Re: [Ace] OSCORE Profile status update and way forward

Francesca Palombini <francesca.palombini@ericsson.com> Mon, 19 October 2020 15:52 UTC

Return-Path: <francesca.palombini@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D3AF3A0B04; Mon, 19 Oct 2020 08:52:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.201
X-Spam-Level:
X-Spam-Status: No, score=-0.201 tagged_above=-999 required=5 tests=[DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PanVWwOAzyTS; Mon, 19 Oct 2020 08:52:43 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80040.outbound.protection.outlook.com [40.107.8.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5EC53A0AEE; Mon, 19 Oct 2020 08:52:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=U6/sroveREz984wCaGrIuXX52m+BoljKIGhU+se01RxIF200ZnmGAsucGQWjh65fouMJ9ZeCRJRLUft2iY59/TXLopBpB5RHFfQDIQcX3rmLX5z0gBm/+P0ZTKL1Hgu2kIp2MHra+QBsNF2iQewMXf74dqOONkYbd8V8OXyYZlkwu9Zdb6WkROxSeNWjJND3K+rCSWJ1G36J7uBimXVaaHK/Ruyu8BOORhJh2iU7f7FuAoLueTlWk2teqR8wejiFOraT+oMtYzbQCTRlxeRdMTFTteSBPTQfmYQBMIhIHEvjDlbuZlk08slAaxqXNGCmOt113vJk4yj1ZvSVIBpTQw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HxEcR+nufenvPCTA8eJPk8vs7RSvrTjV8cMudALNmVU=; b=XhLowCWAwTf7qIsqcSrY3DgpoV3+r5zhn0OK4u8dYBe22uabywxNTQF4gAmgV772mEBjSLhP6tIldLdgRsU6hFswpu7pnls09gQfTqtyRLfRp6ucxcDzHUUlhWpLoElQ04Ll1oY/xMZ71lUTEqkXgFRWVHBNFqJcRx8CUp9UneFM+gKzm2w1weVFmqFVq/Y/56/bG2NHMUEa1vNFRUBdd50BbuxvJQ8EKRsjJKHIFqOlkkHCCPWbYEjXBweG1fz5br2WIgNz3BSBNFw0RdHJg8TbGXGtpuZd/4hyLiMGaxwdGIHhM+vYDk3Sn7jcP5WX34eFmrg/d3P+ANF/qYYgxA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HxEcR+nufenvPCTA8eJPk8vs7RSvrTjV8cMudALNmVU=; b=NdHIkbg4KDg0MWYlSZpwvbwaEDycEkk7zmrCe8Nvw2gT8N8Uo7gdqjP+8IMtm0k5IgOvBK/aCbOdYHB8XNquJwFnxL77hBlStFd8omr1GVJ5c61ZE9KE/qb3itpyhBm2PVg46wZTZHzGrjy6/NFUHOAR6MuHJg/SCztvwRIvyoM=
Received: from VI1PR07MB4477.eurprd07.prod.outlook.com (2603:10a6:803:74::33) by VI1PR0701MB6831.eurprd07.prod.outlook.com (2603:10a6:800:191::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3499.7; Mon, 19 Oct 2020 15:52:40 +0000
Received: from VI1PR07MB4477.eurprd07.prod.outlook.com ([fe80::d9ad:72f6:f14b:40ef]) by VI1PR07MB4477.eurprd07.prod.outlook.com ([fe80::d9ad:72f6:f14b:40ef%7]) with mapi id 15.20.3499.015; Mon, 19 Oct 2020 15:52:40 +0000
From: Francesca Palombini <francesca.palombini@ericsson.com>
To: =?utf-8?B?Q2hyaXN0aWFuIEFtc8O8c3M=?= <christian@amsuess.com>, Daniel Migault <daniel.migault@ericsson.com>
CC: Ace Wg <ace@ietf.org>, "draft-ietf-ace-oscore-profile@ietf.org" <draft-ietf-ace-oscore-profile@ietf.org>
Thread-Topic: [Ace] OSCORE Profile status update and way forward
Thread-Index: AQHWkB3lL5vgPcSqm0itM92+Khf54amPhgcAgAm1lwCABiVrgA==
Date: Mon, 19 Oct 2020 15:52:40 +0000
Message-ID: <E3D11940-7AD4-4F3F-B24A-6DE5CA9FD5A9@ericsson.com>
References: <2D021116-D240-4EE8-9223-83E9F9D4A4EB@ericsson.com> <20201009154454.GA1050533@hephaistos.amsuess.com> <809D1CE3-A75E-4871-9E1D-48260E787762@ericsson.com>
In-Reply-To: <809D1CE3-A75E-4871-9E1D-48260E787762@ericsson.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.42.20101102
authentication-results: amsuess.com; dkim=none (message not signed) header.d=none;amsuess.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [158.174.219.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1ddfa848-ad40-47a0-1dc7-08d87447024a
x-ms-traffictypediagnostic: VI1PR0701MB6831:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <VI1PR0701MB68311813958D721E9302C491981E0@VI1PR0701MB6831.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: uAW3j3xZPDNwrqWZaV9fooA9nRMHUCfK2yllxkYR26CTER23D59lee41p7XSvLBCihOSNcl00O6veHxwi0Y4cyuO5e6dNQPcdXmUUk62sAZteFFkA/OYDqzN+/QUh285tEbzHUDALzVXsfjw6Jr3S6oAUCY4CP3oFDUpjxQWADeTNOaEg7t2ihutILvRsd8VdDcnOWT/7glzLYT06sTv8DF1BBizrPXHuao9GZlVxMZOYVbOO/a2Q6f1s9E8Q2vCN67JqTBN9Vet4KfQSFIZglov8J4qPpKT2h8dSoPdGW9ciry/F7tCUMsEez4Hdr36mEROZRSWBsvsiaa2yqhGqQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR07MB4477.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(396003)(366004)(136003)(346002)(39860400002)(376002)(64756008)(316002)(66556008)(66476007)(110136005)(36756003)(66446008)(6636002)(86362001)(26005)(54906003)(66946007)(44832011)(2906002)(4326008)(6512007)(2616005)(8936002)(66574015)(15650500001)(83380400001)(33656002)(53546011)(6486002)(71200400001)(91956017)(76116006)(478600001)(5660300002)(186003)(8676002)(6506007); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: zVy/zCZj/uSbB+1QBNOmnCIdWpO9VASZIcdkuyImLgbBhSCgCR6C3CKq8IS3pfwNzPL8Ro8GnRmDp8NO2B6ctjxRTVZDSbjiYvk6wxJH5hSHmC5REmSbzh7YdrgFkebiCfO5zFaH7Do94xUFOZ19V2z4O+cP6gJ3riHJAZ35D6urzPNG0r5MENY3xlIuPo/B/nlDp2tYNTYf1ZRMg7duPTFQ3mIzHw96jxBBi5cnphQILOj0pZLTZsgl9tPUu/NXehgk5BcA+RJV1/ZqOLXqWqnaBKJsgnwmH5g93l/hM/29JkDX1ZMLcoaY+G+T/ACFOTcuc3CkEXUbo9MPSUElsV/pnvqhR4MCrDUm8AsOqDQu4DaJYnyUgKxZbo3YvZFPM+0LGB8xBVM2kpNEphk2ikk4Rx/d7h3vJMt5vDFiTz0oWmDLVRb+7GGkw4oDaJI70/n/SGmaWFOeVLSd6yH0w/wpPdEQH2LDhgEHlVwE5AD7siCGQeu/InPpkrrplHIHxtsi90QFuO5S7UcWElhFaW5qSWBgxYUEqgfcr+Mcs8Xs3Qaf0e47oKMMu1V2lLz91TrAHewau2gxS9FCDUEfLiU0fy8qDwnI0Xzng/NDO7BGvW9eOw3lzQqinXwI9itZvDY04bhFPICeeqZGp6v9rw==
Content-Type: text/plain; charset="utf-8"
Content-ID: <2684A52B2230B146A276E4834102512D@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: VI1PR07MB4477.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1ddfa848-ad40-47a0-1dc7-08d87447024a
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Oct 2020 15:52:40.1687 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: F1vsqLTblflRGBM4/9iGb/v2PkmxTBK+3c0wdWrTnLVaPdex4JuFxaU1ZHJXrDhcqYU65onEFpKxnpd7/nug0AJ8mRQ2tUvAY4tzZ4j5/Z69B4cKCLzHDh6tBskbSi4g
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0701MB6831
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Dja5BLUNYNaogZ9zSuN9R3jtzNU>
Subject: Re: [Ace] OSCORE Profile status update and way forward
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Oct 2020 15:52:44 -0000

Hi Christian, Daniel,

Daniel: I agree that what you describe is the best way forward. Once the PR regarding the negotiation of Ids is merged, I can only see a minor addition to the draft, to clarify what Christian has brought up. By the end of this week we should have Christian's comment implemented as well. After that, we're ready for another round of reviews, and I think a WGLC is warranted.

Christian, let us know if there is anything else except some more considerations covering what you are saying. Göran summarized it well, but basically no, there is no particular benefit. The sentence was added as the response from a review comment, but it seems like a good idea to add more context to it. 

Thanks,
Francesca

On 15/10/2020, 20:01, "Göran Selander" <goran.selander@ericsson.com> wrote:

    Hi Christian,

    The purpose of the update was to clarify that Appendix B.2 of RFC 8613 could be used in conjunction with the ACE OSCORE profile. But as you point out, the use of B.2 would need to be understood between the client and server beforehand. There are slight differences: With B.2 there is no need to transport the access token again. And B.2 can be triggered by the (resource) server, if it understands that it does not have the right context (which can happen even if there is no ID context in the request). Just using the ACE OSCORE profile, the client would need to understand that the context is lost and run the protocol again. So, there is a difference but essentially the same functionality can be obtained.

    Would it be sufficient to clarify the differences as above to address your comment?

    Thanks,
    Göran


    On 2020-10-09, 17:45, "Christian Amsüss" <christian@amsuess.com> wrote:

        Hello Francesca, hello ACE group,

        On Mon, Sep 21, 2020 at 01:48:33PM +0000, Francesca Palombini wrote:
        > - clarified that Appendix B.2 of OSCORE can be used with this profile,
        > and what implementers need to think about if they do.

        I understand B.2 to be something that the involved parties need to agree
        on beforehand; after all, the ID context may be something the server
        relies on (at least for the initial attempt) to find the right key,
        especially when multiple AS are involved. (For example, the RS could
        have an agreement that the AS may issue any KID as long as they use a
        particular ID context). If the server expects B.2 to happen (which, as
        it is put now, it can as long as it supports it in general), it needs to
        shard its KID space for the ASs it uses. (Generally, B.2 is mutually
        exclusive with ID contexts's use of namespacing KIDs).

        Is the expectation that clients that do not anticipate B.2 by the time
        they are configured with their AS just don't offer B.2 to their peers?

        Given B.2 is in its current form client-initiated only (AFAIR we had
        versions where ID1 could be empty in draft versions, but currently it
        reads as client-initialized), does B.2 have any benefits for ACE-OSCORE
        clients? After all, they could just as well post the token with a new
        nonce1 to the same effect.

        Kind Regards
        Christian

        -- 
        To use raw power is to make yourself infinitely vulnerable to greater powers.
          -- Bene Gesserit axiom