[Ace] ace-oscoap-joining comments

peter van der Stok <stokcons@xs4all.nl> Thu, 19 April 2018 09:37 UTC

Return-Path: <stokcons@xs4all.nl>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C79812D7F9 for <ace@ietfa.amsl.com>; Thu, 19 Apr 2018 02:37:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u0x1ifwfnCT8 for <ace@ietfa.amsl.com>; Thu, 19 Apr 2018 02:37:02 -0700 (PDT)
Received: from lb1-smtp-cloud8.xs4all.net (lb1-smtp-cloud8.xs4all.net [194.109.24.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68D91124C27 for <ace@ietf.org>; Thu, 19 Apr 2018 02:37:02 -0700 (PDT)
Received: from webmail.xs4all.nl ([IPv6:2001:888:0:22:194:109:20:214]) by smtp-cloud8.xs4all.net with ESMTPA id 95zrfVMBpdX8I95zrfx13n; Thu, 19 Apr 2018 11:37:00 +0200
Received: from 2001:983:a264:1:61f3:5e12:df9b:61b5 by webmail.xs4all.nl with HTTP (HTTP/1.1 POST); Thu, 19 Apr 2018 11:36:55 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
Date: Thu, 19 Apr 2018 11:36:55 +0200
From: peter van der Stok <stokcons@xs4all.nl>
To: ace@ietf.org
Organization: vanderstok consultancy
Reply-To: consultancy@vanderstok.org
Mail-Reply-To: consultancy@vanderstok.org
Message-ID: <0c356bc5b658c27cb6341177f205fd67@xs4all.nl>
X-Sender: stokcons@xs4all.nl
User-Agent: XS4ALL Webmail
X-CMAE-Envelope: MS4wfABqIaeC1GYMhHEnkqkUXx2ThFXvcO14VEuYYCUhNmkuywaVezTzymvInr1Lj4pqarQIhDhFE9iZrO69FVKZ7UZyIa2iT3QDd6RNzCydv5OzFnSoWW8+ cZQ+liSliazHdzkRSJBfa5zXzV3LDJsJZakj2kfSPjQ1Wgwwl/OckIWoyj3lnqLFFLmmdu45Ks3aB4F8Exqri5lEsTObpI59ALk=
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/7g0zKddni-kPRbkuVjCEjMqGgEk>
Subject: [Ace] ace-oscoap-joining comments
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Apr 2018 09:37:04 -0000

Hi authors,

Below comments on the draft-tiloca-ace-oscoap-joining-03.
The draft seems to be pretty clear, but then, I did not try to implement 
it.

Comments on details, typos, structure, and questions are mixed together 
in reading sequence.

title: I expect draft-tiloca-ace-oscore-joining (oscoap is in the past)

page 3 section 1. dtls-authorize and oscore-profile are mentioned quite 
prominently here, but almost not used elsewhere in the draft (section 
6), and only informative. suggest to remove here.

section 1.1 The phrase "message exchanges .... useful terminology" may 
go for me. (mentioned in authz and others already).
Is reference to oAuth 2.0 not sufficient, ace-actors is not really 
needed IMO.

I miss Group Manager in the terminology. here relation with RS can be 
mentioned, not needed in section 2.

Section 2 bullet 3 is quite complex text:
Suggestion:
The Authorization Server (AS) authorizes joining nodes to join ....
The AS MAY release access tokens for other purposes than accessing join 
resources; for example: to release......
of OSCORE groups

Page 5
Is paragraph "All communication ...... ACE Framework [authz]" not almost 
identical to
"communications between ..... this specification". If not, reformulation 
is clearly needed.

page 5 point 1. suggestion for last phrase: With the response from the 
AS, the joining node starts or continues a secure channel with the Group 
Manager.
point 2 Collapse phrase 2 and 3 to: "Then, a joining node must establish 
....first time".  May be add a reference to DTLS or other recommended 
alternatives?

point 4 in the OSCORE group -> with the OSCORE group members.

Suggest a point 5 to say that the secure channel is maintained for 
between JN and GM

Section 3 is about JN to AS but mentions secure channel between JN and 
GM. That is confusing, because I expect text about secure channel 
between JN and AS.
I suggest to remove the discovery with the aid of resource-directory, or 
add more text and specify a resource-type rt=) for the AS.

section 3.1 under scope parameter first *: I failed to find the 
"dynamic" component of the scope parameter in [key-groupcomm]

get-pub-keys. I wonder why you want to separate the public key storage 
from the GM. What is the operational advantage?; I only see added  
complexity.

section 3.2 "The AS is responsible.....Group Manager" I don't understand 
this phrase.

The "exp" parameter; it MUST be present and then is out of scope?

The phrase "in case the value......include the "scope" parameter" is 
difficult to read.
I suggest: The AS must include the "scope" parameter in the response, 
when the returned value of the response differs from the one in the 
request. (or anything shorter)

section 4 page 7
/what specified/ what is specified/

section 4.2 page 8
/yields to a positive/yields a positive/

section 5
Again why separate key storage

first bullet: IMO, it does not hurt to provide the public key, when 
already known; specifying conditions in the protocol  increases the 
probability of errors. (Others may have different opinions given the 
need of payload reduction)

page 11
"Before sending the join response .... this specification" suggest to 
move this phrase to section 6.

section 6. I suggest to add the reference to oscore-groupcomm when 
referring to the (sections) or (appendix).

Hope this helps,

Peter
-- 
Peter van der Stok
vanderstok consultancy
mailto: consultancy@vanderstok.org
www: www.vanderstok.org
tel NL: +31(0)492474673     F: +33(0)966015248