| Re: [cf-dev] 2.0.0-M6 release and plan for 2.0.0 ? |
|
Le 30/11/2017 à 15:51, Kraus Achim
(INST/ECS4) a écrit :
I would like to know why there is this limitation ? maybe I can ask this on the OMA's github ?Hi Simon, don't waste your time in trying to really understand LWM2M 7.1.9.! This list of "what could not be used" is just to clarify, that the LWM2M security object must be revised. If you really, really worry about that, I can sent you the contact to the author of that. (Maybe you can ask him directly about your concerns or doubts. Or ask your companies OMA delegate.) This line :or if it's concern server too.I can't see that. Do you have any cite, which makes you feel, that the server may be affected too? (and adding such a "exact matching" feature to scandium would allow to build even such a "exact matching" server.) Similarly, a DTLS client running on a LwM2M Server would need to obtain the certificate of the DTLS server running on the LwM2M Client from some repository. I use "expiration" but I talk about validity period. "exact match" does not excluse to check validity period, right ?I don't really see the interest of using ca-signed certificate?The LWM2M server may use this certificate also for other communication, not only for "complying" LWM2M clients. (which is limited due to the definition of the LWM2M security object, until I t gets revised)(It's already difficult to me to see the interest of this exact match certificate over RPK... maybe for expiration/validity ?)AFAIK, "exact match" cannot detect expiration :-). Though, it's only the LWM2M client side, using x.509 will have its "trade-offs" on the server side :-). Mit freundlichen Grüßen / Best regards Achim Kraus (INST/ECS4) Bosch Software Innovations GmbH | Stuttgarter Straße 130 | 71332 Waiblingen | GERMANY | http://www.bosch-si.com Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.-Ing. Rainer Kallenbach, Michael Hahn From: Simon Bernard [mailto:contact@xxxxxxxxxxxxxxx] Sent: Donnerstag, 30. November 2017 14:44 To: Californium (Cf) developer discussions <cf-dev@xxxxxxxxxxx>; Kraus Achim (INST/ECS4) <Achim.Kraus@xxxxxxxxxxxx> Subject: Re: [cf-dev] 2.0.0-M6 release and plan for 2.0.0 ? I re-read the spec again and I still don't know if this restriction is only about LWM2M client or if it's concern server too. I agree that the spec allow self-signed and ca-signed certificate, but if we do a exact match of the certificate I don't really see the interest of using ca-signed certificate ? (It's already difficult to me to see the interest of this exact match certificate over RPK... maybe for expiration/validity ?) Le 30/11/2017 à 12:35, Kraus Achim (INST/ECS4) a écrit : Hi, LWM2M TS 1.0.1, 7.1.9, targets FMPOV the LWM2M client, and describes the use of the resources of LWM2M Security Object to authenticate/authorize the LWM2M server. But, as I already wrote, I can’t see, that the “exact” matching limits the use of x509 to ONLY self-signed, but it allows to use them. Maybe we need to add such a “exact matching” mode to scandium, if we intend to use it for “compliant LWM2M devices”. Mit freundlichen Grüßen / Best regards Achim Kraus (INST/ECS4) Bosch Software Innovations GmbH | Stuttgarter Straße 130 | 71332 Waiblingen | GERMANY | http://www.bosch-si.com Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.-Ing. Rainer Kallenbach, Michael Hahn From: mailto:cf-dev-bounces@xxxxxxxxxxx [mailto:cf-dev-bounces@xxxxxxxxxxx] On Behalf Of Simon Bernard Sent: Donnerstag, 30. November 2017 09:53 To: Californium (Cf) developer discussions mailto:cf-dev@xxxxxxxxxxx; Hudalla Kai (INST/ECS4) mailto:kai.hudalla@xxxxxxxxxxxx Subject: Re: [cf-dev] 2.0.0-M6 release and plan for 2.0.0 ?are we talking about authenticating the DTLS server or the DTLS client?The spec is not so clear to me but I think this is about client and server. Le 30/11/2017 à 08:25, Hudalla Kai (INST/ECS4) a écrit : On 29.11.2017 15:13, Simon Bernard wrote: Ok, so I will do the 2.0.0-M6 release this Friday, if there is no object until this. +1 About self-signed certificate, I agree with you, I don't see any advantage too. My intention was just to support the LWM2M spec. And as I understand it, this mode is part of the spec (more than that it seems this is the only one...) See §7.1.9 X.509 certificates of the LWM2M specification : "this specification supports the domain issued certificate mode whereby the Server Public Key Resource specifies the exact certificate that should be used for the DTLS server, and the certificate does not need to be signed by a valid CA. This allows for the use of self-signed certificates. Other modes are not supported." Did I missed something ? are we talking about authenticating the DTLS server or the DTLS client?If so, what did you not like about the handling?I didn't say I don't like it :), I said it seems to me that scandium don't like it but I don't go deeper about this. Le 29/11/2017 à 14:01, Kraus Achim (INST/ECS4) a écrit : Hi, 1) I would like to release a 2.0.0-M6 release for californium. Do you have issues or PRs you want to see integrated in this milestones release ? Though it's required to update leshan, my stuff (plugtest + android) can be easy moved to afterwards. So no objection for 2.0.0-M6 from my side. 2) About the 2.0.0 plan : https://github.com/eclipse/californium/milestone/3 I think #174 and #104 could be closed thx to Achim's great work. I see #173 is assign to Achim, do you have update about it ? I updated the issue #173 with a comment. That issue is currently my most concern about the 2.0.0 release :-): But right now I'm too busy to work on that, so I postponed my 2 cents ;-(. #442 seems already/almost done. The library part of californium is done, but my changes (too many and too dirty right now) for cf-android are still open. But neither 2.0.0-M6 nor 2.0.0 should depend on that cf-android app. Personally, I would like to add https://github.com/eclipse/californium/issues/484 to the plan. OK. Another point, I would like to explore : verifying how Scandium handle self-signed certificate. Last time I checked it does not really like it. I'm not sure, which advantage a "self-signed x509 certificate" should have over a RPK, when using DTLS. Is your intention to support a "clientside DTLS implementation", which doesn't offer RPK and therefore using such a "self-signed x509 certificate" is intended? If so, what did you not like about the handling? My experience (but only TLS): Server side: if the client's self-signed certs are added to the servers trusts, the "certificate_authorities" may get beasty large. Therefore I implemented a special X509ExtendedTrustManager, which returns an empty list for AcceptedIssuers, because according RFC5246, 7.4.4, page 54, "the certificate_authorities list is empty, then the client MAY send any certificate of the appropriate ClientCertificateType, unless there is some external arrangement to the contrary:" That empty list shrinks the handshake data. It works, if that list is not required to select the right client cert to be used. Scandium, as far as I understood, also sends that "certificate_authorities". Maybe adding some configuration to also use an empty list for that "certificate_authorities" in DTLS may improve the support for self-signed certs. Mit freundlichen Grüßen / Best regards Achim Kraus (INST/ECS4) Bosch Software Innovations GmbH | Stuttgarter Straße 130 | 71332 Waiblingen | GERMANY | http://www.bosch-si.com Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr.-Ing. Rainer Kallenbach, Michael Hahn -----Original Message----- From: mailto:cf-dev-bounces@xxxxxxxxxxx [mailto:cf-dev-bounces@xxxxxxxxxxx] On Behalf Of Simon Bernard Sent: Dienstag, 28. November 2017 16:16 To: Californium (Cf) developer discussions mailto:cf-dev@xxxxxxxxxxx Subject: [cf-dev] 2.0.0-M6 release and plan for 2.0.0 ? Hi, 1) I would like to release a 2.0.0-M6 release for californium. Do you have issues or PRs you want to see integrated in this milestones release ? 2) About the 2.0.0 plan : https://github.com/eclipse/californium/milestone/3 I think #174 and #104 could be closed thx to Achim's great work. I see #173 is assign to Achim, do you have update about it ? #442 seems already/almost done. Personally, I would like to add https://github.com/eclipse/californium/issues/484 to the plan. Another point, I would like to explore : verifying how Scandium handle self-signed certificate. Last time I checked it does not really like it. Simon _______________________________________________ cf-dev mailing list mailto:cf-dev@xxxxxxxxxxx To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/cf-dev _______________________________________________ cf-dev mailing list mailto:cf-dev@xxxxxxxxxxx To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/cf-dev _______________________________________________ cf-dev mailing list mailto:cf-dev@xxxxxxxxxxx To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/cf-dev |