Hi Hannes,
Michael was only asking if allowing any anonymous entity to get the cacerts 
(trusted root cert list) is worth it. RFC7030 allows for this. Of course an 
enrollment would still require authentication/authorization. 
I was making the case that it is not worth it to even allow anonymous get cacerts. 
Panos


-----Original Message-----
From: Hannes Tschofenig <hannes.tschofe...@arm.com> 
Sent: Wednesday, December 12, 2018 11:01 AM
To: Panos Kampanakis (pkampana) <pkamp...@cisco.com>; Michael Richardson 
<mcr+i...@sandelman.ca>; ace@ietf.org; an...@ietf.org
Cc: Peter van der Stok <stokc...@bbhmail.nl>; Max Pritikin (pritikin) 
<priti...@cisco.com>
Subject: RE: est-coaps clarification on /att and /crts

Hi Panos, Hi Michael,

> We want all our clients to be authenticated by DTLS before they start loading 
> up our RF network.
> I'm not suggesting that the DTLS be skipped, I'm suggesting that the client 
> certificate presented might be meaningless to the EST server.

I am curious what security model you have in mind? If you don't do client 
authentication then you are essentially issuing certificates to an anonymous 
entity. This feels like a very bad idea, particularly since the CA is supposed 
to assert the identifier of the client via the certificate.

What am I missing here?

Ciao
Hannes


_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
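The policy question in this thread (may an anonymous DTLS peer read /crts, while every enrollment-type request needs an authenticated and trusted client certificate, and the CA, not the CSR, asserts the identifier) is easy to state in code. The following is an added example written for this page; it is not code from the thread, from RFC 7030 or from any EST-coaps implementation. It assumes the short est-coaps resource names (crts, sen, sren, skg, att), that a DTLS session can be summarized by the identifier taken from the verified client certificate (None when none was presented) plus a flag saying whether that certificate chained to a trust anchor the EST server accepts, and it uses CoAP response codes only as illustrative strings. The trust-anchor payload is a constructed placeholder.

```python
"""Added example (not from the thread or any EST implementation):
resource authorization for an EST-coaps server, showing the "anonymous
/crts allowed" setting the thread argues about next to the stricter one.

Assumptions: est-coaps short resource names under /est/; a DtlsPeer
summarizes the DTLS handshake result; CoAP codes are illustrative strings.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed placeholder for the CA certificate bundle returned by /est/crts.
TRUST_ANCHORS_PAYLOAD = b"<constructed CA certs bundle, not a real PKCS#7>"

# Every resource other than crts results in, or contributes to, a certificate
# being issued, so none of them is ever served to an unauthenticated peer.
ENROLL_RESOURCES = {"sen", "sren", "skg", "att"}


@dataclass(frozen=True)
class DtlsPeer:
    cert_id: Optional[str]   # identifier from the client cert, None if no cert was presented
    cert_trusted: bool       # True only if that cert chained to a CA the EST server trusts


@dataclass(frozen=True)
class Policy:
    anonymous_crts: bool     # RFC 7030 permits anonymous cacerts; the thread argues for False


def is_authenticated(peer: DtlsPeer) -> bool:
    """A cert the EST server cannot chain is 'meaningless' to it (Michael's case)."""
    return peer.cert_id is not None and peer.cert_trusted


def authorize(policy: Policy, peer: DtlsPeer, resource: str) -> Tuple[str, Optional[str]]:
    """Decide a request to /est/<resource>.

    Returns (CoAP code, authenticated identity). Identity is None for an
    anonymous read of /crts and whenever the request is refused.
    """
    if resource in ENROLL_RESOURCES:
        return ("2.05", peer.cert_id) if is_authenticated(peer) else ("4.01", None)
    if resource == "crts":
        if is_authenticated(peer):
            return ("2.05", peer.cert_id)
        # Only the trust-anchor list may be opened up, and only by explicit policy.
        return ("2.05", None) if policy.anonymous_crts else ("4.01", None)
    return ("4.04", None)


def get_crts(policy: Policy, peer: DtlsPeer) -> Tuple[str, Optional[bytes]]:
    """Handle GET /est/crts under the given policy."""
    code, _ = authorize(policy, peer, "crts")
    return (code, TRUST_ANCHORS_PAYLOAD) if code == "2.05" else (code, None)


def simple_enroll(policy: Policy, peer: DtlsPeer, csr_subject: str):
    """Handle POST /est/sen: issue a certificate only for the DTLS-authenticated identity."""
    code, who = authorize(policy, peer, "sen")
    if code != "2.05":
        return (code, None)
    # The CA asserts the identifier (Hannes's point): the subject must be the
    # identity proven in the DTLS handshake, not whatever the CSR claims.
    if csr_subject != who:
        return ("4.03", None)   # Forbidden: CSR names an identity the peer did not prove
    return ("2.04", {"subject": who, "issued_by": "example-est-ca"})  # constructed issuer name


if __name__ == "__main__":
    lenient, strict = Policy(anonymous_crts=True), Policy(anonymous_crts=False)
    anon = DtlsPeer(cert_id=None, cert_trusted=False)
    stranger = DtlsPeer(cert_id="dev-1", cert_trusted=False)  # DTLS ran, but cert is unknown to the server
    known = DtlsPeer(cert_id="dev-1", cert_trusted=True)
    print("anon /crts, lenient :", get_crts(lenient, anon)[0])
    print("anon /crts, strict  :", get_crts(strict, anon)[0])
    print("stranger /sen       :", simple_enroll(lenient, stranger, "dev-1")[0])
    print("known /sen, own name:", simple_enroll(strict, known, "dev-1")[0])
    print("known /sen, other   :", simple_enroll(strict, known, "dev-2")[0])
```

With `anonymous_crts=False` the only difference for an honest device is that it must finish a DTLS handshake with a server-trusted certificate before it can even download the trust anchors; with it set to True that one resource is readable by anyone, and the remaining resources behave identically either way.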
