[Ace] draft-ietf-ace-mqtt-tls-profile connections

[Jim Schaad <ietf@augustcellars.com>]

I am having a problem understanding the flow of authentication.  This may
just be a problem with my preconceptions, but in that case it still needs to
get clarified in the document.

* So as a client I get a token from the AS.  For the first run, assume that
it has a RPK in it.
* I now connect to the server using TLS.  
   	Question #1 - Am I doing client authentication at this point in TLS?
This is what is happening for all of the current profiles, but it is not
clear that this is happening for this profile.  The answer appears to be
both yes and no.

* The connect message holds the token and an authentication value.  The
sentence starting "The client MAY apply ..." in the next to last paragraph
is totally confusing.  Do I get a choice to create a value or not?  Do I get
a choice as to which method I use (which would seem to be dictated by the
token type and not by client choice).

* I am flummoxed by the statement that there is sufficient randomness in the
payload when authenticating.  I presume that all that is being used for the
authentication input is the CONNECT message.  Given that the exact same
input would be used for two different logons, I do not understand how this
could be the case.  Impersonation would seem to be an issue in the event
that the connect message is ever captured (including by the server).  I
would strongly suggest that there is a requirement to include a value from a
tls-exporter to tie the authentication to a specific session.

*  Appendix B says that the broker will accept MQTT PUBLISH messages, does
it have to do a connect before doing the publish or not?  If the connect is
required then what is used for authentication?

Jim