Re: [Ace] Francesca Palombini's Yes on draft-ietf-ace-dtls-authorize-16: (with COMMENT)

Francesca Palombini <francesca.palombini@ericsson.com> Tue, 08 June 2021 10:06 UTC

From: Francesca Palombini <francesca.palombini@ericsson.com>
To: Olaf Bergmann <bergmann@tzi.org>
CC: Stefanie Gerdes <gerdes@tzi.de>, The IESG <iesg@ietf.org>, "draft-ietf-ace-dtls-authorize@ietf.org" <draft-ietf-ace-dtls-authorize@ietf.org>, "ace-chairs@ietf.org" <ace-chairs@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Date: Tue, 8 Jun 2021 10:06:17 +0000
Message-ID: <E6892454-722B-47A1-AF87-FCD46365E257@ericsson.com>
References: <161660098197.9740.5845062491913232974@ietfa.amsl.com> <e82ac862-4e9d-8b5e-56f3-8550a768aafb@tzi.de> <871r9smnad.fsf@wangari> <C7FA8969-E67D-48B6-A82F-9E88EFF1B75D@ericsson.com>,<87k0n4fzit.fsf@wangari>
In-Reply-To: <87k0n4fzit.fsf@wangari>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/-ewU_KeDtHjb0eMGFhpGjNBmgPo>
Subject: Re: [Ace] Francesca Palombini's Yes on draft-ietf-ace-dtls-authorize-16: (with COMMENT)

Hi Olaf,

Right! Somehow I managed to miss the "response" from the "access token response".

Thanks for the answers, it all looks good to me and ready to ship.

Francesca

On 8 June 2021 at 11:59:19 CEST, Olaf Bergmann <bergmann@tzi.org> wrote:
Hi Francesca,

On 2021-06-08, Francesca Palombini <francesca.palombini@ericsson.com> wrote:

> My turn to apologize for the late reply :) I went through the comment
> again and I believe I must have misread something. I am ok with the
> current text, or the previous one as well, if you'd rather not add
> this sentence.

Thanks for the followup — we have kept the new text in version -18.

> I do have one additional comment, which came out while looking this over again - about the following text:
>
>    correct public key in the DTLS handshake.  If the authorization
>    server has specified a "cnf" field in the access token response, the
>    client MUST use this key.  Otherwise, the client MUST use the public
>
> The access token is opaque to the client (as defined the ace
> framework), so the client is not necessarily able to read and extract
> the key it is supposed to use from it. If I am not mistaken, the
> correct way for the AS to tell the client what key to use would be to
> use the "cnf" field defined in Section 3.2 of oauth-params.

You are correct. That is basically what this text says (= if the AS has
provided the cnf in its response, the client has to use it).

Grüße
Olaf
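The point Francesca raises above, and Olaf's reading of the draft text, boil down to one client-side rule: the access token is opaque to the client, so the client learns which raw public key to present in the DTLS handshake from the "cnf" parameter of the AS response, never by parsing the token. The following is an added example (not code from the draft, from any ACE implementation, or from this thread) that implements that selection. It assumes: message fields are shown with string names rather than the CBOR integer labels used on the wire; key material is constructed sample data, not real keys; and, because the quoted draft text is cut off at "Otherwise, the client MUST use the public", the fallback to the key the client proposed in its own "req_cnf" is this example's assumption, not a statement of the draft.

```python
"""Client-side key selection for the ACE DTLS profile (RPK mode), as an added
example. Parameter names appear as strings; the real messages are CBOR maps
with integer labels (not shown). All key material below is constructed."""

from typing import Any, Dict, List, Optional, Tuple

# Constructed sample COSE_Key-like dicts (hypothetical values, not real keys).
# 'd' stands in for the private scalar and never leaves the client.
KEY_A = {"kty": "EC2", "kid": b"key-a", "crv": "P-256",
         "x": b"\x01" * 32, "y": b"\x02" * 32, "d": b"\x0a" * 32}
KEY_B = {"kty": "EC2", "kid": b"key-b", "crv": "P-256",
         "x": b"\x03" * 32, "y": b"\x04" * 32, "d": b"\x0b" * 32}
OWN_KEYS = [KEY_A, KEY_B]

# Constructed opaque token bytes: the client passes these through unchanged.
SAMPLE_TOKEN = b"\xd8\x3d\xa2\x01\x02\x03\x04"  # placeholder, not a real token

# Constructed request/response maps. The request proposed KEY_A via req_cnf.
SAMPLE_REQUEST = {"req_cnf": {"COSE_Key": {k: v for k, v in KEY_A.items() if k != "d"}}}
RESPONSE_WITH_CNF = {"access_token": SAMPLE_TOKEN, "cnf": {"kid": b"key-b"}}
RESPONSE_WITHOUT_CNF = {"access_token": SAMPLE_TOKEN}
RESPONSE_UNKNOWN_KID = {"access_token": SAMPLE_TOKEN, "cnf": {"kid": b"key-z"}}


class KeySelectionError(Exception):
    """Raised when the AS designates a key this client does not hold."""


def _public_part(key: Dict[str, Any]) -> Dict[str, Any]:
    """Strip the private scalar so only public coordinates are compared."""
    return {k: v for k, v in key.items() if k != "d"}


def _match_cnf(cnf: Dict[str, Any], own_keys: List[Dict[str, Any]]) -> Optional[Dict[str, Any]]:
    """Resolve a cnf structure against the client's key pairs.

    cnf carries either a full COSE_Key or only a kid reference; either way the
    client must find a key pair it actually holds, or the handshake cannot proceed."""
    if "COSE_Key" in cnf:
        wanted = _public_part(cnf["COSE_Key"])
        return next((k for k in own_keys if _public_part(k) == wanted), None)
    if "kid" in cnf:
        return next((k for k in own_keys if k.get("kid") == cnf["kid"]), None)
    return None


def select_client_key(request: Dict[str, Any], response: Dict[str, Any],
                      own_keys: List[Dict[str, Any]]) -> Tuple[bytes, Dict[str, Any]]:
    """Return (access_token, key_pair) for the DTLS handshake.

    The token is never parsed: the key comes from the response's 'cnf' when the
    AS included one. Falling back to the key proposed in the request's 'req_cnf'
    is an assumption of this example (the quoted draft text is truncated there)."""
    token = response["access_token"]
    cnf = response["cnf"] if "cnf" in response else request["req_cnf"]
    key = _match_cnf(cnf, own_keys)
    if key is None:
        raise KeySelectionError("AS designated a key this client does not hold")
    return token, key


if __name__ == "__main__":
    _, chosen = select_client_key(SAMPLE_REQUEST, RESPONSE_WITH_CNF, OWN_KEYS)
    print("AS cnf present, using", chosen["kid"])
    _, chosen = select_client_key(SAMPLE_REQUEST, RESPONSE_WITHOUT_CNF, OWN_KEYS)
    print("no cnf in response, using", chosen["kid"])
```

The check in `_match_cnf` is the part a practitioner wants beyond the MUST in the draft text: if the AS names a key the client does not possess, the client should fail closed rather than fall back silently, since presenting any other key would not match what the RS was told to expect.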