
From fabrice.hobaya@gmail.com  Thu Oct  1 08:50:14 2009
Return-Path: <fabrice.hobaya@gmail.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B40763A6AA0 for <hipsec@core3.amsl.com>; Thu,  1 Oct 2009 08:50:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.118
X-Spam-Level: 
X-Spam-Status: No, score=-0.118 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rAPqm00glcY7 for <hipsec@core3.amsl.com>; Thu,  1 Oct 2009 08:50:13 -0700 (PDT)
Received: from mail-bw0-f210.google.com (mail-bw0-f210.google.com [209.85.218.210]) by core3.amsl.com (Postfix) with ESMTP id 97C653A6974 for <hipsec@ietf.org>; Thu,  1 Oct 2009 08:50:13 -0700 (PDT)
Received: by bwz6 with SMTP id 6so243487bwz.37 for <hipsec@ietf.org>; Thu, 01 Oct 2009 08:51:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding; bh=8KqKWgC/3pR04TrxKYBYwRH/UqRvPDWR+Jx4tzISRu0=; b=UGXbNvgZ7wunXG5F3SYeENknihsaAhwZVSmR+WLpJqjAcVx5p6I4nCLrHkXSQak475 EyIJ1ZprpQ1RMb8lR+iP23B9+x2Da8N7gL2aNKLJsThf1EYJ9oxkYHQHHawDNfXrGU75 13wl5AZ8rAMGkqHjwsL28HF2R2gYk3QbqLcJo=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:date:x-google-sender-auth:message-id:subject :from:to:content-type:content-transfer-encoding; b=eZw69d/i8bTTjOTJ0T21DXjCQB67TrM2qyi8gkLQniF+VCQMjIxvOcbD7SVthO0m0B BBWSX8RJ74Ln6z4HDAju1MvcW7exoRM8gxC7AkDxBH2QN/3xqhDSwi3b/qQD/GRUpS4O SgI7bE/w9CEE+8ufsSbi6/Lo1VhTCnkUzdtKc=
MIME-Version: 1.0
Sender: fabrice.hobaya@gmail.com
Received: by 10.204.156.28 with SMTP id u28mr135647bkw.74.1254412296225; Thu,  01 Oct 2009 08:51:36 -0700 (PDT)
Date: Thu, 1 Oct 2009 17:51:36 +0200
X-Google-Sender-Auth: ce6a66cdf2aeb80a
Message-ID: <6dd9054d0910010851k592f3f51t54d3a0b3411edcda@mail.gmail.com>
From: Fabrice HOBAYA <fabrice.hobaya@tesa.prd.fr>
To: hipsec@ietf.org, hiprg@irtf.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Sun, 04 Oct 2009 22:48:07 -0700
Subject: [Hipsec] HIP extension supporting simultaneous mobility
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Oct 2009 15:52:16 -0000

Hi all,

   FYI, we have recently published a paper on simultaneous mobility
support in HIP.

F. Hobaya, V. Gay, E. Robert, "Host Identity Protocol Extension
Supporting Simultaneous End-Host Mobility," ICWMC 2009, pp. 261-266,
2009 Fifth International Conference on Wireless and Mobile Communications,
August 2009.

Comments are welcome.

BR,

Fabrice.

-- 
Fabrice HOBAYA -- PhD student
CNES / Thales Alenia Space / TéSA
+335 34 35 41 12 - from monday to wednesday
+335 61 24 73 82 - from thursday to friday
fabrice.hobaya@tesa.prd.fr

From pascal.urien@gmail.com  Fri Oct 16 02:04:26 2009
In-Reply-To: <4AB8C26C.5040209@ericsson.com>
References: <4AB8C26C.5040209@ericsson.com>
Date: Fri, 16 Oct 2009 11:04:26 +0200
Message-ID: <788eb8c40910160204q70956fc0me0a2d1b242d165a6@mail.gmail.com>
From: Pascal Urien <pascal.urien@gmail.com>
To: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Rechartering


Hi everybody,

During the last WG meeting in Stockholm we discussed a possible WG item
addressing HIP for the Internet of Things.

I would like a slot during the next meeting in Hiroshima, in order to
present the draft draft-urien-hip-iot that tries to start work with HIP
and IoT.


Best Regards

Pascal


Filename:          draft-urien-hip-iot
Version:           00
Staging URL:       http://www.ietf.org/staging/draft-urien-hip-iot-00.txt
Title:             HIP for IoT
Creation_date:     2009-10-16
WG ID:             Individual Submission
Number_of_pages: 6
Abstract:
The goal of this document is to analyze issues raised by the
deployment of the Internet Of Things, and to propose a framework
based on an Identity Layer such as the HIP protocol.


From gonzalo.camarillo@ericsson.com  Fri Oct 16 02:37:19 2009
Message-ID: <4AD83ED0.1060305@ericsson.com>
Date: Fri, 16 Oct 2009 12:37:20 +0300
From: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
To: Pascal Urien <pascal.urien@gmail.com>
References: <4AB8C26C.5040209@ericsson.com> <788eb8c40910160204q70956fc0me0a2d1b242d165a6@mail.gmail.com>
In-Reply-To: <788eb8c40910160204q70956fc0me0a2d1b242d165a6@mail.gmail.com>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] Rechartering

Hi,

the HIP WG will not be meeting in Japan. I suggest you drive discussions 
on this topic on the list instead.

Thanks,

Gonzalo
HIP co-chair

Pascal Urien wrote:
> Hi everybody,
>  
> During the last WG meeting in Stockholm we discussed a possible WG 
> item addressing HIP for the Internet of Things.
>  
> I would like a slot during the next meeting in Hiroshima, in order to 
> present the draft draft-urien-hip-iot that tries to start work with 
> HIP and IoT.
>  
>  
> Best Regards
>  
> Pascal
>  
>  
> Filename:          draft-urien-hip-iot
> Version:           00
> Staging URL:       http://www.ietf.org/staging/draft-urien-hip-iot-00.txt
> Title:             HIP for IoT
> Creation_date:     2009-10-16
> WG ID:             Individual Submission
> Number_of_pages: 6
> Abstract:
> The goal of this document is to analyze issues raised by the
> deployment of the Internet Of Things, and to propose a framework
> based on an Identity Layer such as the HIP protocol.


From samu.varjonen@hiit.fi  Mon Oct 19 00:54:50 2009
Message-ID: <4ADC1B4D.6010608@hiit.fi>
Date: Mon, 19 Oct 2009 10:54:53 +0300
From: Varjonen Samu <samu.varjonen@hiit.fi>
To: HIP <hipsec@ietf.org>
Subject: [Hipsec] draft-ietf-hip-cert-02-pre00

Hi,

Here is the pre-version of the hip-cert draft. It has been living a 
quiet life on the list. We have been asking for comments on the list 
before and after IETF 75 (Stockholm). There seem to be few or no 
comments about the draft. The new version contains bigger editorial 
changes, a change in the default cert and added type numbers.

Now I ask you to read and comment on the draft.

http://www.cs.helsinki.fi/u/sklvarjo/draft-ietf-hip-cert-02-pre00.txt

A few topics for the comments:

- Is the draft sufficient? Do we need to specify something more? Is 
something important missing?

- Is SPKI the right choice for the default format? X.509 is more widely 
deployed and has better support, whereas SPKI is simpler but has less 
support. In the pre-version I already changed X.509 to be the default, 
because X.509 certificates are commonly used in the wild and SPKI is 
more like a research curiosity(?).

- Are the hash and URL encodings needed? At least with on-path 
middleboxes they are problematic.

- Are the examples in the appendixes sufficient?

- Should we start the move from a draft to experimental RFC?

BR,
Samu Varjonen

From david.mattes@boeing.com  Wed Oct 21 11:45:47 2009
From: "Mattes, David" <david.mattes@boeing.com>
To: "'Varjonen Samu'" <samu.varjonen@hiit.fi>, HIP <hipsec@ietf.org>
Date: Wed, 21 Oct 2009 11:44:22 -0700
Message-ID: <E330FAC0AD42A34E90F3467F5A37AA372546211D2D@XCH-NW-11V.nw.nos.boeing.com>
References: <4ADC1B4D.6010608@hiit.fi>
In-Reply-To: <4ADC1B4D.6010608@hiit.fi>
Subject: Re: [Hipsec] draft-ietf-hip-cert-02-pre00

Hi Samu,

As some background, I am focused on using HIP operationally and therefore
have a pragmatic point of view of the specifications.  Here are some
in-line opinions for your questions below.

Also, what is the purpose of requiring the HIT as part of the X.509
information?  In practice (at least until HIP is a de-facto standard ;-),
I think it will be quite difficult to convince Certificate issuers to
include new or different information.  I think you should remove that
recommendation from the draft.

Page 1, Introduction, Last sentence: Do you mean Section 5.2 of RFC5201?

Minor nit:
Page 3, Paragraph 1, Line 2: s/X.503.v3/X.509.v3

Thank you for your work on this!

Regards,
David Mattes

> -----Original Message-----
> - Is the draft sufficient? Do we need to specify something more? Is
> something important missing?

I agree that having on-path middleboxes request remote data is problematic
(also from a trust point of view!), so what about introducing a mechanism
for the middleboxes or responders to request the full certificate when
presented with a CERT URL?  This way, middleboxes and responders can cache
certs and only request the entire certificate when necessary.  This
mechanism could also allow post-mobility-event middleboxes to request
endpoint certificates when they start to see a new flow.

This mechanism is probably outside the scope of this draft, but would the
requests themselves be defined here?  Another object I could envision
being requested would be a CA chain for a given certificate.

>
> - Is SPKI the right choice for the default format? X.509 is more widely
> deployed and has better support vs. SPKI is simpler but has less
> support. In the pre-version I already changed X.509s as the default,
> because the X.509s are commonly used in the wild and SPKIs are more like
> research curiosity(?).

I think that X.509 should be the default format.

>
> - Are the hash and URL encodings needed? At least with on-path
> middleboxes they are problematic.

I think the hash and URL encodings are important and would even like to
see them expanded to include http URL, Distinguished Name, and LDAP path.

>
> - Are the examples in the appendixes sufficient?

It would be nice to see an example with sending a certificate chain.


From thomas.r.henderson@boeing.com  Wed Oct 21 21:13:45 2009
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: "'Varjonen Samu'" <samu.varjonen@hiit.fi>, HIP <hipsec@ietf.org>
Date: Wed, 21 Oct 2009 21:13:41 -0700
Message-ID: <AAF2CBF9D2573B45A7ED75C4FFD9883F4B9515A10E@XCH-NW-10V.nw.nos.boeing.com>
References: <4ADC1B4D.6010608@hiit.fi> <E330FAC0AD42A34E90F3467F5A37AA372546211D2D@XCH-NW-11V.nw.nos.boeing.com>
In-Reply-To: <E330FAC0AD42A34E90F3467F5A37AA372546211D2D@XCH-NW-11V.nw.nos.boeing.com>
Subject: Re: [Hipsec] draft-ietf-hip-cert-02-pre00

> -----Original Message-----
> From: hipsec-bounces@ietf.org
> [mailto:hipsec-bounces@ietf.org] On Behalf Of Mattes, David
> Sent: Wednesday, October 21, 2009 11:44 AM
> To: 'Varjonen Samu'; HIP
> Subject: Re: [Hipsec] draft-ietf-hip-cert-02-pre00
>
> Hi Samu,
>
> As some background, I am focused on using HIP operationally
> and therefore have a pragmatic point of view of the
> specifications.  Here are some in-line opinions for your
> questions below.
>
> Also, what is the purpose of requiring the HIT as part of the
> X.509 information?  In practice (at least until HIP is a
> de-facto standard ;-), I think it will be quite difficult to
> convince Certificate issuers to include new or different
> information.  I think you should remove that recommendation
> from the draft.

I am guessing that the HIT is mandated because the draft focuses on
self-signed certificates.  However, I don't really understand such a use
case (self-signed certificate).  Isn't all of the information in the
example certificate already provided as part of RFC 5201 HIP messaging?

I had thought that the HIP CERT draft could specify the following:
1) using the HIP HI (public key) as a subject public key, bind a subject
Alternative Name (such as email address or other value) to that key,
based on the CA signature.
2) elements of procedure for exchanging CERTs, or requesting that the
peer provide a CERT.

So, I'm guessing that David has the first use case in mind, that the CA
need not even be HIP aware but is just asked to sign the binding between
key and name, and then the host can use the subject key as a host identity.

Regarding elements of procedure, it seemed to me that it would be in scope
to specify how to ask the end host to provide a CERT, plus how to handle
failure cases (e.g. "I don't recognize the CA", "Bad certificate
signature", etc.).  In addition, I agree with David's comment that a
HIP-aware middlebox ought to be able to challenge a host to provide a
CERT.  I don't know whether just a generic challenge would be needed, or
whether the middlebox would be able to identify the CAs that it recognizes
in the challenge.

> >
> > - Is SPKI the right choice for the default format?

Do we need a default for this?  What does it mean that "All
implementations MUST support the X.509v3 format."  This is an optional,
non-critical parameter.

It seems to me that implementations ought to be RECOMMENDED to support one
or both formats, and we specify what happens when one side of the exchange
does not understand CERT at all, or when it understands CERT but does not
support the Type number.

> > - Are the hash and URL encodings needed? At least with on-path
> > middleboxes they are problematic.
>
> I think the hash and URL encodings are important and would
> even like to see them expanded to include http URL,
> Distinguished Name, and LDAP path.

Agree.

>
> >
> > - Are the examples in the appendixes sufficient?
>
> It would be nice to see an example with sending a certificate chain.

Agree (a non-self-signed example).

A few small editorial comments are that in section 2, the capitalization
is not consistent in paragraph 3, and it seems like the last sentence
before the figure should be the lead sentence of paragraph three, so the
reader doesn't infer from the existing paragraph three lead sentence that
any HIP packet (e.g. I1) carries CERT.

Regards,
Tom
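
The two procedural points raised in this thread, David's proposal that a
middlebox or responder cache certificates and fetch the full certificate
behind a Hash-and-URL reference only when it has to, and Tom's request that
the draft say what happens when a peer understands CERT but not the Type
number and that it show a certificate chain rather than a single self-signed
certificate, are illustrated below with a small Python encoder/decoder for
the CERT parameter. This is an added example written for this archive; it is
not code from the draft, from either poster or from any HIP implementation.
It assumes the field layout and type values of the later published RFC 6253
(parameter Type 768, one octet each for Cert group, Cert count, Cert ID and
Cert type, Hash-and-URL carried as a 20-octet SHA-1 digest followed by the
URL); the -02-pre00 draft under discussion may use other numbers. The
`fetch` callback and the `DER-...` byte strings are constructed placeholders,
not a real retrieval mechanism or real certificates.

```python
"""CERT parameter encode/decode plus Hash-and-URL verification for HIP.

Constructed illustration for the hip-cert thread; not code from the draft
or from any poster. Field layout and type values follow the later RFC 6253
(parameter Type 768; Cert group, Cert count, Cert ID and Cert type are one
octet each), which is an assumption: the -02-pre00 draft may use other
numbers. The "DER" byte strings used here are constructed placeholders.
"""
import hashlib
import struct

CERT_PARAM_TYPE = 768            # assumed: RFC 6253 value, not taken from the draft
CERT_TYPE_X509V3 = 1
CERT_TYPE_HASH_URL_X509V3 = 3    # 20-octet SHA-1 of the DER cert, then the URL
SUPPORTED_TYPES = {CERT_TYPE_X509V3, CERT_TYPE_HASH_URL_X509V3}


def encode_cert_param(group, count, cert_id, cert_type, payload):
    """Build one CERT TLV. Length counts the contents only; the whole TLV is
    padded to an 8-octet boundary, as RFC 5201 requires for parameters."""
    body = struct.pack("!BBBB", group, count, cert_id, cert_type) + payload
    tlv = struct.pack("!HH", CERT_PARAM_TYPE, len(body)) + body
    return tlv + b"\x00" * (-len(tlv) % 8)


def decode_cert_param(buf):
    """Parse one CERT TLV into a dict, or raise ValueError.

    An unrecognised Cert type is reported instead of being passed along
    unverified: this is the "understands CERT but not the Type number" case
    the thread wants the draft to specify, and rejecting is the safe default.
    """
    if len(buf) < 8:
        raise ValueError("truncated CERT parameter")
    ptype, length = struct.unpack("!HH", buf[:4])
    if ptype != CERT_PARAM_TYPE:
        raise ValueError("not a CERT parameter (type %d)" % ptype)
    if length < 4 or 4 + length > len(buf):
        raise ValueError("CERT length field inconsistent with buffer")
    group, count, cert_id, cert_type = struct.unpack("!BBBB", buf[4:8])
    if cert_type not in SUPPORTED_TYPES:
        raise ValueError("unsupported Cert type %d" % cert_type)
    if not 1 <= cert_id <= count:
        raise ValueError("Cert ID %d outside 1..%d" % (cert_id, count))
    return {"group": group, "count": count, "id": cert_id,
            "type": cert_type, "payload": buf[8:4 + length]}


def encode_chain(group, certs, cert_type):
    """One CERT parameter per certificate of a chain: same group, count = chain
    length, IDs 1..n in chain order (leaf first, issuer CA last)."""
    return [encode_cert_param(group, len(certs), i, cert_type, c)
            for i, c in enumerate(certs, start=1)]


def reassemble_chain(params):
    """Decode a set of CERT parameters back into the ordered chain, checking
    that they belong to one group and that no member is missing."""
    decoded = [decode_cert_param(p) for p in params]
    groups = {d["group"] for d in decoded}
    counts = {d["count"] for d in decoded}
    if len(groups) != 1 or len(counts) != 1:
        raise ValueError("parameters do not form a single chain")
    ids = sorted(d["id"] for d in decoded)
    if ids != list(range(1, counts.pop() + 1)):
        raise ValueError("chain is missing members: got IDs %s" % ids)
    return [d["payload"] for d in sorted(decoded, key=lambda d: d["id"])]


def encode_hash_and_url(cert_der, url):
    """Hash-and-URL payload: SHA-1 digest of the certificate followed by the URL."""
    return hashlib.sha1(cert_der).digest() + url.encode("ascii")


def resolve_hash_and_url(payload, cache, fetch):
    """Return the certificate referred to by a Hash-and-URL payload.

    `cache` maps digest -> DER bytes and `fetch(url)` is a hypothetical
    retrieval callback; a middlebox or responder only calls it on a cache
    miss, which is the "request the full certificate only when necessary"
    behaviour proposed in the thread. Whatever comes back must hash to the
    digest carried in the (signed) HIP packet, otherwise it is discarded.
    """
    digest, url = payload[:20], payload[20:].decode("ascii")
    if digest in cache:
        return cache[digest]
    cert_der = fetch(url)
    if hashlib.sha1(cert_der).digest() != digest:
        raise ValueError("certificate fetched from %s does not match its hash" % url)
    cache[digest] = cert_der
    return cert_der


if __name__ == "__main__":
    leaf, ca = b"DER-LEAF-PLACEHOLDER", b"DER-CA-PLACEHOLDER"
    chain = encode_chain(1, [leaf, ca], CERT_TYPE_X509V3)
    print("chain round trip:", reassemble_chain(chain) == [leaf, ca])
    ref = encode_cert_param(2, 1, 1, CERT_TYPE_HASH_URL_X509V3,
                            encode_hash_and_url(leaf, "http://example.invalid/leaf.der"))
    got = resolve_hash_and_url(decode_cert_param(ref)["payload"], {}, lambda url: leaf)
    print("hash-and-url verified:", got == leaf)
```

The digest in the Hash-and-URL payload is what makes the deferred fetch safe
to cache: it travels inside the HIP packet, so a retrieved certificate that
does not hash to it is dropped rather than trusted, and once verified it can
be served from the cache without contacting the URL again. The decoder
refuses unknown Cert types; whether a real implementation should instead
skip the parameter is exactly the policy question Tom asks the draft to
settle.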

From samu.varjonen@hiit.fi  Wed Oct 21 23:04:29 2009
Message-ID: <4ADFF5ED.5090608@hiit.fi>
Date: Thu, 22 Oct 2009 09:04:29 +0300
From: Samu Varjonen <samu.varjonen@hiit.fi>
To: "Mattes, David" <david.mattes@boeing.com>
References: <4ADC1B4D.6010608@hiit.fi> <E330FAC0AD42A34E90F3467F5A37AA372546211D2D@XCH-NW-11V.nw.nos.boeing.com>
In-Reply-To: <E330FAC0AD42A34E90F3467F5A37AA372546211D2D@XCH-NW-11V.nw.nos.boeing.com>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] draft-ietf-hip-cert-02-pre00

Mattes, David wrote:
> Hi Samu,
> 
> As some background, I am focused on using HIP operationally and therefore have a pragmatic point of view of the specifications.  Here are some in-line opinions for your questions below.
> 
> Also, what is the purpose of requiring the HIT as part of the X.509 information?  In practice (at least until HIP is a de-facto standard ;-), I think it will be quite difficult to convince Certificate issuers to include new or different information.  I think you should remove that recommendation from the draft.

We do not want to enforce all certificates to have HITs encoded as 
subjects and/or issuers. It is there if you need to encode HITs. I will 
rephrase the text to clearly state this.

> 
> Page 1, Introduction, Last sentence: Do you mean Section 5.2 of RFC5201?
> 

Looks like it, will fix it.

> Minor nit:
> Page 3, Paragraph 1, Line 2: s/X.503.v3/X.509.v3
> 

Typo, will fix it.

> Thank you for your work on this!
> 
> Regards,
> David Mattes
> 
>> -----Original Message-----
>> - Is the draft sufficient? Do we need to specify something more? Is
>> something important missing?
> 
> I agree that having on-path middleboxes request remote data is problematic (also from a trust point of view!), so what about introducing a mechanism for the middleboxes or responders to request the full certificate when presented with a CERT URL?  This way, middleboxes and responders can cache certs and only request the entire certificate when necessary.  This mechanism could also allow post-mobility-event middleboxes to request endpoint certificates when they start to see a new flow.  
> 
> This mechanism is probably outside the scope of this draft, but would the requests themselves be defined here?  Another object I could envision being requested would be a CA chain for a given certificate.

We have been discussing this and our solution for this is to use 
draft-heer-hip-service-00 (see Section 4.1. Certificates) to signal the 
end-host about the needed additional credentials.

> 
>> - Is SPKI the right choice for the default format? X.509 is more widely
>> deployed and has better support vs. SPKI is simpler but has less
>> support. In the pre-version I already changed X.509s as the default,
>> because the X.509s are commonly used in the wild and SPKIs are more like
>> research curiosity(?).
> 
> I think that X.509 should be the default format.

I agree.

> 
>> - Are the hash and URL encodings needed? At least with on-path
>> middleboxes they are problematic.
> 
> I think the hash and URL encodings are important and would even like to see them expanded to include http URL, Distinguished Name, and LDAP path.

I'll look into this.

> 
>> - Are the examples in the appendixes sufficient?
> 
> It would be nice to see an example with sending a certificate chain.

With all certificates included or just the parameter headers and 
parameter payload omitted? This will take loads of space but could be 
useful.

> 

Thanks for the comments. They were helpful.

-- 
BR,
Samu

"Programmer is an organism that changes caffeine into code"

From samu.varjonen@hiit.fi  Wed Oct 21 23:16:50 2009
Message-ID: <4ADFF8D3.4030602@hiit.fi>
Date: Thu, 22 Oct 2009 09:16:51 +0300
From: Samu Varjonen <samu.varjonen@hiit.fi>
To: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
References: <4ADC1B4D.6010608@hiit.fi> <E330FAC0AD42A34E90F3467F5A37AA372546211D2D@XCH-NW-11V.nw.nos.boeing.com> <AAF2CBF9D2573B45A7ED75C4FFD9883F4B9515A10E@XCH-NW-10V.nw.nos.boeing.com>
In-Reply-To: <AAF2CBF9D2573B45A7ED75C4FFD9883F4B9515A10E@XCH-NW-10V.nw.nos.boeing.com>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] draft-ietf-hip-cert-02-pre00

Henderson, Thomas R wrote:
> 
>> -----Original Message-----
>> From: hipsec-bounces@ietf.org
>> [mailto:hipsec-bounces@ietf.org] On Behalf Of Mattes, David
>> Sent: Wednesday, October 21, 2009 11:44 AM
>> To: 'Varjonen Samu'; HIP
>> Subject: Re: [Hipsec] draft-ietf-hip-cert-02-pre00
>>
>> Hi Samu,
>>
>> As some background, I am focused on using HIP operationally
>> and therefore have a pragmatic point of view of the
>> specifications.  Here are some in-line opinions for your
>> questions below.
>>
>> Also, what is the purpose of requiring the HIT as part of the
>> X.509 information?  In practice (at least until HIP is a
>> de-facto standard ;-), I think it will be quite difficult to
>> convince Certificate issuers to include new or different
>> information.  I think you should remove that recommendation
>> from the draft.
> 
> I am guessing that the HIT is mandated because the draft focuses on self-signed certificates.  However, I don't really understand such a use case (self-signed certificate).  Isn't all of the information in the example certificate already provided as part of RFC 5201 HIP messaging?
> 

There is an answer in the earlier mail for this. Rephrasing the text.

> I had thought that the HIP CERT draft could specify the following:
> 1) using the HIP HI (public key) as a subject public key, bind a subject Alternative Name (such as email address or other value) to that key, based on the CA signature.

That can be done after I rephrase the mandated HIT text.

> 2)  elements of procedure for exchanging CERTs, or requesting that the peer provide a CERT.

This has been discussed but for some reason we put it into 
hip-service-00. Do you think hip-cert should have its own way of asking 
the certificates or could it use hip-service-00? The functionality would 
overlap with the hip-service-00.

> 
> So, I'm guessing that David has the first use case in mind, that the CA need not even be HIP aware but is just asked to sign the binding between key and name, and then the host can use the subject key as a host identity.
> 
> Regarding elements of procedure, it seemed to me that it would be in scope to specify how to ask the end host to provide a CERT, plus how to handle failure cases (e.g. "I don't recognize the CA", "Bad certificate signature", etc.).  In addition, I agree with David's comment that a HIP-aware middlebox ought to be able to challenge a host to provide a CERT.  I don't know whether just a generic challenge would be needed, or whether the middlebox would be able to identify the CAs that it recognizes in the challenge.
> 

Sounds like hip-service-00 :)

>>> - Is SPKI the right choice for the default format?
> 
> Do we need a default for this?  What does it mean that "All implementations MUST support the X.509v3 format."  This is an optional, non-critical parameter.
> 
> It seems to me that implementations ought to be RECOMMENDED to support one or both formats, and we specify what happens when one side of the exchange does not understand CERT at all, or when it understands CERT but does not support the Type number.

It was supposed to be like: If you implement this non-critical parameter 
you should at least implement support for this certificate. But I can 
see your point and I am leaning towards it and here I should refer to 
the hip-service-00 again.

> 
>>>> - Are the hash and URL encodings needed? At least with on-path
>>> middleboxes they are problematic.
>> I think the hash and URL encodings are important and would
>> even like to see them expanded to include http URL,
>> Distinguished Name, and LDAP path.
> 
> Agree.

Looking into this and agreeing.

> 
>>> - Are the examples in the appendixes sufficient?
>> It would be nice to see an example with sending a certificate chain.
> 
> Agree (a non-self-signed example).

OK, can be done.

> 
> A few small editorial comments are that in section 2, the capitalization is not consistent in paragraph 3, and it seems like the last sentence before the figure should be the lead sentence of paragraph three, so the reader doesn't infer from the existing paragraph three lead sentence that any HIP packet (e.g. I1) carries CERT.

OK, will fix this.

> 
> Regards,
> Tom

Thanks for the helpful comments.

-- 
BR,
Samu

"Programmer is an organism that changes caffeine into code"
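
Tom's first use case above (a CA that need not be HIP-aware signs the binding between a name and the host's key, and the host then uses that key as its Host Identity), together with the two failure cases he names, worked through as an added Go example that is not part of this thread or of the draft. The CA names, the e-mail address and all keys are constructed, and the final check that the certified key equals the peer's HI is this example's own assumption about what a HIP verifier should require.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Outcomes; the two quoted strings are the failure cases named in the thread.
const (
	OK           = "ok"
	Malformed    = "malformed certificate"
	UnknownCA    = "I don't recognize the CA"
	BadSignature = "Bad certificate signature"
	KeyMismatch  = "subject key is not the peer's Host Identity"
)

// CheckHostCert validates a DER certificate presented by a HIP peer. The CA
// need not be HIP-aware: it only signed a name-to-key binding, so the verifier
// must also confirm the certified key is the HI (peerHI) the peer used in the base exchange.
func CheckHostCert(der []byte, trusted []*x509.Certificate, peerHI *ecdsa.PublicKey) string {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return Malformed
	}
	var issuer *x509.Certificate // locate the issuer among trusted CAs by exact name match
	for _, ca := range trusted {
		if bytes.Equal(ca.RawSubject, cert.RawIssuer) {
			issuer = ca
		}
	}
	if issuer == nil {
		return UnknownCA
	}
	// CheckSignatureFrom also insists the issuer is a CA whose key usage allows signing.
	if err := cert.CheckSignatureFrom(issuer); err != nil {
		return BadSignature
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(peerHI) {
		return KeyMismatch
	}
	return OK
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed CA certificate (constructed test fixture).
func newCA(name string, key *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	check(err)
	ca, err := x509.ParseCertificate(der)
	check(err)
	return ca
}

// RunScenarios runs CheckHostCert over constructed inputs: a valid certificate,
// one with a corrupted signature, one issued by an untrusted CA, and the valid
// one checked against a different HI. Returns the outcome per scenario.
func RunScenarios() map[string]string {
	keys := make([]*ecdsa.PrivateKey, 4) // trusted CA, rogue CA, host HI, other key
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		check(err)
		keys[i] = k
	}
	ca, rogue := newCA("Trusted CA", keys[0]), newCA("Rogue CA", keys[1])
	hi, trusted := &keys[2].PublicKey, []*x509.Certificate{ca}
	// The host certificate binds an e-mail name to the HI (use case 1 in the thread).
	host := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "hip-host"},
		EmailAddresses: []string{"host@example.invalid"}, // constructed name
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	good, err := x509.CreateCertificate(rand.Reader, host, ca, hi, keys[0])
	check(err)
	fromRogue, err := x509.CreateCertificate(rand.Reader, host, rogue, hi, keys[1])
	check(err)
	tampered := append([]byte(nil), good...)
	tampered[len(tampered)-1] ^= 0xff // the last DER byte lies inside the signature value
	return map[string]string{
		"valid":      CheckHostCert(good, trusted, hi),
		"tampered":   CheckHostCert(tampered, trusted, hi),
		"unknown_ca": CheckHostCert(fromRogue, trusted, hi),
		"wrong_hi":   CheckHostCert(good, trusted, &keys[3].PublicKey),
	}
}
```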

From miika.komu@hiit.fi  Wed Oct 21 23:36:20 2009
Message-ID: <4ADFFD73.4030205@hiit.fi>
Date: Thu, 22 Oct 2009 09:36:35 +0300
From: Miika Komu <miika.komu@hiit.fi>
To: Samu Varjonen <samu.varjonen@hiit.fi>
References: <4ADC1B4D.6010608@hiit.fi>	<E330FAC0AD42A34E90F3467F5A37AA372546211D2D@XCH-NW-11V.nw.nos.boeing.com> <4ADFF5ED.5090608@hiit.fi>
In-Reply-To: <4ADFF5ED.5090608@hiit.fi>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] draft-ietf-hip-cert-02-pre00

Samu Varjonen wrote:

Hi,

> Mattes, David wrote:
>> Hi Samu,
>>
>> As some background, I am focused on using HIP operationally and 
>> therefore have a pragmatic point of view of the specifications.  Here 
>> are some in-line opinions for your questions below.
>>
>> Also, what is the purpose of requiring the HIT as part of the X.509 
>> information?  In practice (at least until HIP is a de-facto standard 
>> ;-), I think it will be quite difficult to convince Certificate 
>> issuers to include new or different information.  I think you should 
>> remove that recommendation from the draft.
> 
> We do not want to enforce all certificates to have HITs encoded as 
> subjects and/or issuers. It is there if you need to encode HITs. I will 
> rephrase the text to clearly state this.

Does the HIT have problems with the planned algo agility mechanism 
described here:

http://www.ietf.org/mail-archive/web/hipsec/current/msg02661.html

From heer@informatik.rwth-aachen.de  Thu Oct 22 01:47:32 2009
From: Tobias Heer <heer@cs.rwth-aachen.de>
In-reply-to: <4ADFF8D3.4030602@hiit.fi>
Date: Thu, 22 Oct 2009 10:47:36 +0200
Message-id: <E73A7108-A108-45E7-9330-0CC122F2C5A8@cs.rwth-aachen.de>
References: <4ADC1B4D.6010608@hiit.fi> <E330FAC0AD42A34E90F3467F5A37AA372546211D2D@XCH-NW-11V.nw.nos.boeing.com> <AAF2CBF9D2573B45A7ED75C4FFD9883F4B9515A10E@XCH-NW-10V.nw.nos.boeing.com> <4ADFF8D3.4030602@hiit.fi>
To: Samu Varjonen <samu.varjonen@HIIT.FI>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] draft-ietf-hip-cert-02-pre00

Hi.

Comments inline.

On 22.10.2009 at 08:16, Samu Varjonen wrote:

> Henderson, Thomas R wrote:
>> 2)  elements of procedure for exchanging CERTs, or requesting that  
>> the peer provide a CERT.
>
> This has been discussed but for some reason we put it into hip- 
> service-00. Do you think hip-cert should have its own way of asking  
> the certificates or could it use hip-service-00? The functionality  
> would overlap with the hip-service-00.
>
The HIP hip-service-00 draft presents a general way of notifying end-hosts
about requirements and properties of a service and allows some simple
negotiations. Requesting certain certificates was one of the main reasons
for writing the draft. However, we felt that more general negotiations
would be out of scope for the hip-cert draft. The draft has not been
advanced because we got very few comments on which services people
would/could use. If needed we can narrow down the types of services that
can be negotiated and focus on the signaling of the certificate first but
I wouldn't really want to abandon a more general use of the HIP service
parameter.


>> So, I'm guessing that David has the first use case in mind, that  
>> the CA need not even be HIP aware but is just asked to sign the  
>> binding between key and name, and then the host can use the subject  
>> key as a host identity.
>> Regarding elements of procedure, it seemed to me that it would be  
>> in scope to specify how to ask the end host to provide a CERT, plus  
>> how to handle failure cases (e.g. "I don't recognize the CA", "Bad  
>> certificate signature", etc.).  In addition, I agree with David's  
>> comment that a HIP-aware middlebox ought to be able to challenge a  
>> host to provide a CERT.  I don't know whether just a generic  
>> challenge would be needed, or whether the middlebox would be able  
>> to identify the CAs that it recognizes in the challenge.
>
> Sounds like hip-service-00 :)
>
>>>> - Is SPKI the right choice for the default format?
>> Do we need a default for this?  What does it mean that "All  
>> implementations MUST support the X.509v3 format."  This is an  
>> optional, non-critical parameter.
>> It seems to me that implementations ought to be RECOMMENDED to  
>> support one or both formats, and we specify what happens when one  
>> side of the exchange does not understand CERT at all, or when it  
>> understands CERT but does not support the Type number.
>
> It was supposed to be like: If you implement this non-critical
> parameter you should at least implement support for this
> certificate. But I can see your point and I am leaning towards it
> and here I should refer to the hip-service-00 again.

If needed we can flesh out the certificate handling in the hip-service  
draft to support the hip-cert draft. So far, the hip-service-00 draft  
was discussed in the RG. Should we expand this to the WG and process  
hip-cert and hip-service as a bundle?

BR,
Tobias

>
>>>>> - Are the hash and URL encodings needed? At least with on-path
>>>> middleboxes they are problematic.
>>> I think the hash and URL encodings are important and would
>>> even like to see them expanded to include http URL,
>>> Distinguished Name, and LDAP path.
>> Agree.
>
> Looking into this and agreeing.
>
>>>> - Are the examples in the appendixes sufficient?
>>> It would be nice to see an example with sending a certificate chain.
>> Agree (a non-self-signed example).
>
> OK. can be done.
>
>> A few small editorial comments are that in section 2, the  
>> capitalization is not consistent in paragraph 3, and it seems like  
>> the last sentence before the figure should be the lead sentence of  
>> paragraph three, so the reader doesn't infer from the existing  
>> paragraph three lead sentence that any HIP packet (e.g. I1) carries  
>> CERT.
>
> OK, will fix this.
>
>> Regards,
>> Tom
>
> Thanks for the helpful comments.
>
> -- 
> BR,
> Samu
>
> "Programmer is an organism that changes caffeine into code"
--  

Dipl.-Inform. Tobias Heer, Ph.D. Student
Distributed Systems Group
RWTH Aachen University, Germany
tel: +49 241 80 207 76
web: http://ds.cs.rwth-aachen.de/members/heer

From thomas.r.henderson@boeing.com  Thu Oct 22 07:26:32 2009
From: "Henderson, Thomas R" <thomas.r.henderson@boeing.com>
To: "'Tobias Heer'" <heer@cs.rwth-aachen.de>, Samu Varjonen <samu.varjonen@HIIT.FI>
Date: Thu, 22 Oct 2009 07:26:23 -0700
Message-ID: <AAF2CBF9D2573B45A7ED75C4FFD9883F4B9515A113@XCH-NW-10V.nw.nos.boeing.com>
References: <4ADC1B4D.6010608@hiit.fi> <E330FAC0AD42A34E90F3467F5A37AA372546211D2D@XCH-NW-11V.nw.nos.boeing.com> <AAF2CBF9D2573B45A7ED75C4FFD9883F4B9515A10E@XCH-NW-10V.nw.nos.boeing.com> <4ADFF8D3.4030602@hiit.fi> <E73A7108-A108-45E7-9330-0CC122F2C5A8@cs.rwth-aachen.de>
In-Reply-To: <E73A7108-A108-45E7-9330-0CC122F2C5A8@cs.rwth-aachen.de>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] draft-ietf-hip-cert-02-pre00

>
> If needed we can flesh out the certificate handling in the
> hip-service
> draft to support the hip-cert draft. So far, the
> hip-service-00 draft
> was discussed in the RG. Should we expand this to the WG and process
> hip-cert and hip-service as a bundle?
>

I don't have a strong opinion about where it ends up.  I would most
intuitively find the certificate handling behavior within the certificate
draft but if there is a need to make it part of a more general framework,
the services draft might be OK.  I think it would be most direct to try to
agree on or write down the use cases and desired functionality/behavior for
certificate handling, then later decide whether it fits better in a service
draft or in the cert draft.

- Tom

From root@core3.amsl.com  Fri Oct 23 15:15:01 2009
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Message-Id: <20091023221501.90C0028B797@core3.amsl.com>
Date: Fri, 23 Oct 2009 15:15:01 -0700 (PDT)
Cc: hipsec@ietf.org
Subject: [Hipsec] I-D ACTION:draft-ietf-hip-nat-traversal-09.txt

A New Internet-Draft is available from the on-line Internet-Drafts 
directories.
This draft is a work item of the Host Identity Protocol Working Group of the IETF.

	Title		: Basic HIP Extensions for Traversal of Network Address Translators
	Author(s)	: M. Komu, T. Henderson, H. Tschofenig, J. Melen, A. Keraenen
	Filename	: draft-ietf-hip-nat-traversal-09.txt
	Pages		: 33
	Date		: 2009-10-23
	
This document specifies extensions to the Host Identity Protocol
(HIP) to facilitate Network Address Translator (NAT) traversal.  The
extensions are based on the use of the Interactive Connectivity
Establishment (ICE) methodology to discover a working path between
two end-hosts, and on standard techniques for encapsulating
Encapsulating Security Payload (ESP) packets within the User Datagram
Protocol (UDP).  This document also defines elements of a procedure
for NAT traversal, including the optional use of a HIP relay server.
With these extensions HIP is able to work in environments that have
NATs and provides a generic NAT traversal solution to higher-layer
networking applications.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-hip-nat-traversal-09.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/



From samu.varjonen@hiit.fi  Mon Oct 26 02:10:19 2009
Message-ID: <4AE5683A.5000502@hiit.fi>
Date: Mon, 26 Oct 2009 11:13:30 +0200
From: Samu Varjonen <samu.varjonen@hiit.fi>
To: miika.komu@hiit.fi
References: <4ADC1B4D.6010608@hiit.fi>	<E330FAC0AD42A34E90F3467F5A37AA372546211D2D@XCH-NW-11V.nw.nos.boeing.com> <4ADFF5ED.5090608@hiit.fi> <4ADFFD73.4030205@hiit.fi>
In-Reply-To: <4ADFFD73.4030205@hiit.fi>
Cc: HIP <hipsec@ietf.org>
Subject: Re: [Hipsec] draft-ietf-hip-cert-02-pre00

Miika Komu wrote:
> Samu Varjonen wrote:
> 
> Hi,
> 
>> Mattes, David wrote:
>>> Hi Samu,
>>>
>>> As some background, I am focused on using HIP operationally and 
>>> therefore have a pragmatic point of view of the specifications.  Here 
>>> are some in-line opinions for your questions below.
>>>
>>> Also, what is the purpose of requiring the HIT as part of the X.509 
>>> information?  In practice (at least until HIP is a de-facto standard 
>>> ;-), I think it will be quite difficult to convince Certificate 
>>> issuers to include new or different information.  I think you should 
>>> remove that recommendation from the draft.
>>
>> We do not want to enforce all certificates to have HITs encoded as 
>> subjects and/or issuers. It is there if you need to encode HITs. I 
>> will rephrase the text to clearly state this.
> 
> does the HIT have problems with the planned algo agility mechanism 
> described in here:
> 
> http://www.ietf.org/mail-archive/web/hipsec/current/msg02661.html

As I have understood it, the HIT will remain in the present presentation 
format and the hash algo is read from DNS or, with the I1-R1 exchange, from 
the responder's HOST-ID, in which case the KEY RR would just have a new 
algorithm number. This affects the public-key and signature sequences in 
the certificates but they are defined in their own respective documents 
(or need to be defined). HIP-cert only describes the parameter, how to 
carry the certificates inside HIP control messages, and how to encode 
and use HITs in certificates as entities like issuer and/or subject.

At least, now I do not see any problems, but if something comes up 
please let me know.

BR,
Samu

From root@core3.amsl.com  Mon Oct 26 03:30:01 2009
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Message-Id: <20091026103001.EED8F3A687C@core3.amsl.com>
Date: Mon, 26 Oct 2009 03:30:01 -0700 (PDT)
Cc: hipsec@ietf.org
Subject: [Hipsec] I-D Action:draft-ietf-hip-cert-02.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Host Identity Protocol Working Group of the IETF.


	Title           : HIP Certificates
	Author(s)       : T. Heer, S. Varjonen
	Filename        : draft-ietf-hip-cert-02.txt
	Pages           : 10
	Date            : 2009-10-26

This document specifies a certificate parameter called CERT for the
Host Identity Protocol (HIP).  The CERT parameter is a container for
X.509.v3 certificates and for Simple Public Key Infrastructure (SPKI)
certificates.  It is used for carrying these certificates in HIP
control packets.  Additionally, this document specifies the
representations of Host Identity Tags in X.509.v3 and in SPKI
certificates.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-hip-cert-02.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From samu.varjonen@hiit.fi  Mon Oct 26 04:28:42 2009
Return-Path: <samu.varjonen@hiit.fi>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8CFA23A6A60 for <hipsec@core3.amsl.com>; Mon, 26 Oct 2009 04:28:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.35
X-Spam-Level: 
X-Spam-Status: No, score=-1.35 tagged_above=-999 required=5 tests=[AWL=-0.042,  BAYES_00=-2.599, MISSING_HEADERS=1.292]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kFc+DHEXQWt0 for <hipsec@core3.amsl.com>; Mon, 26 Oct 2009 04:28:41 -0700 (PDT)
Received: from argo.otaverkko.fi (argo.otaverkko.fi [212.68.0.2]) by core3.amsl.com (Postfix) with ESMTP id 6F2673A6A5A for <hipsec@ietf.org>; Mon, 26 Oct 2009 04:28:41 -0700 (PDT)
Received: from [128.214.113.196] (sutherland.hiit.fi [128.214.113.196]) by argo.otaverkko.fi (Postfix) with ESMTP id 01D8C25ED0F for <hipsec@ietf.org>; Mon, 26 Oct 2009 13:28:53 +0200 (EET)
Message-ID: <4AE588A9.2010105@hiit.fi>
Date: Mon, 26 Oct 2009 13:31:53 +0200
From: Samu Varjonen <samu.varjonen@hiit.fi>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
Cc: hipsec@ietf.org
References: <20091026103001.EED8F3A687C@core3.amsl.com>
In-Reply-To: <20091026103001.EED8F3A687C@core3.amsl.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Hipsec] I-D Action:draft-ietf-hip-cert-02.txt
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2009 11:28:42 -0000

Hi,

This is the new version of the HIP certificates.

Modifications include:
- Editorial changes according to the discussions on the mailing list.
- Added new types for DN and LDAP URL
- Added signaling discussion and reference to the heer-hip-service-00

Open questions:

1. Should signaling be defined specifically for hip-cert?

Seems like overlapping work because hip-service already defines a 
generic way to signal the requirements and failures but it is an individual 
submission.

2. Should hip-service be adopted as WG item and handled in bundle with
   hip-cert?

Because the signaling is needed for the hosts to signal the need for a 
certificate or for a chain of certificates. But referencing hip-service 
cannot be done unless it's taken forward at the same pace.

3. Or should the hip-cert be more generic?

Then hip-cert would be about just the parameter and the signaling of 
requirements and failures would be left to other documents such as 
hip-service to handle (but which would progress on its own pace).

4. Gathering use case scenarios and adding examples to the draft?

5. Add new examples?

If something seems to be missing or off, please inform me.

Comments are welcome as usual.

BR,
Samu Varjonen

Internet-Drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Host Identity Protocol Working Group of the IETF.
> 
> 
> 	Title           : HIP Certificates
> 	Author(s)       : T. Heer, S. Varjonen
> 	Filename        : draft-ietf-hip-cert-02.txt
> 	Pages           : 10
> 	Date            : 2009-10-26
> 
> This document specifies a certificate parameter called CERT for the
> Host Identity Protocol (HIP).  The CERT parameter is a container for
> X.509.v3 certificates and for Simple Public Key Infrastructure (SPKI)
> certificates.  It is used for carrying these certificates in HIP
> control packets.  Additionally, this document specifies the
> representations of Host Identity Tags in X.509.v3 and in SPKI
> certificates.
> 
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-hip-cert-02.txt
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Hipsec mailing list
> Hipsec@ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec


From miika.komu@hiit.fi  Mon Oct 26 04:44:28 2009
Return-Path: <miika.komu@hiit.fi>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1A7C428C22E for <hipsec@core3.amsl.com>; Mon, 26 Oct 2009 04:44:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hRt9edN07w9r for <hipsec@core3.amsl.com>; Mon, 26 Oct 2009 04:44:27 -0700 (PDT)
Received: from argo.otaverkko.fi (argo.otaverkko.fi [212.68.0.2]) by core3.amsl.com (Postfix) with ESMTP id C62673A68EE for <hipsec@ietf.org>; Mon, 26 Oct 2009 04:44:26 -0700 (PDT)
Received: from [192.168.1.2] (cs27101111.pp.htv.fi [89.27.101.111]) by argo.otaverkko.fi (Postfix) with ESMTP id B8AA825ED0F; Mon, 26 Oct 2009 13:44:39 +0200 (EET)
Message-ID: <4AE58BAA.5020708@hiit.fi>
Date: Mon, 26 Oct 2009 13:44:42 +0200
From: Miika Komu <miika.komu@hiit.fi>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Samu Varjonen <samu.varjonen@hiit.fi>
References: <20091026103001.EED8F3A687C@core3.amsl.com> <4AE588A9.2010105@hiit.fi>
In-Reply-To: <4AE588A9.2010105@hiit.fi>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: hipsec@ietf.org
Subject: Re: [Hipsec] I-D Action:draft-ietf-hip-cert-02.txt
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: miika.komu@hiit.fi
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2009 11:44:28 -0000

Samu Varjonen wrote:

Hi,

> Hi,
> 
> This is the new version of the HIP certificates.
> 
> Modifications include:
> - Editorial changes according to the discussions on the mailing list.
> - Added new types for DN and LDAP URL
> - Added signaling discussion and reference to the heer-hip-service-00

nice work!

> Open questions:
> 
> 1. Should signaling be defined specifically for hip-cert?
> 
> Seems like overlapping work because hip-service already defines a 
> generic way to signal the requirements and failures but it is an individual 
> submission.

I think the certificate draft should be independent of other 
extension mechanisms. So, the signaling should be handled in the service 
draft.

> 2. Should hip-service be adopted as WG item and handled in bundle with
>   hip-cert?
> 
> Because the signaling is needed for the hosts to signal the need for a 
> certificate or for a chain of certificates. But referencing hip-service 
> cannot be done unless it's taken forward at the same pace.

I believe the service draft would be valuable as a working group item.

> 3. Or should the hip-cert be more generic?
> 
> Then hip-cert would be about just the parameter and the signaling of 
> requirements and failures would be left to other documents such as 
> hip-service to handle (but which would progress on its own pace).

I think the draft is quite fine as it is now.

> 4. Gathering use case scenarios and adding examples to the draft?

No, let's keep it generic.

> 5. Add new examples?

Not really needed.

> If something seems to be missing or off, please inform me.

The draft has been there for a while; maybe it should go to last call 
as soon as possible. At least the original deadline seems to have 
passed already:

http://www.ietf.org/dyn/wg/charter/hip-charter.html

Jul 2009	  	Submit Certs in HIP base exchange specification to the IESG

> Comments are welcome as usual.
> 
> BR,
> Samu Varjonen
> 
> Internet-Drafts@ietf.org wrote:
>> A New Internet-Draft is available from the on-line Internet-Drafts 
>> directories.
>> This draft is a work item of the Host Identity Protocol Working Group 
>> of the IETF.
>>
>>
>>     Title           : HIP Certificates
>>     Author(s)       : T. Heer, S. Varjonen
>>     Filename        : draft-ietf-hip-cert-02.txt
>>     Pages           : 10
>>     Date            : 2009-10-26
>>
>> This document specifies a certificate parameter called CERT for the
>> Host Identity Protocol (HIP).  The CERT parameter is a container for
>> X.509.v3 certificates and for Simple Public Key Infrastructure (SPKI)
>> certificates.  It is used for carrying these certificates in HIP
>> control packets.  Additionally, this document specifies the
>> representations of Host Identity Tags in X.509.v3 and in SPKI
>> certificates.
>>
>> A URL for this Internet-Draft is:
>> http://www.ietf.org/internet-drafts/draft-ietf-hip-cert-02.txt
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>
>> Below is the data which will enable a MIME compliant mail reader
>> implementation to automatically retrieve the ASCII version of the
>> Internet-Draft.
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Hipsec mailing list
>> Hipsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/hipsec
> 
> _______________________________________________
> Hipsec mailing list
> Hipsec@ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec


From root@core3.amsl.com  Mon Oct 26 06:00:01 2009
Return-Path: <root@core3.amsl.com>
X-Original-To: hipsec@ietf.org
Delivered-To: hipsec@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0) id 8B5A53A68AE; Mon, 26 Oct 2009 06:00:01 -0700 (PDT)
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20091026130001.8B5A53A68AE@core3.amsl.com>
Date: Mon, 26 Oct 2009 06:00:01 -0700 (PDT)
Cc: hipsec@ietf.org
Subject: [Hipsec] I-D Action:draft-ietf-hip-bone-03.txt
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2009 13:00:01 -0000

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Host Identity Protocol Working Group of the IETF.


	Title           : HIP BONE: Host Identity Protocol (HIP) Based Overlay Networking Environment
	Author(s)       : G. Camarillo, et al.
	Filename        : draft-ietf-hip-bone-03.txt
	Pages           : 18
	Date            : 2009-10-26

This document specifies a framework to build HIP (Host Identity
Protocol)-based overlay networks.  This framework uses HIP to perform
connection management.  Other functions, such as data storage and
retrieval or overlay maintenance, are implemented using protocols
other than HIP.  These protocols are loosely referred to as peer
protocols.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-hip-bone-03.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Message/External-body;
	name="draft-ietf-hip-bone-03.txt";
	site="ftp.ietf.org";
	access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID: <2009-10-26055558.I-D@ietf.org>


--NextPart--

From ari.keranen@nomadiclab.com  Mon Oct 26 06:33:13 2009
Return-Path: <ari.keranen@nomadiclab.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C5D0728C29A for <hipsec@core3.amsl.com>; Mon, 26 Oct 2009 06:33:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h6JH7DJhKlX1 for <hipsec@core3.amsl.com>; Mon, 26 Oct 2009 06:33:13 -0700 (PDT)
Received: from n2.nomadiclab.com (n2.nomadiclab.com [IPv6:2001:14b8:400:101::2]) by core3.amsl.com (Postfix) with ESMTP id BF13428C273 for <hipsec@ietf.org>; Mon, 26 Oct 2009 06:33:12 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by n2.nomadiclab.com (Postfix) with ESMTP id 8A7391EF138 for <hipsec@ietf.org>; Mon, 26 Oct 2009 15:33:25 +0200 (EET)
X-Virus-Scanned: amavisd-new at nomadiclab.com
Received: from n2.nomadiclab.com ([127.0.0.1]) by localhost (inside.nomadiclab.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WB8e7GCog5U6 for <hipsec@ietf.org>; Mon, 26 Oct 2009 15:33:24 +0200 (EET)
Received: from [IPv6:2001:14b8:400:101:21c:23ff:fe45:a6c1] (unknown [IPv6:2001:14b8:400:101:21c:23ff:fe45:a6c1]) by n2.nomadiclab.com (Postfix) with ESMTP id E33DE1EF12E for <hipsec@ietf.org>; Mon, 26 Oct 2009 15:33:24 +0200 (EET)
Message-ID: <4AE5A524.6050707@nomadiclab.com>
Date: Mon, 26 Oct 2009 15:33:24 +0200
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: hipsec@ietf.org
References: <20091023221501.90C0028B797@core3.amsl.com>
In-Reply-To: <20091023221501.90C0028B797@core3.amsl.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Hipsec] I-D ACTION:draft-ietf-hip-nat-traversal-09.txt
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2009 13:33:13 -0000

Hi all,

FYI, this version contains just minor fixes regarding Gen-ART and IESG 
review comments.


Cheers,
Ari

Internet-Drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts 
> directories.
> This draft is a work item of the Host Identity Protocol Working Group of the IETF.
> 
> 	Title		: Basic HIP Extensions for Traversal of Network Address Translators
> 	Author(s)	: M. Komu, T. Henderson, H. Tschofenig, J. Melen, A. Keraenen
> 	Filename	: draft-ietf-hip-nat-traversal-09.txt
> 	Pages		: 33
> 	Date		: 2009-10-23
> 	
> This document specifies extensions to the Host Identity Protocol
>    (HIP) to facilitate Network Address Translator (NAT) traversal.  The
>    extensions are based on the use of the Interactive Connectivity
>    Establishment (ICE) methodology to discover a working path between
>    two end-hosts, and on standard techniques for encapsulating
>    Encapsulating Security Payload (ESP) packets within the User Datagram
>    Protocol (UDP).  This document also defines elements of a procedure
>    for NAT traversal, including the optional use of a HIP relay server.
>    With these extensions HIP is able to work in environments that have
>    NATs and provides a generic NAT traversal solution to higher-layer
>    networking applications.


From ari.keranen@nomadiclab.com  Mon Oct 26 06:38:20 2009
Return-Path: <ari.keranen@nomadiclab.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 104F13A6977 for <hipsec@core3.amsl.com>; Mon, 26 Oct 2009 06:38:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0OBvIWI6AEMo for <hipsec@core3.amsl.com>; Mon, 26 Oct 2009 06:38:19 -0700 (PDT)
Received: from n2.nomadiclab.com (n2.nomadiclab.com [IPv6:2001:14b8:400:101::2]) by core3.amsl.com (Postfix) with ESMTP id CCB743A6975 for <hipsec@ietf.org>; Mon, 26 Oct 2009 06:38:18 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by n2.nomadiclab.com (Postfix) with ESMTP id F06E61EF138 for <hipsec@ietf.org>; Mon, 26 Oct 2009 15:38:31 +0200 (EET)
X-Virus-Scanned: amavisd-new at nomadiclab.com
Received: from n2.nomadiclab.com ([127.0.0.1]) by localhost (inside.nomadiclab.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qHOgN3o8jZO7 for <hipsec@ietf.org>; Mon, 26 Oct 2009 15:38:31 +0200 (EET)
Received: from [IPv6:2001:14b8:400:101:21c:23ff:fe45:a6c1] (unknown [IPv6:2001:14b8:400:101:21c:23ff:fe45:a6c1]) by n2.nomadiclab.com (Postfix) with ESMTP id 3E94D1EF12E for <hipsec@ietf.org>; Mon, 26 Oct 2009 15:38:31 +0200 (EET)
Message-ID: <4AE5A657.8070504@nomadiclab.com>
Date: Mon, 26 Oct 2009 15:38:31 +0200
From: Ari Keranen <ari.keranen@nomadiclab.com>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: hipsec@ietf.org
References: <20091026130001.8B5A53A68AE@core3.amsl.com>
In-Reply-To: <20091026130001.8B5A53A68AE@core3.amsl.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Hipsec] I-D Action:draft-ietf-hip-bone-03.txt
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2009 13:38:20 -0000

Hi all,

The only major change in this updated version is the addition of the 
OVERLAY_ID parameter (sec. 3.4.) that allows a HIP host to participate 
simultaneously in multiple overlay networks.


Cheers,
Ari

Internet-Drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Host Identity Protocol Working Group of the IETF.
> 
> 
> 	Title           : HIP BONE: Host Identity Protocol (HIP) Based Overlay Networking Environment
> 	Author(s)       : G. Camarillo, et al.
> 	Filename        : draft-ietf-hip-bone-03.txt
> 	Pages           : 18
> 	Date            : 2009-10-26
> 
> This document specifies a framework to build HIP (Host Identity
> Protocol)-based overlay networks.  This framework uses HIP to perform
> connection management.  Other functions, such as data storage and
> retrieval or overlay maintenance, are implemented using protocols
> other than HIP.  These protocols are loosely referred to as peer
> protocols.
> 
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-hip-bone-03.txt
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/

From david.mattes@boeing.com  Mon Oct 26 12:11:41 2009
Return-Path: <david.mattes@boeing.com>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B028A3A69AA for <hipsec@core3.amsl.com>; Mon, 26 Oct 2009 12:11:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level: 
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EOXTxZzIPf7l for <hipsec@core3.amsl.com>; Mon, 26 Oct 2009 12:11:40 -0700 (PDT)
Received: from blv-smtpout-01.boeing.com (blv-smtpout-01.boeing.com [130.76.32.69]) by core3.amsl.com (Postfix) with ESMTP id BA6863A697C for <hipsec@ietf.org>; Mon, 26 Oct 2009 12:11:40 -0700 (PDT)
Received: from stl-av-01.boeing.com (stl-av-01.boeing.com [192.76.190.6]) by blv-smtpout-01.ns.cs.boeing.com (8.14.0/8.14.0/8.14.0/SMTPOUT) with ESMTP id n9QJBkVt007731 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 26 Oct 2009 12:11:51 -0700 (PDT)
Received: from stl-av-01.boeing.com (localhost [127.0.0.1]) by stl-av-01.boeing.com (8.14.0/8.14.0/DOWNSTREAM_RELAY) with ESMTP id n9QJBjcd012327; Mon, 26 Oct 2009 14:11:45 -0500 (CDT)
Received: from XCH-NWHT-07.nw.nos.boeing.com (xch-nwht-07.nw.nos.boeing.com [130.247.25.111]) by stl-av-01.boeing.com (8.14.0/8.14.0/UPSTREAM_RELAY) with ESMTP id n9QJBjBB012315 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=OK); Mon, 26 Oct 2009 14:11:45 -0500 (CDT)
Received: from XCH-NW-11V.nw.nos.boeing.com ([130.247.25.86]) by XCH-NWHT-07.nw.nos.boeing.com ([130.247.25.111]) with mapi; Mon, 26 Oct 2009 12:11:45 -0700
From: "Mattes, David" <david.mattes@boeing.com>
To: "'Samu Varjonen'" <samu.varjonen@hiit.fi>
Date: Mon, 26 Oct 2009 12:11:44 -0700
Thread-Topic: [Hipsec] I-D Action:draft-ietf-hip-cert-02.txt
Thread-Index: AcpWL4Kx3jC46wozQIy1yjyao900RgAPz0HQ
Message-ID: <E330FAC0AD42A34E90F3467F5A37AA372546211D41@XCH-NW-11V.nw.nos.boeing.com>
References: <20091026103001.EED8F3A687C@core3.amsl.com> <4AE588A9.2010105@hiit.fi>
In-Reply-To: <4AE588A9.2010105@hiit.fi>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "hipsec@ietf.org" <hipsec@ietf.org>
Subject: Re: [Hipsec] I-D Action:draft-ietf-hip-cert-02.txt
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2009 19:11:41 -0000

Hi Samu,

Quick work!  Thank you!

I still have an issue with Sections 3 and 4, with the statement:
   "HITs need to be enclosed within the certificates, when using X.509.v3
   certificates to transmit information related to HIP hosts."

Why is this necessary?  Can you either elaborate in the draft, or change "need to" to "can"?

Editorial nit:
Section 2, Last paragraph, Sentence 2: s/LDAP URL/DN


Now I need to read the signaling draft!

Thank you,
David

> -----Original Message-----
> From: hipsec-bounces@ietf.org [mailto:hipsec-bounces@ietf.org] On Behalf
> Of Samu Varjonen
> Sent: Monday, October 26, 2009 4:32 AM
> Cc: hipsec@ietf.org
> Subject: Re: [Hipsec] I-D Action:draft-ietf-hip-cert-02.txt
> 
> Hi,
> 
> This is the new version of the HIP certificates.
> 
> Modifications include:
> - Editorial changes according to the discussions on the mailing list.
> - Added new types for DN and LDAP URL
> - Added signaling discussion and reference to the heer-hip-service-00
> 
> Open questions:
> 
> 1. Should signaling be defined specifically for hip-cert?
> 
> Seems like overlapping work because hip-service already defines a
> generic way to signal the requirements and failures but it is an individual
> submission.
> 
> 2. Should hip-service be adopted as WG item and handled in bundle with
>    hip-cert?
> 
> Because the signaling is needed for the hosts to signal the need for a
> certificate or for a chain of certificates. But referencing hip-service
> cannot be done unless it's taken forward at the same pace.
> 
> 3. Or should the hip-cert be more generic?
> 
> Then hip-cert would be about just the parameter and the signaling of
> requirements and failures would be left to other documents such as
> hip-service to handle (but which would progress on its own pace).
> 
> 4. Gathering use case scenarios and adding examples to the draft?
> 
> 5. Add new examples?
> 
> If something seems to be missing or off, please inform me.
> 
> Comments are welcome as usual.
> 
> BR,
> Samu Varjonen
> 
> Internet-Drafts@ietf.org wrote:
> > A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> > This draft is a work item of the Host Identity Protocol Working Group of
> the IETF.
> >
> >
> > 	Title           : HIP Certificates
> > 	Author(s)       : T. Heer, S. Varjonen
> > 	Filename        : draft-ietf-hip-cert-02.txt
> > 	Pages           : 10
> > 	Date            : 2009-10-26
> >
> > This document specifies a certificate parameter called CERT for the
> > Host Identity Protocol (HIP).  The CERT parameter is a container for
> > X.509.v3 certificates and for Simple Public Key Infrastructure (SPKI)
> > certificates.  It is used for carrying these certificates in HIP
> > control packets.  Additionally, this document specifies the
> > representations of Host Identity Tags in X.509.v3 and in SPKI
> > certificates.
> >
> > A URL for this Internet-Draft is:
> > http://www.ietf.org/internet-drafts/draft-ietf-hip-cert-02.txt
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > Below is the data which will enable a MIME compliant mail reader
> > implementation to automatically retrieve the ASCII version of the
> > Internet-Draft.
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Hipsec mailing list
> > Hipsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/hipsec
> 
> _______________________________________________
> Hipsec mailing list
> Hipsec@ietf.org
> https://www.ietf.org/mailman/listinfo/hipsec
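The exchange above turns on whether a HIT has to be enclosed in an X.509.v3 certificate. One thing a verifier can do with an enclosed HIT is recompute it from the Host Identity and compare, so that the certificate is tied to the same identity the peer proves in the HIP base exchange. The following is an added example for this archive, not code from the thread, from draft-ietf-hip-cert-02, or from any HIP implementation. It relies on two facts outside this page: a HIPv1 HIT is an ORCHID (RFC 4843), built from the 2001:10::/28 prefix and the middle 100 bits of SHA-1 over the HIP context identifier and the Host Identity (RFC 5201). How the -02 draft places the HIT inside an X.509.v3 or SPKI certificate is not shown here, so the certificate's HIT is taken as an already-extracted IPv6 address string, the HI encoding is treated as opaque bytes, and the sample Host Identity is constructed.

```python
# Added example, not from the HIP WG thread or from draft-ietf-hip-cert-02:
# derive a HIPv1 Host Identity Tag (an ORCHID, RFC 4843 / RFC 5201) from a
# Host Identity and compare it with the HIT a certificate carries, which is
# the check that ties a certificate to the identity used in the HIP base
# exchange.
import hashlib
import ipaddress

# Public constants from RFC 4843 (ORCHID prefix 2001:10::/28) and
# RFC 5201 (HIP context identifier).
ORCHID_PREFIX_BITS = 0x2001001          # the 28-bit prefix of 2001:10::/28
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")
ORCHID_NET = ipaddress.IPv6Network("2001:10::/28")


def hit_from_hi(host_identity: bytes) -> ipaddress.IPv6Address:
    """ORCHID := Prefix | Encode_100(SHA-1(Context ID | Input bitstring)).

    Encode_100 keeps the middle 100 bits (bits 30..129) of the 160-bit
    digest.  `host_identity` stands for the encoded HI as it appears in
    the HOST_ID parameter; the encoding itself is assumed, not shown here.
    """
    digest = hashlib.sha1(HIP_CONTEXT_ID + host_identity).digest()
    full = int.from_bytes(digest, "big")
    middle_100 = (full >> 30) & ((1 << 100) - 1)
    return ipaddress.IPv6Address((ORCHID_PREFIX_BITS << 100) | middle_100)


def hit_matches_certificate(host_identity: bytes, cert_hit: str) -> bool:
    """Return True only if the HIT enclosed in the certificate (already
    extracted, given here as an IPv6 address string) is a well-formed
    ORCHID and equals the HIT recomputed from the Host Identity.  A
    certificate naming a HIT that belongs to a different key fails the
    check, as does any value outside the ORCHID prefix."""
    try:
        claimed = ipaddress.IPv6Address(cert_hit)
    except ValueError:
        return False
    if claimed not in ORCHID_NET:
        return False
    return claimed == hit_from_hi(host_identity)


if __name__ == "__main__":
    # Constructed sample input: stands in for an encoded Host Identity.
    sample_hi = b"constructed-host-identity-public-key-bytes"
    hit = hit_from_hi(sample_hi)
    print("derived HIT:", hit)
    print("matches own cert:", hit_matches_certificate(sample_hi, str(hit)))
    print("matches swapped key:",
          hit_matches_certificate(b"some-other-key", str(hit)))
```

The comparison is the whole point: a HIT that is only asserted in a certificate, without being recomputed from the key the peer actually uses, binds nothing. The prefix check is separate because a HIT field holding an ordinary IPv6 address is a malformed certificate rather than a key mismatch.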

From root@core3.amsl.com  Tue Oct 27 10:45:01 2009
Return-Path: <root@core3.amsl.com>
X-Original-To: hipsec@ietf.org
Delivered-To: hipsec@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0) id 396503A67D7; Tue, 27 Oct 2009 10:45:01 -0700 (PDT)
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20091027174501.396503A67D7@core3.amsl.com>
Date: Tue, 27 Oct 2009 10:45:01 -0700 (PDT)
Cc: hipsec@ietf.org
Subject: [Hipsec] I-D ACTION:draft-ietf-hip-hiccups-00.txt
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2009 17:45:01 -0000

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts 
directories.
This draft is a work item of the Host Identity Protocol Working Group of the IETF.

	Title		: HIP (Host Identity Protocol) Immediate Carriage and Conveyance of Upper-layer Protocol Signaling (HICCUPS)
	Author(s)	: P. Nikander, G. Camarillo, J. Melen
	Filename	: draft-ietf-hip-hiccups-00.txt
	Pages		: 19
	Date		: 2009-10-26
	
   This document defines a new HIP (Host Identity Protocol) packet type
   called DATA.  HIP DATA packets are used to securely and reliably
   convey arbitrary protocol messages over the Internet and various
   overlay networks.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-hip-hiccups-00.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Message/External-body;
	name="draft-ietf-hip-hiccups-00.txt";
	site="ftp.ietf.org";
	access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID: <2009-10-27104424.I-D@ietf.org>


--NextPart--


From root@core3.amsl.com  Tue Oct 27 11:00:02 2009
Return-Path: <root@core3.amsl.com>
X-Original-To: hipsec@ietf.org
Delivered-To: hipsec@core3.amsl.com
Received: by core3.amsl.com (Postfix, from userid 0) id 27AD03A6867; Tue, 27 Oct 2009 11:00:01 -0700 (PDT)
From: Internet-Drafts@ietf.org
To: i-d-announce@ietf.org
Content-Type: Multipart/Mixed; Boundary="NextPart"
Mime-Version: 1.0
Message-Id: <20091027180002.27AD03A6867@core3.amsl.com>
Date: Tue, 27 Oct 2009 11:00:02 -0700 (PDT)
Cc: hipsec@ietf.org
Subject: [Hipsec] I-D ACTION:draft-ietf-hip-via-00.txt
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2009 18:00:02 -0000

--NextPart

A New Internet-Draft is available from the on-line Internet-Drafts 
directories.
This draft is a work item of the Host Identity Protocol Working Group of the IETF.

	Title		: Host Identity Protocol (HIP) Multi-hop Routing Extension
	Author(s)	: G. Camarillo, A. Keranen
	Filename	: draft-ietf-hip-via-00.txt
	Pages		: 7
	Date		: 2009-10-26
	
   This document specifies two extensions to HIP to implement multi-hop
   routing.  The first extension allows implementing source routing in
   HIP.  That is, a host sending a HIP packet can define a set of hosts
   that the HIP packet should traverse.  The second extension allows a
   HIP packet to carry and record the list of hosts that forwarded it.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-hip-via-00.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--NextPart
Content-Type: Message/External-body;
	name="draft-ietf-hip-via-00.txt";
	site="ftp.ietf.org";
	access-type="anon-ftp";
	directory="internet-drafts"

Content-Type: text/plain
Content-ID: <2009-10-27104716.I-D@ietf.org>


--NextPart--


From samu.varjonen@hiit.fi  Tue Oct 27 23:18:34 2009
Return-Path: <samu.varjonen@hiit.fi>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 930633A685A for <hipsec@core3.amsl.com>; Tue, 27 Oct 2009 23:18:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0tOm1LNqFPYB for <hipsec@core3.amsl.com>; Tue, 27 Oct 2009 23:18:33 -0700 (PDT)
Received: from argo.otaverkko.fi (argo.otaverkko.fi [212.68.0.2]) by core3.amsl.com (Postfix) with ESMTP id 5B41B3A684F for <hipsec@ietf.org>; Tue, 27 Oct 2009 23:18:32 -0700 (PDT)
Received: from [192.168.1.11] (cs181123046.pp.htv.fi [82.181.123.46]) by argo.otaverkko.fi (Postfix) with ESMTP id 9678125ED06; Wed, 28 Oct 2009 08:18:46 +0200 (EET)
Message-ID: <4AE7E241.4060304@hiit.fi>
Date: Wed, 28 Oct 2009 08:18:41 +0200
From: Samu Varjonen <samu.varjonen@hiit.fi>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: "Mattes, David" <david.mattes@boeing.com>
References: <20091026103001.EED8F3A687C@core3.amsl.com> <4AE588A9.2010105@hiit.fi> <E330FAC0AD42A34E90F3467F5A37AA372546211D41@XCH-NW-11V.nw.nos.boeing.com>
In-Reply-To: <E330FAC0AD42A34E90F3467F5A37AA372546211D41@XCH-NW-11V.nw.nos.boeing.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "hipsec@ietf.org" <hipsec@ietf.org>
Subject: Re: [Hipsec] I-D Action:draft-ietf-hip-cert-02.txt
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Oct 2009 06:18:34 -0000

Mattes, David kirjoitti:
> Hi Samu,
> 
> Quick work!  Thank you!
> 
> I still have an issue with Sections 3 and 4, with the statement:
>    "HITs need to be enclosed within the certificates, when using X.509.v3
>    certificates to transmit information related to HIP hosts."
> 
> Why is this necessary?  Can you either elaborate in the draft, or change "need to" to "can"?

It can be changed to "can". Although, the HIT will be there for most 
cases, but not all.

> 
> Editorial nit:
> Section 2, Last paragraph, Sentence 2: s/LDAP URL/DN
> 

OK

> 
> Now I need to read the signaling draft!
> 
> Thank you,
> David
> 
>> -----Original Message-----
>> From: hipsec-bounces@ietf.org [mailto:hipsec-bounces@ietf.org] On Behalf
>> Of Samu Varjonen
>> Sent: Monday, October 26, 2009 4:32 AM
>> Cc: hipsec@ietf.org
>> Subject: Re: [Hipsec] I-D Action:draft-ietf-hip-cert-02.txt
>>
>> Hi,
>>
>> This is the new version of the HIP certificates.
>>
>> Modifications include:
>> - Editorial changes according to the discussions on the mailing list.
>> - Added new types for DN and LDAP URL
>> - Added signaling discussion and reference to the heer-hip-service-00
>>
>> Open questions:
>>
>> 1. Should signaling be defined specifically for hip-cert?
>>
>> Seems like overlapping work because hip-service already defines a
>> generic way to signal the requirements and failures, but it is an
>> individual submission.
>>
>> 2. Should hip-service be adopted as WG item and handled in bundle with
>>    hip-cert?
>>
>> Because the signaling is needed for the hosts to signal the need for a
>> certificate or for a chain of certificates. But referencing hip-service
>> cannot be done unless it's taken forward at the same pace.
>>
>> 3. Or should the hip-cert be more generic?
>>
>> Then hip-cert would be about just the parameter and the signaling of
>> requirements and failures would be left to other documents such as
>> hip-service to handle (but which would progress on its own pace).
>>
>> 4. Gathering use case scenarios and adding examples to the draft?
>>
>> 5. Add new examples?
>>
>> If something seems to be missing or off, please inform me.
>>
>> Comments are welcome as usual.
>>
>> BR,
>> Samu Varjonen
>>
>> Internet-Drafts@ietf.org wrote:
>>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories.
>>> This draft is a work item of the Host Identity Protocol Working Group of
>> the IETF.
>>>
>>> 	Title           : HIP Certificates
>>> 	Author(s)       : T. Heer, S. Varjonen
>>> 	Filename        : draft-ietf-hip-cert-02.txt
>>> 	Pages           : 10
>>> 	Date            : 2009-10-26
>>>
>>> This document specifies a certificate parameter called CERT for the
>>> Host Identity Protocol (HIP).  The CERT parameter is a container for
>>> X.509.v3 certificates and for Simple Public Key Infrastructure (SPKI)
>>> certificates.  It is used for carrying these certificates in HIP
>>> control packets.  Additionally, this document specifies the
>>> representations of Host Identity Tags in X.509.v3 and in SPKI
>>> certificates.
>>>
>>> A URL for this Internet-Draft is:
>>> http://www.ietf.org/internet-drafts/draft-ietf-hip-cert-02.txt
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> Below is the data which will enable a MIME compliant mail reader
>>> implementation to automatically retrieve the ASCII version of the
>>> Internet-Draft.
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Hipsec mailing list
>>> Hipsec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/hipsec


-- 
BR,
Samu

"Programmer is an organism that changes caffeine into code"
