Re: [Emu] [Ace] [core] Proposed charter for ACE (EAP over CoAP?)

2020-12-07 Thread Michael Richardson

Could someone point to a use case for "EAP over CoAP" please?
Is the goal to key an OSCORE context, or what?

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works|IoT architect   [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[



___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu


Re: [Emu] [core] [Ace] Proposed charter for ACE (EAP over CoAP?)

2020-12-07 Thread josh.howlett
I support this; although I am curious about Dan’s opinion as to whether GSS on
top of CoAP is also worth considering, as a way of leveraging the GSS EAP
and other mechanisms (such as Kerberos).

 

Josh

 

From: Emu  On Behalf Of Göran Selander
Sent: 07 December 2020 14:08
To: Laurent Toutain ; Daniel Migault

Cc: EMU WG ; c...@ietf.org WG (c...@ietf.org) ;
a...@ietf.org
Subject: Re: [Emu] [core] [Ace] Proposed charter for ACE (EAP over CoAP?)

 

+1. 

 

(The recently updated ACE charter should cover this work.)

 

Göran

 

On 2020-12-03, 20:03, "core" <core-boun...@ietf.org> wrote:

Hi,

I think it is important to have EAP on top of CoAP; as Dan said, it fits well
with the last charter item.

 

Laurent

 

 

On Thu, Dec 3, 2020 at 2:20 PM Daniel Migault
<daniel.migault=40ericsson@dmarc.ietf.org> wrote:

 

 

CCing emu, core

 

It seems to me that ACE could be home for such a document. I am
wondering if emu, core or any other WG believe there is a better place for
it.

 

Regarding ACE I am wondering what is the WG opinion about adding this item
to the ACE charter. 

 

Yours, 

Daniel



From: Ace <ace-boun...@ietf.org> on behalf of
Dan Garcia <dan.gar...@um.es>

Sent: Thursday, December 3, 2020 6:10 AM

To: a...@ietf.org <a...@ietf.org>

Subject: [Ace] Proposed charter for ACE (EAP over CoAP?)  

 

Dear all:

 

Regarding the new charter, since ACE is considering the definition of CoAP
transport for CMPv2
(https://tools.ietf.org/html/draft-msahni-ace-cmpv2-coap-transport-00), we
were wondering whether it could also consider specifying EAP (Extensible
Authentication Protocol) over CoAP.

 

In this sense, we proposed this some time ago and we have implementations
about this.

 

https://datatracker.ietf.org/doc/html/draft-marin-ace-wg-coap-eap-06

https://www.mdpi.com/1424-8220/16/3/358

https://www.mdpi.com/1424-8220/17/11/2646

 

The usage of CoAP can provide a very light and link-layer independent (we
even tested in LoRa networks) EAP lower-layer (transport for EAP) suitable
for IoT environment. We believe this would be really useful since EAP
provides flexibility for the authentication and it is a well-known protocol.

 

Therefore, we would like to propose the following modification to the
charter:

 

"The Working Group will examine how to use Constrained Application Protocol
(CoAP) as a transport medium for certificate enrollment protocols, such as
EST and CMPv2, as well as a transport for authentication protocols such as
EAP, and standardize them as needed."

 

This modification does not necessarily mean the adoption of our draft. After
all, we completely understand that this would happen only if there is an
interest in the WG. Nevertheless, we would like to avoid that the charter is
a barrier later if there is interest in the WG to work in this transport of
EAP over CoAP:

 

Any opinion about this?

 

Best Regards.

 

On 18/11/2020 at 8:08, Daniel Migault wrote:

 

 

Hi,  

Please find the proposed charter we agreed on during the interim meeting. If
you would like to propose any change, please use the following URL by
November 25:

 

https://docs.google.com/document/d/1RtxUSvUeBdZWoQkjSj2c3DtR8DuBwPM2BnBXhoDiptY/edit?usp=sharing

 

 

Yours, 

Daniel

 

The Authentication and Authorization for Constrained Environments (ace) WG
has defined a standardized solution framework for authentication and
authorization to enable authorized access to resources identified by a URI
and hosted on a resource server in constrained environments. 

The access to the resource is mediated by an authorization server, which is
not considered to be constrained.

 

Profiles of this framework for application to security protocols commonly
used in constrained environments, including CoAP+DTLS and CoAP+OSCORE, have
also been standardized.  The Working Group is charged with maintenance of
the framework and existing profiles thereof, and may undertake work to
specify profiles of the framework for additional secure communications
protocols and for additional support services providing authorized access to
crypto keys (that are not necessarily limited to constrained endpoints,
though the focus remains on deployment in ecosystems with a substantial
portion of constrained devices).

 

In addition to the ongoing maintenance work, the Working Group will extend
the framework as needed for 

Re: [Emu] [core] [Ace] Proposed charter for ACE (EAP over CoAP?)

2020-12-07 Thread Göran Selander
+1.

(The recently updated ACE charter should cover this work.)

Göran

On 2020-12-03, 20:03, "core"  wrote:
Hi,
I think it is important to have EAP on top of CoAP; as Dan said, it fits well 
with the last charter item.

Laurent


On Thu, Dec 3, 2020 at 2:20 PM Daniel Migault 
<daniel.migault=40ericsson@dmarc.ietf.org> wrote:


CCing emu, core

It seems to me that ACE could be home for such a document. I am wondering 
if emu, core or any other WG believe there is a better place for it.

Regarding ACE I am wondering what is the WG opinion about adding this item to 
the ACE charter.

Yours,
Daniel

From: Ace <ace-boun...@ietf.org> on behalf of Dan Garcia <dan.gar...@um.es>
Sent: Thursday, December 3, 2020 6:10 AM
To: a...@ietf.org <a...@ietf.org>
Subject: [Ace] Proposed charter for ACE (EAP over CoAP?)

Dear all:

Regarding the new charter, since ACE is considering the definition of CoAP 
transport for CMPv2 
(https://tools.ietf.org/html/draft-msahni-ace-cmpv2-coap-transport-00), we were 
wondering whether it could also consider specifying EAP (Extensible 
Authentication Protocol) over CoAP.

In this sense, we proposed this some time ago and we have implementations about 
this.

https://datatracker.ietf.org/doc/html/draft-marin-ace-wg-coap-eap-06
https://www.mdpi.com/1424-8220/16/3/358
https://www.mdpi.com/1424-8220/17/11/2646

The usage of CoAP can provide a very light and link-layer independent (we even 
tested in LoRa networks) EAP lower-layer (transport for EAP) suitable for IoT 
environment. We believe this would be really useful since EAP provides 
flexibility for the authentication and it is a well-known protocol.

Therefore, we would like to propose the following modification to the charter:

"The Working Group will examine how to use Constrained Application Protocol 
(CoAP) as a transport medium for certificate enrollment protocols, such as EST 
and CMPv2, as well as a transport for authentication protocols such as EAP, and 
standardize them as needed."

This modification does not necessarily mean the adoption of our draft. After 
all, we completely understand that this would happen only if there is an 
interest in the WG. Nevertheless, we would like to avoid that the charter is a 
barrier later if there is interest in the WG to work in this transport of EAP 
over CoAP:

Any opinion about this?

Best Regards.

On 18/11/2020 at 8:08, Daniel Migault wrote:


Hi,
Please find the proposed charter we agreed on during the interim meeting. If 
you would like to propose any change, please use the following URL by November 
25:

https://docs.google.com/document/d/1RtxUSvUeBdZWoQkjSj2c3DtR8DuBwPM2BnBXhoDiptY/edit?usp=sharing
 



Yours,
Daniel

The Authentication and Authorization for Constrained Environments (ace) WG has 
defined a standardized solution framework for authentication and authorization 
to enable authorized access to resources identified by a URI and hosted on a 
resource server in constrained environments.
The access to the resource is mediated by an authorization server, which is not 
considered to be constrained.

Profiles of this framework for application to security protocols commonly used 
in constrained environments, including CoAP+DTLS and CoAP+OSCORE, have also 
been standardized.  The Working Group is charged with maintenance of the 
framework and existing profiles thereof, and may undertake work to specify 
profiles of the framework for additional secure communications protocols and 
for additional support services providing authorized access to crypto keys 
(that are not necessarily limited to constrained endpoints, though the focus 
remains on deployment in ecosystems with a substantial portion of constrained 
devices).

In addition to the ongoing maintenance work, the Working Group will extend the 
framework as needed for applicability to group communications, with initial 
focus on (D)TLS and (Group) OSCORE as the underlying group communication 
security protocols. The Working Group will standardize procedures for 
requesting and distributing group keying material using the ACE framework as 
well as appropriated management interfaces.

The Working Group will standardize a format for expressing authorization 
information for a given authenticated principal as received from an 
authorization manager.

The Working Group will examine how to use Constrained Application Protocol 
(CoAP) as a transport medium for certificate enrollment protocols, such as EST 
and CMPv2, and standardize as needed.




On Tue, Nov 17, 2020 at 6:47 PM Benjamin Kaduk 
<ka...@mit.edu> wrote:


Thanks for updating the draft charter at [1], Daniel!

I note