IETF 96 - Berlin
Thursday 21 July 2016, 11:30 - 12:30
Chairs: Justin Richer (Remote), Kepeng Li

* Opening & Welcome - 5 min (Justin/Kepeng)

Hannes: What about the reviews for WGLC? Which implementations are out there? It seems like IoT implementations are still in a very early stage. Shouldn't we wait for more implementation work?
Ludwig: Have an early alpha for embedded, will start working on improving it in September, hope to have something for IETF 97.
Kepeng: Let’s see the implementation status from Jim’s next presentation.

* COSE message status and update - 15 min (Jim)
> https://datatracker.ietf.org/doc/draft-ietf-cose-msg/

Document effectively completed, small updates pending (mostly editorial), new version due next week.
Might be useful to ask IANA for early allocation of the COSE registry since it is going to be used in many implementations.
Need to nominate experts for the expert review IANA registries.
Do we have a good IoT crypto library?
Hannes: There is not a single crypto library, but candidates are there. E.g. mbedTLS crypto library.
Jim: Seems to implement some parts wrong for IoT ChaCha-Poly1305
Jim (proceeding with presentation): Examples available on GitHub, planning to participate in the next code sprints. Jim will support anyone who wants to get going with their own implementations.
Mike: The comprehensive example document in JOSE was very helpful. Does anyone want to do this?
Jim: Is it useful to do this in paper form? The examples are on GitHub, more machine-readable than a paper version.
Mike: Examples in the current doc cover all algorithms?
Jim: No
Kepeng: Next steps: more reviews, more examples and more implementations.
Carsten: Timeline?
Jim: Do we really need more reviews? Will people be able to provide them in the next 6 months?
Hannes: Would rather spend more time on implementation work, can provide comments on WGLC, should have more implementations before moving on.
Takeshi: Need more time for review
Justin: We had a 2-week pre-review and a 2-week WGLC, you all have had time.
Kepeng: Will give people time for review and then move on.

* CBOR Encoded Message Syntax: Additional Algorithms - 15 min (Jim)
> https://datatracker.ietf.org/doc/draft-schaad-cose-alg/

What algorithms needed that are not in the document?
Renzo: I have an additional use case where COSE for key establishment (symmetric key authenticated key establishment) is very useful. Need to transport nonces (something like CBOR_KDF_Context object).
Jim: Adding those can be done at a later time; is not a big issue.
Sean: Jim mentioned that this work creates a large number of registries (or sub-registries). Does anyone view that as a problem? Namely requires too much management? Yes it means the protocol has smaller encodings, but at least at the "fat end", an implementation needs big tables to other identifiers.
Ludwig: Implementations will only use the registry entries they need. Agree that management is an issue, but what good alternatives are there?
Carsten: Will all exchanges supported by COSE be only between constrained nodes? ACE has some less-constrained actors, these also want to use COSE to avoid switching representation format.
Mike: Could easily add a field for providing the analysis of security algorithms to the template.
Kepeng: Let’s come back to the question after Mike’s presentation.

* Using RSA Algorithms with COSE Messages - 15 min (Mike)
> https://datatracker.ietf.org/doc/draft-jones-cose-rsa/

Kathleen: Hasn't Jim's draft been adopted?
Jim: No (not this one)
Mike: Need to resolve the duplication.
Kathleen: Up to the WG. Need to know strongly that the WG is interested before adopting.
Kepeng: Who has read either or both of the drafts. 5 hands up.
Kepeng: Who plans to implement. 3 hands up.
Justin: I see a number of questions:
  1) Do we see a need for this work? y/n
  2) If yes, should it be in this WG?
Tony: Have different use cases for RSA.
Kathleen: Who is interested and plans to read the draft. (~4 more people raising hands) Can't decide this now, could we make a timeline for this and take it to the list?
Justin: The chairs will take the question to the list in a week and let the poll run for 2 weeks.
Hannes: Hummed for need more information, will get more information from the company
Hannes: If you have an algorithm, why would you want to pass larger objects around?
Carsten: RSA going on in the big world, would be nice to also use COSE for those exchanges
Hannes: Please explain the use case
Goeran: In OSCOAP we speak about security between C-AS and C-RS. RSA might be better for e.g. C-AS
Hannes: Why not use the constrained version for both?
Goeran: Applications where COSE is used where RSA might be useful
Hannes: I don't see this use case at this moment
Mike: COSE might be used in unconstrained environments to avoid using other encodings
Hannes: Makes sense, but I haven't seen these use cases yet, will look into this.
Kepeng: Need discussion on the list, will make a poll.