Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14

Daniel Migault <daniel.migault@ericsson.com> Tue, 16 February 2021 15:54 UTC

From: Daniel Migault <daniel.migault@ericsson.com>
To: Stefanie Gerdes <gerdes@tzi.de>, Daniel Migault <mglt.ietf@gmail.com>, Francesca Palombini <francesca.palombini@ericsson.com>
CC: Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>, Russ Mundy <mundy@tislabs.com>, Olaf Bergmann <bergmann@tzi.org>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14
Thread-Index: AQHXBHa1eigM3cSArEe6Mc/hYixa66pa7HuA
Date: Tue, 16 Feb 2021 15:53:57 +0000
Message-ID: <DM6PR15MB23796DF01885DC7F86C15583E3879@DM6PR15MB2379.namprd15.prod.outlook.com>
References: <871rdqihww.fsf@wangari> <FD569111-85F8-40A2-8C97-764977309B87@ericsson.com> <CADZyTk=HB26o=mUpUdbYEhfhrGZar+oe28c5PZ2_j-vKYVA6xg@mail.gmail.com> <c6d42d18-f1f3-ec00-fff9-3540fa222d23@tzi.de> <9911269D-AA7F-458C-AA1A-2D59A79C5A00@ericsson.com> <CADZyTkn=3GigtTiihQX0ORYyO0dV0qCfVMtTn37vbsqJuQUJxw@mail.gmail.com> <026242c2-2c6a-485b-cb51-34b2b2d70975@tzi.de>
In-Reply-To: <026242c2-2c6a-485b-cb51-34b2b2d70975@tzi.de>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/OxS0HW3IYw1P-BPkuFVLMau06to>
Subject: Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Feb 2021 15:54:04 -0000

Hi Stefanie, 

Thanks for the suggestion. I would like to propose a slight update to one sentence, but I see this moving in the right direction.

Please find my comments in line.

Yours, 
Daniel

-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of Stefanie Gerdes
Sent: Tuesday, February 16, 2021 10:16 AM
To: Daniel Migault <mglt.ietf@gmail.com>; Francesca Palombini <francesca.palombini@ericsson.com>
Cc: Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>; Russ Mundy <mundy@tislabs.com>; Olaf Bergmann <bergmann@tzi.org>; ace@ietf.org
Subject: Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14

Hi,

I propose that we use the following text for the ACE framework (as originally proposed by Göran):

Section 6.2:
OLD
  "Profiles MUST specify how communication security according
   to the requirements in Section 5 is provided."
NEW
"The requirements for communication security of profiles are specified in Section 5."

Section 5:
OLD
"Profiles MUST specify a communication security protocol that provides
   the features required above."
NEW
"Profiles MUST specify at least one communication security protocol that provides the features required above."

<mglt>
I have the impression that with "MUST specify" one expects a mandatory protocol to be provided. Would the following text be acceptable?

NEW2:
"Profiles RECOMMENDs at least one communication security protocol that provides the features required above."
</mglt>

For the DTLS profile, I propose the following text:

OLD
"The use of CoAP and DTLS for this communication is REQUIRED in this profile.  Other protocols (such as HTTP and TLS, or CoAP and OSCORE
[RFC8613]) will require specification of additional profile(s)."

NEW
"The use of CoAP and DTLS for this communication is RECOMMENDED in this profile. Other protocols fulfilling the security requirements defined in Section 5 of [I-D.ietf-ace-oauth-authz] MAY be used instead."

additional explanation:

one proposal was to state as the reason for recommending DTLS that it reduces the number of libraries the client has to support. But the reason why the ACE framework requires that the profiles specify a security protocol for the communication between C and AS is to provide security for the data that is transmitted between these two parties.
Without a protocol that fulfills the requirements listed in the ACE framework, the solution would not be secure. Requiring that the profiles must specify at least one protocol ensures that implementers have an idea how to implement the profile securely (instead of leaving them in the dark about that). It is also nice if the number of libraries on the client can be reduced, but I am not that comfortable with stating that as the main reason for recommending DTLS.

<mglt>
I agree that security was the main driver, but it also seems to me that limiting the number of libraries was the reason for choosing that one - as opposed to another one. That said, I think the reason is rather obvious and may not need to be specified, so I am fine with that text.
</mglt>

Viele Grüße
Steffi

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace