[Ace] ace-oscoap-joining comments

peter van der Stok <stokcons@xs4all.nl> Thu, 19 April 2018 09:37 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/7g0zKddni-kPRbkuVjCEjMqGgEk>

Hi authors,

Below are my comments on draft-tiloca-ace-oscoap-joining-03.
The draft seems to be pretty clear, but then, I did not try to implement 
it.

Comments on details, typos, structure, and questions are mixed together 
in reading sequence.

title: I expect draft-tiloca-ace-oscore-joining (oscoap is in the past)

page 3 section 1. dtls-authorize and oscore-profile are mentioned quite 
prominently here, but are almost not used elsewhere in the draft (section 
6), and only informatively. I suggest removing them here.

section 1.1 The phrase "message exchanges .... useful terminology" may 
go for me (mentioned in authz and others already).
Is a reference to OAuth 2.0 not sufficient? ace-actors is not really 
needed IMO.

I miss Group Manager in the terminology. Here the relation with the RS can 
be mentioned; it is not needed in section 2.

Section 2 bullet 3 is quite complex text:
Suggestion:
The Authorization Server (AS) authorizes joining nodes to join ....
The AS MAY release access tokens for other purposes than accessing join 
resources; for example: to release......
of OSCORE groups

Page 5
Is the paragraph "All communication ...... ACE Framework [authz]" not 
almost identical to
"communications between ..... this specification"? If not, reformulation 
is clearly needed.

page 5 point 1. Suggestion for the last phrase: With the response from the 
AS, the joining node starts or continues a secure channel with the Group 
Manager.
point 2 Collapse phrases 2 and 3 to: "Then, a joining node must establish 
....first time".  Maybe add a reference to DTLS or other recommended 
alternatives?

point 4 in the OSCORE group -> with the OSCORE group members.

Suggest a point 5 to say that the secure channel is maintained 
between JN and GM.

Section 3 is about JN to AS but mentions the secure channel between JN and 
GM. That is confusing, because I expect text about the secure channel 
between JN and AS.
I suggest removing the discovery with the aid of the resource directory, 
or adding more text and specifying a resource type (rt=) for the AS.

section 3.1 under scope parameter first *: I failed to find the 
"dynamic" component of the scope parameter in [key-groupcomm]

get-pub-keys. I wonder why you want to separate the public key storage 
from the GM. What is the operational advantage? I only see added 
complexity.

section 3.2 "The AS is responsible.....Group Manager" I don't understand 
this phrase.

The "exp" parameter; it MUST be present and then is out of scope?

The phrase "in case the value......include the "scope" parameter" is 
difficult to read.
I suggest: The AS must include the "scope" parameter in the response, 
when the returned value of the response differs from the one in the 
request. (or anything shorter)

section 4 page 7
/what specified/ what is specified/

section 4.2 page 8
/yields to a positive/yields a positive/

section 5
Again, why separate key storage?

first bullet: IMO, it does not hurt to provide the public key when it is 
already known; specifying conditions in the protocol increases the 
probability of errors. (Others may have different opinions given the 
need for payload reduction.)

page 11
"Before sending the join response .... this specification": I suggest 
moving this phrase to section 6.

section 6. I suggest to add the reference to oscore-groupcomm when 
referring to the (sections) or (appendix).

Hope this helps,

Peter
-- 
Peter van der Stok
vanderstok consultancy
mailto: consultancy@vanderstok.org
www: www.vanderstok.org
tel NL: +31(0)492474673     F: +33(0)966015248