg/

>    Reading through the lines, it appears that a server that can't
>    handle early data needs to send an error code.  But such a server
>    probably doesn't know about the error code.

The option is marked critical so if the server does not understand, it
will reject with 4.02.  If it understands it and does not want to serve
the resource (say, because there is some associated state change) it
will reject with 4.25 (or whatever number IANA will assign to this
response code).  In either cases, the client will not repeat an "early
data" request for that resource.

>    I would have thought it should just hang on to the data until the
>    (D)TLS negotiation is complete.

That's an implementation choice.

>    I'm also concerned that this requires too much cross-layer
>    communication between DTLS layer and CoAP layer.

It doesn't seem the case to me: the indication is carried within the CoAP
request so it just flows end to end from an application endpoint to the
other.  But maybe I am missing something.  Can you unpack your
concern a bit more?

> 2) A long thread at LAMPS two years suggests that the term
>    "Intermediate CA" applies only to cross-certification authoritiy
>    bridges, and the term "Subordinate CA" should be used.  That this
>    is consistent with history going back to RFC4949.

Noted [2]

[2] https://github.com/thomas-fossati/draft-tls13-iot/issues/20

> 3) While section 10 on SNI does not say *how* to use DoH or DPRIVE to
>    provide for confidentiality of names that are looked up, a naive
>    use of DoH with Google/Cloudflare/etc. by IoT devices would be a
>    problem for almost all enterprises that wish to filter the DNS used
>    by IoT devices, and to use DNS canaries to identify malware.
>
> Given that such an involved discussion is not in scope for this
> document, it might be better just to refer to the ADD WG without
> mentioning specific solutions.
> I am, in general, not convinced that encrypted SNI serves any purpose
> for most IoT devices.

Noted [3]

[3] https://github.com/thomas-fossati/draft-tls13-iot/issues/21

> 4) section 15
>    There is much discussion about what goes into the certificates.  I
>    didn't really understand why that is in this document.  Validation
>    of server certificates is well covered in RFC6125, I think.

Section 15 is an attempt to clean up the cert profile we did in RFC7925.
IIRC, John Mattsson asked for this because 7925 was a bit rough around
the corners and there were a bunch of things that needed clarification.

> Validation of client certificates (whether factory provisioned
> IDevIDs, or locally enrolled LDevIDs) is a topic that I care a lot
> about, and this text is inadequate.
>
> As the (industrial) IoT market embraces IDevID certificates, there is
> some concern that different markets will put different requirements on
> IDevID contents.  So far it does not appear that anyone has created a
> situation where a single (fat) IDevID certificate couldn't be used in
> a variety of market verticals, the concern remains.
>
> It was my intention to introduce a document about this issue. I think
> that it's something that only the IETF can do.  Perhaps that would fit
> into this UTA document, or perhaps parts of this section 15 goes into
> another document.

This looks to me like it'd be a great addition to this document.
I've opened [4]; we can discuss about scope there if you want.

Cheers, thanks again!

[4] https://github.com/thomas-fossati/draft-tls13-iot/issues/22


IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email