Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14

Daniel Migault <daniel.migault@ericsson.com> Wed, 17 February 2021 16:16 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/icx_8JsNUkf4kNGIYzveWeDF1RM>

Hi,

I think that could work for me. If the changes address the initial concerns, we may publish these changes in the coming days.

Yours,
Daniel
________________________________
From: Stefanie Gerdes <gerdes@tzi.de>
Sent: Wednesday, February 17, 2021 8:51 AM
To: Daniel Migault <daniel.migault@ericsson.com>; Daniel Migault <mglt.ietf@gmail.com>; Francesca Palombini <francesca.palombini@ericsson.com>
Cc: Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>; Russ Mundy <mundy@tislabs.com>; Olaf Bergmann <bergmann@tzi.org>; ace@ietf.org <ace@ietf.org>
Subject: Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14

Hi Daniel,

On 02/16/2021 04:53 PM, Daniel Migault wrote:

> Section 5:
> OLD
> "Profiles MUST specify a communication security protocol that provides
>    the features required above."
> NEW
> "Profiles MUST specify at least one communication security protocol that provides the features required above."
>
> <mglt>
> I have the impression that with MUST specify one expects a mandatory protocol to be provided. Would the following text be acceptable?
>
> NEW2:
> "Profiles RECOMMENDs at least one communication security protocol that provides the features required above."
> </mglt>

I don't understand it like that but I see your point. But I think
"RECOMMENDS" leaves too much wiggle room :). The profiles could then
omit the protocols completely, which I think is a bad idea. Implementers
should have at least one example of how the communication between C and AS
is protected. Since we don't provide it in the framework we must have it
in the profiles. How about:

NEW3:
"Profiles MUST specify at least one communication security protocol that
provides the features required above as an example how the respective
communication can be secured."

Kind regards
Steffi