I honor Panos' opinion and understand that he wishes to have EST as the one and 
only enrollment protocol. But also after EST, there were further enrollment 
protocols standardized, e.g., ACME, OPC-UA GDS, SCEP. But I do not want to 
argue pro or con a specific protocol. I think we have to accept that there are 
different protocols with different abilities chosen in different verticals.

The point here is, does the group support Mohit's draft on specifying CoAP 
transport for CMP.

Just to recap the discussion from IETF 108:
---------------------snip---------------------
### CoAP Transport for CMP - Mohit Sahni - 5:11

JS: This is here for possible adoption, but the WG is not expected to have
expertise in the CMP protocol, but just looking at how the CoAP work is done.
DM: Objections to doing this work? No objections registered.
DM: Need to re-charter and then adopt.
JS: Recharter does not stop us from doing reviews.
GS: Reading table of contents - multicast and proxy support
MS: Don't use multicast for this. Only used for service discovery. Need to have
proxy support to get additional security for servers.
GS: This is just a transport draft?
MS: Yes.
---------------------snip---------------------

I would appreciate further votes.

Hendrik

From: Ace <ace-boun...@ietf.org> On Behalf Of Panos Kampanakis (pkampana)
Sent: Monday, 5 October 2020 17:44
To: Mohit Sahni <mohit06...@gmail.com>; Ace Wg <ace@ietf.org>
Cc: stripa...@paloaltonetworks.com; saurabh.tripa...@gmail.com; Mohit Sahni 
<msa...@paloaltonetworks.com>; Brockhaus, Hendrik (T RDA CST SEA-DE) 
<hendrik.brockh...@siemens.com>
Subject: Re: [Ace] Call for adoption draft-msahni-ace-cmpv2-coap-transport-01

I oppose adoption.

IETF in the past has come up with SCEP, CMP, CMC and EST, all of them for the 
most part doing the same thing with minor differences. I don’t think we need 
two enrollment protocols to run over COAP. We should not repeat mistakes of the 
past.

In ACE we have EST-coaps which is done. We worked on it because EST was in IEC 
62351 and we needed a solution for some COAP use cases. Since then EST-coaps has 
been picked up by Fairhair and Thread.

The argument about L7 protection in CMPv2 could also be satisfied by 
draft-selander-ace-coap-est-oscore. draft-selander-ace-coap-est-oscore was 
trying to secure EST over L7 encrypted COSE messages.

Additionally, I would argue that L7 proof-of-identity is not a strong advantage 
in an (L)RA trust model for both EST-coaps and CMPv2-coaps. What is more, 
having the CA trust all potential manufacturer roots in order to do L7 proof of 
identity will not be trivial unless the CA is a private one. And in a private 
CA and (L)RA scenario I don’t know that end-to-end proof of identity is that 
important.

I oppose adoption unless there is a compelling reason why. Also I am not sure 
where this draft would be implemented and used. If this is just for one or two 
vendors I don’t think ACE needs to spend the cycles.

Thanks,
Panos


From: Ace <ace-boun...@ietf.org> On Behalf Of Mohit Sahni
Sent: Monday, October 05, 2020 3:21 AM
To: Ace Wg <ace@ietf.org>
Cc: stripa...@paloaltonetworks.com; saurabh.tripa...@gmail.com; Mohit Sahni 
<msa...@paloaltonetworks.com>; Brockhaus, Hendrik <hendrik.brockh...@siemens.com>
Subject: [Ace] Call for adoption draft-msahni-ace-cmpv2-coap-transport-01

Hello Ace WG,
I am presenting the draft-msahni-ace-cmpv2-coap-transport-01 to be adopted by 
ACE WG. This document supplements the "Lightweight CMP Profile" draft 
(https://tools.ietf.org/html/draft-brockhaus-lamps-lightweight-cmp-profile-03), 
which specifies the modifications to the CMPv2 protocol for it to be used 
efficiently by constrained devices for PKI operations.

I discussed this draft in the IETF-108 ACE session and the need for the recharter 
of ACE WG in order to adopt this draft, on which we had consensus. Please 
state your opinion on whether this draft should be adopted by ACE WG.

Link to the draft: 
https://datatracker.ietf.org/doc/draft-msahni-ace-cmpv2-coap-transport/

Regards,
Mohit Sahni

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace