Re: [Ace] WGLC draft-ietf-ace-extend-dtls-authorize

Marco Tiloca <marco.tiloca@ri.se> Fri, 18 February 2022 13:20 UTC

Return-Path: <marco.tiloca@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 575773A1116 for <ace@ietfa.amsl.com>; Fri, 18 Feb 2022 05:20:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.814
X-Spam-Level:
X-Spam-Status: No, score=-2.814 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.714, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ri.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QYsSSWQ8GS9p for <ace@ietfa.amsl.com>; Fri, 18 Feb 2022 05:20:21 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on0620.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0d::620]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B29013A10DE for <ace@ietf.org>; Fri, 18 Feb 2022 05:20:19 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XkpJW1JgaphCTkeCVZTo39flbdyX7+aov5rSfTWZLNhbE0m2MgB7qX/ObHldDJmnYQTd1Ag9un4eaITT0hWiAItDNfvZz9gvkpCbXGeiGkPb6tS3bF87+UcKBjnf7Xr4PvwkwHxszxzwgNQB9n2Ur79TrdBKnOQIqaih+Stf6rEDk59ox2g6PQy+2qDuUsPJeE6F4NqouAlCG0WibqT88TnRDEUFXNH51EX/8zoFjPdL2LPBIZv2V0CG7NQTWtPoVN07R3TF9f5f1aEkUbZQ1E1nOsh5twQLEg9UVQLQLDSqPwlBI0P+Dtj5+T3cGsSV3ZAU/fySMexuClfQXkhu/w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ll00B3Nc7Pbeqe4ZpbxF68i43dTZBQIMGvD2Q4eBADw=; b=kjs6VeOWiibFwZVN6sK1wAZt9FS1p8EtlqM7FlpuQvMuYmInWrKN4+u/uRUT4vRAKsv/X1IKD5MmKzMQLDZMW76LiWCbb4PaJHf42GF+DqDYzIMP1zfF+JWE2k/kbzdnzDu5KiXbEextdA+92PKUedfE/kUX6Y0PHiDl4l49Pzdk0YxBUXzC1VGIrJB6HgaFMLgJH7PU/p3PIGZTcRraApsMNe7Fv7NoaqD3lkKwMZ8bvpMcSB/9yfGg5jUymDXTAQAL25XUHO3ba7aLiQVDJQH2Ry1zc0wPQ8O/L3x/HpnZ1WiLHke+U6ELVpQ+/WB8j0BejO4WY+faGviV8Mftbg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ri.se; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ll00B3Nc7Pbeqe4ZpbxF68i43dTZBQIMGvD2Q4eBADw=; b=dSGmQVRTjN+9oNjMP1GET+2VgooTgHPnz6xcguABD/BCHAjWkM4lzDHgvTGP5bPDn4yTKeJ7W2hFZDFhqdy90vlVzxPZ1461QZtpv3dwc5cKIMulhjmKEgvDJ6gX90vSKMPElVnXuTnalUdopUZAND+5Is3oVzEM5zS52k1giNw=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ri.se;
Received: from DB8P189MB1032.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:16e::14) by AM5P18901MB0164.EURP189.PROD.OUTLOOK.COM (2603:10a6:203:77::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4995.16; Fri, 18 Feb 2022 13:20:13 +0000
Received: from DB8P189MB1032.EURP189.PROD.OUTLOOK.COM ([fe80::8548:6918:4d2d:e57a]) by DB8P189MB1032.EURP189.PROD.OUTLOOK.COM ([fe80::8548:6918:4d2d:e57a%4]) with mapi id 15.20.4995.022; Fri, 18 Feb 2022 13:20:13 +0000
Message-ID: <8e507770-8438-9721-7e42-b0fcd5c08360@ri.se>
Date: Fri, 18 Feb 2022 14:20:10 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-US
To: Olaf Bergmann <bergmann@tzi.org>
Cc: Daniel Migault <mglt.ietf@gmail.com>, Ace Wg <ace@ietf.org>, Loganaden Velvindron <loganaden@gmail.com>
References: <164396483981.22307.17112641331652425403@ietfa.amsl.com> <CADZyTk=BKLPUBBp88c6W0baYjjfpgJb7R=p9H+XkZ_4YoRTGiQ@mail.gmail.com> <1c0c1db5-926f-31bc-10b6-7edc2f5da773@ri.se> <87h78wz6px.fsf@wangari>
From: Marco Tiloca <marco.tiloca@ri.se>
In-Reply-To: <87h78wz6px.fsf@wangari>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------0S4HHBZRLA1e0H9ewrOrn6af"
X-ClientProxiedBy: GV3P280CA0050.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:9::13) To DB8P189MB1032.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:16e::14)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: daafde1d-a0be-4c25-c26e-08d9f2e16556
X-MS-TrafficTypeDiagnostic: AM5P18901MB0164:EE_
X-Microsoft-Antispam-PRVS: <AM5P18901MB0164D076240E4B5B6D04D92099379@AM5P18901MB0164.EURP189.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: MjDTuRXyS26I84/vboHeAKJyQZvOtcY7qOWMNtmYmUhdsZGEI8WkoRaPuQEbV8infnOM1mzVFiItveKkdLT/koqJ0BGLRs9vVkUZs90wqnrJpGBgXvU4oqc0VHCySvGpoq1VJnBcEEVtC/LB0LFzPvZuEh5HaYU2M8ufm0d3D5ZdcxiYFgImRRS+SeTKe6JLS2XB+pjU5grND6otNcKMmPeq+JDAcsYd88G7AUi5VylSmGP6jjk/9ZA/+ufTD8VIxZefo+Ve6ojencGNZfcAkT4mB9fbogqMfbbwm6YrWNod6oh18tUeGqouYtMYLcUHTmTd4j7rW9x62VraydBlEmpJT1Vw7GNNmt14nFg4uR3qTiTbgUx78Cr9TV11srQtHI+PgscPQPHtI8XUD1Yl6MF/9Xjgd14AOlO3i5GNUwj6/UgaPI66F9VbaXaKY9iCgEiBdrEXrXgCihA7ZBOZdyh0AhEpwMUNXk/NTJZ1wGv0PaPuPcCdZEcsYcbiChsr0+7spWnC+NbasQGguNUe+bCLJ1LN7POxL1WHxNN4cltfaliRcaLtCgXzUSrTnH8oF7OiGhnxUKdmZfb2MCtm2yLjXT4cfyUWybhiFUZg7WkzmkkU/Wr2+5avwlSjAny9poIo86BItQz9Mqb5uH6J5YS8i6qaiXbKNt/HAv3DZDpDANO52I70/J1kfJXVQNd10Cx36Cq5oj8Lo1Pkd6uaiQ5Hk09WDLtwbwvREhrcTCjPMJwO90/63mIp8h7sq9PSlq351Kmodv/+5kzE55sV7/z+s4zF+vzMWvTkaDUw6S6/Iqb2TiLxPafsd2J+ra3f
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB8P189MB1032.EURP189.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(6916009)(8936002)(186003)(53546011)(66946007)(6506007)(8676002)(33964004)(6512007)(2616005)(31696002)(66556008)(508600001)(26005)(86362001)(966005)(6486002)(316002)(21480400003)(83380400001)(4326008)(38100700002)(66574015)(54906003)(44832011)(36756003)(2906002)(31686004)(5660300002)(235185007)(66476007)(45980500001)(43740500002); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: mWWR5LdpXYguEegXYqTRU2n52IQR/MqXIcsx7/caVQAClE8Dag3BrzZSL+XJ0ELNOao1UfpEkaZs4Sqekiu4RXEPK19IIdehxBkEbUhvY0lG6yFC8qL66X1OYqxaF4Kf18DOTiSpmmKwlJ0H9h0J6vVm4lX/Ru359hYb8Pj7QoR1pwnALW4O6jRG4E8BWZbuboEZv/qYGhFfCYoL2wImBtrfWOKAR3svpPtsbv3uNlZrm5sSTuEPu3lm4QDDPWBuVPDM4T1spxw49W30amvO2qNXOtt3Jfj8c/9FCLwkNT2OGG+GTIslZ2R3XdKksf2EM0IbMEcpvlZHOYvKKQS2iGVeRT0OqSwrKLMxVximhV/ArKaIFsN9wVorf4IPiGpaTZbYCbtmZYW3bRf/dte5yCiSHW/n8rSM1FkocI45jd/aSYUDD8YbwQiWtGp7p9dTljOGswnKGiTyVzhYz2GJb3gQRJiDZsmbpHSwZN3hcmdLudK/9m01RNG6HjEsLKv8baj7IR94q5r0H8yXuOm82dnr2ZZmnou/dfjgd/MhMvZOFQuA9mRwxSDY3ErzQ9ez+K1X8zhmrV0kPaQd31h8INvNKvVxOti93+/KXHbBLoviHNB4uibNvQ790D0Ahng30sBRuFNp0MFQsr1H68FtcJaON8MQi6zNFBxtfjWrvZPpPLBCZnJj29FEgg3lhrfgIF/RXkQR7Jyenb3oVte45BhwgDmvEYEayEp2j0QtwV/7zTwtYlUd8FzyvQL2MhhDrR43cFq2/PoBEJNoilZvgf0bOFGoz8n0KGDKfjDi4xJoK6ahRh5QskY2HSTZ5nWQE614Bnp+S06QE/jnF7VL9OAvni7+rWxIzniIjm7qQ8g/pqSUWEc5q4P2oUIE/DRA5N9trtVcB5iQcA/NygnR/cqNvGVIySO+9uAIjiVYEW6JDSqSajfjirM5OuBLH/ZckL/U/0JaACs4+G+9c6F+T5lkwC+xrjV8to6DcA296VcVilJ7piffgZkcBeJI88vED6wbzTo+y98d4bFcxPhW4eg4rktRvvaWHLyQ4mC0S8fcG9hS8luYWq7LFiYLwDKb878yOiHcOnZTJe2xJh547LeUHe+rPg8GfzJUQ2lZc+muN1EVaxcAA9RnDJDWOSQoOVbMGAYCB2pSFgxD2FMIv/yw1WwGnsJKZPxXrojFi+rfWnDgm3/jEPkWbhBdzRZpFpuq7nJiTDCJc0U6itVC5zmrtuFL4HcxluWEF+5hcBQF70wLoiJeFHsq4vS0zc3MhgLHzi0ZDYXIqZ5weI+WQUicFnsBBJpa8cwDEFBOv+YVPZQu08jvumfxjzpb7tZon9Yl47cxLC9hiuu/XxMrkY9b4n6GR3uCIfbMWL8H3kNoXU/doxfJg02W2nLgQQNHJlEsuC7dw7G6bD/RNtHFtBprLQWmDV9+3DR4dDE7SJsZnddVphUCYHT75tlg4+GRbmROq7dKD8i2hnsA9v1L5j+cen4B6kYWECgGEGe/EIN774DfWurP7ng1EsVfVzPhGzKkx6QD4+0OpuuXxId5CTTwUo1rZUTxaHA9ra30xoOTrrrs5XH25Jgl+hylAlGAH1m/SR0aU9f8t4vcpzVzxfp2wUR7hOjKoQkpi3aT0XY=
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: daafde1d-a0be-4c25-c26e-08d9f2e16556
X-MS-Exchange-CrossTenant-AuthSource: DB8P189MB1032.EURP189.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Feb 2022 13:20:13.3727 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: YAATvV/WcxyK9aye++nu4TjOGTJgxA8iBvjDgKCCifuVlR0BG0XzdtWVVK2LMcuqEwpqVE5GkBmWzbmlXL2iyw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5P18901MB0164
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/DwI8GIbsH4Kp0eExMcW00a9E8bc>
Subject: Re: [Ace] WGLC draft-ietf-ace-extend-dtls-authorize
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Feb 2022 13:20:38 -0000

Hi Olaf,

Thank you for the quick update!

Please, see my replies inline (trimming the solved points)


On 2022-02-18 13:42, Olaf Bergmann wrote:
> Hi Marco,
>
> thanks for the thorough review. I have done most of the suggested
> updates (see Editor's copy [1]).
>
> Just a few comments and questions inline.
>
> [1] https://ace-wg.github.io/ace-extend-dtls-authorize/draft-ietf-ace-extend-dtls-authorize.html
>
> On 2022-02-18, Marco Tiloca <marco.tiloca=40ri.se@dmarc.ietf.org> wrote:
>
>> [Section 1]
>>
>> * For consistency with draft-ietf-ace-dtls-authorize , I think
>> here it would be better to refer to RFC 6347 when mentioning
>> DTLS. The original profile only mentions DTLS 1.3 as a possible
>> later version, without pointing to the specification.
> Done.
>
> DTLS1.3 now is not referenced anymore. Do you think a normative
> dependency for DTLS1.3 is required?

==>MT
I think you can remove the DTLS 1.3 entry from the list of normative 
references. That reference is not present among those in 
draft-ietf-ace-dtls-authorize either (where DTLS 1.3 is at least named 
once), so it feels even more unnecessary here.
<==
>> * "The same access rights are valid in case transport layer
>> security is either DTLS or TLS, and the same access token can be
>> used."
>>
>>     This implies that the "ace_profile" claim in the access token
>> and the corresponding "ace_profile" parameter in the AS-to-Client
>> response still indicate the profile name "coap_dtls", even though
>> TLS might be used between C and RS. I think it's better to
>> highlight it.
> Yes, good point.
>
> I have added the following sentence at the end:
>
>    Therefore, the value `coap_dtls` in the `ace_profile` parameter of
>    an AS-to-Client response or in the `ace_profile` claim of an
>    access token indicates that either DTLS or TLS can be used for
>    transport layer security.

==>MT
Looks good.
<==

>> * Building on the previous point, there's probably something more
>> worth clarifying. Let's say that the client receives an
>> AS-to-Client response specifying "ace_profile" with value
>> "coap_dtls". Presumably, the following applies:
>>     
>>     - The client can feel free to go ahead with TLS or DTLS as it
>> sees fit, if it does not know in advance which the RS prefers or
>> exclusively supports.
>>     
>>     - Then, if the RS does not show support for DTLS (TLS), the
>> client may want to try again with TLS (DTLS) if supporting it.
>>     
>>     On the other hand, a client or RS that has been registered to
>> the AS as supporting the "coap_dtls" profile is supposed to
>> support at least one among TLS or DTLS.
> You are raising an interesting point. It might happen that the
> client supports either DTLS or TLS, and the resource server has only
> support for the other transport layer security, they might not be
> able to talk to each other at all. The same might happen for other
> values of 'ace_profile' but for different profiles, the
> AS-to-clientn response would make this transparent.
>
> Do you feel that we should elaborate on the case where ace_profile:
> coap_dtls is returned in the AS-to-Client response but client and
> resource server still will not be able to setup a (D)TLS connection?

==>MT
Yes, it would help to elaborate on that. As you say, there is a 
possibility of no commonly supported transport security protocol, 
although within the commonly supported profile.

In that case, and assuming that neither of the two parties can be 
(promptly) updated to broaden its support, the client would just have to 
give up after failing to establish a channel with the only transport 
security protocol it supports.


Thanks,
/Marco
<==

> Done
>
> Grüße
> Olaf

-- 
Marco Tiloca
Ph.D., Senior Researcher

Division: Digital System
Department: Computer Science
Unit: Cybersecurity

RISE Research Institutes of Sweden
https://www.ri.se

Phone: +46 (0)70 60 46 501
Isafjordsgatan 22 / Kistagången 16
SE-164 40 Kista (Sweden)