DICE IETF-89 Minutes

Note takers - Akbar, Corinna (Edits from Zach)

1) Intro

- Zach is chairing this session alone as Dorothy could not make it.

Introduction:
- Repeating scope of WG
- Repeating Goals and Milestones
- May need to adjust WG deliverable dates as we get closer to the scheduled dates

2) DTLS Profile draft [Klaus Hartke, Hannes Tschofenig]
draft-hartke-dice-profile-03

Communication Model
- Hannes - Draft covers unicast (as multicast is covered in another document) and IoT device to server (with the server being unconstrained)
- Carsten - In CoAP, the server is often the most resource constrained
- Carsten - We have to have a precise definition of client and server
- Zach - Terms from DTLS can be applied here, not the ones from CoRE. This must be clarified in the next draft version. P2P communication is out of scope here.
- Hannes - Will add some simple examples/use cases to illustrate
- Matthias - Agrees with Carsten's concern that the server is often constrained
- Göran? (Ericsson) - Should cover cases where all the nodes can be constrained
- Carsten - We have solutions. See what we offer. Look at the lifetime of the session.
- ? - We should cover constrained servers that may be interacting with many clients. This may greatly impact the server
- D. Robin - Everything has to be peer-to-peer connected. Think about a knocking message that is unsecured, just to initiate the communication
- Robert Cragie - Think of network authentication
- Subhir - Do you consider a relay in this model?
- Hannes - I didn't think it mattered, but if you do think it matters please call it out
- Zach - Specifying a DTLS relay is out of scope of the WG

CoAP vs. non-CoAP
- Hannes - Work was heavily influenced by CoAP
- Long discussion by several speakers and Hannes about what cipher suites to use and how to align it with various protocols. Hannes started off by looking at what CoAP supported
- Hannes - Depending on the communication type used, implementations exist that also include special support for this.

PSK Ciphersuite & PFS
- Carsten - We want to get rid of the UTF identifier. It is better to send binary data

Raw Public Key Mode
- Inherited from CoAP
- No questions/comments from audience

Certificate Mode
- B. Nixon - What about the capabilities available with DANE? Which allows a certificate to be registered in DNS and allows fast updates
- Hannes - Good point but I haven't looked into this yet

- Zach: Good shape. Some open issues. Please go on the mailing list and ask your comments/questions there. WG document adoption scheduled soon

3) Multicast draft [Sandeep Kumar]
draft-keoh-dice-multicast-security-05

- Sandeep - Goes over motivating use cases and requirements
- Sandeep - Goes over the proposed solution (use the DTLS record layer to protect CoAP group comm messages; out-of-band setup of the Group Security Association)
- Sandeep - DTLS record layer adaptation, and DTLS record layer processing remains nearly unchanged
- Stephen Farrell - Just skip to open questions as we already discussed this previously
- Zach - We are chartered for this approach as described by Sandeep. Now we have suggestions by Mike and others to go beyond this solution, which is a good discussion. Like requiring source authentication. As a WG do we need to support this?
- Eker - You should abandon the DTLS record layer to support multicast [if you want to support source authentication]. Source authentication is really required for many IoT use cases.
- Zach - Should we try to extend CoAP to do this (instead of the DTLS record layer)?
- Carsten - Want to avoid a complicated re-design. Don't know what component we could use for source authentication?
- Mike StJohn - Public key integrity can be done in several ways
- Eker - There may be problems with this depending on what layers you are doing this at
- Zach - We have a solution that fits the charter but may need to support source authentication. We need to have complementary drafts looking at alternate solutions
- Stephen Farrell - Sounds like a potentially huge increase in scope
- Zach - Yes, we need to decide if we really want to expand the scope
- Stephen Farrell - So we should hold this draft until the complementary drafts are written
- Zach - Yes

4) Next Steps [Chairs]

- WG adoption call for draft-hartke-dice-profile-03
- Strawman ID needed to explore alternative CoAP multicast authentication