I support the addition of draft-selander-ace-coap-est-oscore in the Charter as it introduces OSCORE with its advantages in constrained environments for EST which is already standardized in EST-coaps in ACE.
As I have said before, I oppose the addition of CMPv2 over COAP in the charter. Summarizing the reasons here again for brevity: - we should not repeat the mistakes of the past and introduce multiple protocols doing the same thing (cert enrollment or management) over COAP unless there is a compelling reason. To answer your other question Daniel, I dont think we need a new certificate management protocol at this stage. - I am not convinced of the technical advantages of using CMPv2 over COAP in constrained environments. - I have not seen overwhelming support for the draft in the list other than Michael saying why not and Steffen and Hendrik (from Siemens) clearly supporting it. Also, minutes from IETF-108 say DM: Objections to doing this work? No objections registered. I was not there to oppose, but I would not call that overwhelming active support either. - it is not clear who intends to use and implement the draft. If it is a one or two vendor thing then I dont think ACE should spend the cycles. I have not seen many people chiming in that want to the draft and are willing to review. Rgs, Panos From: Ace <ace-boun...@ietf.org> On Behalf Of Göran Selander Sent: Tuesday, November 03, 2020 5:06 AM To: Daniel Migault <mglt.i...@gmail.com>; Ace Wg <ace@ietf.org> Subject: Re: [Ace] Charter discussion Hi Daniel, and all, Some comments on the proposed charter and your mail, sorry for late response. 1. The Working Group is charged with maintenance of the framework and existing profiles thereof, and may undertake work to specify profiles of the framework for additional secure communications protocols I take it this text covers (should the WG want to adopt): * draft-tiloca-ace-group-oscore-profile * an ACE-EDHOC profile (i.e. the POST /token response and the access token provision information to support authentication with EDHOC, e.g. raw public key of the other party). Such a profile could provide good trust management properties, potentially at the cost of a larger access token etc. Right? 2. In particular the discussion might revive a discussion that happened in 2017 [2] - when I was not co-chair of ACE -and considered other expired work such as [3]. Please make this discussion constructive on this thread. As I remember it, the outcome of this discussion was in line with the mindset of EST that it is beneficial to re-use authentication and communication security appropriate for actual use case. If coaps is suitable for a particular use case, then it makes sense to protect also the enrolment procedure with this protocol. But whereas the security protocol is coaps instead of https, the enrolment functionality and semantics should reuse that of EST, possibly profiled for the new setting: [4]. In the same spirit there was support at the meeting [2] to specify protection of EST payloads profiled for use with OSCORE as communication security protocol, together with a suitable AKE for authentication. Following the adoption of EDHOC in LAKE this work has now been revived [5]. IMHO the reasoning above still makes sense. With this in mind, and taking into account recent discussion on the list, perhaps this part of the charter: The Working Group will standardize how to use Constrained Application Protocol (CoAP) as a Transport Medium for the Certificate management protocol version 2 (CMPv2). should be rephrased or complemented with the reasoning above, for example: The scope of the Working Group includes profiles of the Enrolment over Secure Transport (EST) transported with the Constrained Application Protocol (CoAP) Thanks Göran [4] <https://tools.ietf.org/html/draft-ietf-ace-coap-est> https://tools.ietf.org/html/draft-ietf-ace-coap-est [5] https://tools.ietf.org/html/draft-selander-ace-coap-est-oscore On 2020-10-15, 19:50, "Ace" <ace-boun...@ietf.org <mailto:ace-boun...@ietf.org> > wrote: Hi, I would like to start the charter discussion. Here is a draft of a proposed charter [1]. It seems to be that additional discussion is needed with regard to the last paragraph related certificate management. In particular the discussion might revive a discussion that happened in 2017 [2] - when I was not co-chair of ACE -and considered other expired work such as [3]. Please make this discussion constructive on this thread. The fundamental question is whether we need certificate management at this stage. If the answer is yes, and we have multiple proposals, it would be good to clarify the position of the different proposals and evaluate whether a selection is needed or not before validating the charter. Please provide your inputs on the mailing list before October 30. Of course for minor edits, you may suggest them directly on the google doc. Yours, Daniel [1] https://docs.google.com/document/d/1RtxUSvUeBdZWoQkjSj2c3DtR8DuBwPM2BnBXhoDi ptY/edit?usp=sharing <https://protect2.fireeye.com/v1/url?k=4f3d9c3b-118c475b-4f3ddca0-86e2237f51 fb-627e48b069462d70 <https://protect2.fireeye.com/v1/url?k=4f3d9c3b-118c475b-4f3ddca0-86e2237f51 fb-627e48b069462d70&q=1&e=6924b2a6-e7e5-4ec1-a1af-c94637953dc5&u=https%3A%2F %2Fdocs.google.com%2Fdocument%2Fd%2F1RtxUSvUeBdZWoQkjSj2c3DtR8DuBwPM2BnBXhoD iptY%2Fedit%3Fusp%3Dsharing> &q=1&e=6924b2a6-e7e5-4ec1-a1af-c94637953dc5&u=https%3A%2F%2Fdocs.google.com% 2Fdocument%2Fd%2F1RtxUSvUeBdZWoQkjSj2c3DtR8DuBwPM2BnBXhoDiptY%2Fedit%3Fusp%3 Dsharing> [2] https://datatracker.ietf.org/doc/minutes-interim-2017-ace-03-201710191300/ [3] https://datatracker.ietf.org/doc/draft-selander-ace-eals/ -- Daniel Migault Ericsson
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace