Re: [Ace] AD review draft-ietf-ace-key-groupcomm-16
Paul Wouters <paul.wouters@aiven.io> Mon, 05 February 2024 16:44 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45124C14F614 for <ace@ietfa.amsl.com>; Mon, 5 Feb 2024 08:44:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Mf6w097RYGt for <ace@ietfa.amsl.com>; Mon, 5 Feb 2024 08:44:02 -0800 (PST)
Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5723EC14E513 for <ace@ietf.org>; Mon, 5 Feb 2024 08:44:02 -0800 (PST)
Received: by mail-ej1-x630.google.com with SMTP id a640c23a62f3a-a2a17f3217aso620607566b.2 for <ace@ietf.org>; Mon, 05 Feb 2024 08:44:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1707151440; x=1707756240; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=puTep+tP72Q57TAyENkhqlr+DiaXoWWYuAZjlku8+8M=; b=eNRKi5cnT24ovB2nWOT5MxewBGubX14oLGX4zNxJzjyZDso0feJNmab0JHJhJusCN0 5uYmIRtYyQxq+PNApFVo71xgEApjkHBApgMJoel9HE09v2a1VwDbUWBgWzNwQnE85GBH nyo+24uMH1hN2aXFSSPFUWafbxwOjmwC6HfTI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707151440; x=1707756240; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=puTep+tP72Q57TAyENkhqlr+DiaXoWWYuAZjlku8+8M=; b=BtaCilTuiHIdUM+vUzGo9cfHtXJ0s+T+hCCxNZz1u97aDAUiqg4KEbYzb4yyZAQpJ5 tO2Ya8Q6INiCRGlCK38jCbK7kgBuIAHy008QmF+KPxtFPgNFb6IgRruXQzOb/d/axnfr jjI4il0mSqnMEzbBTmsZlVgmTjn+OWBWG/QnBvfpRREcOmXk8lh1hHWYdqdsU/VsiCX2 OkuhHiCSk/uDjaOBA/Ozay3GaezI3atNalRZnGmms2NR13qJ591C1IX0iXe9VSfGclqf ze7YZFeBMVv2FnX3K+g1ZVef39IrgWvn5+03XcpgVyZCNOEtYQFNXS2EpLLZDklsX0CQ pwow==
X-Gm-Message-State: AOJu0Yxa3Azua4S71Xz89gessQIpoRXZxjk9RVPAmR/Oh5xXjkUSjMLl 7GXZgG464ib+sL4XmFqPvMjevSF2UE3FuvDTFQb76LIz44zuuWPuMlI8FKc1EghvzsX6MEQLlkq OcFSud87z0GOSjjfwfd3SqoNo8t2d/QQG27aBO9mWCLAiFNgd
X-Google-Smtp-Source: AGHT+IG5g+1rEnTPy/x94A9Cxxats4rak62IiY1vTE7Peh9mEzLk8edlGXroK6NHOm9+FjeHDXbR3F47PbpRjpQu40Q=
X-Received: by 2002:a17:906:81c7:b0:a2f:1077:68d with SMTP id e7-20020a17090681c700b00a2f1077068dmr11688619ejx.39.1707151440359; Mon, 05 Feb 2024 08:44:00 -0800 (PST)
MIME-Version: 1.0
References: <CAGL5yWZ+JQ3TtS2CMyzcfD8ETgcb4hH5h5qN5WRxbNU16u5y+Q@mail.gmail.com> <4fcdb62b-8ad2-1732-7efd-b5d7e927be6b@ri.se> <f1d781ce-166a-b626-1ae6-d3a35f5a0cc3@ri.se> <CAGL5yWYrm7ZTcGMDLFxv+k3z5NGpS37b=qwxeV-0sH1M47w-nw@mail.gmail.com>
In-Reply-To: <CAGL5yWYrm7ZTcGMDLFxv+k3z5NGpS37b=qwxeV-0sH1M47w-nw@mail.gmail.com>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Mon, 05 Feb 2024 11:43:49 -0500
Message-ID: <CAGL5yWYRkh2h98rwrJ2HifTmSUnaiGjh+xdKFKAU04oD_atzBA@mail.gmail.com>
To: Marco Tiloca <marco.tiloca@ri.se>
Cc: Francesca Palombini <francesca.palombini@ericsson.com>, ace@ietf.org
Content-Type: multipart/alternative; boundary="0000000000002e92330610a52bf9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/5YMdKUjqDs1aqFzNvd2kyfdoGeI>
Subject: Re: [Ace] AD review draft-ietf-ace-key-groupcomm-16
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Feb 2024 16:44:07 -0000
I still do not see a -17 version? Could you push it out? Paul On Fri, Sep 29, 2023 at 12:49 PM Paul Wouters <paul.wouters@aiven.io> wrote: > Thanks for the feedback to my review. I'll await the publication of a new > draft version and then move the document further through the process. > > Paul > > On Fri, Sep 22, 2023 at 12:16 PM Marco Tiloca <marco.tiloca@ri.se> wrote: > >> Hello Paul, >> >> The authors have discussed your review comments and compiled detailed >> replies in line below. >> >> Based on those, we will now proceed updating the Editor's copy on Github >> [1] towards version -17, also taking into account any follow-up feedback >> from your side. >> >> Thanks, >> /Marco >> >> [1] https://github.com/ace-wg/ace-key-groupcomm >> >> >> On 2023-09-01 15:53, Marco Tiloca wrote: >> >> Hi Paul, >> >> Thank you for your review, we will start working on it. >> >> When addressing your comments, we will also process a few more recent >> points tracked as Github issues [0]. In particular: >> >> - Issues 148, 150, and 151 are about editorial fixes/improvements. >> >> - Issues 147 is about clarifications, while issue 149 is about fixes in >> the IANA considerations. >> >> - Issue 146 is about relaxing the now-mandatory inclusion of one >> parameter in a message. >> >> This issue 146 was first brought up to the WG at the ACE interim >> meeting on 2022-09-12, further elaborated on its Github entry, and then >> confirmed at the ACE interim meeting on 2022-12-19. >> >> >> Best, >> /Marco >> >> [0] https://github.com/ace-wg/ace-key-groupcomm/issues >> >> >> On 2023-09-01 02:26, Paul Wouters wrote: >> >> >> You don't often get email from paul.wouters@aiven.io. Learn why this is >> important <https://aka.ms/LearnAboutSenderIdentification> >> >> Hi, >> >> Thanks for this document and my apologies for the long wait time. >> >> I think this document is mostly ready to go. I have a few questions and >> some comments on what I think are changes needed for the IANA >> Considerations section. >> >> >> >> 1) Race conditions with group rekey >> >> Section 2: >> >> When a group rekeys so an new member joining won't be able to read >> old messages, how are race conditions prevented? eg one node wants to >> send a message, but processes a group rekey, then sends the message it >> had. Then the new member join is complete and that message can be read >> by the new member. >> >> >> ==>MT >> >> As you also noticed, a discussion on these aspects comes later in the >> security considerations, i.e., in Section 10.2.1 "Misalignment of Group >> Keying Material" (about which we give a specific reply to your comment >> further below). >> >> At this point in the document, we should better clarify what we mean with >> "old messages". Those are messages exchanged in the group and protected >> with keying material older than the one provided to the joining node. >> >> Clearly, once the joining node obtains the new keying material, the >> joining node becomes able to read any message protected with it, even if >> those messages were sent before the joining procedure was completed. >> However, the joining node will not be able to read "old messages", i.e., >> messages protected with keying material having a strictly lower version >> number num. >> >> For the sake of simplicity, we preferred not to discuss and analyze >> different strategies (each with pros and cons) that the KDC can follow, >> e.g., fully rekeying the group first and then providing the new keying >> material to the joining node, or vice versa, or a hybrid approach. We can >> however clarify in: Sections 2 "Overview" (within the bullet point 3 above >> Figure 2); in Section 6 "Group Rekeying Process"; and in Section 10.2 >> "Update of Group Keying Material" (in the security considerations). >> >> <== >> >> >> Section 6: >> >> The KDC MUST increment the version number NUM of the current >> keying material, before distributing the newly generated keying >> material with version number NUM+1 to the group. >> >> So when the KDC increments the version, and starts distributing the new >> keying material, any client requesting "num" will believe it is behind >> and request a new copy? Wouldn't this cause duplicate rekeys? >> >> >> ==>MT >> >> Trying to clarify, let's consider this general sequence of events. >> >> 1. The current keying material has version num=1 >> 2. The KDC generates new keying material, with version num=2 >> 3. The KDC starts rekeying the group and distributes the new keying >> material with version num=2 >> 4. (the group rekeying is ongoing) >> 5. A group member that has not yet received the new keying material via >> the group rekeying sends a GET request to the KDC at ace-group/GROUPNAME/num >> 6. The response from the KDC specifies num=2 >> 7. (maybe the group rekeying is still ongoing or maybe not, it doesn't >> really matter ...) >> >> At step 5, since the group member has not already received the new keying >> material, the group member still has the old keying material with version >> num=1 and wrongly believes it to be the latest one, until receiving the >> response from the KDC at step 6. Therefore, at step 6, indeed the group >> member learns and believes to be behind, because it actually **is** behind. >> >> The group member can now do two things: >> >> * Assume that a group rekeying is ongoing, and just wait for receiving >> the group keying material through such a rekeying process; or >> * Send a request to the KDC resource at ace-group/GROUPNAME, thus >> retrieving the new keying material with version num=2. >> >> In either case, there is no "duplicate rekey". >> >> In the first case, a rekeying is in fact already ongoing and no further >> one is expected to follow back-to-back. >> >> In the second case, the request from the group member is not going to >> trigger yet another group rekeying (and, in general, scheduling group >> rekeying instances is a prerogative entirely of the KDC). That is, any >> group member can request the keying material from the KDC at any time, and >> will get the latest keying material as a result (nothing more will happen). >> >> Therefore, we believe that no addition or change to the document should >> be required, as we cannot see text that contradicts the above or suggests >> anything different. >> >> <== >> >> >> I see this is partially addressed in the Security Considerations, but >> I feel handling these race conditions is part of the actual protocol, >> not merely a security consideration? >> >> >> ==>MT >> >> Please see the reply to that later comment, as also considering to move >> up that text from the security considerations and have it earlier in the >> document. >> >> <== >> >> >> 2) IV/counter re-use >> >> Section 4: >> >> Symmetric keys are shared between group members. How is it prevented that >> same IVs/counters are used by different members of the group? (there is >> some talk about Base IV and Partial IV, but that didn't seem to answer >> my question >> >> >> ==>MT >> >> We talk about "Partial IV" and "Base IV" only much later in Section 6.2.1 >> "Point-to-Point Group Rekeying", when discussing specifically about how to >> protect group rekeying messages in the proposed rekeying protocol. That is, >> that section does not refer to the use of the group keying material to >> protect the communication between the group members. >> >> Instead, with respect to the secure communication among the group >> members, the proper use of counters/IVs as well as avoiding the reuse of >> pairs (AEAD Key, AEAD Nonce) is strictly related to the particular secure >> communication protocol used in the group. While that protocol determines >> the specific group keying material, such a protocol and its security are >> out of the scope of this document, which defines only a common stub of ACE >> application profiles for the provisioning of group keying material with ACE. >> >> That information is instead expected from an application profile of this >> document, and even such an application profile may take these aspects for >> granted, as already defined by the used secure communication protocol >> indicated by the application profile. To give two concrete examples: >> >> * The application profile in draft-ietf-ace-key-groupcomm-oscore >> incarnates this document to support secure group communication for CoAP >> protected with Group OSCORE, and takes Group OSCORE "as is" per its >> definition in draft-ietf-core-oscore-groupcomm, which relies on >> constructions that ensure a proper, safe use of keys, sequence numbers, and >> IVs. >> >> * The application profile in draft-ietf-ace-pubsub-profile incarnates >> this document to support secure group communication in CoAP Pub-Sub >> scenarios, protecting end-to-end the content of messages between publishers >> and subscribers using COSE. This application profile is directly specifying >> aspects such as handling of IVs, since it is also defining the actual >> protocol for end-to-end protection of messages between the group members. >> >> If this was not clear enough, a possibility is to extend the text of one >> paragraph in Section 1 as follows: >> >> OLD >> > Therefore, this document delegates details ... provided to group >> members. >> >> NEW >> > Therefore, this document delegates details ... provided to group >> members. The actual protection of group communication can be defined in a >> further specification (e.g., as a self-standing secure communication >> protocol) that application profiles of this document can seamlessly rely >> and build on if they do not define it themselves. >> >> <== >> >> >> 3) IANA port registration? >> >> optionally together with a port number (which defaults to 5683 if >> omitted) >> >> Is this port going to be registered with IANA ? >> >> >> ==>MT >> >> Quoting the full sentence for completeness: >> >> > The URI MUST specify addressing information intended to reach all the >> members in the group. For example, this can be a multicast IP address, >> optionally together with a port number (which defaults to 5683 if omitted). >> >> We think that your comment can be referring to two different aspects. >> >> A first one is about the exact port number 5683 (which is already >> registered), and we can improve the text by rephrasing it as follows. >> >> NEW >> > The URI MUST specify addressing information intended to reach all the >> members in the group. For example, this can be a multicast IP address, >> optionally together with a port number that, if omitted, defaults to 5683, >> i.e., the default port number for the "coap" URI scheme (see Section 6.1 of >> [RFC7252]). >> >> The second aspect is about registering a new port number used as >> destination port number in the mentioned multicast request. We think it is >> not absolutely necessary to register such a well-known port number. >> Application profiles might have a reason for defining and registering a >> specific port number, and in such a case they are free to do so. >> >> <== >> >> >> 4) PoP evidence with own nonce >> >> Section 4.5.1: >> >> The PoP evidence is computed over the nonce specified in the >> 'kdc_nonce' parameter and taken as PoP input, by means of the >> same method used when preparing the Join Response >> >> What is the point of the nonce here? Since the nonce comes from the same >> party that >> uses the nonce, it doesn't "prove" anything, eg it could be a replay of a >> previously >> observed/triggered nonce. Can you explain what the purpose of the nonce >> is? >> >> Similar in Section 4.9.1.1 where the Client updates its Authentication >> credential, >> and uses its own nonce to prove possesion of the private key. >> >> >> ==>MT >> >> TLDR; Good point. The following describes a simple fix, to always involve >> in the computation of the Proof-of-Possession evidence also a nonce from >> the other peer. >> >> As discussed below, this review comment applies also to Section 4.3.1, >> but it actually does not apply to 4.9.1.1. >> >> **Change 1 - Section 4.3.1, first part** >> >> This part covers the Join Request, i.e., a POST request to >> ace-group/GROUPNAME >> >> In this request, the joining node specifies a PoP evidence in the >> parameter 'client_cred_verify', to prove possession of its private key >> corresponding to its authentication credential conveyed in the parameter >> 'client_cred'. >> >> The PoP input is: (scope | N_S | N_C) , where: >> >> - 'scope' is as specified in another parameter of the same Join Request >> - N_S is typically the latest 'kdc_challenge' that the joining node has >> obtained from the KDC, either as a response to the Token upload to >> /authz-info, or from an error response from this ace-group/GROUPNAME >> resource. Alternative methods rely, e.g., on TLS exporters as defined for a >> corner case in the application profile for Group OSCORE. >> - N_C is a nonce generated by the joining node and included in the >> parameter 'cnonce' of this Join Request. >> >> What needs to change here? (as useful in the following points ...) >> >> OLD >> > 'cnonce', encoded as a CBOR byte string, and including a dedicated >> nonce N_C generated by the Client. This parameter MUST be present if the >> 'client_cred' parameter is present. >> >> NEW >> > 'cnonce', encoded as a CBOR byte string, and including a dedicated >> nonce N_C generated by the Client. This parameter MUST be present. >> >> **Change 2 - Section 4.3.1, second part** >> >> This part covers the Join Response, i.e., the response produced by the >> POST handler of ace-group/GROUPNAME >> >> In this response, the KDC specifies a PoP evidence in the parameter >> 'kdc_cred_verify', to prove possession of its private key corresponding to >> its authentication credential conveyed in the parameter 'kdc_cred'. >> >> Currently, the PoP input is only a nonce generated at this point in time >> by the KDC, and specified in the 'kdc_nonce' parameter of this response. >> >> What needs to change here? >> >> OLD >> > The PoP input is: kdc_nonce >> >> NEW >> > * The PoP input is: (N_C | kdc_nonce), where N_C is the nonce specified >> by the joining node in the 'cnonce' parameter of the Join Request (now to >> be always included there, per the "Change 1" explained above). >> > * After sending this successful Join Response, the KDC stores N_C as >> associated with this group member. >> >> **Change 3 - Section 4.5.1** >> >> This section covers the GET request-response exchange to >> ace-group/GROUPNAME/kdc-cred . A group member can send such a GET request >> to retrieve the latest authentication credential of the KDC. >> >> In the response to this request, the KDC specifies a PoP evidence in the >> parameter 'kdc_cred_verify', to prove possession of its private key >> corresponding to its authentication credential conveyed in the parameter >> 'kdc_cred'. >> >> Currently, the PoP input is only a nonce generated at this point in time >> by the KDC, and specified in the 'kdc_nonce' parameter of this response. >> >> What needs to change here? >> >> OLD >> > The PoP input is: kdc_nonce >> >> NEW >> > The PoP input is: (N_C | kdc_nonce), where N_C is the nonce specified >> by the joining node in the 'cnonce' parameter of the Join Request (now to >> be always included there, per the "Change 1" explained above) and that the >> KDC stored after having sent the corresponding Join Response at that point >> in time. >> >> **No change - Section 4.9.1** >> >> This section covers the POST request-response exchange to >> ace-group/GROUPNAME/nodes/NODENAME/cred . A group member can send such a >> POST request to upload its own, updated authentication credential. >> >> In this request, the group member specifies a PoP evidence in the >> parameter 'client_cred_verify', to prove possession of its private key >> corresponding to its authentication credential conveyed in the parameter >> 'client_cred'. >> >> The PoP input is: (scope | N_S | N_C) , where: >> >> - 'scope' is as specified in the original Join Request >> - N_S is the value of 'kdc_challenge' the group member has received from >> the KDC, irrespective of how exactly. >> - N_C is a nonce generated by the joining node at this point in time, and >> included in the parameter 'cnonce' of this request. >> >> The text in Section 4.9.1 already says (emphasis mine): >> >> > In particular, the PoP evidence included in 'client_cred_verify' is >> computed in **the same way** considered in Section 4.3.1 and defined by the >> specific application profile (REQ14), with a newly generated N_C nonce and >> **the previously received N_S**. >> >> Therefore, the raised issue does not apply in this section. The PoP input >> in fact includes not only a brand new N_C from the group member, but also a >> nonce N_S generated by the KDC and that the group member already knows from >> earlier steps. In other words, even though N_S is indeed not sent again on >> the wire (see Figure 32), it is used as part of the PoP input to compute >> the PoP evidence. This section should thus be ok as is. >> >> <== >> >> >> COMMENTS: >> >> >> Section 1: >> >> If the application requires backward and forward security >> >> What is "backward security" ? I assume a new member not seeing old >> msgs. Maybe explain that? >> >> >> ==>MT >> >> Correct; this is later expanded in the security considerations of Section >> 10.2, but we can try to give the intuition here. Proposed rephrasing: >> >> OLD >> > If the application requires backward and forward security, new keying >> material is generated and distributed to the group upon membership changes >> (rekeying). >> >> NEW >> > New keying material is generated and distributed to the group upon >> membership changes (rekeying), if the application requires backward >> security (new group members must be prevented from accessing communications >> in the group prior to their joining) and forward security (former group >> members must be prevented from accessing communications in the group after >> their leaving). >> >> <== >> >> >> >> Section 2: >> >> The full procedure can be separated >> >> The full procedure being "add member to group" ? >> >> >> ==>MT >> >> Quoting the full paragraph in question (that's how Section 2 starts): >> >> > The full procedure can be separated in two phases: the first one >> follows the ACE Framework, between Client, AS and KDC; the second one is >> the key distribution between Client and KDC. After the two phases are >> completed, the Client is able to participate in the group communication, >> via a Dispatcher entity. >> >> "Full procedure" does not refer to adding a member to a group. Per the >> document title, the "full procedure" is the "key provisioning for group >> communication using ACE". >> >> Instead, "adding a member to a group" is only (a specific case of) the >> second phase, when a new node is added to the group and it is also provided >> with the necessary keying material. >> >> Proposed rephrasing of the same paragraph: >> >> **NEW** >> > At a high level, the key provisioning process is separated in two >> phases: the first one follows the ACE Framework between Client, AS, and >> KDC; the second one is the actual key distribution between Client and KDC. >> After the two phases are completed, the Client is able to participate in >> the group communication, via a Dispatcher entity. >> >> <== >> >> >> The overview for "Dispatcher" does not make it clear whether it can read >> the content to be dispatched from the client, or not. >> >> >> ==>MT >> >> Quoting the definition of "Dispatcher" >> >> > * Dispatcher: entity through which the Clients communicate with the >> group, when sending a message intended to multiple group members. That is, >> the Dispatcher distributes such a one-to-many message to the group members >> as intended recipients. A single-recipient message intended to only one >> group member may be delivered by alternative means, with no assistance from >> the Dispatcher. >> > >> > Examples of a Dispatcher are: the Broker in a pub-sub setting; a >> relayer for group communication that delivers group messages as multiple >> unicast messages to all group members; an implicit entity as in a multicast >> communication setting, where messages are transmitted to a multicast IP >> address and delivered on the transport channel. >> >> Short answer: yes, it can. We can extend the definition above by adding >> the following note. >> >> > If it consists of an explicit entity such as a pub-sub Broker or a >> message relayer, the Dispatcher is comparable to an untrusted on-path >> intermediary, and as such it is able to read the messages sent by Clients >> in the group. >> >> <== >> >> >> Section 4: >> >> As most important operation after trasferring the access token to >> the KDC, the Client can perform a Join Request-Response exchange >> with the KDC, by specifying the group it requests to join >> >> Should "group" be "group(s)" ? >> >> >> ==>MT >> >> No, it is correct as is. To quote the full paragraph (emphasis mine): >> >> > As most important operation after transferring the access token to the >> KDC, the Client can perform a Join Request-Response exchange with the KDC, >> by specifying **the group** it requests to join (see Section 4.3.1.1). >> Then, the KDC verifies the access token and that the Client is authorized >> to join **the specified group**. If so, the KDC provides the Client with >> the keying material to securely communicate with the other members **of the >> group**. >> >> The access token can indeed specify multiple groups that the client is >> authorized to join. However, the Join Request is specifically about joining >> one group. >> >> <== >> >> >> to join the specified group >> >> Should "group" be "group(s)" ? >> >> >> ==>MT >> >> See the answer to the previous comment, also referring to the same >> paragraph. >> >> <== >> >> >> >> /ace-group/GROUPNAME/creds : this resource is invariant once >> established, and contains the authentication credentials of all >> the members of the group with name GROUPNAME. >> >> How is this "invariant" when it changes depending on group members? Am >> I misunderstanding the term "invariant" ? >> >> >> ==>MT >> >> "Invariant" does not mean that the representation of the resource does >> not change. If we meant that, then that statement would be indeed wrong for >> all the resources for which we use it. >> >> We actually refer to the resource path, and we can rephrase as below. >> >> OLD >> > this resource is invariant once established >> >> NEW >> > the path of this resource is invariant once the resource is established >> >> For completeness, this applies to all the resources for which we are >> making that statement, i.e.: >> >> * /ace-group >> * /ace-group/GROUPNAME/creds >> * /ace-group/GROUPNAME/kdc-cred >> * /ace-group/GROUPNAME/policies >> * /ace-group/GROUPNAME/num >> * /ace-group/GROUPNAME/nodes/NODENAME/cred >> >> <== >> >> >> Section 4.1 >> >> The KDC can provide a list of group names that exist. Can this >> access be restricted to a partial list depending on the client? >> >> >> ==>MT >> >> This operation is intentionally meant to serve any authorized client, >> also to facilitate a possible group (re-)joining. In fact, this operation >> is permitted both to members and non-members of the groups indicated in the >> request to the KDC. >> >> As long as the access token grants permission to access the KDC resource >> at /ace-group, then any node can send a FETCH request to that resource, and >> retrieve the names and joining URI of all the groups for which the current >> group identifier was specified in the request. >> >> <== >> >> >> Section 4.3.1 >> >> Group members MUST stop using the keying material to protect >> outgoing messages and retrieve new keying material at the time >> indicated in this field. >> >> Don't you mean "retrieve new keying material before this time" and "start >> using the new key material after this time"? >> >> >> ==>MT >> >> This sentence can be confusing, as it's discussing two aspects blended >> together. Proposed rephrasing: >> >> > Group members MUST NOT use the keying material after the time indicated >> in this field, and they can retrieve the new group keying material from the >> KDC. >> >> <== >> >> Related in 4.8.1.1 it says: >> >> In either case, if it wants to continue participating in the >> group communication, the node has to request the latest keying >> material from the KDC. >> >> and: >> >> if the Client wants to be sure that it has the latest group keying >> material. If that is the case, the Client will receive from the >> KDC the same group keying material it already has in memory. >> >> Seems to suggest key material is not available before expiry time. That >> is, >> there is always a downtime of a few RTTs when the keying material >> expired, as >> clients cannot prefetch new keying material ahead of time ? I think it >> would >> be a lot more robust if clients could prefetch the new key slightly before >> the expiry time. Then adjust for group membership changes to ensure a >> rekey >> is done if the leaving member could (or has) obtained the num+1 keying >> material? >> >> >> ==>MT >> >> That's not a suggestion that we want to give. It's ultimately up to the >> KDC to decide when to exactly produce the new group keying material, in >> order to distribute it through a group rekeying and make it available for >> manual fetching. >> >> That can even happen after the expiration of the old group keying >> material, if it's acceptable or there are reasons to put on pause the >> secure communications in the group for a while, after the old keying >> material expires. >> >> At the same time, there is no possible "prefetching": only one, latest >> version of the group keying material is available at the KDC. Retrieving it >> can be interpreted as a "prefetch", in the sense that "the new group keying >> material is available to retrieve before the old keying material reaches >> its expiration time". >> >> On the comment: >> >> > Then adjust for group membership changes to ensure a rekey is done if >> the leaving member could (or has) obtained the num+1 keying material? >> >> This does not require any adjustment. In the considered situation, as >> long as the application profile mandates forward security (like in the case >> of draft-ietf-ace-key-groupcomm-oscore), a group rekeying has to happen, in >> order to distribute a new version of the keying material with value num=2. >> >> This can be clarified by extending a paragraph of Section 4.8.1.1 as >> follows: >> >> OLD >> > In either case, if it wants to continue participating in the group >> communication, the node has to request the latest keying material from the >> KDC. To this end, the Client sends a CoAP GET request to the >> /ace-group/GROUPNAME/nodes/NODENAME endpoint at the KDC, formatted as >> specified in Section 4.8.1. >> >> NEW >> > In either case, if it wants to continue participating ..., formatted as >> specified in Section 4.8.1. The Client can request the latest keying >> material from the KDC before the keying material reaches its expiration >> time. >> >> Also, we can make the following addition in Section 6 "Group Rekeying >> Process": >> >> OLD >> > Reasons that can trigger a group rekeying are a change in the group >> membership, the current group keying material approaching its expiration >> time, or a regularly scheduled update of the group keying material. >> >> NEW >> > Reasons that can trigger ... of the group keying material. >> > >> > The KDC can perform a group rekeying before the current group keying >> material expires, unless it is acceptable or there are reasons to >> temporarily pause secure communications in the group, following the >> expiration of the current keying material. >> >> <== >> >> >> Section 4.8.2: >> >> Not providing the Client with newly generated, individual keying >> material, but rather rekeying the whole group >> >> Doesn't this open up a denial of service possibility with a malicious >> client? >> The Security Considerations do warn about this and that requests for >> rekeys >> can be ignored by the KDC, so this is okay. >> >> >> ==>MT >> >> Good. Note that a following paragraph in the same section says: >> >> > Note that this handler is not intended to accommodate requests from a >> group member to trigger a group rekeying, whose scheduling and execution is >> an exclusive prerogative of the KDC. >> >> We can extend this paragraph, by adding a pointer to the security >> considerations, i.e.: >> >> > ... prerogative of the KDC (see also related security considerations in >> Section 10.2). >> >> Furthermore, note that the quoted text is immediately preceded by: >> >> > However, application profiles of this specification MAY also extend >> this handler in order to achieve different akin outcomes (OPT12), for >> instance: >> >> This is in fact what happens in the corresponding Section 9.2 "Request to >> Change Individual Keying Material" of the application profile >> draft-ietf-key-groupcomm-oscore for Group OSCORE, which says: >> >> > The Group Manager SHOULD perform a group rekeying only if already >> scheduled to occur shortly, e.g., according to an application-specific >> rekeying period or scheduling, or as a reaction to a recent change in the >> group membership. In any other case, the Group Manager SHOULD NOT rekey the >> OSCORE group when receiving a Key Renewal Request (OPT12). >> >> <== >> >> >> What is "individual keying material" ? Is based on the security >> association the client <-> KDC have based on the transport protocol? >> >> >> ==>MT >> >> No, it is not related to the Client <-> KDC secure association; it is >> related to the membership of that Client to the secure group GROUPNAME, >> hence to the keying material and other information pertaining to that group. >> >> Note that the Client <-> KDC secure association has nothing to do with >> the secure communication within the group; the former is based on whatever >> transport profile of ACE (e.g., RFC 9202, RFC 9203), while the latter is >> based on what is specified by an application profile of this document. >> >> Consistent with the intended generality of this document, in the earlier >> Section 4.8.1 we say: >> >> > The specific format of individual keying material for group members, or >> of the information to derive it, and corresponding CBOR label, MUST be >> specified in the application profile (REQ27) and registered in Section 11.6. >> >> To better clarify, we can add the following new entry to the terminology >> in Section 1.1: >> >> > * Individual keying material: information exclusively pertaining to a >> group member, as associated with its group membership and related to other >> keying material and parameters used in the group. For example, this can be >> a member identifier that is unique within the group. The specific nature >> and format of individual keying material used in a group is defined in >> application profiles of this specification. The individual keying material >> of a group member is not related to the secure association between that >> group member and the KDC. >> >> <== >> >> >> Section 5: >> >> A Client identified by NODENAME may be removed from a group >> identified by GROUPNAME where it is a member, due to the >> following reasons. >> >> I don't think the following list is a complete set of possible reasons. I >> would >> rephrase this along the lines of "for example, for the following reasons". >> >> >> ==>MT >> >> Correct. Proposed rephrasing: >> >> > A Client identified by NODENAME may be removed from a group identified >> by GROUPNAME where it is a member, for example due to the following reasons. >> >> <== >> >> >> Section 6: >> >> In case the KDC deletes the group, this also allows the KDC to >> send an unsolicited 4.04 (Not Found) response >> >> What does "this" refer to? Making the resource Observable ? >> >> >> ==>MT >> >> Indeed. Proposed rephrasing: >> >> > In case the KDC deletes the group (and thus deletes the >> ace-group/GROUPNAME resource), relying on CoAP Observe as discussed above >> also allows the KDC to send an unsolicited 4.04 (Not Found) response ... >> >> <== >> >> >> Section 6.2.1: >> >> COUNT, as a 1-byte unsigned integer associated with the used >> encryption key. Its value is set to 0 when starting to perform >> a new group rekeying instance, and is incremented after each >> use of the encryption key. >> >> This limits the key to only be used for 256 messages. Is that enough for >> large groups of thousands of devices? Or are groups to be expected to be >> smaller? Or should those groups anticipate this and switch to one-to-many >> rekey methods? Wouldn't 2 bytes create a much larger safety margin at >> a very little cost? >> >> >> ==>MT >> >> Good point; 2 bytes is better. Then, we can update the text to be as >> follows. >> >> > - COUNT, as a 2-byte unsigned integer associated with the used >> encryption key. Its value is set to 0 when starting to perform a new group >> rekeying instance, and is incremented after each use of the encryption key. >> > >> > - NEW_NUM, as the version number of the new group keying material to >> distribute in this rekeying instance, left-padded with zeroes to exactly >> NONCE_SIZE - 2 bytes. >> >> Also, after the paragraph >> >> > Then, the KDC computes a Partial IV as the byte string concatenation of >> COUNT and NEW_NUM, in this order. Finally, the AEAD nonce is computed as >> the XOR between the Base IV and the Partial IV. >> >> it's also better to add the note: >> >> > In order to comply with the security requirements of AEAD encryption >> algorithms, the KDC MUST NOT use the same pair (encryption key, AEAD >> nonce). For example, this includes not using the same encryption key from >> the administrative keying material more than (2^16 - 1) times during the >> same rekeying instance. >> >> <== >> >> >> >> Section 10.2: >> >> The KDC should renew the group keying material upon a >> group membership change. Since the minimum number of group >> members is one, the KDC should provide also a Client joining >> an empty group with new keying material never used before in >> that group. Similarly, the KDC should provide new group keying >> material also to a Client that remains the only member in the >> group after the leaving of other group members. >> >> Why are these "should"s not normative, eg SHOULDs ? >> >> >> ==>MT >> >> Proposed rephrasing also addressing the comment: >> >> > Unless otherwise defined by an application profile of this >> specification, the KDC SHOULD renew the group keying material upon a group >> membership change. In particular, since the minimum number of group members >> is one, the KDC SHOULD provide also a Client joining an empty group with >> new keying material never used before in that group. Similarly, the KDC >> SHOULD provide new group keying material also to a Client that remains the >> only member in the group after the leaving of other group members. >> >> <== >> >> >> Section 10.2.1 >> >> This (finally) addresses my race condition questions.... >> >> >> ==>MT >> >> This relates to "race conditions" as to possible misalignment of group >> keying material among group members when a rekeying has been happening. >> >> We can make the following changes to make this content more and earlier >> visible: >> >> * This Section 10.2.1 can be moved up, when presenting the group rekeying >> in Section 6. For example, it can become a new Subsection 6.3. Note that >> its content is independent of the specific approach used to rekey the group. >> >> * Early in Section 2, we can include a forward pointer about these >> considerations to be found in Section 6. >> >> <== >> >> >> In any case, the recipient should actively ask the KDC for the >> latest group keying material according to an application-defined >> policy, for instance after a given number of unsuccessfully >> decrypted incoming messages. >> >> Seeing that the KDC presumably is hard at work distributing new keying >> material, >> would nodes sending more requests to the KDC not just make things worse? >> >> >> ==>MT >> >> Interesting point, although it's not exactly about DoS (like discussed at >> the end of Section 10.2.0) since it's about requests to the KDC done in >> "good faith". >> >> This applies pretty much to every possible access to the KDC, but >> especially to the operations referred by the comment and defined in >> Sections 4.3.2.1 and 4.8.1.1. >> >> To clarify, we can point especially to the operations defined in Sections >> 4.3.2.1 and 4.8.1.1, and add the following text in Section 6.0 "Group >> Rekeying Process". >> >> > In order to facilitate the completion of a group rekeying instance, the >> KDC MAY stop serving requests pertaining to the group in question until the >> group rekeying is completed. This especially applies to Key Distribution >> Requests (see Sections 4.3.2.1 and 4.8.1.1) and Join Requests (see Section >> 4.3.1.1). The KDC MAY reply to those requests with a 5.03 (Service >> Unavailable) error response, including the Max-Age CoAP Option to indicate >> after how long a new request can be sent (see Sections 5.9.3.4 and 5.10.5 >> of [RFC7252]). >> >> <== >> >> Maybe >> it should also mention that it MUST first verify the signature of the >> node sending >> the encrypted payload before deciding it might need to ask for the >> updated group >> key material to prevent spoofed messages trying to trigger all clients to >> send >> requests to the KDC to overload it ? (I can also see that this is a very >> obvious >> thing to do anyway, so perhaps this advise is meaningless) >> >> >> ==>MT >> >> We understand that, in the sentence >> >> > it MUST first verify the signature of the node sending the encrypted >> payload before deciding it might need to ask for the updated group key >> material ... >> >> the subject "it" is a group member that receives a protected message, >> fails to verify the message, and decides to ask the KDC for the current >> group keying material. >> >> First of all, we cannot just generally talk of signed group messages and >> verification of their signatures in this document. The exact protection of >> messages within the group is up to the security protocol used by an >> application profile of this document, and their protection does not >> necessarily rely on signatures. >> >> For example, when considering exactly the application profile >> draft-ietf-ace-key-groupcomm-oscore and therefore the security protocol >> Group OSCORE: i) messages protected with the group mode are signed, and >> indeed the signature verification happens before decryption; ii) messages >> protected with the pairwise mode are not signed (although still providing >> source authentication through their tags). >> >> The quoted text specifically talks about decryption. If a signature is >> included in the message, it should be verified first and (several) failed >> verifications are not a sufficient trigger to ask for the current group >> keying material (although they can be a trigger for asking for the current >> authentication credential of the sender group member). However, this is >> ultimately about the secure communication protocol defining in which order >> the different message processing steps occur, and it's not something we can >> really dictate in this document. >> >> <== >> >> >> Section 11: >> >> The IANA section mentions the IESG as Change Controller, but it is >> prefered to use >> IETF instead. (IANA will bug you about this later if not changed) >> >> >> ==>MT >> >> Yes, let's use "IETF". >> >> <== >> >> >> Under which collection/grouping should the a "ACE Groupcomm" registries >> appear ? >> Under https://www.iana.org/assignments/ace/ace.xhtml >> <https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.iana.org%2Fassignments%2Face%2Face.xhtml&data=05%7C01%7Cmarco.tiloca%40ri.se%7C90f845f51ae441a280f808dbaa821350%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638291247875827690%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Vh6usMKEgwgUsG%2FxjgtT493TD7%2Fh3o9jI6ZKH0%2B2b6k%3D&reserved=0> >> or under a sub-registry ace-groupcomm ? >> Either way, it should be clarified to IANA. >> >> >> ==>MT >> >> Correct, the plan is to have all the new 7 registries added to the >> registry group "Authentication and Authorization for Constrained >> Environments (ACE)" at https://www.iana.org/assignments/ace/ace.xhtml >> >> The proposal to fix this is also already compiled in >> https://github.com/ace-wg/ace-key-groupcomm/issues/149 >> >> <== >> >> >> It should be noted that, in addition to the expert review, some >> portions of the registry require a specification, potentially >> a Standards Track RFC, to be supplied as well. >> >> Possibly rephrase as: >> >> Values in this registry are covered by different registration >> policies as indicated >> >> >> ==>MT >> >> We plan to add the suggested phrase to prepare the reader about the >> different ranges coming later on. >> >> At the same time, the original text (also used in other document) covers >> a different point, which also comes back in following comments and related >> replies from our side. >> >> <== >> >> >> Section 11.10 describes this as well, but it does indicate how/when >> different policies apply. >> (likely based on the Value field?) >> >> Section 11.11 doesn't list the maximum/minimum values (or limiting size >> of the value) >> >> >> ==>MT >> >> Correct; these IANA sections have different and inconsistent level of >> details about what they say. >> >> The proposal to fix this is also already compiled in >> https://github.com/ace-wg/ace-key-groupcomm/issues/149 , and further >> elaborated in replies to comments below. >> >> <== >> >> >> Section 11.13: >> >> The IANA Registries established in this document are defined as >> expert review. >> >> It's a bit contentious whether a registry can be Standards Track PLUS >> Expert Review. To >> avoid issues around this, I would remove this entire sentence. >> >> >> ==>MT >> >> We are defining 7 new IANA registries. >> >> * "ACE Groupcomm Parameters" >> * "ACE Groupcomm Key Types" >> * "ACE Groupcomm Profiles" >> * "ACE Groupcomm Policies" >> * "Sequence Number Synchronization Methods" >> * "ACE Groupcomm Errors" >> * "ACE Groupcomm Rekeying Schemes" >> >> Considering also the clarifications in >> https://github.com/ace-wg/ace-key-groupcomm/issues/149 and depending on >> the specifically considered value range, each registry uses the policy: >> >> * "Standards Action With Expert Review"; or >> * "Specification Required"; or >> * "Expert Review" >> >> It is true that RFC 8126 does not define a single policy "Standards >> Action With Expert Review". However, its Section 4.12 says (emphasis mine): >> >> > In some situations, it is necessary to define multiple registration >> policies. >> > ... >> > Thus, a particular registry might want to use a policy such as "RFC >> Required" or "IETF Review" sometimes, with a designated expert checking a >> "Specification Required" policy at other times. >> > ... >> > Such combinations will commonly use one of {**Standards Action**, IETF >> Review, RFC Required} in combination with one of {Specification Required, >> **Expert Review**}. >> >> Based on the above, we believe that the current text is appropriate and >> legitimate. >> >> Also, as long as it is done appropriately, this is quite common practice; >> see, above all, selected value ranges of several COSE registries at >> https://www.iana.org/assignments/cose/cose.xhtml >> >> <== >> >> >> >> Specifications are needed for the first-come, first-serve range >> if they are expected to be used outside of closed environments >> in an interoperable way. >> >> I think for all non-private use entries, this is "expected", so I would >> remove the part >> starting at "if they are expected ....". >> >> >> ==>MT >> >> This does not seem to be the case; see a longer reasoning in the response >> to the following comment. >> >> In short, registrations with policy "First-Come-First-Serve" (or "Expert >> Review") do not necessarily need a specification (see Section 4.4 of RFC >> 8126). >> >> Given that baseline, in this document we have an additional expectation >> that we are raising, since it is otherwise not to be assumed. >> >> Also, the quoted sentence is used in other RFCs, such as in >> https://datatracker.ietf.org/doc/html/rfc9203#section-9.7 >> >> <== >> >> >> When specifications are not provided, the description provided >> needs to have sufficient information to identify what the point >> is being used for. >> >> That feels a little odd to me. Not sure this makes much sense, since even >> FSFC needs >> a specification. Private use is well, private use. So which registration >> cases would >> there be that can leave out a specification? >> >> >> ==>MT >> >> Based on RFC 8126, the first registration policy requiring a >> specification is, in fact, "Specification Required" defined in >> https://www.rfc-editor.org/rfc/rfc8126.html#section-4.6. >> >> Instead (emphasis mine): >> >> * https://www.rfc-editor.org/rfc/rfc8126.html#section-4.4 >> >> > For the **First Come First Served policy** ... There is no >> substantive review of the request, other than to ensure that it is >> well-formed and doesn't duplicate an existing assignment. However, >> **requests must include a minimal amount of clerical information**, such as >> a point of contact (including an email address, and sometimes a postal >> address) and a brief description of how the value will be used. >> >> * https://www.rfc-editor.org/rfc/rfc8126.html#section-4.5 >> >> > For the **Expert Review policy**, review and approval by a >> designated expert (see Section 5) is required. While **this does not >> necessarily require formal documentation**, information needs to be >> provided with the request for the designated expert to evaluate. ... The >> required documentation and review criteria, giving clear guidance to the >> designated expert, should be provided when defining the registry. >> >> In this document, we are defining also registries with "Expert Review" >> policy, so the quoted text in Section 11.13 should be correct. >> >> Also, the quoted sentence is used in other RFCs, such as in >> https://datatracker.ietf.org/doc/html/rfc9203#section-9.7 >> >> <== >> >> >> NITS: >> >> ** Downref: Normative reference to an Informational RFC: RFC 7967 >> ** Downref: Normative reference to an Informational RFC: RFC 9053 >> >> These downrefs are okay. >> >> >> ==>MT >> >> Ok. >> >> <== >> >> >> == Outdated reference: A later version (-19) exists of >> draft-ietf-core-oscore-groupcomm-14 >> >> == Outdated reference: draft-ietf-cose-countersign has been published as >> RFC 9338 >> >> -- Possible downref: Normative reference to a draft: ref. >> 'I-D.ietf-cose-countersign' >> >> == Outdated reference: draft-ietf-ace-mqtt-tls-profile has been >> published >> as RFC 9431 >> >> == Outdated reference: A later version (-12) exists of >> draft-ietf-core-coap-pubsub-10 >> >> == Outdated reference: A later version (-09) exists of >> draft-ietf-core-groupcomm-bis-07 >> >> == Outdated reference: A later version (-06) exists of >> draft-ietf-cose-cbor-encoded-cert-04 >> >> == Outdated reference: A later version (-13) exists of >> draft-tiloca-core-oscore-discovery-11 >> >> These need updating (because of my long time to do my AD review. Again my >> apologies) >> >> >> ==>MT >> >> Ok. (draft-ietf-cose-countersign has also been published as RFC 9338) >> >> <== >> >> typoes/grammer: >> >> for those that aim to -> for those that aim for >> >> trasferring -> transfering >> >> consistently with the roles it has in the group -> consistent with the >> roles it has in the group. >> >> the handler reply with a -> the handler replies with a >> >> Due to different reasons - > [remove entirely] >> >> ameliorate -> [pick a different more common term for this] >> >> >> ==>MT >> >> All to be fixed as proposed, except for the following ones: >> >> * > trasferring -> transfering >> >> While "trasferring" is certainly a typo to fix, "transferring" is >> correct but "transfering" is wrong, both in American and British English. >> See: >> - https://whichiscorrect.com/transfering-or-transferring/ >> - https://oneminuteenglish.org/en/transfering-or-transferring/ >> >> * > ameliorate -> [pick a different more common term for this] >> >> We can change it to: "A possible way to limit the impact of this issue >> ..." >> >> <== >> >> This sentence does not parse: >> >> As long as both sides get the new group keying material, updating >> group the keying material in the middle of a transfer will not >> cause any issue. >> >> >> ==>MT >> >> It should read: >> >> "As long as both sides get the new group keying material, updating the >> group keying material in the middle of a transfer will not cause any issue." >> >> <== >> >> retro-compatibility -> backwards compatibility ? >> >> >> ==>MT >> >> Yes, or actually "backward compatibility" >> >> <== >> >> >> >> Paul >> >> >> >> ==>MT >> >> Thanks a lot again for this review! >> >> <== >> >> -- >> Marco Tiloca >> Ph.D., Senior Researcher >> >> Phone: +46 (0)70 60 46 501 >> >> RISE Research Institutes of Sweden AB >> Box 1263 >> 164 29 Kista (Sweden) >> >> Division: Digital Systems >> Department: Computer Science >> Unit: Cybersecurity >> https://www.ri.se >> >> >> -- >> Marco Tiloca >> Ph.D., Senior Researcher >> >> Phone: +46 (0)70 60 46 501 >> >> RISE Research Institutes of Sweden AB >> Box 1263 >> 164 29 Kista (Sweden) >> >> Division: Digital Systems >> Department: Computer Science >> Unit: Cybersecurity >> https://www.ri.se >> >>
- [Ace] AD review draft-ietf-ace-key-groupcomm-16 Paul Wouters
- Re: [Ace] AD review draft-ietf-ace-key-groupcomm-… Marco Tiloca
- Re: [Ace] AD review draft-ietf-ace-key-groupcomm-… Marco Tiloca
- Re: [Ace] AD review draft-ietf-ace-key-groupcomm-… Paul Wouters
- Re: [Ace] AD review draft-ietf-ace-key-groupcomm-… Paul Wouters