IETF Logo Mail Archive

Re: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02

Dan Garcia Carrillo <garciadan@uniovi.es> Fri, 25 June 2021 18:16 UTC

Return-Path: <garciadan@uniovi.es>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A02493A0E9E for <ace@ietfa.amsl.com>; Fri, 25 Jun 2021 11:16:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.026
X-Spam-Level:
X-Spam-Status: No, score=-2.026 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.338, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=unioviedo.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AOk6Id70KZOQ for <ace@ietfa.amsl.com>; Fri, 25 Jun 2021 11:16:46 -0700 (PDT)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30082.outbound.protection.outlook.com [40.107.3.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A5663A0E9C for <ace@ietf.org>; Fri, 25 Jun 2021 11:16:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SqFOwTNKbE2LSjtmI/LWL226KHOvvYDV6p/zoNhYw5Y3zPN9yppcz8D5ijrERhgQnKo2JB4YtjARhR/bxaB8dZ0R1pOVyibkZF3bvjGA+3EF93K0AtUj4yIeQX352PoEKalTrvjO9uK8f528WnkZOJRNCJE/lhVm22+HZjubADAU+3NY8QY48K0UnKy7miAfnBT7id+R6c3z1oZImeB4R/1TG6OZgWtdX57FjnsCyaaaRGzV+CHYuYlHxKVvSnzBmlJ2XCgb6ztXqaV0gYlgx8WOk6BqgU/jm3SqZOLzOOJYFe437FLJDqxCRjiK2Fd1YVnuD1URX1Vstst4ttMDnA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rDvwhid+fWhAmVf2lz2ASYtTGXPi78vxPQ72EtOFS+Y=; b=GuoSNyofwI8ImbcoDNDEqPhfm+NCSNJMnKSQLibSuCcnXT1oZPvSWvIZBNfuCi2/v/ueStSO0FwtheIftnTbfMO9UlIpaRT09FGfh5euXdje05vK1s242/ozY1bJuW2a8h69FwUOHuSrku/cp0v6PLalOHD+/0JYuv/FS6qhkM+nhNe89Xk6fExW9ufCOnP5PLI7O5vgQpAizEzWUebNiQGXhQ68/uk9Hs93r0lHZ8ivZfYESZUWMmMdVrVxV3XAIsBfyNNPo7B+nrLJ/i0I1e6KHBp7bZbUDvExPOOGfzE1+rDf3LQMr05R1wuwhk9LxkWfeUNuzuVp4HeLphiCcA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uniovi.es; dmarc=pass action=none header.from=uniovi.es; dkim=pass header.d=uniovi.es; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unioviedo.onmicrosoft.com; s=selector2-unioviedo-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rDvwhid+fWhAmVf2lz2ASYtTGXPi78vxPQ72EtOFS+Y=; b=Ceq/46OT3KGnwymakjltLlnFL4XAjanF6UD7oUNEaMYCxaN/o9n5bXQ3j3c1sfaEshCgavXidlX6Pof+ztn2QHmW38SIcDZC+Rwnb8hlCyfEarOg0Day0YKErEp+tN5h/EIAWWi62vh9W3zrfUK5fSvf3vdr+58+eJ2JPLc0WK0=
Authentication-Results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=uniovi.es;
Received: from DBBPR08MB6202.eurprd08.prod.outlook.com (2603:10a6:10:209::9) by DBAPR08MB5654.eurprd08.prod.outlook.com (2603:10a6:10:1a6::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4264.23; Fri, 25 Jun 2021 18:16:42 +0000
Received: from DBBPR08MB6202.eurprd08.prod.outlook.com ([fe80::a912:cb2:6af8:b946]) by DBBPR08MB6202.eurprd08.prod.outlook.com ([fe80::a912:cb2:6af8:b946%6]) with mapi id 15.20.4264.018; Fri, 25 Jun 2021 18:16:42 +0000
From: Dan Garcia Carrillo <garciadan@uniovi.es>
Cc: garciadan@uniovi.es, "ace@ietf.org" <ace@ietf.org>, Rafa Marin-Lopez <rafa@um.es>, loganaden@gmail.com
References: <CAOp4FwR-pNpfqEY-6aDhd+ThiSWZtg4qBPLy7Xyp1kfRpC-XuQ@mail.gmail.com> <e713a008-f37f-e723-f7e5-5d2667d53109@ericsson.com>
To: Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>
Message-ID: <a67e75c7-d002-4e49-b385-28b572b82148@uniovi.es>
Date: Fri, 25 Jun 2021 20:16:40 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
In-Reply-To: <e713a008-f37f-e723-f7e5-5d2667d53109@ericsson.com>
Content-Type: multipart/alternative; boundary="------------7D139D67D10E2A111CF91767"
Content-Language: es-ES
X-Originating-IP: [156.35.171.42]
X-ClientProxiedBy: MR2P264CA0041.FRAP264.PROD.OUTLOOK.COM (2603:10a6:500::29) To DBBPR08MB6202.eurprd08.prod.outlook.com (2603:10a6:10:209::9)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [156.35.171.42] (156.35.171.42) by MR2P264CA0041.FRAP264.PROD.OUTLOOK.COM (2603:10a6:500::29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4264.18 via Frontend Transport; Fri, 25 Jun 2021 18:16:41 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 5a8d23aa-3338-43bf-2dad-08d938056203
X-MS-TrafficTypeDiagnostic: DBAPR08MB5654:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: <DBAPR08MB56548D5531F5B990E5BE8246B4069@DBAPR08MB5654.eurprd08.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: P/4YiqG8zTJSPFLSUWMRHwv7Q3MIVIqtpHcrVK9AakN2dbqhPX4G1VxCd1Q3fCkB0fsUibem4/nqmcUAQ/uxCXbU/eXtAUcvyk+LuWyYoH8Beayf9g1F9ma2rfIUecV2NcoKUMxF7agvxyoWTMvimkooZZx/Cx7Atpsk9jHaGxg5CxYQafXMpBRkj29UgdyVUYmno/++nvppXs6WfQDRsSFUlDGUAPUX0O0mQ2xqpbJIqv+Ead4qb9kSdAf3n7rlZFIMTxTlrTKivxT8r2Tg+x6uNiMy4X717r98lLsaAxJ/ELF2ONtrwgVOQ1xe9QgZ1ZvQKX227W6Xp1FIKBsBNLQfuYgpDowEPcPQjeogz2XfhZ0RaCsFi6BluKLrXgssN1cpJL4G8en2bKY9V3yVibf7kW9Tmim2WSEPytRI2Z3IZf3/LdpkAGBM3opME8obYAVoIsQwu4gmu5JWr3JTH0pUcDPsdOtFWCfK59H+yuelwpz7m/b0UNbNp/NsLEVfMOV75A1P+fYY0q2wmhBYGnG4vU5E2cMX8o/OXheZQXKYTy7mpofvDFof51tQXctIIyqVUzIw025c/fa9v4Wh2CC0bUkplX/Hu0tFYqmuG4PkMH/66BdNRtiq7hWHN2cBK3uuqmzWvdBNjITS53q2h+u9bx4FYgVPRT+Nu+G7eP0q/ym212qhWVoY3K0k42ZcUBrTNi/Wt0Gox0EpPwhOGWSzbm1Q0cfkMh8+nb0/MmjihnujpMs94ZV3zEFteQT1Ic30OuRUCBR/a60uQ6BbXcG+4pWqmcluGxi7rFCJAFbiycXSEEnU6FXbuX/CVdTey9BuR3R32SokO7QS8GmK3tVDv3fVmPoymhSOD8yYyvmJ2KVEpAlacYSb8q9dfMsoE6Wsm8KVLnvWlC9a9qLEHP5xSBnedZK+aro+3wVBBtAQz6VKzrB7UsdbvcyniDPG
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DBBPR08MB6202.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(346002)(366004)(136003)(39840400004)(396003)(376002)(31696002)(31686004)(2906002)(316002)(36756003)(786003)(86362001)(4326008)(2616005)(30864003)(38350700002)(38100700002)(956004)(5660300002)(478600001)(6706004)(66574015)(66946007)(66476007)(54906003)(966005)(33964004)(16576012)(66556008)(166002)(8936002)(53546011)(83380400001)(52116002)(8676002)(26005)(16526019)(186003)(6486002)(3940600001)(43740500002)(45980500001)(559001)(579004); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: LfAzy2qK0+SRPKJGi92PQDiHaS+sAfWtv46BA089Cs65oA4PIMYLEAm6+Y1wvAQobfofRnlfYouB/YeOIFnroSaWFP4lZqBo3jw9PGsGLbWIPurEsu/gKMFqJmEOHekO4IOLLRk2vJO6ghMkne1xEZEbkXXhmt+QK9ySQOwdOs6mxglD0Z6V6vxw7vSHuAPv7tpCKAD4pGka2Aj8TI4nT0ev9iYGXi7jJWqK/7wPONUl8/GAmdb/r+XJDFki8ohEECmpOKC+rdyy1rXv3hq5coy8tXEwg9Cm3rnXEKwWcraqwubPYF8Xphqe6IsarcbqMvqL0v0WuvN1q1RgmkXT+vM5QeS67QHpeJvBPZZ4lp02s2JF5mSCodeV1cB5tTt5pCz/bLUtYo9C+aUNEi3OveOTz3fVExaJMBzBe+7C8K2a2CqwWh9yNxawidqK5Yid5nkGsVV/7XpJpPpDM+rvcqQ0d7RHIJfmtX/WT0lqbkYdJfmNPC4jivtvGGZwHScBdNy1/n/Am93uNJHHQsYkT/FaqUAqMFaZMKypJhhjNvovQYW1X9nuJj4qKNEHkcj9DNkWgs7Sq/qisE/EJ51yD0pNCP0nvj+lx7wV0wrRe9ttf/IfxUVaO8Upy2Dc96eBsPURa+rWipXbLrsX3oFimH0bZzjSRYfOtZyvPqToIQ6kPByIgsqp/BYTGC8gC91L/dfVmS6ZLawN1W4D9nq6m18BFCLvmd7QG5i+1anc+RerkM54GDDMwz41SGqI764k40wpaTXvY06ECnwVXe7Pa7UHHLZLX0nD1r52+k54HWHwS+MOehf/s3uOilvDm9lB8F/gQygpiTxhsnMJNVbBQfkKkGmuVQIQCbs6iNRwQsoYyE3sp7Ap56DbeM+2pZ4qUswK3AAlk6ec6DxLsnJqfxV7+CnTBtrgO5m2EcfVUCJ0ItyDglNpaBm2jkTaGzEqoFQokoB4Mr+d6N3oss9U/OYMJrvQCifG84c4Q0PhRhyGB1l/ZzNocmhjmoe8st/O71hvxa7T4h/Cjnv5GYvxvJomUNiyjKjRkXEzLO4wlfBZOOLs/eIp51rWGNTVAVJtTRx5mcyq7oxTOZp8j3kMbsWNn3K6CF852go0AjYBCxDNKdBWs1N5sYhhRjlruJxGjpWEkaZdoE3n87RR/2GQl934zGOsIGBg2LBIsvIoa9MJ+wFVXlWxFseA91A8uggud1xV041ZUKhTaRH1n9K5S9VVQ7WQIzbl/6LoPSvjK6LxA/EHlws+CKS5lYmIuU21fdg3igUUvue4KBk+MoLUxxWcKVb5pd8mbGJ5UD97WjqYgDjeiY9Okn45Jjgwygc2
X-OriginatorOrg: uniovi.es
X-MS-Exchange-CrossTenant-Network-Message-Id: 5a8d23aa-3338-43bf-2dad-08d938056203
X-MS-Exchange-CrossTenant-AuthSource: DBBPR08MB6202.eurprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Jun 2021 18:16:42.2143 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 05ea74a3-92c5-4c31-978a-925c3c799cd0
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 01CPJSJnkirnftfS/3fwRBSmyp7ZF8LOtEYQKn/Itb3JnA/7Dx1Zohg33SgMVw+ya/ESkKHCbKuZesdjtMBQrw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBAPR08MB5654
X-MS-Exchange-CrossPremises-AuthSource: DBBPR08MB6202.eurprd08.prod.outlook.com
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 06
X-MS-Exchange-CrossPremises-Mapi-Admin-Submission:
X-MS-Exchange-CrossPremises-MessageSource: StoreDriver
X-MS-Exchange-CrossPremises-BCC:
X-MS-Exchange-CrossPremises-OriginalClientIPAddress: 156.35.171.42
X-MS-Exchange-CrossPremises-TransportTrafficType: Email
X-MS-Exchange-CrossPremises-Antispam-ScanContext: DIR:Originating; SFV:NSPM; SKIP:0;
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-Processed-By-Journaling: Journal Agent
X-OrganizationHeadersPreserved: DBAPR08MB5654.eurprd08.prod.outlook.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/4ZKIRUH1AvelrsZCdlHQqPLOOsE>
Subject: Re: [Ace] WGLC for draft-ietf-ace-wg-coap-eap-02
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Jun 2021 18:16:52 -0000

Hi Mohit:


First of all, thank you very much for review. It is really appreciated 
and will help to improve the document.


Please see our comments inline

El 6/20/2021 a las 11:14 AM, Mohit Sethi M escribió:
> The document is currently intended for standards track publication. But
> both the abstract and the introduction mention "describes a service".
> You don't describe a standards specification. You define it? Moreover, I
> find the entire tone of the document to be somewhat lacking for a
> standards track publication. For example, there is text in the document
> which says "The URI of the CoAP-EAP service CAN be set to "/b"? First,
> "CAN" is capitalized but it is not in the list of keywords defined by
> RFC 2119/RFC 8174. What if the URI is something different? How are
> devices supposed to interoperate? I would recommend to either make the
> language more precise or publish this as informational.

[Authors] Following your advice, we will polish the document in order to 
make the language more precise.


> However, I leave
> the final decision to the chairs and the AD. I don't want to be an
> impediment to the publication of this document.
>
> Please expand eap, coap, and IoT on first usage in abstract.

[Authors] Correct.

>   It's not
> great to have bullet lists in abstracts. Also, the capitalization of
> some words looks odd. For example, why "Security Associations" is
> capitalized?

[Authors]  Let’s change this as you suggest.

> Add a reference to RFC 8174 in section 1.1.
[Authors] Ok
> Besides, you already use
> "MAY"/"MUST" in section 1. For example, the text says: "The CoAP client
> MAY contact with a backend AAA infrastructure to complete the EAP
> negotiation as described in the EAP specification [RFC3748]" but "MAY"
> is defined as a keyword only later?
[Authors] We will  change the text so it is consistent.
> I also wonder if CoAP-EAP reflects the correct sequence of protocols.
> EAP is encapsulated in CoAP. Shouldn't it be called EAP-CoAP? Maybe it's
> too late to change that now.

[Authors] We believe that EAP-CoAP may cause some confusion because:

- Typically EAP methods names start with EAP-X hence, therefore it could 
be considered as EAP-CoAP method instead of  a lower layer

- Regarding the encapsulation order, if we take as an example an EAP 
method, EAP-TLS for instance, EAP encapsulates the TLS  method and EAP 
goes before in the name. This would still apply for CoAP-EAP as CoAP 
encapsulates EAP.

> "The assumption is that" -> instead just say EAP methods used in this
> specification MUST generate key.". Standards specifications don't make
> assumptions and rather dictate what implementations/deployments should do.
[Authors] Ok, let us rephrase this as:

"The CoAP client has the option of contactinga backend AAA 
infrastructure to complete the EAP

negotiation as described in the EAP specification [RFC3748]"

> Expand OSCoRE to Object Security for Constrained RESTful Environments.

[Authors] Ok, done.

> Section 2:  "The rationale behind this decision, as we will expand
> later, is that EAP requests go always from the EAP authenticator to the
> EAP peer.". I think the more correct terminology here is that EAP
> requests are always sent from the EAP server to the EAP peer.

[Authors] Yes. We mentioned EAP authenticator based on this text in RFC 
3748:


"Within this document, authenticator requirements apply regardless of

    whether the authenticator is operating as a pass-through or not.

    Where the requirement is meant to apply to either the authenticator

    or backend authentication server, depending on where the EAP

    authentication is terminated, the term "EAP server" will be used."


But we also agree with you that it is clearer to say EAP server.

> CoAP-EAP service CAN be set to "/b" to save bytes over the air. Wouldn't
> it make sense to standardize this. For example: /.well-known/bootstrap?
> You'll need to define URI scheme syntax and semantics but it would go a
> long way in helping interoperability.

[Authors] We tend to agree here. Taking into Carsten’s comments and 
yours, it is important to have a well-known path because the controller 
needs to start the process to a well known URI.


Perhaps, we could have something as /.well-known/b would save bytes.

We need to consider having the same value in both Controller and IoT 
device, since the first message goes from the IoT device to the 
Controller acting as CoAP client and server respectively. All the 
following exchanges after that the Controller asumes the role of CoAP 
client.

So, in order to allow both entities to access to this service in the 
first message they would need to resort to a pre-establish URI like 
//.well-known/b/

After that, the CoAP server would continue as explained in the general 
flow of operation, telling the CoAP client the localtion path to use in 
the next exchange.

> Language issue: " signalling the intention the EAP peer"

[Authors] How about this …

"The use of this option will indicate to the EAP authenticator that the 
EAP peer is ready to start the authentication process."

> Section 3.1: "In any case," -> Not clear. Please rephrase. For example:
> Regardless of whether a No-response option is used, the CoAP client
> sends ....

[Authors]Thank you for the suggestion. Let us rephrase it as follows:

"Once the EAP authenticatior is aware of the intention of the EAP peer 
of starting an authentication process, The EAP authenticator acting as 
CoAP client sends..."

> "This CoAP server can select this value as pleased, as long as, it
> serves to process the following message adequately."  -> Hard to parse
> this sentence. Which server? which value?
[Authors] How about this:

"This CoAP server can select this value as pleased. The only condition 
is that both end points have to correctly process the following message 
based on the selected value."

> have an ongoing authentication -> one authentication session?

[Authors] Yes, we only consider one. We will rephrase this aswell.

> I don't fully understand the logic behind having separate resources for
> each request. I read Christian Amsüss's CoAP FAQ on this. It helped a
> bit but I am not sure why this is needed since RFC 3748 says: "EAP
> provides its own support for duplicate elimination and retransmission."?

[Authors] Yes, RFC 3748 says this however there is also another 
important aspect related with this. In first place, that text also mentions:


EAP provides its own support for duplicate elimination and 
retransmission, but is reliant on lower layer ordering guarantees.


Then the RFC talks about “reliable lower layer”. CoAP is reliable and it 
is used as lower layer in our document. In fact, we have:


"Possible duplication.  Where the lower layer is reliable, it will

        provide the EAP layer with a non-duplicated stream of packets.

        However,  while it is desirable that lower layers provide for

        non-duplication, this is not a requirement.


CoAP is providing non-duplicated stream of packets and accomplish 
“desirable” non-duplication.


"Ordering guarantees.  EAP does not require the Identifier to be

        monotonically increasing, and so is reliant on lower layer

        ordering guarantees for correct operation. “


CoAP is providing this in the way we have describe CoAP-EAP.


Regarding retransmission is also said:


When run over a reliable lower layer (e.g., EAP over ISAKMP/TCP, as

    within [PIC]), the authenticator retransmission timer SHOULD be set

    to an infinite value, so that retransmissions do not occur at the EAP

    layer.


In our specific case, we specifically use the reliability mechanisms of 
CoAP, which requires the use Confirmable requests. Furthermore, to save 
bytes and reduce the number of messages we also specify that we expect 
to receive piggybacked responses, which requires that the request was 
carried in a Confirmable request.

By using the reliabilty mechanisms, we can set the EAP retransmissions 
to infinte which delegates the responsibility of the retransmissions 
onto the eap lower layer.

> Why can't you send the identity already in the first POST message from
> the device. AFAIK, a separate Identity request and response is not
> necessary. You'll save on one round trip? This will also help the
> authenticator to decide already on the first message if it should
> continue or not (depending on the domain name in the NAI)?

[Authors] This in fact is something that we evaluated in a different 
implementation of the protocol for LPWAN which has very high constraints 
(https://www.mdpi.com/1424-8220/17/11/2646 
<https://www.mdpi.com/1424-8220/17/11/2646>) .

We agree with you in this case that would be useful, but I think it is 
would be good to have the opportunity of forcing the exchange of these 
two messages at the Controller's discrection at least. So avoing an IoT 
device blindly sending POST messages that require the creation of a 
CoAP-EAP state in the EAP authenticator as well as an EAP state machine 
state in the EAP server without knowing if the EAP peer is capable of 
engaging in a minimal conversation.

> Section 3.3: casuistics -> interesting choice of words. At least I had
> to lookup the meaning.
[Authors]  Sorry about that, as Carsten said, it is not good to use 
language that needs to be looked at in the dictionary.
> MSG-ID -> Not used in RFC 7252 so I recommend that you should not use it
> either. Also, perhaps adding a bit more context would not hurt. For
> example, Message Id in CoAP is used for....... In CoAP-EAP, the Message
> Id can be used for ..... You have also used MSGID (vs. MSG-ID) in the
> document.
[Authors]  We will correct this and provide additional context.
> "unauthorized communications from the IoT device towards the Controller
> within the security domain." -> I think the more likely repercussion is
> that there will be no access to the network, services, and resources for
> the IoT device.
>
> Not clear which message is lost in Figure 4. I also don't know if EAP-X
> MSG 1 is best representation in the figure. Perhaps EAP-X-Req 1 and
> EAP-X-Res 1?

[Authors]  Sure, lets change it as you suggest, it might help make the 
example more clear.

> Please explain what is meant by "due to internal tracking"

[Authors]  We will clarify that in the text. By internal tracking it was 
intended to conve the idea is that the CoAP messaging layer takes care 
of retransmissions without sending the information the the application 
if not needed.

> Perhaps rename Master Key Session (MSK) to Main Session Key (MSK)
[Authors]  We are referring to the Master Session Key derived from the 
EAP Key Management Framework.
> AS -> never expanded before or introduced properly? what is it referring
> to? Is AS the authenticator or backend server?
[Authors]  We refer to the  Authorization Server (AS) of the ACE 
framework. we will elaborate more in the text.
> Key material needed to derive the OSCORE Security Context, from the MSK
> can be done as follows:? What if it is not done as follows?

[Authors]  You are right. The text  should establish how the process is 
done.

> KDF can be AES-CMAC-PRF-128? What if some other KDF is used?

[Authors]  This is a good point.

Given the fact that we are using OSCORE as Security Association we will 
change the specification to the same crypto suites used in OSCORE.

Understanding that IoT devices can be limited, we intended  to have no 
negotiation, going for the default crypto suites algorithms.

If negotiation is something we really want, we should add to the first 2 
messages carrying EAP, an additional Option to exchange the list of 
prefered cryptosuites by the Controller in the first one, and the chosen 
cryptosuite by the IoT device in the second one.

This could contrast with the initial discussion that was had regarding 
the definition of additional CoAP options, and if they were necessary.

A possible solution for this would be to have this information available 
in the AAA server alongside the credentials of the device, making the 
negotiation unnecessary for this case.

What do you think?

>   Shouldn't
> labels be registered with IANA somehow? What if my implementation uses
> "IETF_MASTER_SECRET_FOR_OSCORE"
[Authors]  That is a good point. I have looked in other RFCs but no 
explicit mention of labels are done for IANA. We will check this.
> "The ID Context can be set to the identity of the EAP peer"? Is it the
> NAI? Is it the identity associated with the EAP peer credentials
> (example: PSK identity or the identity in the TLS client certificate)?
> Is it the Peer-Id? Not all EAP methods export Peer-Id?
[Authors] Good point here. The peer-id in this case would be the NAI.
> Do you mind adding a reference to EAP-NOOB in the list of lightweight
> methods? For full disclosure: I am a co-author of EAP-NOOB. I think it
> is a reasonable example to add given that an implementation with
> CoAP-EAP already exists :https://www.youtube.com/watch?v=rPuFKoihl5E
[Authors]  Sorry about that, It should be in the list.
> "Cryptographic suite is not negotiated". I think this is wrong. Many EAP
> methods inherently include cryptographic suite negotiation. I guess what
> you intend to say here is that the KDF used on the MSK is fixed. Why
> AES-CMAC-PRF-128 is the best choice here for IoT devices?
[Authors]  Yes, indeed. In fact, we ought to change the cryptosuites to 
the ones specified by OSCORE as we are explicitly saying we are 
establishing an OSCORE security association after a successful 
authentication. The choice is based on the requirement of the use of 
OSCORE.
> KMF? I guess you are referring to the Key Management Framework. But the
> original RFC 5247 does not use this acronym so I recommend you avoid it
> as well.

[Authors] We will do that, thank you.

> IANA Considerations section only says TBD.?? I would have thought that
> it would be complete before issuing the working group last call? At the
> very least you should consider registering CoAP-EAP as a lower layer :
> https://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-lower-layers.

[Authors] We will change this.

Thank you again,

Best Regards.

> --Mohit
>
> On 6/17/21 8:25 PM, Loganaden Velvindron wrote:
>> Dear All,
>>
>> After a quick check with the other working group chair, we are ready
>> to proceed to WGLC for:
>>
>> https://datatracker.ietf.org/doc/draft-ietf-ace-wg-coap-eap/
>>
>> Please send your comments to the list.
>> The WGLC period will end on the 1st of July.
>>
>> Kind regards,
>> Daniel and Logan.
>>
>> _______________________________________________
>> Ace mailing list
>> Ace@ietf.org
>> https://www.ietf.org/mailman/listinfo/ace
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace

v2.23.0 | Report a Bug | By Email