Hi Goran and Hannes,
Thanks Hannes, for starting the discussion.
I am glad to contribute to this discussion, as one of the more
interested parties, co-author of est-coaps.
Looking at the charter of ACE, the following sentences seemed of
interest to me.
"As a starting point, the working
group will assume that access to resources at a resource server by a
client device takes place using CoAP and is protected by DTLS. Both
resource server and client may be constrained. This access will be
mediated by an authorization server, which is not considered to be
constrained."
" Note that the initial focus is on CoAP and HTTP
with DTLS and TLS. Other security protocols may be considered as long as
the primary focus is maintained."
It clearly states that for authorization and authentication CoAP and
DTLS are the first technologies that are investigated, followed by other
technologies.
Mapping this approach from authorization to certificate management, the
same text seems valid to me, and I consider the coap-est draft belonging
to the CoAP-DTLS focus and the eals draft belonging to other technologies.
They are complementary in my view.
Currently, many manufacturers are happy to use their "finally" working
DTLS implementation. They are reluctant to try anything new at this
moment. That motivates the writing of the coap-est draft.
That does not mean that manufacturers will not go over to new technology
in a later stage, once the advantages are clearer, and more experience
has been gained. Neither does it mean that all manufacturers are glued
to their current DTLS implementation.
Although ACE focuses on authentication and authorization, it is the WG
that looks after security for constrained devices, using RESTful
techniques, CoAP and TLS/DTLS; and as such I hope the "certificate
management" drafts fit in.
Looking forward to other reactions on this subject.
Peter
Göran Selander wrote on 2017-09-14 08:47:
Hi Hannes,
Now for the topic of comparing the certificate enrolment drafts.
draft-vanderstok-ace-coap-est proposes a very natural and significant
optimization of EST adapted to the established security setup for CoAP,
and I fully support that. There are overlapping authors between the
drafts, so clearly the drafts should not be seen in opposition to each
other.
The implicit question posed by draft-selander-ace-eals is the
following:
If we are considering one IoT variant of EST
(draft-vanderstok-ace-coap-est), should we also consider other variants
using the same enrolment procedure, which can be applied to a wider range
of IoT use cases and/or which are more favourable in settings with
constrained IoT devices?
Göran
On 2017-09-13 17:42, "Ace on behalf of Hannes Tschofenig"
<[email protected] on behalf of [email protected]> wrote:
Hi all,
in previous IETF meetings we had presentations on these two documents
and it appears that there is an overlap. So far we haven't had a lot of
discussions on these proposals on the list, but since there seems to be
interest from the folks attending the IETF meetings I am recommending to
have a discussion about the direction we should go with this work.
Any thoughts?
Ciao
Hannes
_______________________________________________
Ace mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ace