> -----Original Message-----
> From: Ace <ace-boun...@ietf.org> On Behalf Of Hannes Tschofenig
> Sent: Wednesday, December 12, 2018 8:01 AM
> To: Panos Kampanakis (pkampana) <pkamp...@cisco.com>; Michael
> Richardson <mcr+i...@sandelman.ca>; ace@ietf.org; an...@ietf.org
> Cc: Peter van der Stok <stokc...@bbhmail.nl>; Max Pritikin (pritikin)
> <priti...@cisco.com>
> Subject: Re: [Ace] est-coaps clarification on /att and /crts
> 
> Hi Panos, Hi Michael,
> 
> > We want all our clients to be authenticated by DTLS before they start loading
> > up our RF network.
> > I'm not suggesting that the DTLS be skipped, I'm suggesting that the client
> > certificate presented might be meaningless to the EST server.
> 
> I am curious what security model you have in mind? If you don't do client
> authentication then you are essentially issuing certificates to an anonymous
> entity. This feels like a very bad idea, particularly since the CA is supposed to
> assert the identifier of the client via the certificate.
> 
> What am I missing here?

Hannes, 

What you are missing is that the question is not about issuing the
certificate.  That is going to require client authentication.  What is being
looked at is getting the list of trust anchors or the template for a
certificate request based on an anonymous client.

Jim

> 
> Ciao
> Hannes
> 
> 
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
