Re: [Ace] OSCORE Profile status update and way forward

Göran Selander <goran.selander@ericsson.com> Thu, 15 October 2020 18:01 UTC

From: Göran Selander <goran.selander@ericsson.com>
To: Christian Amsüss <christian@amsuess.com>, Francesca Palombini <francesca.palombini=40ericsson.com@dmarc.ietf.org>
CC: Ace Wg <ace@ietf.org>, "draft-ietf-ace-oscore-profile@ietf.org" <draft-ietf-ace-oscore-profile@ietf.org>
Date: Thu, 15 Oct 2020 18:01:11 +0000
Message-ID: <809D1CE3-A75E-4871-9E1D-48260E787762@ericsson.com>
References: <2D021116-D240-4EE8-9223-83E9F9D4A4EB@ericsson.com> <20201009154454.GA1050533@hephaistos.amsuess.com>
In-Reply-To: <20201009154454.GA1050533@hephaistos.amsuess.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/5GvdkKS3tFGxMMG2W-D7-A1Z0sk>
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>

Hi Christian,

The purpose of the update was to clarify that Appendix B.2 of RFC 8613 could be used in conjunction with the ACE OSCORE profile. But as you point out, the use of B.2 would need to be understood between the client and server beforehand. There are slight differences: With B.2 there is no need to transport the access token again. And B.2 can be triggered by the (resource) server, if it understands that it does not have the right context (which can happen even if there is no ID context in the request). Just using the ACE OSCORE profile, the client would need to understand that the context is lost and run the protocol again. So, there is a difference but essentially the same functionality can be obtained.

Would it be sufficient to clarify the differences as above to address your comment?

Thanks,
Göran


On 2020-10-09, 17:45, "Christian Amsüss" <christian@amsuess.com> wrote:

    Hello Francesca, hello ACE group,

    On Mon, Sep 21, 2020 at 01:48:33PM +0000, Francesca Palombini wrote:
    > - clarified that Appendix B.2 of OSCORE can be used with this profile,
    > and what implementers need to think about if they do.

    I understand B.2 to be something that the involved parties need to agree
    on beforehand; after all, the ID context may be something the server
    relies on (at least for the initial attempt) to find the right key,
    especially when multiple AS are involved. (For example, the RS could
    have an agreement that the AS may issue any KID as long as they use a
    particular ID context). If the server expects B.2 to happen (which, as
    it is put now, it can as long as it supports it in general), it needs to
    shard its KID space for the ASs it uses. (Generally, B.2 is mutually
    exclusive with ID contexts' use of namespacing KIDs).

    Is the expectation that clients that do not anticipate B.2 by the time
    they are configured with their AS just don't offer B.2 to their peers?

    Given B.2 is in its current form client-initiated only (AFAIR we had
    versions where ID1 could be empty in draft versions, but currently it
    reads as client-initiated), does B.2 have any benefits for ACE-OSCORE
    clients? After all, they could just as well post the token with a new
    nonce1 to the same effect.

    Kind Regards
    Christian

    -- 
    To use raw power is to make yourself infinitely vulnerable to greater powers.
      -- Bene Gesserit axiom
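Added example, not part of the thread and not code from RFC 8613, the ACE OSCORE profile draft or any implementation: a Python sketch of the OSCORE key derivation (RFC 8613 Section 3.2) used to put side by side the two ways of getting a fresh context that Göran and Christian compare above, re-POSTing the token with a new nonce1 under the ACE OSCORE profile versus Appendix B.2 re-derivation, which needs no token and keeps the Master Secret, Master Salt and Sender/Recipient IDs. The Master Salt / ID Context composition for the profile and the R2 || R1 order in B.2 are written from memory of those documents and marked ASSUMED in the code; the master secret, salt, identifiers and the OSCORE_Input_Material field names are constructed for the example.

```python
# Added example for this thread, not code from RFC 8613, the ACE OSCORE profile
# draft or any implementation: OSCORE key derivation (RFC 8613 Section 3.2) used
# to compare the two ways of obtaining a fresh context discussed above. Details
# taken from memory rather than the RFC text are marked ASSUMED.
import hashlib
import hmac
import secrets

AES_CCM_16_64_128 = 10  # COSE algorithm id of the OSCORE default AEAD


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with SHA-256; an empty salt means HashLen zero bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def _head(major: int, n: int) -> bytes:
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 256:
        return bytes([(major << 5) | 24, n])
    return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")


def cbor(v) -> bytes:
    """Minimal CBOR encoder, enough for the OSCORE 'info' array."""
    if v is None:
        return b"\xf6"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor(x) for x in v)
    raise TypeError(type(v))


def derive_context(master_secret, master_salt, sender_id, recipient_id,
                   id_context=None, alg=AES_CCM_16_64_128):
    """Sender Key, Recipient Key and Common IV per RFC 8613 Section 3.2.1,
    info = [id, id_context, alg_aead, type, L] with id_context nil if absent."""
    def kdf(id_, typ, length):
        info = cbor([id_, id_context, alg, typ, length])
        return hkdf_sha256(master_salt, master_secret, info, length)
    return {"master_secret": master_secret, "master_salt": master_salt,
            "sender_id": sender_id, "recipient_id": recipient_id,
            "id_context": id_context,
            "sender_key": kdf(sender_id, "Key", 16),
            "recipient_key": kdf(recipient_id, "Key", 16),
            "common_iv": kdf(b"", "IV", 13),
            "sender_seq": 0}  # a fresh context starts its sequence numbers over


def mirrors(a, b) -> bool:
    """True when two contexts are each other's peer (keys cross-match)."""
    return (a["sender_key"] == b["recipient_key"]
            and a["recipient_key"] == b["sender_key"]
            and a["common_iv"] == b["common_iv"])


def ace_profile_contexts(material, nonce1, nonce2):
    """(a) ACE OSCORE profile: the token POST carries nonce1, the RS answers with
    nonce2. ASSUMED: Master Salt = salt || N1 || N2 and ID Context = N1 || N2;
    'material' stands for the AS-issued OSCORE input material (constructed keys)."""
    salt, idc = material.get("salt", b"") + nonce1 + nonce2, nonce1 + nonce2
    c = derive_context(material["ms"], salt, material["clientId"], material["serverId"], idc)
    s = derive_context(material["ms"], salt, material["serverId"], material["clientId"], idc)
    return c, s


def b2_exchange(master_secret, master_salt, client_id, server_id, r1, r2):
    """(b) RFC 8613 Appendix B.2: no token and no AS; Master Secret, Master Salt
    and the Sender/Recipient IDs stay, only the ID Context (hence the keys) changes.
    ASSUMED (from memory of B.2, check the RFC): final ID Context = R2 || R1."""
    # Request #1 is protected with ID Context = R1 and carries kid context = R1;
    # the server derives the same context from the received R1 to verify it.
    c1 = derive_context(master_secret, master_salt, client_id, server_id, r1)
    s1 = derive_context(master_secret, master_salt, server_id, client_id, r1)
    if not mirrors(c1, s1):
        raise ValueError("first B.2 context differs between the peers")
    # Response #1 is protected with the second context and carries kid context = R2;
    # the client derives the same second context and uses it from then on.
    s2 = derive_context(master_secret, master_salt, server_id, client_id, r2 + r1)
    c2 = derive_context(master_secret, master_salt, client_id, server_id, r2 + r1)
    return {"first": (c1, s1), "final": (c2, s2)}


MATERIAL = {"ms": bytes(range(16)), "salt": b"\x9e\x7c\xa9\x22",  # constructed
            "clientId": b"\x01", "serverId": b"\x02"}


def demo():
    """Context from the token exchange, then the two recovery paths after the RS
    loses it: re-POST the token with a fresh nonce1, or run B.2 on the old context."""
    c, s = ace_profile_contexts(MATERIAL, secrets.token_bytes(8), secrets.token_bytes(8))
    c_re, _ = ace_profile_contexts(MATERIAL, secrets.token_bytes(8), secrets.token_bytes(8))
    b2 = b2_exchange(c["master_secret"], c["master_salt"], c["sender_id"],
                     c["recipient_id"], secrets.token_bytes(8), secrets.token_bytes(8))
    return c, s, c_re, b2["final"][0]


if __name__ == "__main__":
    c, _, c_re, c_b2 = demo()
    for name, ctx in (("ACE", c), ("ACE re-POST", c_re), ("B.2", c_b2)):
        print(f"{name:12} ID Context={ctx['id_context'].hex()} Sender Key={ctx['sender_key'].hex()}")
```

The point the output makes is the one in the reply above: both paths end in a context with fresh keys and restarted sequence numbers, and only the B.2 path gets there without the token crossing the wire again or the AS being involved. What the sketch does not capture is Christian's caveat: the RS has to know up front whether a kid context is an ACE profile ID Context (N1 || N2) or a B.2 R1, so a deployment that uses ID contexts to namespace KIDs across several ASs cannot also accept B.2 on the same Recipient IDs. Key derivation can be checked against the test vectors in RFC 8613 Appendix C.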