[Ace] remarks on draft-tiloca-ace-oscore-gm-admin-00
Jim Schaad <ietf@augustcellars.com> Tue, 19 November 2019 23:13 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDB6B1208EC; Tue, 19 Nov 2019 15:13:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yt2VF2lgsd5w; Tue, 19 Nov 2019 15:13:56 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E5881208AC; Tue, 19 Nov 2019 15:13:53 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 19 Nov 2019 15:13:46 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: draft-tiloca-ace-oscore-gm-admin@ietf.org
CC: ace@ietf.org
Date: Wed, 20 Nov 2019 07:13:44 +0800
Message-ID: <01b401d59f2e$ff406560$fdc13020$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdWfJkCd54YEkIoYSoqR2Q9ieECPkw==
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/DhAI3fdLB_qf3jF_9oQlqVivdyE>
Subject: [Ace] remarks on draft-tiloca-ace-oscore-gm-admin-00
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2019 23:13:58 -0000
This is just going to be a high level review on how things are done rather than a detailed review on each line of text. 1. - Go and read that CoRE Pub-Sub update document - you know the one that Klaus and friends have not managed to get written since the model proposal was done way back when. 2. Re-write this to use CoRAL - Yes I know that this makes another dependency on getting it published from the CoRE group, but I don't want to do things multiple times. 3. I think that this document really needs to be able to be used with HTTP/JSON as well as CoAP. If you can get the JSON version of CoRAL from Klaus then this falls out without any work. 4. Are you making it a requirement that the group name be the same as the group identifier assigned by the "group_name" parameter? If so then having some type of title and description would seem to be almost mandatory. 5. There needs to be some parameters around pointing to the correct AS and so forth. The management API may reject because it does not trust the AS. Don't assume that this is a single value for the AS either. 6. You are missing a lot of management detail on the POST to the group node. Some of the things that are missing would be: a) Is the group active or inactive b) How does the server react if you change a the content encryption algorithm, is this a simple re-key operation or is it more complicated c) How does the server react if you change the signature algorithm? This would seem to be a much harder thing to do if the group is not empty or not active as everybody is going to need to re-join. d) Other parameter that are changed may be just as bad as changing the signature algorithm - how the re-key is done jumps immediately to mind. 7. Is there currently any way for a KDC to signal to all of the members that have joined that the key group no longer exists? A DELETE would seem to indicate the need to be able to do this. Jim
- [Ace] remarks on draft-tiloca-ace-oscore-gm-admin… Jim Schaad
- Re: [Ace] remarks on draft-tiloca-ace-oscore-gm-a… Marco Tiloca
- Re: [Ace] remarks on draft-tiloca-ace-oscore-gm-a… Jim Schaad
- Re: [Ace] remarks on draft-tiloca-ace-oscore-gm-a… Marco Tiloca
- Re: [Ace] remarks on draft-tiloca-ace-oscore-gm-a… Jim Schaad
- Re: [Ace] remarks on draft-tiloca-ace-oscore-gm-a… Marco Tiloca