Re: [Ace] Francesca Palombini's Yes on draft-ietf-ace-dtls-authorize-16: (with COMMENT)

Olaf Bergmann <bergmann@tzi.org> Thu, 27 May 2021 11:25 UTC

From: Olaf Bergmann <bergmann@tzi.org>
To: Francesca Palombini <francesca.palombini@ericsson.com>
Cc: Stefanie Gerdes <gerdes@tzi.de>, The IESG <iesg@ietf.org>, draft-ietf-ace-dtls-authorize@ietf.org, ace-chairs@ietf.org, ace@ietf.org
References: <161660098197.9740.5845062491913232974@ietfa.amsl.com> <e82ac862-4e9d-8b5e-56f3-8550a768aafb@tzi.de>
Date: Thu, 27 May 2021 13:25:14 +0200
In-Reply-To: <e82ac862-4e9d-8b5e-56f3-8550a768aafb@tzi.de> (Stefanie Gerdes's message of "Tue, 11 May 2021 14:41:36 +0200")
Message-ID: <871r9smnad.fsf@wangari>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/0RXi1L9z9en10OEXMEQT1yGolAc>

Hi Francesca,

Did you have a chance to take another look at comment #3 of your review
(see below)?

Regards
Olaf


On 2021-05-11, Stefanie Gerdes <gerdes@tzi.de> wrote:

>
> On 3/24/21 4:49 PM, Francesca Palombini via Datatracker wrote:
>> 
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>> 
>> 3. ------
>> 
>>    raw public keys, it needs to determine which key to use.  The
>>    authorization server can help with this decision by including a "cnf"
>>    parameter in the access token that is associated with this
>>    communication.  In this case, the resource server MUST use the
>> 
>> FP: The example in Figure 4 shows how the whole RPK of the client can be
>> included in the access_token, so maybe this paragraph should cover that case,
>> or the example changed.
>
> I am not quite sure if I understand your comment. In Figure 4, the
> contents of the access token are omitted for brevity. The response
> contains access information for the client with the server's RPK in
> the rs_cnf parameter. This is required by the client to authenticate
> its peer during the DTLS handshake. We changed the example paragraph
> so that it now explains the use of the rs_cnf parameter. Does that
> make it more clear?

The new text we have included reads:

"The response comprises access information for the client that contains
the server's public key in the rs_cnf parameter."