Re: [Ace] Charter discussion

Göran Selander <goran.selander@ericsson.com> Tue, 03 November 2020 10:05 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1DB13A15C2 for <ace@ietfa.amsl.com>; Tue, 3 Nov 2020 02:05:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e7VicFo0vh8M for <ace@ietfa.amsl.com>; Tue, 3 Nov 2020 02:05:47 -0800 (PST)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2070.outbound.protection.outlook.com [40.107.20.70]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D6B83A15BC for <ace@ietf.org>; Tue, 3 Nov 2020 02:05:47 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ZJ8J5qQA9+rCuSG0h3L+c36PsCa0Wu/plO3TqnTZ04feII+BQiY5TCOLoMi3DO0MMybsBZgj4tHDn9z/8PZ6tNAFrmACSn6jBVBSNJweYMSYxXMz2cAld4pH21Sh5yHpy/oB/FtTJaemXwvO11uXovtymxzkmEtM9tx8tr4IAMA3zxJ5WzB9KvCSLw24JDoZo2soWbk0NsBoNUX4cdpal4Sdl7UrjpOM/Nc65OXfipW8di2i30N1sIgB0/KAMSNMreaos4LKp6pPv4MrfRIx7cGyAhr9ahSZxK6gknOl29W0ZlOPLrLPSrlISd5o2Rs5HfW6EnqlNqyl8P2mgBPaYw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pwQDC58Vu37OT2AOLCs0vVuhqFANX4C2HBISH+uQep4=; b=JyUMziqKrzExnf43Sl88mSK0Lu2UDkTjN44YmodviPD7blWuKGJNxniTPJAhX/Srt70QBtv6EU+nexEg0AMxCqRs+riPeGLwFkDOxN1/tO2ZOMEgWohA9+3XYLIrPhvM8YLVXfocHj/hegO4b4BbiDj/jDOkAxcgrezfeoXMoM64FZYBwsjuEIUu7raBCr2jFtOjw5Je9q4nVQFBOd9rftxEK7/RtW7kGyeYbx2QgHiwU7enQlc9Ltko84jie55DwZjzI7qRE4SI6w8mK+W2DPupMFs2QQriMm76GhtBsQRDUOUUlx4IORfBNWDTJP8gmF0oD9Ix9w9syhYS+6DYKg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=pwQDC58Vu37OT2AOLCs0vVuhqFANX4C2HBISH+uQep4=; b=HmCoQalqlP5bll3LhzfsczuwoyT/XG1SdjW0Z/umTI6aYhpWZChmiXB3A2VrozAIrmsjWPt3QPnNQvCs92CgjUHvlZkVsjJVvtpFptfrN56eDEhp8bAY4+xyoyEkffd+sj4Xq4LqC8Q18iAvOj1Ppp+ndlxRhmQJIedrEZnh0AQ=
Received: from HE1PR0702MB3674.eurprd07.prod.outlook.com (2603:10a6:7:82::14) by HE1PR0702MB3580.eurprd07.prod.outlook.com (2603:10a6:7:8c::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3541.13; Tue, 3 Nov 2020 10:05:44 +0000
Received: from HE1PR0702MB3674.eurprd07.prod.outlook.com ([fe80::c99c:9978:10bb:e231]) by HE1PR0702MB3674.eurprd07.prod.outlook.com ([fe80::c99c:9978:10bb:e231%3]) with mapi id 15.20.3541.015; Tue, 3 Nov 2020 10:05:44 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: Daniel Migault <mglt.ietf@gmail.com>, Ace Wg <ace@ietf.org>
Thread-Topic: [Ace] Charter discussion
Thread-Index: AQHWoxucbAjxceIga0igx21acPgYqam2JmJS
Date: Tue, 03 Nov 2020 10:05:44 +0000
Message-ID: <HE1PR0702MB3674F5E7C6044443418E8B1BF4110@HE1PR0702MB3674.eurprd07.prod.outlook.com>
References: <CADZyTkmnV_Dhb5iXzykUyEAskLDg7tj=80CbEBGmSyFQNS2FHw@mail.gmail.com>
In-Reply-To: <CADZyTkmnV_Dhb5iXzykUyEAskLDg7tj=80CbEBGmSyFQNS2FHw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [83.251.145.232]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d1d71eee-8ff6-473c-cfd6-08d87fe00758
x-ms-traffictypediagnostic: HE1PR0702MB3580:
x-microsoft-antispam-prvs: <HE1PR0702MB3580141498EDCF6EF42E7284F4110@HE1PR0702MB3580.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: H2Km/Ip1Hjj9K8XlRXeMx+fRCHskSaEKRoz6eZ/mFw1DCEbhs/Pof/N5cc6hqqo+km7H9JGDKKd8lUw129JEnjz07BI/0eD6Kgx5PQmF3uOwxlBQtlOkHySBE92M2xvWDrRifUBBbawf0Oz/XGlvr9IEfs/bEbJCgmBAhByHqdbu8UPjhSHAAWE94r7TnEXcNrIN/ssw/93E2+ircV2GqYDX2b7w/ZsVbNZMa/pZImhC4YgI158WVB6Bf3qBOGT9mPMJl1LE7kC7heOec6oQK8k6DhpUwvx6/bDbMTMWkZXt/byjDVCKAANhIzKgMJ3UN+k188Xgy4CGM3rKeMudopcstrpbRTAOb7F/vuB0R1sx5r/+2FgHWho2ISyyb93VnwZGUvKjArpWWojY27wDGAeNlEA68NIvCjThjLwGfsvmfdULaTHMvPFLEaYDv1X8uLLyQ9WKrF2Apva7ZWTCbQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3674.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39860400002)(396003)(366004)(136003)(376002)(346002)(5660300002)(66476007)(64756008)(66446008)(52536014)(66946007)(76116006)(2906002)(71200400001)(8936002)(9686003)(316002)(55016002)(66556008)(110136005)(7696005)(86362001)(66574015)(166002)(53546011)(4001150100001)(186003)(83380400001)(6506007)(33656002)(8676002)(478600001)(26005)(966005)(15940465004); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: dFuRF8UNyqJfIL5f4CSCskH/QplAkPw9HkSmbBKOSM2pRedoETp8AqyL0db/drS1ilKzg/f+Z3zJUTFVI0HDc2pvkg9wEtbbTcOuGg/XnVIyXLeAEsK2Xj/ZTs/H2CP8U0yaCoTe53Ede1pjAh0H0OephokgeQCvjy6XzO2bz7KxpqtwPaay7XZaeq5HRzSW4z5ZPLgBfL2JVoTVDzkaCmFef90TtQ2J+0IKiDinrGDRge6QpygSlhcA+lkEtVQz6VPPMJDDc38YfjJlmy30GBxADgN4LdJj5sYciGi4oWcCst9+58naIb2Ms+LG9ubS+v7NayK97uLeKkXgZMKAWSoejttSPMpvZTWGi1q4CN8YThPAcTYQ6c0cWF3DbMqFZqiWmnfSxi14WgINaqMBfTuMH2sGfvWGxS1Q3sZ7lEexJnHT1NWTRZP6Gm1qbTJfHn0Yr10BOO/A1+aAybfL3QI0ZzUn9QKF2CEUGEwepsfLlwsrMkHgErUY2+zs7uNmfpBxH7XE1w6VN3NvkRnWrdHNcoq0FEcImolkvRQSpqcuMAml4MeIdr544R5ta1bXAbqs41qo2i1e5GiTpe3djEj9GkzLLCoZOp4Ej3hbHgHi0yjSvTdgsPO+lVk8K4guQ+7+C+yXOY6eWBv/Eml9aw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_HE1PR0702MB3674F5E7C6044443418E8B1BF4110HE1PR0702MB3674_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0702MB3674.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d1d71eee-8ff6-473c-cfd6-08d87fe00758
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Nov 2020 10:05:44.3788 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: qqROiyAEGiWasMsrx42kxijwlIjP+mbtElrMvhfE0iXbNJ2QSJtP43r6F0+gTdnE7X/dBbg8PbLTsxlhTOOgp4xhxAVSTKqzHEHlNcUn2t8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0702MB3580
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/8PSK4ciBqx_4ayxc5YhgzQn271I>
Subject: Re: [Ace] Charter discussion
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Nov 2020 10:05:50 -0000

Hi Daniel, and all,

Some comments on the proposed charter and your mail, sorry for late response.

1.
”The Working Group is charged with maintenance of the framework and existing profiles thereof, and may undertake work to specify profiles of the framework for additional secure communications protocols”

I take it this text covers (should the WG want to adopt):


  *   draft-tiloca-ace-group-oscore-profile
  *   an ACE-EDHOC profile (i.e. the POST /token response and the access token provision information to support authentication with EDHOC, e.g. raw public key of the other party). Such a profile could provide good trust management properties, potentially at the cost of a larger access token etc.

Right?

2.
”In particular the discussion might revive a discussion that happened in 2017 [2] - when I was not co-chair of ACE -and considered other expired work such as [3]. Please make this discussion constructive on this thread.”

As I remember it, the outcome of this discussion was – in line with the mindset of EST – that it is beneficial to re-use authentication and communication security appropriate for actual use case. If coaps is suitable for a particular use case, then it makes sense to protect also the enrolment procedure with this protocol. But whereas the security protocol is coaps instead of https, the enrolment functionality and semantics should reuse that of EST, possibly profiled for the new setting: [4].

In the same spirit there was support at the meeting [2] to specify protection of EST payloads profiled for use with OSCORE as communication security protocol, together with a suitable AKE for authentication. Following the adoption of EDHOC in LAKE this work has now been revived [5]. IMHO the reasoning above still makes sense.

With this in mind, and taking into account recent discussion on the list, perhaps this part of the charter:


”The Working Group will standardize how to use Constrained Application Protocol (CoAP) as a Transport Medium for the Certificate management protocol version 2 (CMPv2).   ”

should be rephrased or complemented with the reasoning above, for example:

The scope of the Working Group includes profiles of the Enrolment over Secure Transport (EST) transported with the Constrained Application Protocol (CoAP)”

Thanks
Göran

[4] https://tools.ietf.org/html/draft-ietf-ace-coap-est
[5] https://tools.ietf.org/html/draft-selander-ace-coap-est-oscore




On 2020-10-15, 19:50, "Ace" <ace-bounces@ietf.org> wrote:
Hi,
I would like to start the charter discussion. Here is a draft of a proposed charter [1].

It seems to be that additional discussion is needed with regard to the last paragraph related certificate management. In particular the discussion might revive a discussion that happened in 2017 [2] - when I was not co-chair of ACE -and considered other expired work such as [3]. Please make this discussion constructive on this thread.

The fundamental question is whether we need certificate management at this stage. If the answer is yes, and we have multiple proposals, it would be good to clarify the position of the different proposals and evaluate whether a selection is needed or not before validating the charter.

Please provide your inputs on the mailing list before October 30. Of course for minor edits, you may suggest them directly on the google doc.

Yours,
Daniel

[1] https://docs.google.com/document/d/1RtxUSvUeBdZWoQkjSj2c3DtR8DuBwPM2BnBXhoDiptY/edit?usp=sharing <https://protect2.fireeye.com/v1/url?k=4f3d9c3b-118c475b-4f3ddca0-86e2237f51fb-627e48b069462d70&q=1&e=6924b2a6-e7e5-4ec1-a1af-c94637953dc5&u=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1RtxUSvUeBdZWoQkjSj2c3DtR8DuBwPM2BnBXhoDiptY%2Fedit%3Fusp%3Dsharing>
[2] https://datatracker.ietf.org/doc/minutes-interim-2017-ace-03-201710191300/
[3] https://datatracker.ietf.org/doc/draft-selander-ace-eals/

--
Daniel Migault

Ericsson