Hi Hannes, It is interesting to note that during the last 6 months there seems to be very little activity to encourage discussion or reviews of the drafts which actually are in scope of the current ACE charter. For example, what do people think about the overlaps between the two publish-subscribe profiles (draft-sengul-kirby-ace-mqtt-tls-profile vs. draft-palombini-ace-coap-pubsub-profile)? Instead, you as co-chair of ACE encourage the WG to discuss two drafts about certificate enrolment, a topic which is not even mentioned in the current charter.
As co-author of one of the drafts in the subject of this mail I of course welcome the discussion, but it is important that this thread does not to distract the ACE WG from working according to its charter on its missed milestones. Now for the topic of comparing the certificate enrolment drafts. draft-vanderstok-ace-coap-est proposes a very natural and significant optimization of EST adapted to the established security setup for CoAP, and I fully support that. There are overlapping authors between the drafts, so clearly the drafts should not be seen in opposition to each other. My view of the potential contribution with draft-selander-ace-eals (which is a first sketch we made in the spring, and which I recently stepped in revision just to keep alive) is twofold: 1. It discusses the generalisation of EST to application layer security. The enrolment procedure in EST is in principle not dependent on what layer authentication takes place, provided there is security end-to-end between the endpoint making the enrolment request and the endpoint providing the certificate. As we know, there are common IoT settings where security on transport layer does not go end-to-end because of gateways or proxies or because of change of underlying layers, which is the reason for proposing this complement on the application layer. As to the actual enrolment procedure, it may well be the same in both cases of transport layer security or application layer security. 2. In a second independent component (section 3.2), the ACE framework is applied to authorise and provide keys to the endpoints involved in the enrolment, after which the very same enrolment procedure can take place. This shows a more lightweight key establishment than with a key exchange protocol (such as the DTLS handshake or EDHOC) with fewer and smaller messages, and less public key operations, all of which are favourable properties in constrained environments. The implicit question posed by draft-selander-ace-eals is the following: If we are considering one IoT variant of EST (draft-vanderstok-ace-coap-est) should we also consider other variants using the same enrolment procedure, which can be applied to a wider range of IoT use cases and/or which are more favourable in settings with constrained IoT devices? Göran On 2017-09-13 17:42, "Ace on behalf of Hannes Tschofenig" <[email protected] on behalf of [email protected]> wrote: >Hi all, > >in previous IETF meetings we had presentations on these two documents >and it appears that there is an overlap. So far we haven't had a lot of >discussions on these proposals on the list but since there seems to be >interest from the folks attending the IETF meetings I am recommending to >have a discussion about the direction we should go with this work. > >Any thoughts? > >Ciao >Hannes > >_______________________________________________ >Ace mailing list >[email protected] >https://www.ietf.org/mailman/listinfo/ace _______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
