Re: [Uta] comments on draft-ietf-uta-tls13-iot-profile-04:
Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 05 April 2022 13:14 UTC
Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 429593A07CF; Tue, 5 Apr 2022 06:14:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=w1mcnRZu; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=w1mcnRZu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tVaES3i5SLwG; Tue, 5 Apr 2022 06:14:17 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04on0602.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0e::602]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D1363A230E; Tue, 5 Apr 2022 06:14:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4vDV6PG0JVs5Wm1U1pXz+aPZsbBekfkKtp64tUw6EFw=; b=w1mcnRZuOlzL2Qfj20/xZUmihoQdrJLgzes8FQNeR9FFB8Lr5ABpNPRw012ejPZ1aC3obiLXpo92BDTr5GEltY1VX/TjkZgzaPA4uaeLS99xOSh7wYTxL7IjFEUres7Ag95h8fC8M/c81Zz+VBCwgz463HeqAEjijQFdnZFhH6Y=
Received: from DB8PR06CA0065.eurprd06.prod.outlook.com (2603:10a6:10:120::39) by DB8PR08MB5482.eurprd08.prod.outlook.com (2603:10a6:10:116::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.31; Tue, 5 Apr 2022 13:14:11 +0000
Received: from DB5EUR03FT044.eop-EUR03.prod.protection.outlook.com (2603:10a6:10:120:cafe::68) by DB8PR06CA0065.outlook.office365.com (2603:10a6:10:120::39) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.31 via Frontend Transport; Tue, 5 Apr 2022 13:14:11 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;dmarc=pass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT044.mail.protection.outlook.com (10.152.21.167) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.19 via Frontend Transport; Tue, 5 Apr 2022 13:14:11 +0000
Received: ("Tessian outbound 2d401af10eb3:v118"); Tue, 05 Apr 2022 13:14:11 +0000
X-CR-MTA-TID: 64aa7808
Received: from 863281363310.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id A29AA6BB-BE7A-4546-8843-FB3A719D7DEC.1; Tue, 05 Apr 2022 13:14:05 +0000
Received: from EUR01-HE1-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 863281363310.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Tue, 05 Apr 2022 13:14:05 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gsHmPNcGp+EneFB/1u7ID15i+JamZYDwLkKnZOegrI4xIzrUYF9nXm806Q9FLFXqpkqAShzazEVPChAbWP4yToGS93kC+SO/tykOmMubD5pH+bH/vpZAY8CIx08yPJWNjM5YhXcTH7Dbo0E/sSsBKWk05nBvBDrw+kaJaW2OojAaaNcWe5leK8aPyAa1qzjHxyzL+r11Z5rCG+tWtVvpFRkUSEF1i0teXYdXohZdGxm2DKbOVQ89IZOEAAS7RjpHHbnr5IO9vCAjjB8nRfCT4yrm+z9bzaZfl9iGraB4jMi47K1+NgW3jAvCkCkeXWxCiUbodOFgDh5GM14VoFJhIA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=4vDV6PG0JVs5Wm1U1pXz+aPZsbBekfkKtp64tUw6EFw=; b=bihjpylqisWtWeygjZUTxD2lfcjU8fyh3KXCJmdmG2KhCh/dwl2i7El8RIS0ESo0ZLrM36Mx/6rjNMJcMm+BLxwW2QO6qeyLJYEAl9hDkxJnXjlbCfJjrKQgQWCtyf3cYOk15lvXJ3trTDsiYr9Jq2a4XUNpqsbUS5PiYqile6xC6e0/jJf2ubkj0R6KZ2GAKxkM9A5HMQBGPoG8f1R8m6R9KWEfTo7y0lnp+WbLLWpShaiDFwzEjw8jBC/kvqbM/ANRYbcUUjoWK4OjUF7OTLGGJvwJMmMGbSzQjbfxMKew8oDwXRL5Ieg9Bcd4oKEfWEJmjuRhgdHSrszAf/dwwQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4vDV6PG0JVs5Wm1U1pXz+aPZsbBekfkKtp64tUw6EFw=; b=w1mcnRZuOlzL2Qfj20/xZUmihoQdrJLgzes8FQNeR9FFB8Lr5ABpNPRw012ejPZ1aC3obiLXpo92BDTr5GEltY1VX/TjkZgzaPA4uaeLS99xOSh7wYTxL7IjFEUres7Ag95h8fC8M/c81Zz+VBCwgz463HeqAEjijQFdnZFhH6Y=
Received: from DBBPR08MB5915.eurprd08.prod.outlook.com (2603:10a6:10:20d::17) by AM6PR08MB3029.eurprd08.prod.outlook.com (2603:10a6:209:48::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5123.31; Tue, 5 Apr 2022 13:13:56 +0000
Received: from DBBPR08MB5915.eurprd08.prod.outlook.com ([fe80::5896:9eec:b108:9a3]) by DBBPR08MB5915.eurprd08.prod.outlook.com ([fe80::5896:9eec:b108:9a3%6]) with mapi id 15.20.5123.031; Tue, 5 Apr 2022 13:13:56 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "uta@ietf.org" <uta@ietf.org>, "core@ietf.org" <core@ietf.org>, "iotops@ietf.org" <iotops@ietf.org>
Thread-Topic: comments on draft-ietf-uta-tls13-iot-profile-04:
Thread-Index: AQHYQQ8Tl5SCPIlH50OtshMMmqm1sKzhTcWA
Date: Tue, 05 Apr 2022 13:13:56 +0000
Message-ID: <DBBPR08MB59151F2A0B32F20498183743FAE49@DBBPR08MB5915.eurprd08.prod.outlook.com>
References: <59686.1648298525@dooku>
In-Reply-To: <59686.1648298525@dooku>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: AEB3AD913158E44A9714B21F0E971E76.0
x-checkrecipientchecked: true
Authentication-Results-Original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
X-MS-Office365-Filtering-Correlation-Id: 9f2a9c71-f156-4d25-c932-08da17062cd4
x-ms-traffictypediagnostic: AM6PR08MB3029:EE_|DB5EUR03FT044:EE_|DB8PR08MB5482:EE_
X-Microsoft-Antispam-PRVS: <DB8PR08MB548227121633B7516B6835A1FAE49@DB8PR08MB5482.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: xcgcpUH50W+skE1BZADRRi4SF4Iwg6HtvhuLQgCX+0AMhctdHIg4sLUcZ9Cj89jDUMWa06ubo/4R5CCiKmBqtUJu8WEHMK2Hlr+qy4jD+RBe8ugv5uKaLezbTwjhLbmOBs1s4lHgnxKE2hyENQ2Z+mURR6g6E5r2B5TXEaq2De0uRtpKqnysjcjd8v4ndyULKXoNhc+09gJquLoDq3TrLgd8KT+yZmXMdcfMvHjkBx3iX97rtvT6jpbbgmtEX0mfK4UfM3IBzH9WLXcUNaual9o0y0a3PQq1IrYQueFf8EV5JvytaJiuhUzdlA45eKjS81IOCnfI7AdXFxQAtQTXvNzKjq7DI/1Cb/CLJA0aGLAc1T4fMKpd8RGrQ4uolV37kOGxknlZMraAgzh7eiZAp4o8yw+XyHsvxkr7TRpKStx1CuQdlv/E3qAyO/7H3WszN3uVuf3BCKzwvh19dJ5lpq/ZZW3sXkfd+dqhYwurlfELwxVQ4+sC2CDF1qGl7mkho0XuOKeNm1JFqM0P3MmMED2WfKVnPndgNJJKrH1lAxehZtIqkkwoqBUU6dLBzAbn5VTggdWhM0Ebz3ogGNsJnMvgSuimO5JD4TMW3DsSbGyDYE/M6Jr8oYnikQg/VRge3tRybpZGRU9665NZGJYB/LKva4fr12lJRjeDOa1QlZghlyKPfdjAi4G/BgJM1WS9FBK7OHz5253kaeoCu3VTzQ==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DBBPR08MB5915.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(508600001)(66476007)(66446008)(64756008)(76116006)(38100700002)(7696005)(6506007)(8676002)(53546011)(66556008)(66946007)(186003)(26005)(9686003)(55016003)(33656002)(66574015)(71200400001)(83380400001)(122000001)(110136005)(52536014)(2906002)(86362001)(38070700005)(5660300002)(316002)(8936002); DIR:OUT; SFP:1101;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR08MB3029
Original-Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT044.eop-EUR03.prod.protection.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: 04bf44ab-94f3-426f-922a-08da17062405
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: rv0PUXao+dtUokxBfMk5rcWvIOeIE1rWxAmumkYnalAqgsQY/eJ0tPMG+SgWXGwImqwxzUeeuJd0+G4xe1MLTfbcstXQRCga7SGjDoYmUC8DR6nhp8NbTpdVkyAQ4CluWqteQgO53TR3L35MhEDleFSIJpIpg0d8DFSddxyfWOcqGLkJvW8O9uH9Zw9dW7yJrBPtTtDvXq22OJwuRSGznRtEotPTIkXpdz/m7GBq7lYKj5ek4YordG+YhuZBrzX/2lnV1TmWJ+sIkgqO3GLGc2CbfpnH9+JMUMhaHQGEQFL9pvo8RdSR3pC1HQyL7g3043tH5lwJbginnfEU5BNxLl8lZWTROuEAKp05VqbOFVyg9S9qFlsxgLCKahav0vVOS4rsIGs51oHT6tMhR1PTgOBd559P9awsi5aFuZMlhdyHGUHspU3YCwC+YlAsV2n5rglA1aT0rs7yJuVaPYaaVXmW/GYLWtEDgUcGI+7ZX7J9tozUDxerikM0HJPwUjAA4EMVSdaIb+bel9mjxI1S8TfXUNDp4xJ/AdCjHAzs1Xw6Ccs3vDFxcoQzOIv+cdv9Qi0nTq6tbPASX0krVgVyFxoKx4YxARk+TzezvHTpvrod9LPrOBmpyOuuTVSe2RL8MSqfEsiL0/nm7mfbgdkiQlxZY8lWj3tkpbkYfy7gRrWuIx+IeJK2+JvbHQtE8mG5
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(13230001)(4636009)(40470700004)(46966006)(36840700001)(336012)(26005)(186003)(53546011)(70586007)(36860700001)(83380400001)(47076005)(70206006)(40460700003)(8936002)(2906002)(66574015)(86362001)(81166007)(450100002)(52536014)(33656002)(5660300002)(8676002)(356005)(110136005)(82310400005)(508600001)(316002)(7696005)(9686003)(6506007)(55016003); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Apr 2022 13:14:11.5575 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 9f2a9c71-f156-4d25-c932-08da17062cd4
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: DB5EUR03FT044.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8PR08MB5482
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/eYVFLqTZrH7xNp6M5q8kzcowFlc>
Subject: Re: [Uta] comments on draft-ietf-uta-tls13-iot-profile-04:
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Apr 2022 13:14:23 -0000
Hi Michael, Thanks for your review. Let me provide you my remarks below. -----Original Message----- From: Michael Richardson <mcr+ietf@sandelman.ca> Sent: Saturday, March 26, 2022 1:42 PM To: uta@ietf.org; core@ietf.org; iotops@ietf.org Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com> Subject: comments on draft-ietf-uta-tls13-iot-profile-04: I read draft-ietf-uta-tls13-iot-profile-04 today. Thank you Hannes for presenting it at IOTOPS. To be, it is precisely this kind of thing that IOTOPS was created for. 1) I feel that the 4.25 Too Early allocation for CoAP could use a bit more explanation, and probably there needs to be some more clear review at CORE. (maybe it already happened and I missed it?) Reading through the lines, it appears that a server that can't handle early data needs to send an error code. But such a server probably doesn't know about the error code. I would have thought it should just hang on to the data until the (D)TLS negotiation is complete. I'm also concerned that this requires too much cross-layer communication between DTLS layer and CoAP layer. [hannes] With the design we are following the corresponding design of HTTP. Thomas has sent a mail already to solicit feedback. 2) A long thread at LAMPS two years suggests that the term "Intermediate CA" applies only to cross-certification authoritiy bridges, and the term "Subordinate CA" should be used. That this is consistent with history going back to RFC4949. [hannes] We can note in the terminology section that the terms "Intermediate CA" and "Subordinate CA" are used interchangeably in this document because with regards to this document the distinction is not relevant. 3) While section 10 on SNI does not say *how* to use DoH or DPRIVE to provide for confidentiality of names that are looked up, a naive use of DoH with Google/Cloudflare/etc. by IoT devices would be a problem for almost all enterprises that wish to filter the DNS used by IoT devices, and to use DNS canaries to identify malware. Given that such an involved discussion is not in scope for this document, it might be better just to refer to the ADD WG without mentioning specific solutions. I am, in general, not convinced that encrypted SNI serves any purpose for most IoT devices. [hannes] Major IoT service providers have cared about hiding client identity information by utilizing session resumption in TLS 1.2 to accomplish what is now available in TLS 1.3 with earlier encryption of handshake messages. While I personally haven't heard anyone asking for SNI encryption yet, I expect the same companies who cared about hiding the client identifiers to also take a look at the SNI encryption. While there are pros and cons of using these mechanisms, I am only suggesting to reference ongoing IETF work. Companies then need to decide whether a specific solution matches their requirements. 4) section 15 There is much discussion about what goes into the certificates. I didn't really understand why that is in this document. Validation of server certificates is well covered in RFC6125, I think. [hannes] In my experience, validation of server certificates has been a source of confusion in IoT and RFC 6125 does not talk about the use of IoT protocols like CoAP and MQTT. I have seen various companies and organizations creating their own profiles of RFC 6125 in the past, which has resulted in the text of this section. Validation of client certificates (whether factory provisioned IDevIDs, or locally enrolled LDevIDs) is a topic that I care a lot about, and this text is inadequate. As the (industrial) IoT market embraces IDevID certificates, there is some concern that different markets will put different requirements on IDevID contents. So far it does not appear that anyone has created a situation where a single (fat) IDevID certificate couldn't be used in a variety of market verticals, the concern remains. It was my intention to introduce a document about this issue. I think that it's something that only the IETF can do. Perhaps that would fit into this UTA document, or perhaps parts of this section 15 goes into another document. [hannes] This section was difficult to write because - there are lots of different IoT verticals, - companies often do not want to share information about what they do in their deployments, and - there are many different identifier formats. It would, of course, be worthwhile to ask around again to see what current deployments are using. I could check the public documentation of major IoT service providers to get this process started. Ciao Hannes IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
- [Uta] comments on draft-ietf-uta-tls13-iot-profil… Michael Richardson
- Re: [Uta] comments on draft-ietf-uta-tls13-iot-pr… Thomas Fossati
- Re: [Uta] comments on draft-ietf-uta-tls13-iot-pr… Michael Richardson
- Re: [Uta] comments on draft-ietf-uta-tls13-iot-pr… Thomas Fossati
- Re: [Uta] comments on draft-ietf-uta-tls13-iot-pr… Hannes Tschofenig
- Re: [Uta] [Iotops] comments on draft-ietf-uta-tls… Michael Richardson