Re: [Ace] I-D Action: draft-ietf-ace-oscore-profile-10.txt

Benjamin Kaduk <kaduk@mit.edu> Tue, 28 April 2020 17:22 UTC

Date: Tue, 28 Apr 2020 10:22:45 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Francesca Palombini <francesca.palombini@ericsson.com>
Cc: "ace@ietf.org" <ace@ietf.org>
Message-ID: <20200428172245.GQ27494@kduck.mit.edu>
References: <158377224835.5665.8978399627549182400@ietfa.amsl.com> <1EC26EAB-B4BF-4EAB-ACC0-E2E8F18D4655@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/E1rHoQqqQ0taHMxi5cT3R7zcGTI>

Hi Francesca,

I took a look through the updates and we are looking in quite good shape.

I filed https://github.com/ace-wg/ace-oscore-profile/pull/30 with a few
final suggested tweaks, though I cannot quite say that they are all just
editorial.  In particular, I remove text about "the client MUST include the
access token using the correct CBOR label (e.g., "cwt" for CWT, "jwt" for
JWT")" since I didn't understand how that was expected to work and it
wasn't reflected in the example.  I also propose to remove "verification of
access rights" from the discussion of the procedure to upload a token that
updates the access rights on a given security context -- the "verification
of access rights" is superficially parallel to the procedures specified in
the previous paragraph, but the previous paragraph talks about regular
OSCORE exchanges (that do operations that have access control applied to
them), whereas the text in question is just for the one-shot "upload new
token" operation.

Once the text from Jim arrives, then we should be all set on this one ...
to wait for the DTLS profile, that is, so the group of four documents goes
to the IESG as a unit.

Thanks!

-Ben

On Tue, Mar 10, 2020 at 09:08:11AM +0000, Francesca Palombini wrote:
> Hi Ben, ace,
> 
> These 2 updates (09 and 10) address almost all the AD review comments of v-08.
> 
> V-09 covers the majority of them, as we discussed in this thread: https://mailarchive.ietf.org/arch/msg/ace/rgVfs3dzcWQnNlXn331DdpQfwwQ/ and listed in this issue: https://github.com/ace-wg/ace-oscore-profile/issues/26 
> 
> v-10 covers the remaining: 
> 
> * The mechanism of letting the RS pick the identifier of the client is not worth the additional complexity.
> 	6, 7, 32, 61, 65,
> * Define and register 2 new ACE parameters to transport the nonces used in the exchange, instead of using "cnonce".
> 	3,  53, 60
> 
> The following issue is still open (during the interim meeting Jim volunteered to give a try to draft some text, and we really appreciate his help) and we should pinpoint what we need to include in the document about: 
> 
> * Recommendation about length of nonces N1 and N2 to use.
> 	5, 52
> 
> 
> Thanks,
> Francesca
> 
> 
> On 09/03/2020, 17:44, "Ace on behalf of internet-drafts@ietf.org" <ace-bounces@ietf.org on behalf of internet-drafts@ietf.org> wrote:
> 
>     
>     A New Internet-Draft is available from the on-line Internet-Drafts directories.
>     This draft is a work item of the Authentication and Authorization for Constrained Environments WG of the IETF.
>     
>             Title           : OSCORE profile of the Authentication and Authorization for Constrained Environments Framework
>             Authors         : Francesca Palombini
>                               Ludwig Seitz
>                               Göran Selander
>                               Martin Gunnarsson
>             Filename        : draft-ietf-ace-oscore-profile-10.txt
>             Pages           : 30
>             Date            : 2020-03-09
>     
>     Abstract:
>        This memo specifies a profile for the Authentication and
>        Authorization for Constrained Environments (ACE) framework.  It
>        utilizes Object Security for Constrained RESTful Environments
>        (OSCORE) to provide communication security, server authentication,
>        and proof-of-possession for a key owned by the client and bound to an
>        OAuth 2.0 access token.
>     
>     
>     The IETF datatracker status page for this draft is:
>     https://datatracker.ietf.org/doc/draft-ietf-ace-oscore-profile/
>     
>     There are also htmlized versions available at:
>     https://tools.ietf.org/html/draft-ietf-ace-oscore-profile-10
>     https://datatracker.ietf.org/doc/html/draft-ietf-ace-oscore-profile-10
>     
>     A diff from the previous version is available at:
>     https://www.ietf.org/rfcdiff?url2=draft-ietf-ace-oscore-profile-10
>     
>     
>     Please note that it may take a couple of minutes from the time of submission
>     until the htmlized version and diff are available at tools.ietf.org.
>     
>     Internet-Drafts are also available by anonymous FTP at:
>     ftp://ftp.ietf.org/internet-drafts/
>     
>     