Re: [Ace] Francesca Palombini's Yes on draft-ietf-ace-dtls-authorize-16: (with COMMENT)

Francesca Palombini <francesca.palombini@ericsson.com> Tue, 08 June 2021 09:33 UTC

From: Francesca Palombini <francesca.palombini@ericsson.com>
To: Olaf Bergmann <bergmann@tzi.org>
CC: Stefanie Gerdes <gerdes@tzi.de>, The IESG <iesg@ietf.org>, "draft-ietf-ace-dtls-authorize@ietf.org" <draft-ietf-ace-dtls-authorize@ietf.org>, "ace-chairs@ietf.org" <ace-chairs@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: Francesca Palombini's Yes on draft-ietf-ace-dtls-authorize-16: (with COMMENT)
Date: Tue, 8 Jun 2021 09:33:28 +0000
Message-ID: <C7FA8969-E67D-48B6-A82F-9E88EFF1B75D@ericsson.com>
References: <161660098197.9740.5845062491913232974@ietfa.amsl.com> <e82ac862-4e9d-8b5e-56f3-8550a768aafb@tzi.de> <871r9smnad.fsf@wangari>
In-Reply-To: <871r9smnad.fsf@wangari>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/3iQSZrBfMMwgy4CxBtSQ3sH4wv8>
Subject: Re: [Ace] Francesca Palombini's Yes on draft-ietf-ace-dtls-authorize-16: (with COMMENT)
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>

Hi Olaf, Steffi,

My turn to apologize for the late reply :) I went through the comment again and I believe I must have misread something. I am ok with the current text, or the previous one as well, if you'd rather not add this sentence.

I do have one additional comment, which came out while looking this over again - about the following text:

   correct public key in the DTLS handshake.  If the authorization
   server has specified a "cnf" field in the access token response, the
   client MUST use this key.  Otherwise, the client MUST use the public

The access token is opaque to the client (as defined in the ACE framework), so the client is not necessarily able to read and extract the key it is supposed to use from it. If I am not mistaken, the correct way for the AS to tell the client what key to use would be to use the "cnf" field defined in Section 3.2 of oauth-params.

Francesca

On 27/05/2021, 13:25, "Olaf Bergmann" <bergmann@tzi.org> wrote:

    Hi Francesca,

    Did you have a chance to take another look at comment #3 of your review
    (see below)?

    Regards
    Olaf


    On 2021-05-11, Stefanie Gerdes <gerdes@tzi.de> wrote:

    >
    > On 3/24/21 4:49 PM, Francesca Palombini via Datatracker wrote:
    >> 
    >> ----------------------------------------------------------------------
    >> COMMENT:
    >> ----------------------------------------------------------------------
    >> 
    >> 3. ------
    >> 
    >>    raw public keys, it needs to determine which key to use.  The
    >>    authorization server can help with this decision by including a "cnf"
    >>    parameter in the access token that is associated with this
    >>    communication.  In this case, the resource server MUST use the
    >> 
    >> FP: The example in Figure 4 shows how the whole RPK of the client can be
    >> included in the access_token, so maybe this paragraph should cover that case,
    >> or the example changed.
    >
    > I am not quite sure if I understand your comment. In Figure 4, the
    > contents of the access token are omitted for brevity. The response
    > contains access information for the client with the server's RPK in
    > the rs_cnf parameter. This is required by the client to authenticate
    > its peer during the DTLS handshake. We changed the example paragraph
    > so that it now explains the use of the rs_cnf parameter. Does that
    > make it more clear?

    The new text we have included reads:

    "The response comprises access information for the client that contains
    the server's public key in the rs_cnf parameter."
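
The point raised in the thread above, that the client must pick its own handshake key from the "cnf" parameter of the token response (and its peer's key from "rs_cnf") rather than from the access token it cannot read, can be shown as client-side selection logic. The following Python is an added example written for this page; it is not code from the draft, the ACE working group or any of the participants. It models the AS response as a plain dict keyed by the CBOR labels from RFC 9200 (access_token = 1) and RFC 9201 (cnf = 8, rs_cnf = 41), with the "cnf" sub-labels from RFC 8747 (COSE_Key = 1, kid = 3); the key material is constructed placeholder bytes, and the fallback when "cnf" is absent (the key the client offered in its own request) is an assumption, since the page quotes the relevant sentence only up to "the public".

```python
"""Client-side key selection for the ACE DTLS profile in RPK mode.

Constructed example: the AS token response is a dict keyed by the CBOR
labels from RFC 9200 / RFC 9201, so no CBOR library is needed, and the key
material is placeholder bytes rather than real EC points.
"""

# Labels in the AS-to-client token response (RFC 9200 / RFC 9201)
ACCESS_TOKEN = 1   # opaque to the client; forwarded to the RS untouched
CNF = 8            # tells the client which of its own keys to present
RS_CNF = 41        # the resource server's public key, used to authenticate the peer

# Labels inside a "cnf" structure (RFC 8747)
CNF_COSE_KEY = 1   # key given by value
CNF_KID = 3        # key given by identifier

# COSE_Key labels (RFC 9052); EC2 key type
KTY, KID, CRV, X, Y = 1, 2, -1, -2, -3
KTY_EC2 = 2


class KeySelectionError(Exception):
    """Raised when the response does not let the client pick a usable key."""


def select_client_key(response, client_keys, requested_kid):
    """Return (kid, COSE_Key) that the client must use in the DTLS handshake.

    Only the 'cnf' parameter drives the choice; the access token is never
    inspected. With no 'cnf', this example (assumption) falls back to the
    key the client offered in its own request, identified by requested_kid.
    """
    if CNF in response:
        cnf = response[CNF]
        if CNF_KID in cnf:
            kid = cnf[CNF_KID]
        elif CNF_COSE_KEY in cnf:
            kid = cnf[CNF_COSE_KEY].get(KID)
        else:
            raise KeySelectionError("cnf carries neither a kid nor a COSE_Key")
        if kid not in client_keys:
            raise KeySelectionError("AS selected kid %r, which this client does not hold" % kid)
        return kid, client_keys[kid]
    if requested_kid not in client_keys:
        raise KeySelectionError("no cnf in response and the requested key is unknown")
    return requested_kid, client_keys[requested_kid]


def peer_key_from_rs_cnf(response):
    """Return the RS public key the client will use to authenticate its peer."""
    rs_cnf = response.get(RS_CNF)
    if not rs_cnf or CNF_COSE_KEY not in rs_cnf:
        raise KeySelectionError("rs_cnf with a COSE_Key is required in RPK mode")
    key = rs_cnf[CNF_COSE_KEY]
    if key.get(KTY) != KTY_EC2 or X not in key or Y not in key:
        raise KeySelectionError("rs_cnf key is not a usable EC2 public key")
    return key


def token_for_rs(response):
    """Return the access token exactly as received: the client must not parse it."""
    token = response[ACCESS_TOKEN]
    if not isinstance(token, (bytes, bytearray)):
        raise KeySelectionError("access_token must be handled as an opaque byte string")
    return bytes(token)


# --- constructed sample data (placeholder key bytes, not real EC points) ------
CLIENT_KEYS = {
    b"c1": {KTY: KTY_EC2, KID: b"c1", CRV: 1, X: b"\x11" * 32, Y: b"\x22" * 32},
    b"c2": {KTY: KTY_EC2, KID: b"c2", CRV: 1, X: b"\x33" * 32, Y: b"\x44" * 32},
}
RS_KEY = {KTY: KTY_EC2, KID: b"rs-1", CRV: 1, X: b"\xaa" * 32, Y: b"\xbb" * 32}

# Two constructed AS responses; the token is a placeholder blob the client cannot decode
RESPONSE_WITH_CNF = {
    ACCESS_TOKEN: b"\xd8\x3d<opaque-cwt-placeholder>",
    CNF: {CNF_KID: b"c2"},                # AS picks the client's second key
    RS_CNF: {CNF_COSE_KEY: RS_KEY},        # RS public key for peer authentication
}
RESPONSE_WITHOUT_CNF = {
    ACCESS_TOKEN: b"\xd8\x3d<opaque-cwt-placeholder>",
    RS_CNF: {CNF_COSE_KEY: RS_KEY},
}

if __name__ == "__main__":
    kid, _ = select_client_key(RESPONSE_WITH_CNF, CLIENT_KEYS, requested_kid=b"c1")
    print("client presents", kid)                       # c2: the AS overrode the requested key
    print("peer kid", peer_key_from_rs_cnf(RESPONSE_WITH_CNF)[KID])
    print("token bytes forwarded", len(token_for_rs(RESPONSE_WITH_CNF)))
```

The design choice worth noting is that nothing in the client path touches the bytes of `access_token` beyond forwarding them, so whether the token is a CWT, a JWT or a reference makes no difference to key selection; a `cnf` naming a kid the client does not hold is rejected rather than silently falling back, since presenting the wrong key would only fail later, inside the DTLS handshake, with a less useful error.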