Re: [Ace] Francesca Palombini's Yes on draft-ietf-ace-dtls-authorize-16: (with COMMENT)

Daniel Migault <daniel.migault@ericsson.com> Tue, 08 June 2021 12:10 UTC

From: Daniel Migault <daniel.migault@ericsson.com>
To: Francesca Palombini <francesca.palombini@ericsson.com>, Olaf Bergmann <bergmann@tzi.org>
CC: Stefanie Gerdes <gerdes@tzi.de>, The IESG <iesg@ietf.org>, "draft-ietf-ace-dtls-authorize@ietf.org" <draft-ietf-ace-dtls-authorize@ietf.org>, "ace-chairs@ietf.org" <ace-chairs@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Date: Tue, 8 Jun 2021 12:10:04 +0000
Message-ID: <DM6PR15MB23795E9FC1FE681FC423D693E3379@DM6PR15MB2379.namprd15.prod.outlook.com>
References: <161660098197.9740.5845062491913232974@ietfa.amsl.com> <e82ac862-4e9d-8b5e-56f3-8550a768aafb@tzi.de> <871r9smnad.fsf@wangari> <C7FA8969-E67D-48B6-A82F-9E88EFF1B75D@ericsson.com>, <87k0n4fzit.fsf@wangari>, <E6892454-722B-47A1-AF87-FCD46365E257@ericsson.com>
In-Reply-To: <E6892454-722B-47A1-AF87-FCD46365E257@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/-ZyB040CoeyGLe9Luhwlgf8JfrU>

Great!
Thanks Olaf for addressing the comments and moving the document forward!

Yours,
Daniel
________________________________
From: Francesca Palombini <francesca.palombini@ericsson.com>
Sent: Tuesday, June 8, 2021 6:06 AM
To: Olaf Bergmann <bergmann@tzi.org>
Cc: Stefanie Gerdes <gerdes@tzi.de>; The IESG <iesg@ietf.org>; draft-ietf-ace-dtls-authorize@ietf.org <draft-ietf-ace-dtls-authorize@ietf.org>; ace-chairs@ietf.org <ace-chairs@ietf.org>; ace@ietf.org <ace@ietf.org>
Subject: Re: Francesca Palombini's Yes on draft-ietf-ace-dtls-authorize-16: (with COMMENT)

Hi Olaf,

Right! Somehow I managed to miss the « response » from the « access token response ».

Thanks for the answers, it all looks good to me and ready to ship.

Francesca

On 8 June 2021 at 11:59:19 CEST, Olaf Bergmann <bergmann@tzi.org> wrote:
Hi Francesca,

On 2021-06-08, Francesca Palombini <francesca.palombini@ericsson.com> wrote:

> My turn to apologize for the late reply :) I went through the comment
> again and I believe I must have misread something. I am ok with the
> current text, or the previous one as well, if you'd rather not add
> this sentence.

Thanks for the follow-up — we have kept the new text in version -18.

> I do have one additional comment, which came out while looking this over again - about the following text:
>
>    correct public key in the DTLS handshake.  If the authorization
>    server has specified a "cnf" field in the access token response, the
>    client MUST use this key.  Otherwise, the client MUST use the public
>
> The access token is opaque to the client (as defined the ace
> framework), so the client is not necessarily able to read and extract
> the key it is supposed to use from it. If I am not mistaken, the
> correct way for the AS to tell the client what key to use would be to
> use the "cnf" field defined in Section 3.2 of oauth-params.

You are correct. That is basically what this text says (= if the AS has
provided the cnf in its response, the client has to use it).

Regards
Olaf
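As an added example of the rule discussed in this thread (written here, not code from the draft or its authors): a client picks the key it presents in the DTLS handshake from the "cnf" parameter of the AS token response and treats the access token as opaque bytes it never decodes. The CBOR labels are the registered ones from RFC 9200/9201 and RFC 8747; the fallback to the key the client itself proposed is an assumption, since the quoted draft text is cut off, and the sample responses are constructed.

```python
# Added example: client-side key selection for the ACE DTLS profile (RPK mode).
ACCESS_TOKEN, CNF = 1, 8   # CBOR labels of the token response parameters (RFC 9200 / RFC 9201)
COSE_KEY = 1               # "cnf" confirmation method carrying a COSE_Key (RFC 8747)

def _head(buf, i):
    """Parse a CBOR initial byte and its argument; returns (major type, argument, next offset)."""
    major, ai = buf[i] >> 5, buf[i] & 0x1F
    if ai < 24:
        return major, ai, i + 1
    size = {24: 1, 25: 2, 26: 4, 27: 8}[ai]     # indefinite lengths are not used in ACE messages
    return major, int.from_bytes(buf[i + 1:i + 1 + size], "big"), i + 1 + size

def cbor_decode(buf, i=0):
    """Minimal CBOR decoder (ints, byte/text strings, arrays, maps); returns (value, offset)."""
    major, arg, i = _head(buf, i)
    if major == 0:
        return arg, i
    if major == 1:
        return -1 - arg, i
    if major in (2, 3):
        raw = buf[i:i + arg]
        return (raw if major == 2 else raw.decode("utf-8")), i + arg
    if major in (4, 5):
        out = [] if major == 4 else {}
        for _ in range(arg):
            if major == 4:
                item, i = cbor_decode(buf, i); out.append(item)
            else:
                k, i = cbor_decode(buf, i); v, i = cbor_decode(buf, i); out[k] = v
        return out, i
    raise ValueError("unsupported CBOR major type %d" % major)

def select_client_rpk(response, own_key):
    """Return (key to use in the DTLS handshake, opaque token to forward to the RS)."""
    params, _ = cbor_decode(response)
    token = params[ACCESS_TOKEN]          # bytes only: the client must not rely on parsing it
    cnf = params.get(CNF)
    if cnf is None:                       # assumed fallback: the key the client proposed in req_cnf
        return own_key, token
    if COSE_KEY not in cnf:               # a kid-only or encrypted cnf is not usable as an RPK here
        raise ValueError("cnf in token response carries no COSE_Key")
    return cnf[COSE_KEY], token

# Constructed sample responses (diagnostic notation in the comments), not real AS output.
# {1: h'a1b2c3d4', 8: {1: {1: 2, -1: 1, -2: h'0102', -3: h'0304'}}}  (EC2 / P-256 COSE_Key)
RESPONSE_WITH_CNF = bytes.fromhex("a20144a1b2c3d408a101a4010220012142010222420304")
# {1: h'a1b2c3d4'}  (no cnf: the AS did not supply a key, so the fallback applies)
RESPONSE_NO_CNF = bytes.fromhex("a10144a1b2c3d4")
OWN_KEY = {1: 2, -1: 1, -2: b"\xaa", -3: b"\xbb"}   # placeholder key the client proposed
```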