Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14

Daniel Migault <daniel.migault@ericsson.com> Thu, 18 February 2021 22:03 UTC

Return-Path: <daniel.migault@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEF603A18FA for <ace@ietfa.amsl.com>; Thu, 18 Feb 2021 14:03:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.67
X-Spam-Level:
X-Spam-Status: No, score=-2.67 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.57, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pjt4FzQYwzX1 for <ace@ietfa.amsl.com>; Thu, 18 Feb 2021 14:03:00 -0800 (PST)
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (mail-mw2nam12on2063.outbound.protection.outlook.com [40.107.244.63]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FA053A195A for <ace@ietf.org>; Thu, 18 Feb 2021 14:02:57 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=DIcea8jpx3bHaxgjEaJJmMwxh3nIzJQf9m8ZRlGWU3mQSngR+YBf4mZpY9QZ/SV6tHNc2deJwRlP5xLWHqwmO/jPUPDmMc+EBqeEgM2+wuGtSPKXTfsvoMh4m/pdsMAFl5Zp3jxjskveryrFlnCzgc+7dWcyTIHVvepLJyrvQR/YgTpxMnclIF5buyL1Afxd4ckb5Si6rErQ/V8CyN1NK4VNF89Enevo8eQrpa75NHIOpislZijStZrCCYZLUzaLMwKfKOdLNzCohyZ/uT9aPaLOMxVMIHv8J2NjlNFWSOmfz2CivBJRwQwRcJiYn+YCvw/NtxpJc+epDX/ocACMFQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XV6/H7qadG0weiOqlqToSUa5Gl6gTfd9lPn+bc+zGIo=; b=iKfaMNyRDVNoHX+66r/vII6RQqgxnuTQ2XSl5Q42iF+zcAnAbejMi0BwFceR9BoU0LJq8GAynQe9CgtWi1necAONiHrjdHZWiqrIdWTIzlsDMtbavgavN/Zle2rndt3KM3JGOyk0Q9cjKmZbnVVY/Fp46qARwjtGnVwhdEDqpa6MukPRzj99giizx5J1IxqiJG7WCFn4lY1K75Ua5uDnqCQTWpyyyHPWgWuHccclxf/kLMUuOsJnZqh+hCNc1rvXlIUAAXsbS+MbHPJowcsC9nD1AjpzzRegQqAYPpz4ZglMj6JwcY5OjvPpjnX+OVAWhttxip/rFvaGVkxL9uiaJQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XV6/H7qadG0weiOqlqToSUa5Gl6gTfd9lPn+bc+zGIo=; b=QmL4w6ASS63EWqPqPpXvu6/qZwA4u3VRVBbKepzseEWWNNaSk3nYeHwko0gIQF0hpIfhG7QFKtDYf2CIK9pZFrHXlBonulCJOSNdErvRIotwhtV0jJIv94E+GYEW2A7ccyeKEWQCnApf+NfjwBB1gSBxPPEOZ0S2sv0uDeeKjnY=
Received: from DM6PR15MB2379.namprd15.prod.outlook.com (2603:10b6:5:8a::16) by DM5PR15MB1148.namprd15.prod.outlook.com (2603:10b6:3:bf::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3868.27; Thu, 18 Feb 2021 22:02:55 +0000
Received: from DM6PR15MB2379.namprd15.prod.outlook.com ([fe80::a9f9:326f:8cfb:157b]) by DM6PR15MB2379.namprd15.prod.outlook.com ([fe80::a9f9:326f:8cfb:157b%7]) with mapi id 15.20.3825.040; Thu, 18 Feb 2021 22:02:55 +0000
From: Daniel Migault <daniel.migault@ericsson.com>
To: Russ Mundy <mundy@tislabs.com>
CC: Stefanie Gerdes <gerdes@tzi.de>, Daniel Migault <mglt.ietf@gmail.com>, Francesca Palombini <francesca.palombini@ericsson.com>, =?Windows-1252?Q?G=F6ran_Selander?= <goran.selander=40ericsson.com@dmarc.ietf.org>, Olaf Bergmann <bergmann@tzi.org>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14
Thread-Index: AQHXBHa1eigM3cSArEe6Mc/hYixa66pa7HuAgAFylYCAACbaKoAB3RYAgAAG7CM=
Date: Thu, 18 Feb 2021 22:02:54 +0000
Message-ID: <DM6PR15MB23799382A92C9B2074B1BF42E3859@DM6PR15MB2379.namprd15.prod.outlook.com>
References: <871rdqihww.fsf@wangari> <FD569111-85F8-40A2-8C97-764977309B87@ericsson.com> <CADZyTk=HB26o=mUpUdbYEhfhrGZar+oe28c5PZ2_j-vKYVA6xg@mail.gmail.com> <c6d42d18-f1f3-ec00-fff9-3540fa222d23@tzi.de> <9911269D-AA7F-458C-AA1A-2D59A79C5A00@ericsson.com> <CADZyTkn=3GigtTiihQX0ORYyO0dV0qCfVMtTn37vbsqJuQUJxw@mail.gmail.com> <026242c2-2c6a-485b-cb51-34b2b2d70975@tzi.de> <DM6PR15MB23796DF01885DC7F86C15583E3879@DM6PR15MB2379.namprd15.prod.outlook.com> <6b5368a6-b8ba-81eb-0c10-6a052fcbad67@tzi.de> <DM6PR15MB23798EE51BDED9BB7D0438E3E3869@DM6PR15MB2379.namprd15.prod.outlook.com>, <2C5A1AA5-6124-407B-A342-AA367CB6D536@tislabs.com>
In-Reply-To: <2C5A1AA5-6124-407B-A342-AA367CB6D536@tislabs.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: tislabs.com; dkim=none (message not signed) header.d=none;tislabs.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [96.22.11.129]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: cac77b3f-1644-4fa9-f0b7-08d8d458f1ba
x-ms-traffictypediagnostic: DM5PR15MB1148:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <DM5PR15MB114854FDEF474B8A4EE33C63E3859@DM5PR15MB1148.namprd15.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 5eIxj/PeoRL3SY3zYQJ4e12CwfuzAENoorR/IA1MPCUpe5EPR3KkGZkf1PAcekgv+nhJp6zFoO72yXwHIrRBN3NufMwnpq4dMh2xWUTGT8z6OoVn1CANhdM3TOv0OSxgBn1QADDK2QTEQwwXxR//UZEQGl/8Wtx5SBX/1xOsVnP6yeSAwwRh4Q3B5/a3ynzgzj5RlEtYG/2lVwyoD4IJqx8JWeKv7YudhpmlSMPP5LQqIRr1/3e7JHUldhRIUiOA2lHgp10feWKhS2VL2aC3t57sLzg7Sn77jpTvsuuyKfiGja0dhn63zoN5zT+kQvOuVkgs5XXbCRb07JglS+ZDqlb0xnbYA7foW+Xb272tqXTIK3e7RhqTtFSx99K79sSrr8PKioIbNJHY++4XfVIN0O5A7RpNgbhZj8Lw6WjLR2d8drwOk7eEx9BLWolKmOdvGO0oF9QArICGa4py1I242F6mM/k86gsmQ5oSjU1d4BM2AJE1S/QAfm+d7LaleYktNGb5SyTLlfYiOE2B+v2+zQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR15MB2379.namprd15.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(39860400002)(396003)(346002)(366004)(376002)(9686003)(186003)(6506007)(71200400001)(66556008)(66946007)(8676002)(52536014)(53546011)(91956017)(76116006)(44832011)(478600001)(55016002)(33656002)(54906003)(6916009)(4326008)(66476007)(64756008)(5660300002)(66446008)(316002)(26005)(86362001)(2906002)(7696005)(19627405001)(66574015)(8936002)(83380400001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?Windows-1252?Q?ZjsH4dASSg3zpq/Qk/6+9J4UQB7ftJCJeanPJFvr3qeMjixV23hA2RlX?= =?Windows-1252?Q?5PNeM6Erb6dfLE+/XLQ4/0LTUbMeZCNpFoCYwzlp0pmCLwl09oDIQg0f?= =?Windows-1252?Q?tsYceITZnyPx2G6VcvdOZUsIY8RGopXq5ZurjbNrl4o/pSqbC2AQA24R?= =?Windows-1252?Q?HR39WS49JcvHRLLdmFwBqYvboRE5MDqrczenm27ESrRvZkcGKzyrQ4hP?= =?Windows-1252?Q?KOaCU2QkBGatH0XgchSI2/zpUmL57D0nyxzKEO0sngV7UZafSvehoQZQ?= =?Windows-1252?Q?FVEYLLi8C6qiQcq9256nolOex8ljrCa2otiqrzn7b4kszjIcGPkFYo1+?= =?Windows-1252?Q?3lyzS262DEAbQCENn8HGQplH07F/b6Jaq3BDWA6dornWo6Dnp0W1/fR4?= =?Windows-1252?Q?AUufHP+ye70duNlFU6h0Z+sEtUBi6P3ft4GLJIWNBRbhat0SCmQiX1Gr?= =?Windows-1252?Q?JnpPvwJEL+jR14rjqJfL1aad2D4Mo3WVib85GA4jNfihZibe36L/y9Rd?= =?Windows-1252?Q?lMSUCvE9UvJRzDfXXDpDTNS2Tuu7flbDwtXD1RRgw+M2B9S+b4OLQvCn?= =?Windows-1252?Q?d7kpRwBqF2VGRd/uU1TqZB+WjZ+pZshJcT7Ak3VeXJIFgc2f7/swsOUA?= =?Windows-1252?Q?XdkN5sRQW3XNu6FQaV+wATN3QVNo2xHyrLLzMf3W11Z6kSzeyWifpUif?= =?Windows-1252?Q?AmF0X3co3bRFmZSKZReYr5qqul0xK3hM4E8/GwHsPI/DY0+aMPmiXM4e?= =?Windows-1252?Q?j0qztG1aRX7yQKTgILuthqnRrXzPLIxKydsK2go7SvXFvrjmUCu0kWHy?= =?Windows-1252?Q?7ZXn4iWf/zLvWvXC7BoaBrRL3Tv62B7y8GCuBHeTN34xxbPi24fFAn+U?= =?Windows-1252?Q?yrCGWKhnmWlsKMZee8W6r3utzFUAtWV9zA65Fsz52SPgcIG7jFk8sf2l?= =?Windows-1252?Q?RUi624/C+w4ZWDmT2qV50AF47NxA082DKAKc5t567hw6OBhBoJQ/0GX4?= =?Windows-1252?Q?iH2IwGVndRz/J0GrU99QLaOcHe3PJr7PHgfWza3Jo3zDu0g4T/xEL2W1?= =?Windows-1252?Q?yQsuDVDEprKFWd7JzOCRji9UPqWcsV6pepbqBH2VZOU53PREb53CQRid?= =?Windows-1252?Q?VO3XtELA/RuGfw/gAfAktYkQ/pB0MGcaNqzs9zAlnAa3l3huMBHKIgzH?= =?Windows-1252?Q?XA0PHCXw+uAOEh11sZ5fqMdEdfIUC8bc5ndJd3LG+SUEZc6nHoTEHWHb?= =?Windows-1252?Q?atym4IG24Ju4P4Vm1eIyGKTtomYGonTn6HvvMtjEB+9WvIZLnWg6+czf?= =?Windows-1252?Q?5HJSi3cmPbJRwMktmO4T1mBknfUBF/eKCBUpusycis3JjnZKqDm/z0vL?= =?Windows-1252?Q?2Zd8Gz6SHnW8iatdag/l2ydU85Fjxw25yjU=3D?=
Content-Type: multipart/alternative; boundary="_000_DM6PR15MB23799382A92C9B2074B1BF42E3859DM6PR15MB2379namp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR15MB2379.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cac77b3f-1644-4fa9-f0b7-08d8d458f1ba
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Feb 2021 22:02:54.9236 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: SOTdOG0NUOs/hvCTeeHBUawtUfwiZs1RM90cBdBfFuqsk1t+1BG4VyloZcwO2nxTjfeWAg9iTn4HKrAA+L6Cx3799xHdboFGyoncWzTU4Ps=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR15MB1148
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/ChtdMynFaHCRk0hwsIzJyqr4OK8>
Subject: Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Feb 2021 22:03:04 -0000

Hi Russ,

Thanks for the follow-up. I was waiting clearer agreement from eth WG before pinging you back. I think I agree with your understanding. My understanding is that the WG is willing to specify one way (RECOMMMEND) and not leave that unspecified while not preventing other configurations (MAY). This obviously results in implementation not following the RECOMMENDED way do not interoperate with those following these recommendations.

The question remains open on whether we should favor openness or inter-operability. I suppose that this will be raised at the IESG so we need to address this issue clearly.

Going back to the profiles, it would be good to understand what concrete deployment issues the two statements below would raise:

  *   OSCORE profile mandating the AS to support OSCORE and have the C <-> AS using OSCORE.
  *   DTLS profile mandating the AS to support DTLS and have the C <-> AS using DTLS.

Yours,
Daniel

________________________________
From: Russ Mundy <mundy@tislabs.com>
Sent: Thursday, February 18, 2021 3:38 PM
To: Daniel Migault <daniel.migault@ericsson.com>
Cc: Russ Mundy <mundy@tislabs.com>om>; Stefanie Gerdes <gerdes@tzi.de>de>; Daniel Migault <mglt.ietf@gmail.com>om>; Francesca Palombini <francesca.palombini@ericsson.com>om>; Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>rg>; Olaf Bergmann <bergmann@tzi.org>rg>; ace@ietf.org <ace@ietf.org>
Subject: Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14

Hi Daniel & others,

Thanks for the continuing effort to make the documents more clear and understandable.

I think that there may be a fairly fundamental difficulty understanding (possibly on my part) about the intended relationship between the ACE framework and profile documents.  It seems appropriate to me that the framework would define the overall requirements (especially security requirements) that implementers need to meet and profiles provide the ‘how’ for implementers so the result is secure, interoperable implementations potentially from multiple different implementers of the framework using a particular profile for that framework.

If I’m following the discussion correctly, the changes being proposed to the framework would only require a profile to define one ‘example (or description)’ definition that met the security requirements of the framework (even if it was the RECOMMENDED protocol set) but other protocol set(s) could be used (MAY) within the definition of a profile.  Including what amounts to unspecified protocol set(s) that do not define how they will meet security requirements of the framework will likely result in different implementations that comply with the profile but do not interoperate from either a protocol or a security basis (or both).

Regards,
Russ

On Feb 17, 2021, at 11:16 AM, Daniel Migault <daniel.migault@ericsson.com<mailto:daniel.migault@ericsson.com>> wrote:

Hi,

I think that could work for me. If the changes address the initial concerns, we may publish these changes in the coming days.

Yours,.
Daniel
________________________________
From: Stefanie Gerdes <gerdes@tzi.de<mailto:gerdes@tzi.de>>
Sent: Wednesday, February 17, 2021 8:51 AM
To: Daniel Migault <daniel.migault@ericsson.com<mailto:daniel.migault@ericsson.com>>; Daniel Migault <mglt.ietf@gmail.com<mailto:mglt.ietf@gmail.com>>; Francesca Palombini <francesca.palombini@ericsson.com<mailto:francesca.palombini@ericsson.com>>
Cc: Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org<mailto:goran.selander=40ericsson.com@dmarc.ietf.org>>; Russ Mundy <mundy@tislabs.com<mailto:mundy@tislabs.com>>; Olaf Bergmann <bergmann@tzi.org<mailto:bergmann@tzi.org>>; ace@ietf.org<mailto:ace@ietf.org> <ace@ietf.org<mailto:ace@ietf.org>>
Subject: Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14

Hi Daniel,

On 02/16/2021 04:53 PM, Daniel Migault wrote:

> Section 5:
> OLD
> "Profiles MUST specify a communication security protocol that provides
>    the features required above."
> NEW
> "Profiles MUST specify at least one communication security protocol that provides the features required above."
>
> <mglt>
> I have the impression that with MUST specify one expects a mandatory protocol to be provided. Would the following text be acceptable ?
>
> NEW2:
> "Profiles RECOMMENDs at least one communication security protocol that provides the features required above."
> </mglt>

I don't understand it like that but I see your point. But I think
"RECOMMENDS" leaves too much wiggle room :). The profiles could then
omit the protocols completely, which I think is a bad idea. Implementers
should have at least one example how the communication between C and AS
is protected. Since we don't provide it in the framework we must have it
in the profiles. How about:

NEW3:
"Profiles MUST specify at least one communication security protocol that
provides the features required above as an example how the respective
communication can be secured."

Viele Grüße
Steffi