Re: [Ace] [Russ Mundy] Re: secdir review of draft-ietf-ace-dtls-authorize-14

Francesca Palombini <francesca.palombini@ericsson.com> Thu, 11 February 2021 15:03 UTC

Return-Path: <francesca.palombini@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8C563A0CB7 for <ace@ietfa.amsl.com>; Thu, 11 Feb 2021 07:03:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.351
X-Spam-Level:
X-Spam-Status: No, score=-2.351 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6rsOwznAZ6I5 for <ace@ietfa.amsl.com>; Thu, 11 Feb 2021 07:03:01 -0800 (PST)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2048.outbound.protection.outlook.com [40.107.20.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02A053A168A for <ace@ietf.org>; Thu, 11 Feb 2021 07:02:57 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gjMLdv1AvADzRh7BKTL0ZsZ3UAk9I+wvjqn7OhaPXLM8xsTJKOzLTse09klFh+FevhhLXKNVHkC4+ZoK1zzpyJa0BPNAmQ05JkJU7S08HfDHDDkXn5THa6zYdFMxgas4xEEf/JLOfHHLRi67bZMLM8qtIIo3J06gHrkVVN6HgLPPidESjs64PTer5LHHc/vVyf5MTu+nxJ6nGJY2Nu/PqI2ii9Vsfjj/AplyjuNXTg+7lHd+rSBNiYVr3umke2S3apRP9SZdXTY/NuybaFqxxG8P+1lmoo25coIX4r0C4bfq13LGmp7VnxWZTmc+CTgxJqvSHFW1utbYrbYnEFxmbQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8SgOpurWmHJDPc9ijpWQo4YmGqixcT4kIv7n6K/MoEs=; b=Vv7OU7fVgt+dXfbLwt2e5Eh2qHSYU8y2DMsSkmGgCDeybyXPx4DI49kVXaUZykpoxWWSXZ0xXJyPdlFH86zAk9o7NdhFBHjQpY9zx/SDMVwm4Xs1ydTGoCl/wRxhSGpR+sCJ4l2WQp8N1BJ71NeMf1Va/85YU8c2sZZBz3/NvLOfJEMRDd4alClRR3UZB5IO3cEgjV2Eyk0cyZwl/Nuf6igirQPyoNsqW+0ohCV0vLcDt1XZOHq3263+9blEy25s6gZeL/OA/w2lq+7IMrnVRBK5meihOLDDDE6Akl44dm1JXhRGchwAC0NoIgh4dl93GmZBw78kKMKd7pbisI1HNw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8SgOpurWmHJDPc9ijpWQo4YmGqixcT4kIv7n6K/MoEs=; b=UjRrK6bKdkx7oVNETRcK2S7vU1Hra9O0oSK9H4yKv7abPBeglT2AvWcWnC+dDNP4izeKqmOxN17ICOWHyWoTaLD9VJRW3V++WhEPe7seCzYJMM4mvjklL/NO9lU5S/It6TgoEcAO3XtM5MbBK4KVuEeNVxhDB6c83l3TcAB1Nb0=
Received: from (2603:10a6:803:74::33) by VI1PR07MB4479.eurprd07.prod.outlook.com (2603:10a6:803:65::33) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3846.10; Thu, 11 Feb 2021 15:02:55 +0000
Received: from VI1PR07MB4477.eurprd07.prod.outlook.com ([fe80::c5e9:fb9a:e4a0:e7a4]) by VI1PR07MB4477.eurprd07.prod.outlook.com ([fe80::c5e9:fb9a:e4a0:e7a4%5]) with mapi id 15.20.3846.029; Thu, 11 Feb 2021 15:02:55 +0000
From: Francesca Palombini <francesca.palombini@ericsson.com>
To: Stefanie Gerdes <gerdes@tzi.de>, Daniel Migault <mglt.ietf@gmail.com>, =?utf-8?B?R8O2cmFuIFNlbGFuZGVy?= <goran.selander=40ericsson.com@dmarc.ietf.org>
CC: Russ Mundy <mundy@tislabs.com>, Olaf Bergmann <bergmann@tzi.org>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] [Russ Mundy] Re: secdir review of draft-ietf-ace-dtls-authorize-14
Thread-Index: AQHW/kB8j0lEzu7zgkuzuVmljgIYR6pOxDyAgAOKq4CAAIhjAIAASusA
Date: Thu, 11 Feb 2021 15:02:55 +0000
Message-ID: <9911269D-AA7F-458C-AA1A-2D59A79C5A00@ericsson.com>
References: <871rdqihww.fsf@wangari> <FD569111-85F8-40A2-8C97-764977309B87@ericsson.com> <CADZyTk=HB26o=mUpUdbYEhfhrGZar+oe28c5PZ2_j-vKYVA6xg@mail.gmail.com> <c6d42d18-f1f3-ec00-fff9-3540fa222d23@tzi.de>
In-Reply-To: <c6d42d18-f1f3-ec00-fff9-3540fa222d23@tzi.de>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.45.21011103
authentication-results: tzi.de; dkim=none (message not signed) header.d=none;tzi.de; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [2001:1ba8:147a:c100:59f3:9410:85d1:1470]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: cc0f74b1-1268-49dc-c402-08d8ce9e1cc4
x-ms-traffictypediagnostic: VI1PR07MB4479:
x-microsoft-antispam-prvs: <VI1PR07MB4479969E52A77CE419751F0A988C9@VI1PR07MB4479.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ktEOCPf9MdLh3QExsiwRh78ydpDCqL4co0q9in5S/72aw94vQKnTMbEyHc/ftVMiASBDHM8NiXlK2hjabiU/dtn+5UZddF2uTe0lMv/ydrVN3Ssg9iD9277QcTNfcqAHE5sW+lqf2GKOb3YdlQyVyuNgWreOzk/DXkcjIEJ1WMjD3BkkE7OXL9WWtTsT4vP8KNXv2IlKblXuGPFjtCoQmK+/ehNwcfVdKhoXG9Ciypbl6xvhDlC7u0Zjw+WePjGym3HxiVmr6XUzJDDRBnwyzndb78NDQPCmgp7U8rCeIvu+V6QdjDPF/GM5fWI6HB/iWwnJHW3LHo+pbQIJGRiCottPw/YFdGvvGCDQ2Bgcncb/fSLogM88nmRT4gC22e9R77+oMhqCX6BFq1KH+KNPbWij/c2znC2N3VlntrF9wduGrmw9aKPxe4PSqX35M8Di7LVpSNkqyMnVqTfCzkVpK6Fh/oYJ7z9aNmkg6kiRBnbdceA7l3+beVJejRYu7+bBlLkfggha3om03VGTjvMcZy3qV7wrKTEjBxld1PUIWfBtFIq9MfwnmbqqPemLOuo1oqnh79r8TnWgXTN1VUl9GQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR07MB4477.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39860400002)(136003)(346002)(376002)(396003)(366004)(478600001)(66946007)(66476007)(64756008)(66556008)(66446008)(76116006)(6506007)(53546011)(8936002)(110136005)(71200400001)(36756003)(33656002)(2616005)(86362001)(5660300002)(6486002)(8676002)(2906002)(316002)(54906003)(6512007)(4326008)(66574015)(44832011)(83380400001)(186003)(91956017)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?utf-8?B?UHZFVC9saklFNWg3WHFzM1V0OEdwaGowNkhxWFRpblVmVEpFaDA4THVSd0hS?= =?utf-8?B?TThLbTFUalduVURiZ1kzT21TSGY1VW9xdmEzZTZSK2JnU0RUUi9HcGNJWDM0?= =?utf-8?B?a1NLZFFQQUlqeUo5WWNOOHBYcnFBeEtyMjRES29NU1g4V1htY29VNW5CUjJx?= =?utf-8?B?TFlLaG1yYVRqZnl1WjV2cHhObEZSeUlHTHY3RWtEUjQrWWR4SHJiWnJxaFNs?= =?utf-8?B?SzVFOVZUK2RLK214TEZhMEJRNDE2N3hXNXFUS29pc0d0QS9vaGpiQitETTBw?= =?utf-8?B?RWpVY2twTWlNKzE0THJzeG5YQVRJWHZyREh3ZlJSUlZVbUNqUnA0US9xNVRG?= =?utf-8?B?Z1RYcFUvQThPMTdFU1huZVkzb3lZYkhKdVdhMVp5SFdSR0RVSHhMOTMwWXRK?= =?utf-8?B?NHBVZ0QwRmc3WjYycWhkVVRhUWtaWWhLZnBzMjdjc05abDZ4RDI2UEkzU01F?= =?utf-8?B?Y2E2WWNDNEk2RVJGWFNoOEh6RXU3MFZYV2YzYlJJR0ZaOWtUSmE4NTlCNXZK?= =?utf-8?B?SHkzb3ptVDJJZXFmOEJOU1FDa3FBOVo4Ym5UMjBBd0h1eDllWDRyZlUwd2sx?= =?utf-8?B?ZlpPcU9ubWUvVFlubGt6dm15S2ZQcjJSdE5hMjlvckdndythdVBVZmVBbWpU?= =?utf-8?B?eDA3U0dQaWxja3Bla3FSTWZ3NU1xMTM4ckgxNEhiV2c0UG5ORWg4QXFMVFp5?= =?utf-8?B?VmZjVTB3MTBNZnlQWTR1ZWZNZXljN1JKbDdqRW9EajlNem9RUEloZ0hDODVK?= =?utf-8?B?V284Vi9vYzFyTHlkSGIza0xMZkJyb1VZNGFvOUk5WVNvcXBpd2gyZ0U1WDJ6?= =?utf-8?B?QXFmdDJlTG1WTU1OZDVLMXF0NFZNL09hMWRrRXZYamtBUGkwaVQvUjUxMDky?= =?utf-8?B?R1BrVytVZnI2ZWxVVm9hc2NZdWE1dzBQbGtmZ1ROZ1U5aU9yVDJ0c2sxdjNB?= =?utf-8?B?RStTOVg2Sm5UNzRWcTFqcWpKeEVaWnFFWGJhZTdhTjJaV1lhaUxOTVpuUERF?= =?utf-8?B?MGYvaUppdFVXWDBzUXNLM1N2QWZrSXVkcVZ6UnpnNW12dUswY1lPWHQ3L2hv?= =?utf-8?B?VW8zenZVczZzVUZKRXRpU1hRcHgrdnNNK0FtL2ZCbzB4cEpzVmdodEtGM2Uy?= =?utf-8?B?TjRBM245TmNVM1NRN0tNaXBlYVNRaXFxV1lLZUlaWDlqQW1MWFk3UUV6cmpM?= =?utf-8?B?Y25lenk5eVJ1T3BFbWZFZHQwTlVWZDIzQVpNQVMwT0E5eUkzRDFmS2ZkdllJ?= =?utf-8?B?Q0tQV1lUQmVjUXY3OEdZUEdDa01WUE4yaEhHOUpIc21NMDM3RmlvM2prc3Mv?= =?utf-8?B?SlNqb3dyRHVjMWRqbC9IVnBhWkRuYzhuV2JUSDhDRjNzQldTa2g2VEVVSjJt?= =?utf-8?B?ZVlqZ0JLendkS1BsR1hrTTdJbTRxcVNpS0RFYi9NTFRhTnpDOHRaWjZYRTRu?= =?utf-8?B?c3JKYTNFczNYRnVzeU9OaGFaVlRka3FNLzMwR0xzSjN0bUNWM2NjZ24yR3pz?= =?utf-8?B?bjlpSkNqeEFWTEU2NU9SNmM0OWFOSDhDMzhLK0NSY1RMVjVOZkloSGpBV1Zt?= =?utf-8?B?TlE3bUw1TithcGdVMWRvNWNpdlYwL1UwMnF2NWl2Q2dEc0htSHFMbEpOelUv?= =?utf-8?B?V1VDNkpmaHE0OU1CUXRNVWRzQmR1NW5mY1VCY2NjSEVPUHZnNlFiL3VFNkxR?= =?utf-8?B?YitaZnBBcmtGL0x5anJjQW1JV3c0bW5aSmowYzdyb3hIbzc5QTZXd2dnQWlm?= =?utf-8?B?T0lSZDVkWG5VMVZ4RzBZRW53aE4xTTMzYzdCN2dWLzc1OEp5MTJyeEVkMDNn?= =?utf-8?B?STJ2QzMrTjVNbHlOT3A1aVk0SVZhRDZQdkIrbFVmY05KMUQraEpTdWZBTzZW?= =?utf-8?B?TDUrU2wrT1h2RTJXOGpwRE5ZaFRubDZFNDJueDMwWHc2Z1E9PQ==?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <D43C8F44BF528E48B1174F9BCD38655B@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: VI1PR07MB4477.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cc0f74b1-1268-49dc-c402-08d8ce9e1cc4
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Feb 2021 15:02:55.4827 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: sxi59+HoT6lOzbQs0dzE7UoQG2uQBMnbUZGBV7J8DKJ7ifeAM36hbGKU07Nn+tALt4TQyrglNhyI80GgzsLltSngzl8WcnAmy2bGg3Rm0Bv4GnphJbt+un6ESBvBiFFj
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB4479
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/1uhv_jHH_kxfOvXko4Sl5vu9Uwg>
Subject: Re: [Ace] [Russ Mundy] Re: secdir review of draft-ietf-ace-dtls-authorize-14
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 15:03:03 -0000

Hi,

I am fine with Daniel's change to the DTLS profile (which wants to add motivation on why the DTLS profile is RECOMMENDED), and prefer Göran's formulation to the Ace framework. 

I had to think about it and figured out where the different interpretations come from, and hence what needs to be clarified:

    "Profiles MUST specify a communication security protocol that provides
       the features required above."

Russ reads this sentence as: one (and only one) protocol MUST be specified *and used* between Client and AS.
I (and others) read this sentence as: (at least) one protocol fulfilling the security requirements MUST be specified in the profile. (and as a consequence: One and only one of these protocols specified in the profile MUST be used between client and AS)

I think Göran's modification clarifies the above, but hopefully Russ can let us know how to make his even clearer.

Francesca

On 11/02/2021, 12:35, "Stefanie Gerdes" <gerdes@tzi.de> wrote:


    On 02/11/2021 04:26 AM, Daniel Migault wrote:

    > 
    > OLD: section 6.2
    >  "Profiles MUST specify how communication security according
    >    to the requirements in Section 5 is provided."
    > NEW:
    > section 6.2 is focused on security but the security requirements are
    > provided in section 5. We may simply remove this sentence.
    > 
    > OLD section 5.
    > "Profiles MUST specify a communication security protocol that provides
    >    the features required above."
    > NEW:
    > Profiles MUST provide some recommendation on protocols used to establish
    > these communications.
    > These communications MUST meet these security requirements. As
    > communications meeting these requirements may be established in multiple
    > ways, profiles MUST provide some recommendations as to favor
    > interoperability. In most cases the recommendations aim at limiting the
    > number of libraries the client has to support.
    > 

    The reason that this requirement on the profiles was included in the
    framework is that the framework itself does not specify how
    communication security is provided. For the security of the solution it
    is important that the profiles fill this gap. I think that it is
    important to emphasize this security requirement. I therefore prefer
    Goeran's proposals:

    Proposal 1 (Section 6.2):
    OLD
      "Profiles MUST specify how communication security according
       to the requirements in Section 5 is provided."
    NEW
    "The requirements for communication security of profiles are specified
    in Section 5."

    Proposal 2 (Section 5):
    OLD
    "Profiles MUST specify a communication security protocol that provides
       the features required above."
    NEW
    "Profiles MUST specify at least one communication security protocol that
    provides the features required above."


    Viele Grüße
    Steffi