Re: [Ace] WGLC for draft-ietf-ace-oscore-gm-admin
Marco Tiloca <marco.tiloca@ri.se> Tue, 05 March 2024 18:01 UTC
Return-Path: <marco.tiloca@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B19C2C14F709 for <ace@ietfa.amsl.com>; Tue, 5 Mar 2024 10:01:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.007
X-Spam-Level:
X-Spam-Status: No, score=-2.007 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ri.se
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AOMUrqB4Pl9e for <ace@ietfa.amsl.com>; Tue, 5 Mar 2024 10:00:57 -0800 (PST)
Received: from GVZP280CU001.outbound.protection.outlook.com (mail-swedencentralazon11021006.outbound.protection.outlook.com [52.101.75.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FEA3C14F6BD for <ace@ietf.org>; Tue, 5 Mar 2024 10:00:56 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=C+WS1bPVR24uh8jICKWTdr4WGTYQu4SFDDXCTBjzwk5TsodnPerXvaOijzQj2DpuZkzICeafNAnRXPCiDScOvwaOdXvLulPsoZ0RF6CIBoff7VA1HRzohOtxFA6molzFl84Qv5CS6itFckj2p2Rnec/2qrjYORUTlfVJgaX7pH0D2ATsvPR6dE5feAWH0LcSIG5vSWABlzBG5hYDvFlEWXKdaN1jjgwBO6hasYm3Bq2VrPcM7P5x0MCUw241PodCb/sCdKNN6+uyceV2VAr8etnoylC4NRZV/EMdO4qKhvFRmVhGKzmcClG0R449pb7/s+qTwzHkOV6dfUEmIuRiMA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=FxiN5q0mx61Bj2Y7GuzH0eGNYFYc5+kBL4nMolnODn8=; b=JxnXkb0i8T0VN2JgzbO4EVP1pKpUiCFyyk5WYTFft/d4br5PN4AUGQe0c5eLvqPE7qHGvqOZPAFmPCk63zezeVH2y7rbS97XKvjSAhYm20iadXoLb/RxoyxMp4LHMBdDDYFyeq/ulSxwgoMCma+Kzks/Z2MJ/oGtQOyDMK9OS7kyoJSmQjQlNeexNIbjx+4IMjUFJUXUwk22NFQtCZAhAHcRbUthbh6bQR8sZ4nO/EHUBg8rMV9c2kHD4pHt+Dmvm+x+ytUu6fKhbVZS0gSNVojBT/vokeblmfUs0XF4yGI2VK1LfXh2FbNFp9JvOZCpw+NZw3r8AoJ3U/PYNePEuA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ri.se; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FxiN5q0mx61Bj2Y7GuzH0eGNYFYc5+kBL4nMolnODn8=; b=I+CrRpmCO5KL7VcDyCjaILj31rflhBzh89HEn4bmlh7laSION4t/pafSQMLtuqI3HnFOv99WJdMvg/QLNmFLJzy4H82zJKiEn4X9iT3lBcefmNZ8vHsEL6XF4AhzmQkKMninytu85ymKdeeGnmwngmrl0kNtswyf05gXzq0/wrA=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ri.se;
Received: from GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:37::17) by GVYP280MB0639.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:31::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7339.39; Tue, 5 Mar 2024 18:00:52 +0000
Received: from GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM ([fe80::b06f:2a2b:8cbf:608d]) by GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM ([fe80::b06f:2a2b:8cbf:608d%7]) with mapi id 15.20.7339.035; Tue, 5 Mar 2024 18:00:52 +0000
Message-ID: <9b7b6763-7bb8-4fec-b998-a68dc561b847@ri.se>
Date: Tue, 05 Mar 2024 19:00:51 +0100
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Cigdem Sengul <cigdem.sengul@gmail.com>, "ace@ietf.org" <ace@ietf.org>
Cc: Tim Hollebeek <tim.hollebeek=40digicert.com@dmarc.ietf.org>
References: <SN7PR14MB64923C9DDDB116F7D6512B9783472@SN7PR14MB6492.namprd14.prod.outlook.com> <SN7PR14MB6492D843C3596805AB0B1826834C2@SN7PR14MB6492.namprd14.prod.outlook.com> <CAA7SwCPSQTZV4WD_b6pCQY=kPjUEiYxFSmfOxHmrtjOiUL5Pjw@mail.gmail.com>
From: Marco Tiloca <marco.tiloca@ri.se>
Autocrypt: addr=marco.tiloca@ri.se; keydata= xsBNBFSNeRUBCAC44iazWzj/PE3TiAlBsaWna0JbdIAJFHB8PLrqthI0ZG7GnCLNR8ZhDz6Z aRDPC4FR3UcMhPgZpJIqa6Zi8yWYCqF7A7QhT7E1WdQR1G0+6xUEd0ZD+QBdf29pQadrVZAt 0G4CkUnq5H+Sm05aw2Cpv3JfsATVaemWmujnMTvZ3dFudCGNdsY6kPSVzMRyedX7ArLXyF+0 Kh1T4WUW6NHfEWltnzkcqRhn2NcZtADsxWrMBgZXkLE/dP67SnyFjWYpz7aNpxxA+mb5WBT+ NrSetJlljT0QOXrXMGh98GLfNnLAl6gJryE6MZazN5oxkJgkAep8SevFXzglj7CAsh4PABEB AAHNNk1hcmNvIFRpbG9jYSAobWFyY28udGlsb2NhQHJpLnNlKSA8bWFyY28udGlsb2NhQHJp LnNlPsLAdwQTAQgAIQUCWkAnkAIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRDuJmS0 DljaQwEvCACJKPJIPGH0oGnLJY4G1I2DgNiyVKt1H4kkc/eT8Bz9OSbAxgZo3Jky382e4Dba ayWrQRFen0aLSFuzbU4BX4O/YRSaIqUO3KwUNO1iTC65OHz0XirGohPUOsc0SEMtpm+4zfYG 7G8p35MK0h9gpwgGMG0j0mZX4RDjuywC88i1VxCwMWGaZRlUrPXkC3nqDDRcPtuEGpncWhAV Qt2ZqeyITv9KCUmDntmXLPe6vEXtOfI9Z3HeqeI8OkGwXpotVobgLa/mVmFj6EALDzj7HC2u tfgxECBJddmcDInrvGgTkZtXEVbyLQuiK20lJmYnmPWN8DXaVVaQ4XP/lXUrzoEzzsBNBFSN eRUBCACWmp+k6LkY4/ey7eA7umYVc22iyVqAEXmywDYzEjewYwRcjTrH/Nx1EqwjIDuW+BBE oMLRZOHCgmjo6HRmWIutcYVCt9ieokultkor9BBoQVPiI+Tp51Op02ifkGcrEQNZi7q3fmOt hFZwZ6NJnUbA2bycaKZ8oClvDCQj6AjEydBPnS73UaEoDsqsGVjZwChfOMg5OyFm90QjpIw8 m0uDVcCzKKfxq3T/z7tyRgucIUe84EzBuuJBESEjK/hF0nR2LDh1ShD29FWrFZSNVVCVu1UY ZLAayf8oKKHHpM+whfjEYO4XsDpV4zQ15A+D15HRiHR6Adf4PDtPM1DCwggjABEBAAHCwF8E GAECAAkFAlSNeRUCGwwACgkQ7iZktA5Y2kPGEwf/WNjTy3z74vLmHycVsFXXoQ8W1+858mRy Ad0a8JYzY3xB7CVtqI3Hy894Qcw4H6G799A1OL9B1EeA8Yj3aOz0NbUyf5GW+iotr3h8+KIC OYZ34/BQaOLzdvDNmRoGHn+NeTzhF7eSeiPKi2jex+NVodhjOVGXw8EhYGkeZLvynHEboiLM 4TbyPbVR9HsdVqKGVTDxKSE3namo3kvtY6syRFIiUz5WzJfYAuqbt6m3TxDEb8sA9pzaLuhm fnJRc12H5NVZEZmE/EkJFTlkP4wnZyOSf/r2/Vd0iHauBwv57cpY6HFFMe7rvK4s7ME5zctO Ely5C6NCu1ZaNtdUuqDSPA==
In-Reply-To: <CAA7SwCPSQTZV4WD_b6pCQY=kPjUEiYxFSmfOxHmrtjOiUL5Pjw@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------VnB01WoBUZIWavzebEWcyDWP"
X-ClientProxiedBy: GV3P280CA0056.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:9::10) To GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:37::17)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: GVYP280MB0464:EE_|GVYP280MB0639:EE_
X-MS-Office365-Filtering-Correlation-Id: c00937d0-d2f5-43e4-d7b4-08dc3d3e32aa
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: +LlAAoLPRFWF5jmy/bjkQGluYnghmRQ58C7b+trh4w649sSxlFz4N5iTulVgd7szMQmcl54f8Nqu2y1X6J6a3i0mvQ5nK7nE1qL3XWTa2ASf12jLIELwmb9auIqIGYqUckYkITG88kwzuyEz3yXA8kuDp1zqjJSfqTUpaE5N4PEGctT1bUq0jAeD6gfN0xtdPbCQIqtRbRXcSjz6VIqc1tXVmQVHosr4DXCXKse17OXTBcS/DuwW9AsHF+CM6N5Kk7CB4FIVBsb80CzXMuhoq/2hAGA7FsxzexV7xdRS+6240ysSEOBdzH9SA5sYSNGJm1mz/TbWpl5aNRrlT+IU2/fxlYflAqOo2RWKOSq+hJkHrYBPbd0sYphwfne9M8BpmaiYo/WVvC3DSUlPLtdYrP+qE7HjZ0pM8GZbW4euNfgUVMpv7TaUEgqbtZ6ylmSHEY0AIEuDPitBQJXpCM7vmPDTc4sGiy6WdLE+K2tt8BC4eH8FfWZnB3WPOpdEEiwpmxECcesWHd+im+/MJZX/EHsqhy8QU6qOXBeiusUIUVJp/wTpjnynIXHb7sTjDh6eu3j5OL3IzBcdra5M0HAH+zkBAlTdmAsnlw0kJpdDP2w=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(376005); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 9MQ4GVoByqeAUCL9z+o5VQBhRh3VmyZDTzAsdu7BT59FHPTnZiB6IeXXb1WIWZim8d9RwLhdMOqIsitz6nCJakjP9iA3xeW6lv/r8fTR2z8mqrBDCJEgC8pcrZoHOwdEpLecLaohzlkWgEme0kccfnAxXdXO0owDYrjKZs8jbWj6Q+NCy30iuZ07NaTdyf4Y4CGAEd4Nr87RsW4UbH7LJgmspXaEIIAziWux8GRj5WEWdz/DvI2NCL8YemlmkqK4rAWz59zQ+T7eFY0SllfXb58b5HVNvwFaKZ2heX7z68/Wp4B2q77fzUWquLroBODcX6pXbLwKddO8rAxlr7ol3NW5No+9IzI68TIvD9eEXdwvUfNjoRBFXaBTMh467Og2izqJDY8a4b9NzyhRRiMVw0Deo1coIlzAY5DxJzc9AOZfQylEGfSiFvXR2SojfwzhIRDKrlHu7hC4kfG+uj5uonTHKAJR6HInrvxfPy57RjuLwV/fbxHo0CHZtxUiWWjIxbKmMBkL2Ns9CkVcEV551xOOBQD3W4lGTOpq2YazUSxDstP5ujyzyMC9tCztjhkU0U2Xs+axmNBP0kZam0uhlKigYF8hDkETx9sFCSDmdVInJDXxnJI2DOkwyaCT8B5gJA9IiQm8sNzUBZXQyYMFmDAoCsDPw/STEKt635VTxQqexE19rGrBnG6GPZp3KcETDTSzFRWVr/s4Px2DDFGjeU1bWYYPgJSlmN+ARC/pJCVsBUkjXLxVBXDw/FRxg3UDB+e4lKlnfu7ZxpsZQUd7WfHSBkIWSBmqP5NhsMmNqwXT5+y+Euq1/QMVABnpdou4OxQGPm+iEDLPXaYP7N5JFbsiZPzvI5SwpN93q3sxaXwqg8++zjefFKW9wCA65MoeqV7wuRi7oYY5JOO0kaYczcqqbDwP+l6CrTzi1cyQ8OEBeGiOuRNGg0decS2e/1T+gknp/XY/mvY8UF62YhmVuG6sypEqZpe9vaoCqGmWZWT2PGQmSWdObor0IW2sn2qb0vC9BjxEl+0yK6t1Z1O6IIIB5ifT9vArQMpFLhus5n4+IBsSNT9vDB5WdrtFcpK5CZg2p10oZ0VO5K+avtpE3GGFc4/ccrJeNlcAhbAoOgPFrZ9PNCdLeY0BGlGi+yXW/1ZPGqrkmvD/8b/kqRx3PdNmnGYDkRNwemaMoKW4uXzbhyhHJaqpEwf2Wgo49jZBAs5mupJdZvGCxpUX/FfK5owkjmjgBgSr9R99tt861udLDbUIMdS7pjp8B3iZiw0cRH0bXwypbwjyv2xyV2qmipWcwrV9GYgnfxWuFhzBI0etn6TfMRmzuo0RaC67aU36VepXykSi4DqVGkj3cWodmQKGDdJMCLWqw5JSSl+4UHPvaZCu8xEXFG3UXvtARpT2SVkyoVQvTe/XGSO4qXX9u9CuNmzZ1NXTi1/Txyz1IR7IHsqYnFsnmSr20vqCmEPf3Y3awTEpPe9YajJs65BXIsfIUWON5JNfAH+f+TwXLUcE7p0HLIchl0SKtubFva2IxS11pMBPlPLwf41gCOIAhTHMG/SMmK7LqBv8ih91h38dd5D9qE4csyvH+efK+uEt
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: c00937d0-d2f5-43e4-d7b4-08dc3d3e32aa
X-MS-Exchange-CrossTenant-AuthSource: GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Mar 2024 18:00:52.8287 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: GrURSomDmDF1K/ak+t7mWO4AFCH3M58m2O2wpsF+BLMNOdRhvyqwis+mPqL/C58+8jCcshBMrFmTxTsO+zF+qA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: GVYP280MB0639
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/8Pmrd5Ar7-yp3Nd3BV9qsaSTuik>
Subject: Re: [Ace] WGLC for draft-ietf-ace-oscore-gm-admin
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 18:01:01 -0000
Hello Cigdem,
Thanks a lot for your review and comments!
We have addressed them in the latest version -11 submitted before the
IETF 119 cut-off.
Please find our answers to your comments inline below.
Best,
/Marco
On 2024-02-16 23:35, Cigdem Sengul wrote:
> Hello ace,
>
> I've reviewed the document and found it largely ready.
>
> Below, I make some suggestions to improve clarity and list a few
> editorial comments, hope it helps.
> Kind regards,
> --Cigdem
>
>
> Section 2. Group Administration
> "The AS MAY release Access Tokens to the Administrator for other
> purposes than accessing admin resources of registered Group Managers"
>
> => Reading further into the document, it becomes clear later that "
> Building on the above, the same single scope can include user scope
> entries as well as admin scope entries"
>
> i.e., tokens may express permissions for user resources). It would be
> good to clarify this earlier.
==>MT
What we meant here is even more general than that.
Not only can the same Access Token include both admin entries and user
entries, as made clearer later in the document.
In addition to that, the same Administrator as an ACE Client can obtain
from the AS Access Tokens to be consumed at totally different ACE
Resource Servers than specifically an OSCORE Group Manager.
We have extended the paragraph as follows.
OLD
> The AS MAY release Access Tokens to the Administrator for other
purposes than accessing admin resources of registered Group Managers.
NEW
> The AS MAY issue Access Tokens to the Administrator for other
purposes than accessing admin resources of registered Group Managers.
For example, an Access Token can specify authorization information for
joining OSCORE groups at a Group Manager (see
[I-D.ietf-ace-key-groupcomm-oscore]), possibly combined with
authorization information for accessing admin resources at the same
Group Manager (see Section 3). Also, an AS can of course issue an Access
Token that specifies authorization information unrelated to OSCORE
groups, but instead pertaining to the access of other resources hosted
by the Group Manager or other Resource Servers.
<==
>
> Section 3. Format of Scope
>
> => The object identifier ("Toid") examples for wildcard patterns and
> complex patterns would be useful.
==>MT
Right, although at this point in the text it would be still too early.
After the CDDL definition of an admin scope entry, we have added the
example below using the CBOR Diagnostic Notation.
Based on a comment from Carsten, we now use the CBOR tag 21065 to tag
CBOR text strings as regular expressions. This is now mentioned already
in the text of Section 3 defining the concept of complex pattern used in
Toid of a scope entry.
<==
> => Can the Create permission be paired with a "literal" Toid? So, the
> admin has the right to create a specific config for a specific group name?
==>MT
Yes, for example in case the Administrator is authorized to create
groups with any name from a set of exactly 5 names, which however cannot
be the only ones expressed by a complex pattern.
In that case, the scope will instead have 5 different scope entries,
each associated with one of those groups and having a literal Toid with
the corresponding group name.
<==
>
> Figure 2:
> Write | 3 | Change group configurations
>
> =>Instread of "Change", Update group configurations?
==>MT
The word "Change" is intentional here, as covering both the specific
actions of entirely "Overwriting" (see Section 6.6) and selectively
"Updating" (see Section 6.7) a group-configuration resource.
<==
>
> Section 3.1
>
> "The Administrator may have established a secure communication
> association with the Group Manager based on a first Access Token T1,
> and then created an OSCORE group G. Following the
> invalidation of T1 (e.g., due to expiration) and the
> establishment of a new secure communication association with the Group
> Manager based on a new Access Token T2, the Administrator can
> seamlessly perform authorized operations on the previously created
> group G."
>
> The example is not clear to me. Why does the G having a wildcard or
> complex pattern help in this case?
==>MT
Having more in mind the subsection title as about any type of pattern,
that bullet point considers the full set of literal/wildcard/complex
patterns, not only the wildcard and complex patterns.
Yet you are right, the wildcard and complex patterns do not help more
than a literal pattern does, as long as the name of the targeted group G
matches (which is always the case when using a wildcard pattern).
This bullet point was attempting to stress the seamless "coming back" of
the same Administrator over a newly established secure communication
association, after the issue of a new Access Token.
Admittedly, it can be confusing, as there is nothing special here
compared to any other case: the Client can access a resource, as long
the RS finds an Access Token associated with the secure association used
to protect the request and specifying a scope that grants the requested
access.
Therefore, we have just removed the quoted bullet point altogether.
<==
>
> 5.1.2
>
> 'group_title', with value either a human-readable description of the
> OSCORE group encoded as a CBOR text string, or the CBOR simple value
> "null" (0xf6) if no description is specified.
>
> ==>If this is group description, group_desc sounds more fitting than
> group_title?
==>MT
Fair point.
It's actually ok to have a longer parameter name 'group_description'.
What goes on the wire is its CBOR integer abbreviation defined in section 7.
So we have renamed 'group_title' to be 'group_description'.
<==
>
> 5.2
> "A possible reason for the Group Manager to consider default values
> different from those recommended in this section is to ensure that
> each of those are consistent with what the Group Manager supports,
> e.g., in terms of signature algorithm and format of authentication
> credentials used in the OSCORE group."
>
> Is this mainly saying, "The Group Manager MAY choose different default
> values instead of those recommended in this section ... "
==>MT
Yes, we have rephrased based on what you suggested.
OLD
A possible reason for the Group Manager to consider default values
different from those recommended in this section is to ensure that ...
NEW
The Group Manager MAY choose different default values instead of those
recommended in this section. A possible reason is to ensure that ...
<==
>
>
> 6.2 Retrieve a List of Group Configurations by Filters
>
> It would be good to give an example with status filters as well. For
> example, is it possible to use a complex pattern for group_name filter?
==>MT
Good point!
In Section 6.2, we have added one more example where the request payload
includes both configuration and status parameters, as well as the
'group_name' parameter specifying a regular expression as complex name
pattern.
This has also required the following two changes.
* The table in Section 7 "ACE Groupcomm Parameters must indicate that
'group_name' has CBOR Type "tstr" or "#6.<uint>(any)". The same goes for
the entry about 'group_name' in Section 10.1.
* The payload of the FETCH request to the group-collection resource is
the only case where the 'group_name' parameter can also be such a tagged
CBOR data item. In any other case, the 'group_name' parameter is always
encoded as a CBOR text string and specifies an exact group name.
Consistently, the text has required the following changes in
different sections.
Section 6.2
OLD
> Entry values are the ones admitted for the corresponding labels in
the POST request for creating a group configuration (see Section 6.3).
NEW
> Entry values are the ones admitted for the corresponding labels in
the POST request for creating a group configuration (see Section 6.3),
with the exception that the parameter 'group_name' (if present) can also
be encoded as a tagged CBOR data item, specifying a group name pattern
with the semantics signaled by the CBOR tag.
>
> In such a case, the parameter 'group_name' expresses a group name
pattern in the same way as a complex pattern Toid does in a scope entry
(see Section 3). In particular, the filter criterion is satisfied by any
group name that matches with the group name pattern specified by the
parameter 'group_name' in the payload of the FETCH request.
Section 6.3
OLD
> The payload MUST include the status parameter 'group_name' defined
in Section 5.1.2 and specifying the intended group name.
NEW
> The payload MUST include the status parameter 'group_name' defined
in Section 5.1.2 and specifying the intended group name encoded as a
CBOR text string.
<==
>
> 6.3 Create a New Group Configuration (and also 6.6.)
>
> "Alternatively, the Administrator can perform the registration in
> the Resource Directory on behalf of the Group Manager, acting
> as Commissioning Tool."
>
> Why consider this option when
>
> "Therefore, it is RECOMMENDED that registrations of links to
> group-membership resources in the Resource Directory are made (and
> possibly updated) directly by the Group Manager, rather than by the
> Administrator."
==>MT
The option of using a Commissioning Tool is something generally
introduced in RFC 9176 (see, in particular, its Sections 2 and 3.1).
Here the OSCORE Group Manager is clearly not supposed to be
resource-constrained, and is in fact RECOMMENDED to be the entity
interacting with the Resource Directory (RD), in the interest of
well-maintained registrations at the RD.
At the same time, we thought to be prudent and to not rule out
altogether the use of a separate Commissioning Tool (in this case the
Administrator), which might be in a better position to practically
communicate with the RD, or among only few entities authorized to
interact with the RD, in line with particular "needs of the application"
(cfr. Section 2 of RFC 9176).
<==
>
>
> Editorial
> Abstract
> OLD:
> A Group Manager is responsible to handle the joining of new group
> members, as well as to manage and distribute the group keying
> material.
>
> NEW:
> A Group Manager is responsible for handling the joining of new group
> members, as well as managing and distributing the group keying
> material.
>
> OLD:
> This document defines a RESTful admin interface at the
> Group Manager, that
>
> NEW:
> This document defines a RESTful admin interface at the
> Group Manager that
>
> Introduction
> OLD:
> When group communication for CoAP is protected with Group OSCORE,
> nodes are required to explicitly join the correct OSCORE group.
>
> NEW:
> When group communication for CoAP is protected with Group OSCORE,
> nodes are required to join the correct OSCORE group explicitly.
>
> OLD:
> e.g., based on
> the current application state or on pre-installed policies.
>
> NEW:
> e.g., based on
> the current application state or pre-installed policies.
>
> TERMINOLOGY
> OLD:
> An OSCORE group is used as security group for
> one or many application groups.
>
> NEW:
> An OSCORE group is usedas a security group for
> one or many application groups.
>
> 3.1
> OLD:
> When relying on wildcard patterns and complex patterns, the
> Administrator and the AS do not need to know exact group names for
> requesting and issuing an Access Token, respectively (see
> Section 4).
>
> NEW:
> When relying on wildcard patterns and complex patterns, the
> Administrator and the AS do not need to know the exact group names for
> requesting and issuing an Access Token, respectively (see
> Section 4).
>
> 4.1
> OLD:
> With respect to the main Administrator, such assistant Administrators
> are expected to have less permissions to perform administrative
> operations related to the OSCORE group at the Group Manager.
>
> NEW:
> With respect to the main Administrator, such assistant Administrators
> are expected to have fewer permissions to perform administrative
> operations related to the OSCORE group at the Group Manager.
>
> OLD: For
> example, they may not be authorized to create the OSCORE group if not
> existing already, or to delete the OSCORE group and its
> configuration.
>
> NEW:
> For example, they may not be authorized to create an OSCORE group, or
> to delete an OSCORE group and its
> configuration.
>
> 6.3
> OLD: "If the POST request did not specify certain parameters and the
> Group Manager used default values different from the ones recommended
> in Section 5.2, then the response payload MUST include also those
> parameters, specifying the values chosen by the Group Manager for the
> current group configuration."
>
> NEW: "If the POST request did not specify certain parameters and the
> Group Manager used default values different from the ones recommended
> in Section 5.2, then the response payloadMUST also include those
> parameters, specifying the values chosen by the Group Manager for the
> current group configuration.
>
> 6.6.2
> OLD: "Retrieve from the Group Manager the new Group Manager's
> authentication credential "
>
> NEW: Retrieve from the Group Manager the Group Manager's new
> authentication credential
>
==>MT
All fixed.
<==
> 8.
>
> Sentence hard to parse:
> "This option
> fundamentally relies on the Group Manager freeing up group
> names, hence it is not viable if considerably or indefinitely
> postponing the creation of the group is not acceptable."
==>MT
Rephrased as follows.
NEW
> This option fundamentally relies on the Group Manager making the
group name available again before the Administrator sends the new POST
request. Hence, this option is not viable if it is unacceptable for the
Administrator to considerably or indefinitely postpone the creation of
the new group.
<==
>
> On Fri, 16 Feb 2024 at 19:48, Tim Hollebeek
> <tim.hollebeek=40digicert.com@dmarc.ietf.org> wrote:
>
> Just as a reminder, this WGLC closes in three days. Please
> provide feedback
>
> as to whether this document is ready to be sent to IESG or not.
>
> -Tim
>
> *From:*Tim Hollebeek
> *Sent:* Monday, February 5, 2024 2:18 PM
> *To:* ace@ietf.org
> *Subject:* WGLC for draft-ietf-ace-oscore-gm-admin
>
> Hello ACE Working Group members,
>
> We’re finally ready to do a Working Group Last Call for the document
>
> draft-ietf-ace-oscore-gm-admin:
>
> https://datatracker.ietf.org/doc/draft-ietf-ace-oscore-gm-admin/
> <https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-ace-oscore-gm-admin%2F&data=05%7C02%7Cmarco.tiloca%40ri.se%7Cc3dc340b1b6f472f607808dc2f3fa592%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638437197625717479%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=iZavGDhahLE%2BCNes%2B2grRzFRlGRz%2FBQYCzdFnE%2FuL0Q%3D&reserved=0>
>
> Admin Interface for the OSCORE Group Manager
>
> draft-ietf-ace-oscore-gm-admin-10
>
> Abstract
>
> Group communication for CoAP can be secured using Group Object
>
> Security for Constrained RESTful Environments (Group OSCORE). A
>
> Group Manager is responsible to handle the joining of new group
>
> members, as well as to manage and distribute the group keying
>
> material. This document defines a RESTful admin interface at the
>
> Group Manager, that allows an Administrator entity to create and
>
> delete OSCORE groups, as well as to retrieve and update their
>
> configuration. The ACE framework for Authentication and
>
> Authorization is used to enforce authentication and
> authorization of
>
> the Administrator at the Group Manager. Protocol-specific
> transport
>
> profiles of ACE are used to achieve communication security,
> proof-of-
>
> possession, and server authentication.
>
> Please review the document and provide feedback to the list by
>
> 19 February 2024.
>
> For the chairs,
>
> -Tim
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
> <https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Face&data=05%7C02%7Cmarco.tiloca%40ri.se%7Cc3dc340b1b6f472f607808dc2f3fa592%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638437197625725741%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=OSZMOrkVrzH%2FPh3%2BIn0Cd9TpYiia86PREM1wMjdTO60%3D&reserved=0>
>
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
--
Marco Tiloca
Ph.D., Senior Researcher
Phone: +46 (0)70 60 46 501
RISE Research Institutes of Sweden AB
Box 1263
164 29 Kista (Sweden)
Division: Digital Systems
Department: Computer Science
Unit: Cybersecurity
https://www.ri.se
- [Ace] WGLC for draft-ietf-ace-oscore-gm-admin Tim Hollebeek
- Re: [Ace] WGLC for draft-ietf-ace-oscore-gm-admin Tim Hollebeek
- Re: [Ace] WGLC for draft-ietf-ace-oscore-gm-admin Cigdem Sengul
- Re: [Ace] WGLC for draft-ietf-ace-oscore-gm-admin Göran Selander
- Re: [Ace] WGLC for draft-ietf-ace-oscore-gm-admin Carsten Bormann
- Re: [Ace] WGLC for draft-ietf-ace-oscore-gm-admin Tim Hollebeek
- Re: [Ace] WGLC for draft-ietf-ace-oscore-gm-admin Carsten Bormann
- Re: [Ace] WGLC for draft-ietf-ace-oscore-gm-admin Tim Hollebeek
- Re: [Ace] WGLC for draft-ietf-ace-oscore-gm-admin Marco Tiloca
- Re: [Ace] WGLC for draft-ietf-ace-oscore-gm-admin Marco Tiloca