IETF Logo Mail Archive

Re: [Ace] Artart last call review of draft-ietf-ace-mqtt-tls-profile-14

Cigdem Sengul <cigdem.sengul@gmail.com> Wed, 09 March 2022 23:42 UTC

Return-Path: <cigdem.sengul@gmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07C833A123F; Wed, 9 Mar 2022 15:42:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pt7UFIpuDbsI; Wed, 9 Mar 2022 15:42:04 -0800 (PST)
Received: from mail-vs1-xe30.google.com (mail-vs1-xe30.google.com [IPv6:2607:f8b0:4864:20::e30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88A043A1049; Wed, 9 Mar 2022 15:42:04 -0800 (PST)
Received: by mail-vs1-xe30.google.com with SMTP id a186so4180770vsc.3; Wed, 09 Mar 2022 15:42:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xXiAdBkISN31Eh2wLSNadex742njofVSnHGyHiP5XQM=; b=VqsqsROPYQQcBjTSV8R2hZyaDJJr/I7UauwD2OrwfwAwuyoePKkPXNcvhKKcqybv4h +nlyk1llu7zDCaphjjRdR+nahgJ8OtAti/SQeVRoGNLzMbcjn7LMyH2fZDnCKYQB7gIX dKAaNuFyinm5ySxxqwB01DZCzOimVBLQJMPw3dffcGET9KLHPXa0zoRTSW7CbsSE9ktv +oVl73kxSsQp4uN2aa5GAss4oQWug3aE3y8srZ7yO+j6ppOlAsbsq64MxULne3FkK3ss gcKowP5I0/fzWpEZkazvOQO8lb9c8kl+qCggaTe2bioGtyQYgiLt9PrBRaOq8zTH76V2 PPsA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xXiAdBkISN31Eh2wLSNadex742njofVSnHGyHiP5XQM=; b=Zy4/zRhR6kYjjEvVMuNlmR3vTpWyXgLwmLP6tgSD79QiIE0/c6vvhweUXbL4xztAIv F7edGbXBjBFl3nbNKLCnV4AUFXgOohKgtbKrOvNRz8ntszlkplwvapdFhqLKaAGdwZq/ IdoLZ8JqjzRZynuLg3+K+jXnCS1m9xg+U+smIbdX+uj6XvKlZUKtLKL8R4O00GNZwuEL KRirokWlwVzp2xSnby3x/bfEwBN3FPUth9F5aGE/LYM8PYwqGLLAktWSYtSEose/XjqF LrSRtp2Lj6sFrwaS33v6Bidz5qF63AVMTWIj3TcStqAAmk5dbO9TaHSjpH8JMNLtGUlq 0eUw==
X-Gm-Message-State: AOAM5325LVuS2V5SARX0GfGj4mHWlwGVTKgfWG07Iakxs//TQ9Wm/1Ac 4C6Scq73R95qmRwlwRQ6K3dnd7YOeSSnbQyDZ9e3gi3evnk=
X-Google-Smtp-Source: ABdhPJyXyCpeEEW59zhVSJWkyBMN2xVtXP3mrX/813iAMqkq9Yt4RieqnroZo7qXjdXMp0al2FNFXKz3d2bLnso3Hfw=
X-Received: by 2002:a67:cd85:0:b0:320:7c27:4377 with SMTP id r5-20020a67cd85000000b003207c274377mr1102865vsl.32.1646869322842; Wed, 09 Mar 2022 15:42:02 -0800 (PST)
MIME-Version: 1.0
References: <164643005466.28393.1552756094187219874@ietfa.amsl.com> <CAA7SwCOUHYJTpt-0JOVfwxZ1jgpDve87k2sSpxho=iS6q7Mgfg@mail.gmail.com> <8613abde-1c43-8f7f-b85f-a9db4a10b0a7@nostrum.com>
In-Reply-To: <8613abde-1c43-8f7f-b85f-a9db4a10b0a7@nostrum.com>
From: Cigdem Sengul <cigdem.sengul@gmail.com>
Date: Wed, 09 Mar 2022 23:41:51 +0000
Message-ID: <CAA7SwCOQUvK+6J=-yO-hmYckoanR4g++sxPdRzKLfz2AszA=Zw@mail.gmail.com>
To: "A. Jean Mahoney" <mahoney@nostrum.com>
Cc: art@ietf.org, draft-ietf-ace-mqtt-tls-profile.all@ietf.org, last-call@ietf.org, Ace Wg <ace@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fac77205d9d1a469"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/C4Y6hD5EEkJGuUFY5cdF6ETo4Xw>
Subject: Re: [Ace] Artart last call review of draft-ietf-ace-mqtt-tls-profile-14
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2022 23:42:09 -0000

Hello Jean,

Thank you for your feedback on the changes.
I have updated the pull request with a new commit:
https://github.com/ace-wg/mqtt-tls-profile/pull/102/commits/75ac0c0a86812f359471a63f6b481b0b80482b97

Responses to questions/comments are inline below.

On Wed, 9 Mar 2022 at 23:18, A. Jean Mahoney <mahoney@nostrum.com> wrote:

> Cigdem,
>
> Thank you for reply and for incorporating the feedback into a PR. I have
> few comments and questions below.
>
>
> > references due to changes of text etc.) I have still kept MQTT as
> > normative, as the document is about MQTT, but is it expected to be
> > informative when the reference is a non-RFC?
>
> [JM] I think that is okay. The document shepherd indicated in his
> writeup that he thinks the MQTT reference should be normative
> (
> https://datatracker.ietf.org/doc/draft-ietf-ace-mqtt-tls-profile/shepherdwriteup/).
>
>
> [CS: OK, will leave as is.]


>
> >
> >     Section 2.2.4.2.2: I'm having difficulty parsing the following
> normative
> >     statements. Does "MUST" also cover the Authentication Data (i.e.,
> >     MUST be set
> >     to "ace" and MUST contain Authentication Data)? If the
> >     Authentication Data MUST
> >     NOT be empty, MUST it contain the 8-byte RS nonce or could it
> >     contain something
> >     else?
> >
> >     Current:
> >         The AUTH packet to continue authentication includes the
> >         Authentication Method, which MUST be set to "ace" and
> Authentication
> >         Data.  The Authentication Data MUST NOT be empty and contains an
> >         8-byte RS nonce as a challenge for the Client (Figure 6).
> >
> >
> > [CS: Revised as:
> > The Broker continues authentication using an AUTH packet that contains
> > the Authentication Method
> > and the Authentication Data. The Authentication Method MUST be set to
> > "ace", and the Authentication Data MUST NOT be empty and contain
> > an 8-byte RS nonce as a challenge for the Client.
> > ]
>
> [JM] This is better, but the last half of the last sentence could be
> interpreted as saying "MUST NOT be empty and MUST NOT contain...".
> Perhaps it could just say "the Authentication Data MUST contain an
> 8-byte RS nonce..."?
>

[CS: True, revised as your suggestion.]


>
> >
> >
> >     Section 6.1: Could more guidance or examples of necessary policies
> >     be provided
> >     here?
> >
> >     Current:
> >         However, stored Session state can be discarded as a
> >         result of administrator policies, and Brokers SHOULD implement
> the
> >         necessary policies to limit misuse.
> >
> >
> > [CS: Revised as:
> > "However, stored Session state can be discarded as a result
> > of administrator action or policies (e.g. defining an automated
> > response based on storage capabilities), and Brokers SHOULD implement
> > the necessary policies to limit
> > misuse."
> >
> > Would this work?
> > ]
>
> [JM] I like the added example. As someone unfamiliar with MQTT, I was
> wondering what "necessary policies" might look like. That is, if I were
> to build a Broker implementation, what sort of things SHOULD my
> implementation be doing here? An example or two might clarify.
>

[CS: The example regarding defining an automated response based on storage
capabilities come from the MQTT standard.
The standard itself does not define policies explicitly. I changed the
wording from "necessary policies" to "administrative policies" to avoid
misunderstanding. Such policies may include setting quotas on storage,
connection rates etc, but since they are not explained as such in the MQTT
standard, I would like to avoid specifying them here as well]

>
>
> >
> >        -- Possible downref: Non-RFC (?) normative reference: ref.
> >           'MQTT-OASIS-Standard'
> >
> >        -- Possible downref: Non-RFC (?) normative reference: ref.
> >           'MQTT-OASIS-Standard-v5'
> >
> >
> > [CS: OK for these two, I feel on the fence as the document is about MQTT.
> > Is the downref suggested because this is a Non-RFC and a standard coming
> > from OASIS]
>
> [JM] The idnits script calls out any normative reference that is not a
> Standards Track RFC. Documents from other standards bodies can be
> approved by the IESG to be listed in the Normative References section.
> The MQTT refs shouldn't be an issue. More info about downrefs can be
> found in RFC 8067.
>

[CS: Thanks, then I will keep things as they are.]

>
> >
> >
> >        ** Downref: Normative reference to an Informational RFC: RFC 6234
> >
> >
> > [CS: Moved to Informative references]
>
> [JM] RFC 6234 should be okay as a normative reference because it has
> been normatively referenced in other RFCs
> (https://datatracker.ietf.org/doc/rfc6234/referencedby/) and the
> following sentence says "mandatory to implement":
>
>     HS256 (HMAC-SHA-256) [RFC6234] and Ed25519 [RFC8032] are mandatory
>     to implement for the Broker.
>
[CS: OK, moved back to normative]

>
> >
> >
> >        ** Downref: Normative reference to an Informational RFC: RFC 7251
> >
> >
> > [CS: Reference removed] >
> >
> >        ** Downref: Normative reference to an Informational RFC: RFC 8032
> >
> >
> >   [CS: Moved to informative]
>
> [JM] Same as RFC 6234, RFC 8032 can be normative.
>
> https://datatracker.ietf.org/doc/rfc8032/referencedby/


[CS: Moved back to normative]

>
> Thanks again.
Kind regards,
--Cigdem

>
> >
> > _______________________________________________
> > art mailing list
> > art@ietf.org
> > https://www.ietf.org/mailman/listinfo/art
>

v2.23.0 | Report a Bug | By Email