[Uta] IoT profile - input needed

Thomas Fossati <Thomas.Fossati@arm.com> Wed, 10 February 2021 22:02 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/J3tkc60BYh_Zt4ymm4f6BqIhEUA>

Hi, all,

We are updating the IoT profile draft and wanted to gather some input on
the following three topics:

1. Reliance on SW updates for certificate status information instead of
   CRLs and OCSP

7925 Section 4.4.3 says:

   For certificate revocation, neither the Online Certificate Status
   Protocol (OCSP) nor Certificate Revocation Lists (CRLs) are used.
   Instead, this profile relies on a software update mechanism to
   provision information about revoked certificates.

This still looks like a sensible approach, but it's worth checking
whether practice has deviated from the assumption.

If so, it's also probably better to strengthen it a bit and make it an
explicit recommendation.

2. Requirements on serial number randomness

7925 Sec. 4.4.4 (Table 1) has:

   serialNumber | Positive integer unique per certificate.

which is a bit too terse (is it unique within a given CA?  If so, this
is vanilla 5280 which is probably not worth restating) and, most
importantly, it says nothing about entropy.

Should we have something here about recommending at least 64 bit,
similar to the CA/B baseline requirements?

3. Requirements on cert naming

RFC 7925 Sec. 4.4.2 says:

   For client certificates, the identifier used in the SubjectAltName or
   in the leftmost CN component of subject name MUST be an EUI-64.

This looks problematic as it's at the same time too rigid - the MUST
doesn't permit deviation - and too loose, glossing over the details of
how the EUI-64 is actually encoded.

When used in the CN, i.e., as printable string, it looks like it's
sensible to assume that the IEEE guidelines for EUI-64 apply (the usual
"01-23-...-cd-ef" or "0123...cdef"), and that might be the case for the
SAN as well, stuffing it into a dNSName.

Does that sound reasonable?  Are you aware of any other practice?

We should drop the MUST as it doesn't make a lot of sense to constrain a
deployment WRT its naming conventions.  Besides, other standards have
emerged or gained traction in the IoT space that require populating the
SAN differently (e.g., GSMA eUICC uses registeredID, IEEE DevID uses
otherName of type hardwareModuleName).


Let us know.  We plan to incorporate any feedback and submit a new
version in the next couple of weeks.

Cheers, thank you very much!
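As an added illustration of topics 2 and 3 above (example code, not part of the mail or the draft): a checker for the two properties discussed, a serialNumber that is positive and carries at least 64 bits (the CA/B floor the mail suggests borrowing, bounded above by RFC 5280's 20-octet limit), and a client identifier that is an EUI-64 in either IEEE text form, taken from a SAN dNSName or the leftmost CN. The 65-bit serial construction and the two EUI-64 regexes are this example's own choices, not anything RFC 7925 prescribes.

```python
import re
import secrets
from typing import List, Optional

# RFC 7925 Table 1: positive integer. RFC 5280: DER INTEGER of at most 20 octets.
# 64-bit floor mirrors the CA/B baseline requirement the mail proposes; it is a
# necessary check only, since a long serial says nothing about the generator.
MIN_SERIAL_BITS = 64
MAX_SERIAL_OCTETS = 20

# IEEE EUI-64 text forms cited in the mail: "01-23-...-cd-ef" or "0123...cdef".
EUI64_HYPHEN = re.compile(r"^([0-9A-Fa-f]{2}-){7}[0-9A-Fa-f]{2}$")
EUI64_PLAIN = re.compile(r"^[0-9A-Fa-f]{16}$")


def serial_number_ok(serial: int) -> bool:
    """True when serialNumber is positive, >= 64 bits, and DER-encodable in 20 octets."""
    if serial <= 0:
        return False
    # DER INTEGER needs the magnitude bits plus one sign bit, rounded up to octets.
    der_octets = (serial.bit_length() + 8) // 8
    return serial.bit_length() >= MIN_SERIAL_BITS and der_octets <= MAX_SERIAL_OCTETS


def new_serial_number() -> int:
    """64 CSPRNG bits with one fixed bit above them: always positive, entropy intact.
    (Construction chosen for this example; other layouts are equally valid.)"""
    return (1 << MIN_SERIAL_BITS) | secrets.randbits(MIN_SERIAL_BITS)


def parse_eui64(text: str) -> Optional[bytes]:
    """Decode an EUI-64 in either IEEE text form to its 8 octets, else None."""
    if EUI64_HYPHEN.match(text):
        return bytes.fromhex(text.replace("-", ""))
    if EUI64_PLAIN.match(text):
        return bytes.fromhex(text)
    return None


def client_identifier(subject_cns: List[str], san_dnsnames: List[str]) -> Optional[bytes]:
    """RFC 7925 4.4.2 as the mail reads it: the EUI-64 sits in a SAN dNSName or in
    the leftmost CN (subject_cns is in textual order, leftmost first)."""
    for name in san_dnsnames:
        eui = parse_eui64(name)
        if eui is not None:
            return eui
    if subject_cns:
        return parse_eui64(subject_cns[0])
    return None
```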