[Ace] Review for draft-ietf-ace-key-groupcomm-03

Jim Schaad <ietf@augustcellars.com> Fri, 08 November 2019 01:33 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E13812004A; Thu, 7 Nov 2019 17:33:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fdiN_zD1bVza; Thu, 7 Nov 2019 17:33:21 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD14A120018; Thu, 7 Nov 2019 17:33:20 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 7 Nov 2019 17:33:14 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: <draft-ietf-ace-key-groupcomm@ietf.org>
CC: <ace@ietf.org>
Date: Thu, 7 Nov 2019 17:33:12 -0800
Message-ID: <036f01d595d4$7daa8430$78ff8c90$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AdWVtirQbQgNKFTfQpqJHRwtDOl7Qg==
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Dcp_FwxpEddaKmkrHOG5G-qOODE>
Subject: [Ace] Review for draft-ietf-ace-key-groupcomm-03
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Nov 2019 01:33:24 -0000

This is a review based just on reading through the document.  Comments based
on trying to implement after some time.

After reading this, you have started down the path of being RESTful, but you
are definitely not there yet.  You need to examine statements like "GET
method is safe, meaning that applying it to a resource does not result in a
state change of the resource".  

1.  In section 4 - The new format name is backwards - the "+cbor" goes on
the end not the front.  If you are defining a CBOR number/JSON name mapping
that is unique for this then a new content type would be indicated.

2.  In section 4.1.2.2:  It I not clear to me why an unauthenticated version
of this would be to return the group parameters, assuming that such are
public.  The assumption of public would come from the fact that it is
returned from the POST of the token where it is returned.

3.  In section 4.1 - I understand that "gid" in the paths is going to be a
group specific identifier.  It is not clear to me if "node" in the path is
also going to be a per registered node or a single node.  This may be left
over from what I remember in Montreal.

4.  In Section 4.1.2.1 - 'get_pub_keys' - This text appears to imply that
the client knows a priori if the KDC is going to store the keys.  It implies
that if the KDC does not store them, then it might be considered an error to
include this key.

5.  In Section 4.1.2.1 - 'client_cred' - should this text be altered to
reflect the concept of a monitoring node that would never respond?

6. In Section 4.1.2.1 - 'client_cred_verify' - where does N_S come from in
the event that the token is used directly to validate in TLS rather than
being posted.

7. In Section 4.1.2.1 - 'pub_keys_repos' - It is not clear to me if the URI
includes some type of query parameter to map to the certificate rather than
just being the URI of the repository itself.

8. In Section 4.1.2.1 - 'num' - Is this field ever allowed to be reset to
zero by the KDC?  

9. In Section 4.1.2.1 - 'kty' - I would suggest renaming this to 'gkty' to
avoid confusion with the same field used for COSE and JOSE keys.

10. In Section 4.1.2.1 - 'mgt_key_material' - I think a better set of
requirements is MUST say if it is used, if used then MUST be specified.

11. In section 4.1.3.1 - This seems to be better reflected as a FETCH rather
than a POST operation.

12. In Section 4.1.3.1 - I don't understand the requirement for the
'get_pub_keys' value has to be non-empty.  Is there any reason not to say
that empty equals all?  Alternatively it could be a return nothing answer
but not an error.

13. In Section 4.1.6.1 - It is not clear how I am identifying the "client"
to be removed.  Can I do a third party removal?

14.  In Section 4.1.6.2 - Is this supposed to return new keying material or
the current keying material.

15. In Section 4.3 - I am not sure why I would be observing /ace-group/gid
rather than /ace-group/gid/node in order to get updated keying material.  I
don't know that I would want to get all of the public keys when it rolls
over.  Alternatively, I would observer /ace-group/gid/ctx-num for the same
purpose.

16. Section 4.4 -  It seems odd to use GET for the purpose of renewing key
material.