Re: [Ace] Charter discussion

Daniel Migault <mglt.ietf@gmail.com> Tue, 17 November 2020 23:01 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 931C33A0E8B for <ace@ietfa.amsl.com>; Tue, 17 Nov 2020 15:01:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cx6grApPAvLE for <ace@ietfa.amsl.com>; Tue, 17 Nov 2020 15:01:31 -0800 (PST)
Received: from mail-vs1-xe2d.google.com (mail-vs1-xe2d.google.com [IPv6:2607:f8b0:4864:20::e2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C25A3A0E83 for <ace@ietf.org>; Tue, 17 Nov 2020 15:01:31 -0800 (PST)
Received: by mail-vs1-xe2d.google.com with SMTP id u24so12031036vsl.9 for <ace@ietf.org>; Tue, 17 Nov 2020 15:01:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+4VebrJ7BvuflIFJwxkQP5PUrZI0Ip9drsBHRriD3s4=; b=om7JHNWonEZXxzmwaWSDhyYlUtHelIGvoHWKDY2WFx5q39Fu3Q55TIk9pyo8DheB2x PQ5Fh3emAEAb+VDivXfQNvmVRdVGVeiQwX/1ol1R7p72bQ5u0LYWwWxheiHFG3i/Ohsu QT8QupNjfe+EfR+FKriTem3mzpiT5gY6D+HdawsqSSN6/OE7nP+YDCgQ3eCY16X9cHyy jptBKDlPPv98eNCJ321CYG+RdSnyP7/P1/PNhYUekZcnVzrvoUJEDfO601rB37lVQBjn crB+/96vpU1jDrRq8R9aWXj+uYZ/+1dI8iI6ExKrWMiu7/Dugsa5pf9Rz3Mzgsc1kXGl KFjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+4VebrJ7BvuflIFJwxkQP5PUrZI0Ip9drsBHRriD3s4=; b=Gs/Ry8nXLyKm+r0oE+2K2vcijCOaYfC/G8mvN2OmqRAk9kpvVgQkO5XNU9x60alRnJ VKNLb8LuaY81/BOSVEtF2yJULv/bq63pCBfJS2IxnmCpkgk/vtpUddqyqBK+f/rLiCPs 072l42xLxJRTNwlv/YJ+g0wXFazoHTwBewr1q/4kA9dTil1e/CwfTQLvLjYscQtnzrgJ suIXJ/iP+Iq+7FQL2kDJaoO9jhdqbsbtPSHhMsyISxVRtDy8pYnItkXBEu2P7ZxXi0h6 wcbFq5l3a1fiCFw8uwwZpJ2BcK22DdNdKGRK1os+ZAfMR0UVp5598GMpwGvDGWFCUjij w05w==
X-Gm-Message-State: AOAM532U927rE77JSl7LMRBbQeJE/BzUTnnG6xvY1G6IeGft4ioRST2z /fSwSxz/+CyZDEzoXbZQ+Wz0IRdFKPDI3KRPY0KhiP4QQdw=
X-Google-Smtp-Source: ABdhPJywl2XtThO9flsfnQNLrLD/wr8gS5ZnJyU9xYZmIqvJobZLYc5n5Gj9TBXO9yie3GfZpVPQpWjMS+35kPkiKN8=
X-Received: by 2002:a67:80d7:: with SMTP id b206mr1552367vsd.30.1605654090437; Tue, 17 Nov 2020 15:01:30 -0800 (PST)
MIME-Version: 1.0
References: <CADZyTkmnV_Dhb5iXzykUyEAskLDg7tj=80CbEBGmSyFQNS2FHw@mail.gmail.com> <HE1PR0702MB3674F5E7C6044443418E8B1BF4110@HE1PR0702MB3674.eurprd07.prod.outlook.com>
In-Reply-To: <HE1PR0702MB3674F5E7C6044443418E8B1BF4110@HE1PR0702MB3674.eurprd07.prod.outlook.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Tue, 17 Nov 2020 18:01:19 -0500
Message-ID: <CADZyTkmwFFiZiBHDbOfupr3hkrgdu99+VE18Kz7yZRXWWS0K9w@mail.gmail.com>
To: =?UTF-8?Q?G=C3=B6ran_Selander?= <goran.selander@ericsson.com>
Cc: Ace Wg <ace@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b156fe05b45579f9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/2w8My3T6N1omaOzMMWRxxruErcY>
Subject: Re: [Ace] Charter discussion
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2020 23:01:34 -0000

On Tue, Nov 3, 2020 at 5:05 AM Göran Selander <goran.selander@ericsson.com>
wrote:

> Hi Daniel, and all,
>
>
>
> Some comments on the proposed charter and your mail, sorry for late
> response.
>
>
>
> 1.
>
> ”The Working Group is charged with maintenance of the framework and
> existing profiles thereof, and may undertake work to specify profiles of
> the framework for additional secure communications protocols”
>
>
>
> I take it this text covers (should the WG want to adopt):
>
>
>
>    - draft-tiloca-ace-group-oscore-profile
>    - an ACE-EDHOC profile (i.e. the POST /token response and the access
>    token provision information to support authentication with EDHOC, e.g. raw
>    public key of the other party). Such a profile could provide good trust
>    management properties, potentially at the cost of a larger access token etc.
>
>
>
My understanding is that it covers anything related to profiles.

>
>
> 2.
>
> ”In particular the discussion might revive a discussion that happened in
> 2017 [2] - when I was not co-chair of ACE -and considered other expired
> work such as [3]. Please make this discussion constructive on this thread.
> ”
>
>
>
> As I remember it, the outcome of this discussion was – in line with the
> mindset of EST – that it is beneficial to re-use authentication and
> communication security appropriate for actual use case. If coaps is
> suitable for a particular use case, then it makes sense to protect also the
> enrolment procedure with this protocol. But whereas the security protocol
> is coaps instead of https, the enrolment functionality and semantics should
> reuse that of EST, possibly profiled for the new setting: [4].
>
>
>
> In the same spirit there was support at the meeting [2] to specify
> protection of EST payloads profiled for use with OSCORE as communication
> security protocol, together with a suitable AKE for authentication.
> Following the adoption of EDHOC in LAKE this work has now been revived [5].
> IMHO the reasoning above still makes sense.
>
>
>
> With this in mind, and taking into account recent discussion on the list,
> perhaps this part of the charter:
>
>
>
> ”The Working Group will standardize how to use Constrained Application
> Protocol (CoAP) as a Transport Medium for the Certificate management
> protocol version 2 (CMPv2).   ”
>
>
>
> should be rephrased or complemented with the reasoning above, for example:
>
>
>
> The scope of the Working Group includes profiles of the Enrolment over
> Secure Transport (EST) transported with the Constrained Application
> Protocol (CoAP)”
>

Thanks for the clarification. I added some text to add EST profiles.

> Thanks
>
> Göran
>
>
>
> [4] https://tools.ietf.org/html/draft-ietf-ace-coap-est
>
> [5] https://tools.ietf.org/html/draft-selander-ace-coap-est-oscore
>
>
>
>
>
>
>
>
>
> On 2020-10-15, 19:50, "Ace" <ace-bounces@ietf.org> wrote:
>
> Hi,
>
> I would like to start the charter discussion. Here is a draft of a
> proposed charter [1].
>
>
>
> It seems to be that additional discussion is needed with regard to the
> last paragraph related certificate management. In particular the discussion
> might revive a discussion that happened in 2017 [2] - when I was not
> co-chair of ACE -and considered other expired work such as [3]. Please make
> this discussion constructive on this thread.
>
>
>
> The fundamental question is whether we need certificate management at this
> stage. If the answer is yes, and we have multiple proposals, it would be
> good to clarify the position of the different proposals and evaluate
> whether a selection is needed or not before validating the charter.
>
>
>
> Please provide your inputs on the mailing list before October 30. Of
> course for minor edits, you may suggest them directly on the google doc.
>
>
>
> Yours,
>
> Daniel
>
>
>
> [1]
> https://docs.google.com/document/d/1RtxUSvUeBdZWoQkjSj2c3DtR8DuBwPM2BnBXhoDiptY/edit?usp=sharing
> <
> https://protect2.fireeye.com/v1/url?k=4f3d9c3b-118c475b-4f3ddca0-86e2237f51fb-627e48b069462d70&q=1&e=6924b2a6-e7e5-4ec1-a1af-c94637953dc5&u=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1RtxUSvUeBdZWoQkjSj2c3DtR8DuBwPM2BnBXhoDiptY%2Fedit%3Fusp%3Dsharing>
>
>
> [2]
> https://datatracker.ietf.org/doc/minutes-interim-2017-ace-03-201710191300/
>
> [3] https://datatracker.ietf.org/doc/draft-selander-ace-eals/
>
>
>
> --
>
> Daniel Migault
>
>
>
> Ericsson
>


-- 
Daniel Migault
Ericsson