Re: [Emu] [Ace] [core] Proposed charter for ACE (EAP over CoAP?)

2020-12-09 Thread Michael Richardson

Dan Garcia  wrote:
> EAP can be used in the context of IoT for authentication.

But, to what end?

1) If it is onboarding a new device, then there is no connectivity until after
   authentication.
   so you can't use CoAP, you have to use 802.1x, or some equivalent, or
   create a system such as draft-ietf-6tisch-minimal-security.
   Which does use CoAP and OSCORE already.

2) If it is for application authentication, then you need to use EAP to setup
   MSK for later use by a context.
   We do this in IKEv2, (D)TLS already.

So the only left would be OSCORE, yet you write "could", as if it was an 
afterthought.

Tell me what is your application?  What will be impossible if we don't do
this work?

--
Michael Richardson. o O ( IPv6 IøT consulting )
   Sandelman Software Works Inc, Ottawa and Worldwide






___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu


Re: [Emu] [core] [Ace] Proposed charter for ACE (EAP over CoAP?)

2020-12-09 Thread Carsten Bormann
On 2020-12-09, at 14:28, Christian Amsüss  wrote:
>
> follow CoRE best practices

Indeed; for instance, we “RESTified” documents in ACE before (and they not just 
became ideologically correct, but also plain better).

Grüße, Carsten





Re: [Emu] [Ace] Proposed charter for ACE (EAP over CoAP?)

2020-12-09 Thread Christian Amsüss
Hello ACE,

On Thu, Dec 03, 2020 at 01:20:08PM +, Daniel Migault wrote:
> It seems ACE to me that ACE could be home for such a document. I am
> wondering if emu core or any other WG believe there is a better place
> for it.

If nothing else, I'd be curious to see EAP-over-CoAP this sketched out;
interactions with NOOB. (The "film a blinking LED to get mutual
authentication" sounds particularly promising).

Care would need to be taken to follow CoRE best practices (not that we'd
have a good set of standard recommendations, but at least on concrete
points we usually manage consensus), both because anything built on CoAP
coming from the IETF will be seen as something of a reference example,
and also to leverage its full optimization potential. CCs to core when
this is put on the agenda for ACE interims might be a good idea.

Go for it :-)

Christian

-- 
Es ist nicht deine Schuld, dass die Welt ist, wie sie ist -- es wär' nur
deine Schuld, wenn sie so bleibt.
(You are not to blame for the state of the world, but you would be if
that state persisted.)
  -- Die Ärzte




Re: [Emu] [Ace] [core] Proposed charter for ACE (EAP over CoAP?)

2020-12-09 Thread Alexander Pelov
Dear all,

I support the inclusion of EAP-over-CoAP to the charter.

We've done work on this particular item in the past, and we've identified
the need for it in many places.. but unfortunately the draft didn't have a
proper "home" and things never advanced much. Use-cases we've seen include
places where EAP is a MUST, there is support for CoAP, but no support for
the specific FOO technology.

I am confident that it will bring value to the IOT ecosystem and that ACE
is the right home for this draft.

Cheers,
Alexander


On Wed, Dec 9, 2020 at 12:46 PM Dan Garcia  wrote:

>  Hi Michael,
>
> EAP can be used in the context of IoT for authentication. To transport EAP
> from the IoT device we need a light EAP lower-layer. This would be CoAP.
> Moreover, according to EAP key management framework, keys are exported to
> protect the link and the EAP lower-layer itself. So yes, OSCORE could be
> used for that kind of protection.
>
>  Another aspect, it is that the use case we consider is the case where an
> IoT device is trying to access a security domain under the control of a
> “controller” that is connected to a backend AAA infrastructure, which acts
> as EAP authenticator.
>
>  Best Regards.
> On 07/12/2020 at 23:09, Michael Richardson wrote:
>
> Could someone point to a use case for "EAP over CoAP" please?
> Is the goal to key an OSCORE context, or what?
>
> --
> ]   Never tell me the odds! | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works|IoT architect   [
> ] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails [
>
> ___
> Ace mailing list
> a...@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
>


Re: [Emu] [Ace] [core] Proposed charter for ACE (EAP over CoAP?)

2020-12-09 Thread Dan Garcia

 Hi Michael,

EAP can be used in the context of IoT for authentication. To transport 
EAP from the IoT device we need a light EAP lower-layer. This would be 
CoAP. Moreover, according to EAP key management framework, keys are 
exported to protect the link and the EAP lower-layer itself. So yes, 
OSCORE could be used for that kind of protection.


 Another aspect, it is that the use case we consider is the case where 
an IoT device is trying to access a security domain under the control of 
a “controller” that is connected to a backend AAA infrastructure, which 
acts as EAP authenticator.


 Best Regards.

On 07/12/2020 at 23:09, Michael Richardson wrote:

> Could someone point to a use case for "EAP over CoAP" please?
> Is the goal to key an OSCORE context, or what?
>
> --
> ]   Never tell me the odds! | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works|IoT architect   [
> ] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails [




Re: [Emu] Working Group Last Call for draft-ietf-emu-eap-noob-02

2020-12-09 Thread Eduardo Ingles (UM)

Hi all,

I have worked with EAP-NOOB and implemented a constrained version for 
Contiki (https://github.com/eduingles/coap-eap-noob). I exposed some 
issues on the list such as adding support for P-256 and clarifying the 
text on waiting exchange and the authors have addressed my issues. The 
draft now has P-256 as one of the curves. I support it and I think it is 
ready for publication.


Best regards,
Eduardo Inglés

On 22/11/2020 at 0:31, Joseph Salowey wrote:
> At IETF 109 meeting there was support for moving EAP-NOOB forward.
> The chairs and authors believe the document is ready to progress so
> this starts the working group last call for EAP-NOOB [1]. Please
> review the document and send comments to the list by December 11,
> 2020. Statements of support or opposition are welcome especially if
> accompanied with reasons for the position.
>
> Thanks,
>
> Joe
>
> [1] https://datatracker.ietf.org/doc/draft-ietf-emu-eap-noob/






--
Eduardo Inglés Sánchez
eduardo.ing...@um.es

Department of Information and Communication Engineering
Faculty of Computer Science
University of Murcia
30100 Murcia, Spain



Re: [Emu] [core] [Ace] Proposed charter for ACE (EAP over CoAP?)

2020-12-09 Thread Dan Garcia

Hi Josh,

Thanks for the support.

At first sight, I would say that, from the perspective of very 
constrained devices and networks, it would be better to directly design 
an EAP lower-layer based on CoAP without introducing any intermediate 
layer.



Best Regards,
Dan.

On 7/12/20 16:50, josh.howl...@gmail.com wrote:


I support this; although I am curious in Dan’s opinion as to whether 
GSS on top of CoAP is also worth considering, as a way of leveraging 
the GSS EAP and other mechanisms (such as Kerberos).


Josh

*From:* Emu *On Behalf Of* Göran Selander
*Sent:* 07 December 2020 14:08
*To:* Laurent Toutain; Daniel Migault
*Cc:* EMU WG; c...@ietf.org WG (c...@ietf.org); a...@ietf.org
*Subject:* Re: [Emu] [core] [Ace] Proposed charter for ACE (EAP over CoAP?)


+1.

(The recently updated ACE charter should cover this work.)

Göran

On 2020-12-03, 20:03, "core" wrote:


Hi,

I think it is important to have EAP on top of CoAP, as Dan said it fit 
well with the last charter item.


Laurent

On Thu, Dec 3, 2020 at 2:20 PM Daniel Migault wrote:


CCing emu, core

It seems ACE to me that ACE could be home for such a document. I am 
wondering if emu core or any other WG believe there is a better place 
for it.


Regarding ACE I am wondering what is the WG opinion about adding this 
item to the ACE charter.


Yours,

Daniel



From: Ace <ace-boun...@ietf.org> on behalf of Dan Garcia <dan.gar...@um.es>
Sent: Thursday, December 3, 2020 6:10 AM
To: a...@ietf.org
Subject: [Ace] Proposed charter for ACE (EAP over CoAP?)

Dear all:

Regarding the new charter, since ACE is considering the definition of 
CoAP transport for CMPv2 
(https://tools.ietf.org/html/draft-msahni-ace-cmpv2-coap-transport-00), 
we were wondering whether it could also consider specifying EAP 
(Extensible Authentication Protocol) over CoAP.


In this sense, we proposed this some time ago and we have 
implementations about this.


https://datatracker.ietf.org/doc/html/draft-marin-ace-wg-coap-eap-06

https://www.mdpi.com/1424-8220/16/3/358

https://www.mdpi.com/1424-8220/17/11/2646


The usage of CoAP can provide a very light and link-layer independent 
(we even tested in LoRa networks) EAP lower-layer (transport for EAP) 
suitable for IoT environment. We believe this would be really useful 
since EAP provides flexibility for the authentication and it is a 
well-known protocol.


Therefore, we would like to propose the following modification to the 
charter:


"The Working Group will examine how to use Constrained Application 
Protocol (CoAP) as a transport medium for certificate enrollment 
protocols, such as EST and CMPv2, as well as a transport for 
authentication protocols such as EAP, and standardize them as needed."


This modification does not necessarily mean the adoption of our draft. 
After all, we completely understand that this would happen only if 
there is an interest in the WG. Nevertheless, we would like to avoid 
that the charter is a barrier later if there is interest in the WG to 
work in this transport of EAP over CoAP:


Any opinion about this?

Best Regards.

On 18/11/2020 at 8:08, Daniel Migault wrote:

Hi,

Please find the proposed charter we agreed on during the interim 
meeting. If you would like to propose any change, please use the 
following URL by November 25:


https://docs.google.com/document/d/1RtxUSvUeBdZWoQkjSj2c3DtR8DuBwPM2BnBXhoDiptY/edit?usp=sharing


Yours,

Daniel

The Authentication and Authorization for Constrained Environments 
(ace) WG has defined a standardized solution framework for 
authentication and authorization to enable authorized access to 
resources identified by a URI and hosted on a resource server in 
constrained environments.


The access to the resource is mediated by an authorization server, 
which is not considered to be constrained.


Profiles of this framework for application to security protocols 
commonly used in constrained environments, includ