Re: [Ace] Planned updates to draft-ace-key-groupcomm

Daniel Migault <daniel.migault@ericsson.com> Fri, 29 July 2022 17:03 UTC

From: Daniel Migault <daniel.migault@ericsson.com>
To: Marco Tiloca <marco.tiloca=40ri.se@dmarc.ietf.org>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] Planned updates to draft-ace-key-groupcomm
Thread-Index: AQHYo2dNM5NvVTnbdkeJwLCs+4T5WK2VkvvH
Date: Fri, 29 Jul 2022 17:03:05 +0000
Message-ID: <CH2PR15MB3687327CDFE0C72542736A03E3999@CH2PR15MB3687.namprd15.prod.outlook.com>
References: <21f28cd5-5d8e-f37c-00a3-3b016597cebc@ri.se>
In-Reply-To: <21f28cd5-5d8e-f37c-00a3-3b016597cebc@ri.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/IqXmWKJUY0RdV0QJK5aSecJrYxs>

Thanks for the details - please ship it! To the WG, please state your opinion by the end of August.

Yours,
Daniel

________________________________________
From: Ace <ace-bounces@ietf.org> on behalf of Marco Tiloca <marco.tiloca=40ri.se@dmarc.ietf.org>
Sent: Friday, July 29, 2022 12:20 PM
To: ace@ietf.org
Subject: [Ace] Planned updates to draft-ace-key-groupcomm

Hello ACE,

Following some discussions in the past months, I was planning to make
two non-invasive changes to draft-ace-key-groupcomm-15 [ACE-KG], which
is currently in AD Review.

After giving a heads-up to Daniel and Paul at IETF 114, this mail is to
check with the Working Group if there are objections to making the changes.

---

UPDATE 1

Following IETF 113, there was a proposal from Christian about updating
Section 7 "Extended Scope Format" of [ACE-KG]. The defined approach is
optional to use, it signals the semantics of a binary encoded "scope"
claim of an access token, and is referred to in the documents
[ACE-KGO][ACE-ADMIN].

The result of the change, also proposed in [GH-ISSUE], would be a
simpler and more efficient signaling of the scope semantics. In turn, it
automatically takes advantage of the work done in CBOR at [CBOR-FM].

Question: is there any objection to updating Section 7 of [ACE-KG], based
on the proposal at [GH-ISSUE]?

---

UPDATE 2

At IETF 113, it was discussed that the "scope" claim of the same access
token could specify, at the same time, both: i) scope entries related to
roles of members in an OSCORE group, as per [ACE-KGO]; and ii) scope
entries related to admin permissions for Administrators of OSCORE groups
as per [ACE-ADMIN].

Following that discussion and in order to make things simpler, a single
AIF data model "AIF-OSCORE-GROUPCOMM" is now defined in Section 3 of
[ACE-KGO]. This still builds on the general requirements from Section
3.1 of [ACE-KG], and primarily serves what is specified in [ACE-KGO].

Then, the same AIF data model is extended in Section 3 of [ACE-ADMIN] to
serve what is specified therein. That is, in each Administrator scope
entry <Toid, Tperm>, Toid indicates a pattern of group names, while
Tperm indicates admin permissions on groups whose name matches the
pattern. In particular, Toid can be: i) the CBOR Simple Value "true"
used as wildcard, also part of a suggestion from Ben at IETF 113
[ACE-113]; ii) a CBOR text string specifying a literal group name; iii)
a tagged CBOR item specifying a complex pattern of group names, with the
CBOR tag indicating the pattern semantics (e.g., a regular expression
provided by a text string).

With the above background in mind, the small update for [ACE-KG] would
be in its Section 3.1, about having consistent general requirements when
using AIF. The requirements are currently mandating "Toid" to always be
a CBOR text string, while in fact "Toid" is only _often_ a CBOR text
string (also highlighted by Ben at IETF 113 [ACE-113]). The change can
simply mandate the use of exactly a CBOR text string only for scope
entries related to group members, i.e.:

OLD:
If the AIF format is used, each scope entry is encoded as specified in
[I-D.ietf-ace-aif]. The object identifier "Toid" corresponds to the
group name and MUST be encoded as a CBOR text string. The permission set
"Tperm" indicates the roles that the Client wishes to take in the group.

NEW:
If the AIF format is used, each scope entry is encoded as per
[I-D.ietf-ace-aif], according to the used AIF specific data model. If a
scope entry expresses a set of roles to take in a group as per this
document, the object identifier "Toid" specifies the group name and MUST
be encoded as a CBOR text string, while the permission set "Tperm"
specifies the roles that the Client wishes to take in the group.

Question: is there any objection to updating Section 3.1 of [ACE-KG] as above?

---

Reminder: there are also some minor, editorial changes that are pending,
as already mentioned at point 1 of [MAIL] and during the IETF 113
presentation of [KGO]. These updates are about consistently aligning
terminology and parameter names, as triggered by the WGLC review of
[ACE-KGO] at [REVIEW] and by the latest updates to the CoRE document
[GROUP-OSCORE].

I can certainly process these small pending changes together with the
two main ones above.


Thanks,
/Marco


[ACE-KG]
https://datatracker.ietf.org/doc/html/draft-ietf-ace-key-groupcomm-15

[ACE-KGO]
https://datatracker.ietf.org/doc/draft-ietf-ace-key-groupcomm-oscore/

[ACE-ADMIN] https://datatracker.ietf.org/doc/draft-ietf-ace-oscore-gm-admin/

[GH-ISSUE] https://github.com/ace-wg/ace-key-groupcomm/issues/144

[CBOR-FM] https://datatracker.ietf.org/doc/draft-ietf-cbor-file-magic/

[ACE-113] https://notes.ietf.org/notes-ietf-113-ace?both

[MAIL]
https://mailarchive.ietf.org/arch/msg/ace/wBpceZW1qT1YYICzECnKqvdwQb8/

[REVIEW]
https://mailarchive.ietf.org/arch/msg/ace/SIB_rte0orqkvDEtTAw-1F7Cdzo/

[GROUP-OSCORE]
https://datatracker.ietf.org/doc/draft-ietf-core-oscore-groupcomm/

--
Marco Tiloca
Ph.D., Senior Researcher

Phone: +46 (0)70 60 46 501

RISE Research Institutes of Sweden AB
Box 1263
164 29 Kista (Sweden)

Division: Digital Systems
Department: Computer Science
Unit: Cybersecurity

https://www.ri.se/
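As an added illustration (this is not code from the thread, nor from the ACE drafts), the three Toid forms described under UPDATE 2 and the NEW Section 3.1 wording, in Python: a minimal CBOR encoder for the subset an AIF scope needs, a classifier for the three Toid forms, an anchored group-name matcher for Administrator entries, and the check that a member-role entry carries a text-string Toid. Assumptions: Tperm is an unsigned-integer bitmask, the "complex pattern" case uses RFC 8949's regular-expression tag 35, and the sample values are constructed.

```python
import re
REGEX_TAG = 35  # RFC 8949 tag number for a regular expression carried as a text string (assumed choice)

class Tag:  # a tagged CBOR data item: tag number plus the enclosed item
    def __init__(self, number, value):
        self.number, self.value = number, value

def cbor_head(major, n):
    """Initial byte plus argument for n < 65536 (uint value, length, or tag number)."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")

def cbor_encode(item):
    """Encode the subset an AIF scope needs: true, uint, tstr, array, tagged item."""
    if item is True:
        return b"\xf5"                       # major type 7, simple value 21: wildcard Toid
    if type(item) is int:
        return cbor_head(0, item)            # major type 0: Tperm bitmask (assumed encoding)
    if isinstance(item, str):
        raw = item.encode("utf-8")
        return cbor_head(3, len(raw)) + raw  # major type 3: literal group name
    if isinstance(item, list):
        return cbor_head(4, len(item)) + b"".join(map(cbor_encode, item))
    if isinstance(item, Tag):
        return cbor_head(6, item.number) + cbor_encode(item.value)
    raise TypeError(f"unsupported item {item!r}")

def classify_toid(toid):
    """Name which of the three Toid forms from the mail a decoded Toid takes."""
    if toid is True:
        return "wildcard"
    if isinstance(toid, str):
        return "literal"
    if isinstance(toid, Tag) and toid.number == REGEX_TAG and isinstance(toid.value, str):
        return "pattern"
    raise ValueError(f"unsupported Toid {toid!r}")

def toid_matches(toid, group_name):
    """Does an Administrator entry's Toid cover this group name? fullmatch anchors both ends."""
    kind = classify_toid(toid)
    return (kind == "wildcard" or (kind == "literal" and toid == group_name)
            or (kind == "pattern" and re.fullmatch(toid.value, group_name) is not None))

def valid_member_entry(entry):
    """NEW Section 3.1 rule: a member-role entry needs a tstr Toid (and a uint Tperm)."""
    toid, tperm = entry
    return isinstance(toid, str) and type(tperm) is int and tperm >= 0
```

Note that the matcher uses re.fullmatch on purpose: a pattern Toid must cover the whole group name, otherwise "gp[0-9]+" would also grant admin rights over a group named "gp42-archive".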