Re: [Ace] MQTT, OSCORE, DTLS profiles - recommendation on RS - AS communication
Cigdem Sengul <cigdem.sengul@gmail.com> Wed, 14 April 2021 08:58 UTC
From: Cigdem Sengul <cigdem.sengul@gmail.com>
Date: Wed, 14 Apr 2021 09:58:40 +0100
Message-ID: <CAA7SwCNJ6wkzz=JS4s4xUgZ-rZTf5XFBuHMNe04ijRU1Z9ppmg@mail.gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>, Ace Wg <ace@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/7768xT4ixx7vXDHCxrME6yTjumo>
Hello Daniel,

One thing I didn't have a chance to ask yesterday in the interim was about the registration of the 'ace+json' application type. Francesca brought this up as the MQTT profile describes the HTTPS interactions differently than the core draft, which says:

"When HTTP is used as a transport then the client makes a request to the token endpoint by sending the parameters using the "application/x-www-form-urlencoded" format with a character encoding of UTF-8 in the HTTP request entity-body, as defined in section 3.2 of [RFC6749]."

As I discussed with Francesca, we had discussions on the mailing list with Jim using ace+json as well. I recalled the view that the draft that introduces it should register it. I want to check if this is the general agreement, or whether you (or the group) have a different view: (1) registering this new type, or (2) the MQTT draft is modified to comply with the framework description. If (1), do we still agree that it should be the MQTT profile registering it, or should it be done elsewhere?

Kind regards,
--Cigdem

On Tue, Apr 13, 2021 at 1:58 PM Daniel Migault <mglt.ietf@gmail.com> wrote:

> Thanks for the update, that works for me.
>
> Yours,
> Daniel
>
> On Tue, Apr 13, 2021 at 8:44 AM Cigdem Sengul <cigdem.sengul@gmail.com> wrote:
>
>> Hello Daniel,
>> I propose the following change to clarify the TLS use. If you are happy with it, I will update the document:
>>
>> "To provide communication confidentiality and RS authentication to MQTT clients, TLS is used, and TLS 1.3 [RFC8446] is RECOMMENDED. This document makes the same assumptions as Section 4 of the ACE framework [I-D.ietf-ace-oauth-authz] regarding Client and RS registration with the AS and setting up keying material. While the Client-Broker exchanges are only over MQTT, the required Client-AS and RS-AS interactions are described for HTTPS-based communication [RFC7230], using 'application/ace+json' content type, and unless otherwise specified, using JSON encoding. The Client-AS and RS-AS MAY also use protocols other than HTTP, e.g. Constrained Application Protocol (CoAP) [RFC7252] or MQTT; it is recommended that TLS is used to secure the communication channels between Client-AS and RS-AS."
>>
>> Since it is in this paragraph, one thing that Francesca brought up to do is to register the 'application/ace+json' content type.
>>
>> Kind regards,
>> --Cigdem
>>
>> On Fri, Mar 5, 2021 at 9:11 PM Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org> wrote:
>>
>>> Hi,
>>>
>>> Now that the authz document is being consolidated, I do have some minor concerns regarding the recommendations mentioned in the profile documents, that might require an additional update.
>>>
>>> The update to the authz document indicates more clearly than before that profiles need to provide some recommendations for the RS - AS communication.
>>>
>>> """
>>> Profiles MUST specify for introspection a communication security protocol RECOMMENDED to be used between RS and AS that provides the features required above.
>>> """
>>>
>>> It seems to me the MQTT profile text makes it pretty clear that TLS is recommended for all communications, but I am wondering if additional clarification would be beneficial - see below. That said, I agree this is a very minor point in this case that could be handled by the RFC editor.
>>>
>>> For the OSCORE or DTLS profiles, unless I am missing the RS - AS recommendations in the documents, it seems to me it has been omitted and needs to be added -- see below.
>>>
>>> Yours,
>>> Daniel
>>>
>>> ## MQTT - draft-ietf-ace-mqtt-tls-profile-10
>>>
>>> """
>>> To provide communication confidentiality and RS authentication, TLS is used, and TLS 1.3 [RFC8446] is RECOMMENDED. This document makes the same assumptions as Section 4 of the ACE framework [I-D.ietf-ace-oauth-authz] regarding Client and RS registration with the AS and setting up keying material. While the Client-Broker exchanges are only over MQTT, the required Client-AS and RS-AS interactions are described for HTTPS-based communication [RFC7230], using 'application/ace+json' content type, and unless otherwise specified, using JSON encoding.
>>> """
>>>
>>> I am wondering if it would not be more appropriate to specify in the first line RS and AS authentication, or simply authentication.
>>>
>>> - OSCORE draft-ietf-ace-oscore-profile-16
>>>
>>> """
>>> This profile RECOMMENDS the use of OSCORE between client and AS, to reduce the number of libraries the client has to support, but other protocols fulfilling the security requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] (such as TLS or DTLS) MAY be used as well.
>>> """
>>>
>>> - DTLS draft-ietf-ace-dtls-authorize-15
>>>
>>> """
>>> It is RECOMMENDED that the client uses DTLS with the same keying material to secure the communication with the authorization server, proving possession of the key as part of the token request. Other mechanisms for proving possession of the key may be defined in the future.
>>> """
>>>
>>> _______________________________________________
>>> Ace mailing list
>>> Ace@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ace
>
> --
> Daniel Migault
> Ericsson
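The two concrete points in this thread are (a) the body encoding of the token request, where the framework text mandates application/x-www-form-urlencoded over HTTP while the MQTT profile describes the same Client-AS and RS-AS interactions with the 'application/ace+json' content type, and (b) the recommendation that TLS (TLS 1.3 RECOMMENDED) protect the RS-AS channel. The following Python is an added illustration written for this page, not code from any ACE draft, implementation or participant in the thread. It shows why the encoding mismatch matters in practice: an AS that accepts only the framework's form encoding cannot parse a profile-conformant ace+json body and has to refuse it, and vice versa. The parameter names and values in the sample request are constructed for the example; the helper names (encode_token_request, decode_token_request, rs_as_tls_context) are this example's own, and the TLS context is a plain Python ssl configuration, not a profile-defined API.

```python
import json
import ssl
from urllib.parse import parse_qs, urlencode

# Content types discussed in the thread. Whether and where 'application/ace+json'
# gets registered is exactly the open question of the thread; this code only
# treats it as a label that the AS either understands or does not.
FORM_URLENCODED = "application/x-www-form-urlencoded"
ACE_JSON = "application/ace+json"


def encode_token_request(params: dict, content_type: str) -> bytes:
    """Client side: serialize token-endpoint parameters in one of the two encodings.

    Both encodings produce UTF-8 bytes; only the structure of the body differs.
    """
    if content_type == FORM_URLENCODED:
        # RFC 6749 section 3.2 style body: key=value pairs joined by '&'.
        return urlencode(params).encode("utf-8")
    if content_type == ACE_JSON:
        # Profile style body: a single JSON object carrying the same parameters.
        return json.dumps(params, separators=(",", ":")).encode("utf-8")
    raise ValueError(f"unsupported request content type: {content_type}")


def decode_token_request(body: bytes, content_type: str, supported: set):
    """AS side: dispatch strictly on the declared Content-Type.

    Returns the parameter dict, or None when the AS does not support the declared
    type (an HTTP AS would answer 415 Unsupported Media Type here). Sniffing the
    body instead of trusting the declared type is deliberately not done: parsing
    a JSON object as a query string, or the reverse, silently yields garbage.
    """
    if content_type not in supported:
        return None
    text = body.decode("utf-8")
    if content_type == FORM_URLENCODED:
        pairs = parse_qs(text, strict_parsing=True, keep_blank_values=False)
        # Token requests carry single-valued parameters; collapse the lists.
        return {key: values[0] for key, values in pairs.items()}
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("ace+json token request body must be a JSON object")
    return data


def rs_as_tls_context() -> ssl.SSLContext:
    """Client-side TLS context an RS would use toward the AS (e.g. for introspection).

    Follows the recommendation quoted in the thread: TLS with TLS 1.3 as the
    floor, server certificate verification and hostname checking left on.
    Assumption for this example: the AS is reached over HTTPS, as the profile
    text describes.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed sample token request (parameter values are illustrative only).
SAMPLE_REQUEST = {
    "grant_type": "client_credentials",
    "scope": "publish",
    "audience": "mqtt-broker",
}


def interop_check(as_supported: set) -> dict:
    """Encode the sample request both ways and see which bodies the AS accepts.

    Returns a mapping content_type -> True (parsed back to the same parameters)
    or False (rejected), so the effect of the encoding mismatch is explicit.
    """
    result = {}
    for ctype in (FORM_URLENCODED, ACE_JSON):
        body = encode_token_request(SAMPLE_REQUEST, ctype)
        parsed = decode_token_request(body, ctype, as_supported)
        result[ctype] = parsed == SAMPLE_REQUEST
    return result


if __name__ == "__main__":
    # An AS written against the framework text alone rejects the profile's encoding.
    print("framework-only AS:", interop_check({FORM_URLENCODED}))
    # An AS that also understands the MQTT profile accepts both.
    print("profile-aware AS: ", interop_check({FORM_URLENCODED, ACE_JSON}))
    print("RS-AS TLS floor:  ", rs_as_tls_context().minimum_version.name)
```

Run it directly and the first line shows the form-encoded body accepted and the ace+json body rejected by an AS that only implements the framework's wording, which is the interoperability gap the thread is trying to close either by registering the type or by aligning the MQTT profile with the framework.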