Just one clarification adoption is not based on vote, but a common understanding this is useful.
Yours, Daniel ________________________________ From: Ace <ace-boun...@ietf.org> on behalf of Brockhaus, Hendrik <hendrik.brockh...@siemens.com> Sent: Wednesday, November 4, 2020 12:38 PM To: Ace Wg <ace@ietf.org>; Panos Kampanakis (pkampana) <pkamp...@cisco.com> Cc: Göran Selander <goran.selander=40ericsson....@dmarc.ietf.org>; Daniel Migault <mglt.i...@gmail.com> Subject: Re: [Ace] Charter discussion Panos, thank you for explaining you position. I understand that you support EST. I already expressed my position and arguments in favor of CMP. :-) As you see the authentication provided by binding the CSR to the TLS handshake as a pro of EST, I see in many environments exactly this as a drawback of EST and a pro of CMP having all needed security on the application layer. I do not see, why this should not be valid when using CoAP instead of HTTP. As already pointed out, I do not believe we can address all requirements out there by one certificate enrollment/management protocol. Important from my perspective is, as Panos also says, there are currently four votes in favor and only one clear vote against the adoption. Or did I miss further votes? Hendrik Von: Ace <ace-boun...@ietf.org> Im Auftrag von Panos Kampanakis (pkampana) Gesendet: Mittwoch, 4. November 2020 04:36 An: Göran Selander <goran.selander=40ericsson....@dmarc.ietf.org>; Daniel Migault <mglt.i...@gmail.com>; Ace Wg <ace@ietf.org> Betreff: Re: [Ace] Charter discussion I support the addition of draft-selander-ace-coap-est-oscore in the Charter as it introduces OSCORE with its advantages in constrained environments for EST which is already standardized in EST-coaps in ACE. As I have said before, I oppose the addition of CMPv2 over COAP in the charter. Summarizing the reasons here again for brevity: - we should not repeat the mistakes of the past and introduce multiple protocols doing the same thing (cert enrollment or management) over COAP unless there is a compelling reason. To answer your other question Daniel, I don’t think we need a new certificate management protocol at this stage. - I am not convinced of the technical advantages of using CMPv2 over COAP in constrained environments. - I have not seen overwhelming support for the draft in the list other than Michael saying “why not” and Steffen and Hendrik (from Siemens) clearly supporting it. Also, minutes from IETF-108 say “DM: Objections to doing this work? No objections registered”. I was not there to oppose, but I would not call that overwhelming active support either. - it is not clear who intends to use and implement the draft. If it is a one or two vendor thing then I don’t think ACE should spend the cycles. I have not seen many people chiming in that want to the draft and are willing to review. Rgs, Panos From: Ace <ace-boun...@ietf.org<mailto:ace-boun...@ietf.org>> On Behalf Of Göran Selander Sent: Tuesday, November 03, 2020 5:06 AM To: Daniel Migault <mglt.i...@gmail.com<mailto:mglt.i...@gmail.com>>; Ace Wg <ace@ietf.org<mailto:ace@ietf.org>> Subject: Re: [Ace] Charter discussion Hi Daniel, and all, Some comments on the proposed charter and your mail, sorry for late response. 1. ”The Working Group is charged with maintenance of the framework and existing profiles thereof, and may undertake work to specify profiles of the framework for additional secure communications protocols” I take it this text covers (should the WG want to adopt): * draft-tiloca-ace-group-oscore-profile * an ACE-EDHOC profile (i.e. the POST /token response and the access token provision information to support authentication with EDHOC, e.g. raw public key of the other party). Such a profile could provide good trust management properties, potentially at the cost of a larger access token etc. Right? 2. ”In particular the discussion might revive a discussion that happened in 2017 [2] - when I was not co-chair of ACE -and considered other expired work such as [3]. Please make this discussion constructive on this thread.” As I remember it, the outcome of this discussion was – in line with the mindset of EST – that it is beneficial to re-use authentication and communication security appropriate for actual use case. If coaps is suitable for a particular use case, then it makes sense to protect also the enrolment procedure with this protocol. But whereas the security protocol is coaps instead of https, the enrolment functionality and semantics should reuse that of EST, possibly profiled for the new setting: [4]. In the same spirit there was support at the meeting [2] to specify protection of EST payloads profiled for use with OSCORE as communication security protocol, together with a suitable AKE for authentication. Following the adoption of EDHOC in LAKE this work has now been revived [5]. IMHO the reasoning above still makes sense. With this in mind, and taking into account recent discussion on the list, perhaps this part of the charter: ”The Working Group will standardize how to use Constrained Application Protocol (CoAP) as a Transport Medium for the Certificate management protocol version 2 (CMPv2). ” should be rephrased or complemented with the reasoning above, for example: The scope of the Working Group includes profiles of the Enrolment over Secure Transport (EST) transported with the Constrained Application Protocol (CoAP)” Thanks Göran [4] https://tools.ietf.org/html/draft-ietf-ace-coap-est<https://protect2.fireeye.com/v1/url?k=e3b2c887-bc29f1c4-e3b2881c-861fcb972bfc-e9c51ac16743ab01&q=1&e=ec9e57b6-0c6f-4f39-a84d-6538bd0dc9e8&u=https%3A%2F%2Feur01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Ftools.ietf.org%252Fhtml%252Fdraft-ietf-ace-coap-est%26data%3D04%257C01%257Chendrik.brockhaus%2540siemens.com%257C27193ea305fb4be4501e08d88072ca26%257C38ae3bcd95794fd4addab42e1495d55a%257C1%257C1%257C637400577806351097%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C3000%26sdata%3DNd0%252B2%252B9QCiQX905x8eeFATC2s5nxgvPElL%252FEd3x9zHc%253D%26reserved%3D0> [5] https://tools.ietf.org/html/draft-selander-ace-coap-est-oscore<https://protect2.fireeye.com/v1/url?k=659ca4de-3a079d9d-659ce445-861fcb972bfc-29faa500f5edd2da&q=1&e=ec9e57b6-0c6f-4f39-a84d-6538bd0dc9e8&u=https%3A%2F%2Feur01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Ftools.ietf.org%252Fhtml%252Fdraft-selander-ace-coap-est-oscore%26data%3D04%257C01%257Chendrik.brockhaus%2540siemens.com%257C27193ea305fb4be4501e08d88072ca26%257C38ae3bcd95794fd4addab42e1495d55a%257C1%257C1%257C637400577806361092%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C3000%26sdata%3DFhwPXjvDW%252Fio6WdTN8ca5sMYx754V7332qxGNjrCdQE%253D%26reserved%3D0> On 2020-10-15, 19:50, "Ace" <ace-boun...@ietf.org<mailto:ace-boun...@ietf.org>> wrote: Hi, I would like to start the charter discussion. Here is a draft of a proposed charter [1]. It seems to be that additional discussion is needed with regard to the last paragraph related certificate management. In particular the discussion might revive a discussion that happened in 2017 [2] - when I was not co-chair of ACE -and considered other expired work such as [3]. Please make this discussion constructive on this thread. The fundamental question is whether we need certificate management at this stage. If the answer is yes, and we have multiple proposals, it would be good to clarify the position of the different proposals and evaluate whether a selection is needed or not before validating the charter. Please provide your inputs on the mailing list before October 30. Of course for minor edits, you may suggest them directly on the google doc. Yours, Daniel [1] https://docs.google.com/document/d/1RtxUSvUeBdZWoQkjSj2c3DtR8DuBwPM2BnBXhoDiptY/edit?usp=sharing<https://protect2.fireeye.com/v1/url?k=7754b41f-28cf8d5c-7754f484-861fcb972bfc-a4c99ab0684a00fa&q=1&e=ec9e57b6-0c6f-4f39-a84d-6538bd0dc9e8&u=https%3A%2F%2Feur01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.google.com%252Fdocument%252Fd%252F1RtxUSvUeBdZWoQkjSj2c3DtR8DuBwPM2BnBXhoDiptY%252Fedit%253Fusp%253Dsharing%26data%3D04%257C01%257Chendrik.brockhaus%2540siemens.com%257C27193ea305fb4be4501e08d88072ca26%257C38ae3bcd95794fd4addab42e1495d55a%257C1%257C1%257C637400577806371088%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C3000%26sdata%3DWx02SgrYvA%252BBaoqY8Cl6e1jQXY9IzDNSOekqSl7y9cc%253D%26reserved%3D0> <https://protect2.fireeye.com/v1/url?k=4f3d9c3b-118c475b-4f3ddca0-86e2237f51fb-627e48b069462d70&q=1&e=6924b2a6-e7e5-4ec1-a1af-c94637953dc5&u=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1RtxUSvUeBdZWoQkjSj2c3DtR8DuBwPM2BnBXhoDiptY%2Fedit%3Fusp%3Dsharing<https://protect2.fireeye.com/v1/url?k=0aa5fcc1-553ec582-0aa5bc5a-861fcb972bfc-999d471eb771d7cd&q=1&e=ec9e57b6-0c6f-4f39-a84d-6538bd0dc9e8&u=https%3A%2F%2Feur01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fprotect2.fireeye.com%252Fv1%252Furl%253Fk%253D4f3d9c3b-118c475b-4f3ddca0-86e2237f51fb-627e48b069462d70%2526q%253D1%2526e%253D6924b2a6-e7e5-4ec1-a1af-c94637953dc5%2526u%253Dhttps%25253A%25252F%25252Fdocs.google.com%25252Fdocument%25252Fd%25252F1RtxUSvUeBdZWoQkjSj2c3DtR8DuBwPM2BnBXhoDiptY%25252Fedit%25253Fusp%25253Dsharing%26data%3D04%257C01%257Chendrik.brockhaus%2540siemens.com%257C27193ea305fb4be4501e08d88072ca26%257C38ae3bcd95794fd4addab42e1495d55a%257C1%257C0%257C637400577806371088%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C3000%26sdata%3DhN20xt76IQDFPFNENNE3kwJgFMWrFgh0N5m5Aib4Mx4%253D%26reserved%3D0>> [2] https://datatracker.ietf.org/doc/minutes-interim-2017-ace-03-201710191300/<https://protect2.fireeye.com/v1/url?k=edf7e7da-b26cde99-edf7a741-861fcb972bfc-cf1ac46197fd50c3&q=1&e=ec9e57b6-0c6f-4f39-a84d-6538bd0dc9e8&u=https%3A%2F%2Feur01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdatatracker.ietf.org%252Fdoc%252Fminutes-interim-2017-ace-03-201710191300%252F%26data%3D04%257C01%257Chendrik.brockhaus%2540siemens.com%257C27193ea305fb4be4501e08d88072ca26%257C38ae3bcd95794fd4addab42e1495d55a%257C1%257C1%257C637400577806381083%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C3000%26sdata%3DoPHqgbrFmyVbHWeXzn4xmQLWh%252FPmXMS%252BpjrTPTWrmGo%253D%26reserved%3D0> [3] https://datatracker.ietf.org/doc/draft-selander-ace-eals/<https://protect2.fireeye.com/v1/url?k=e5138516-ba88bc55-e513c58d-861fcb972bfc-a51690574057d87e&q=1&e=ec9e57b6-0c6f-4f39-a84d-6538bd0dc9e8&u=https%3A%2F%2Feur01.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdatatracker.ietf.org%252Fdoc%252Fdraft-selander-ace-eals%252F%26data%3D04%257C01%257Chendrik.brockhaus%2540siemens.com%257C27193ea305fb4be4501e08d88072ca26%257C38ae3bcd95794fd4addab42e1495d55a%257C1%257C1%257C637400577806391076%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C3000%26sdata%3DX4Fe%252B%252Bd0lSti0geRyNzXdINWAx3ym%252FS%252FO2zThQ0icKc%253D%26reserved%3D0> -- Daniel Migault Ericsson
_______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
