[Ace] MQTT, OSCORE, DTLS profiles - recommendation on RS - AS communication
Daniel Migault <daniel.migault@ericsson.com> Fri, 05 March 2021 21:11 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/1fXw9EpjZBgmeI6Ps5H3Zrq68Rw>
Hi,

Now that the authz document is being consolidated, I do have some minor concerns regarding the recommendations mentioned in the profile documents, that might require an additional update. The update to the authz document indicates more clearly than before that profiles need to provide some recommendations for the RS - AS communication.

"""
Profiles MUST specify for introspection a communication security protocol RECOMMENDED to be used between RS and AS that provides the features required above.
"""

It seems to me the MQTT profile text makes it pretty clear that TLS is recommended for all communications, but I am wondering if additional clarification would be beneficial - see below. That said, I agree this is a very minor point in this case that could be handled by the RFC editor.

For the OSCORE or DTLS profiles, unless I am missing the RS - AS recommendations in the documents, it seems to me it has been omitted and needs to be added -- see below.

Yours,
Daniel

* MQTT - draft-ietf-ace-mqtt-tls-profile-10

"""
To provide communication confidentiality and RS authentication, TLS is used, and TLS 1.3 [RFC8446] is RECOMMENDED. This document makes the same assumptions as Section 4 of the ACE framework [I-D.ietf-ace-oauth-authz] regarding Client and RS registration with the AS and setting up keying material. While the Client-Broker exchanges are only over MQTT, the required Client-AS and RS-AS interactions are described for HTTPS-based communication [RFC7230], using 'application/ace+json' content type, and unless otherwise specified, using JSON encoding.
"""

I am wondering if it would not be more appropriate to specify in the first line RS and AS authentication, or simply authentication.

* OSCORE - draft-ietf-ace-oscore-profile-16

"""
This profile RECOMMENDS the use of OSCORE between client and AS, to reduce the number of libraries the client has to support, but other protocols fulfilling the security requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] (such as TLS or DTLS) MAY be used as well.
"""

* DTLS - draft-ietf-ace-dtls-authorize-15

"""
It is RECOMMENDED that the client uses DTLS with the same keying material to secure the communication with the authorization server, proving possession of the key as part of the token request. Other mechanisms for proving possession of the key may be defined in the future.
"""