Re: [Ace] MQTT, OSCORE, DTLS profiles - recommendation on RS - AS communication
Daniel Migault <mglt.ietf@gmail.com> Tue, 13 April 2021 12:58 UTC
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Tue, 13 Apr 2021 08:57:53 -0400
Message-ID: <CADZyTkk4j0TJMFFPZ0j4zXo1miRBdG4A=jQUJQdiePdsiiMkVA@mail.gmail.com>
To: Cigdem Sengul <cigdem.sengul@gmail.com>
Cc: Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org>, "ace@ietf.org" <ace@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Hq7xMaFguYxe8uIPTQ82IIi_Jgs>
Thanks for the update, that works for me.

Yours,
Daniel

On Tue, Apr 13, 2021 at 8:44 AM Cigdem Sengul <cigdem.sengul@gmail.com> wrote:

> Hello Daniel,
> I propose the following change to clarify the TLS use - if you are happy
> with it, I will update the document:
>
> To provide communication confidentiality and RS authentication to MQTT
> clients, TLS is used, and TLS 1.3 [RFC8446] is RECOMMENDED. This document makes
> the same assumptions as Section 4 of the ACE framework
> [I-D.ietf-ace-oauth-authz] regarding Client and RS registration with
> the AS and setting up keying material. While the Client-Broker
> exchanges are only over MQTT, the required Client-AS and RS-AS
> interactions are described for HTTPS-based communication [RFC7230],
> using 'application/ace+json' content type, and unless otherwise
> specified, using JSON encoding. The Client-AS and RS-AS MAY also use
> protocols other than HTTP, e.g. Constrained Application Protocol
> (CoAP) [RFC7252] or MQTT; it is recommended
> that TLS is used to secure the communication channels between
> Client-AS and RS-AS."
>
> Since it is in this paragraph, one thing that Francesca brought up to do
> is to register the 'application/ace+json' content type.
> Kind regards,
> --Cigdem
>
> On Fri, Mar 5, 2021 at 9:11 PM Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org> wrote:
>
>> Hi,
>>
>> Now that the authz document is being consolidated, I do have some minor
>> concerns regarding the recommendations mentioned in the profile documents,
>> that might require an additional update.
>>
>> The update to the authz document indicates more clearly than before
>> that profiles need to provide some recommendations for the RS – AS
>> communication.
>>
>> “””
>> Profiles MUST specify for introspection a communication security
>> protocol RECOMMENDED to be used between RS and AS that provides the
>> features required above.
>> “””
>>
>> It seems to me the MQTT profile text makes it pretty clear that TLS is
>> recommended for all communications but I am wondering if additional
>> clarification would be beneficial – see below. That said I agree this is a
>> very minor point in this case that could be handled by the RFC editor.
>>
>> For the OSCORE or DTLS profiles, unless I am missing the RS – AS
>> recommendations in the documents, it seems to me it has been omitted and
>> needs to be added -- see below.
>>
>> Yours,
>> Daniel
>>
>> ## MQTT - draft-ietf-ace-mqtt-tls-profile-10
>>
>> “””
>> To provide communication confidentiality and RS authentication, TLS
>> is used, and TLS 1.3 [RFC8446] is RECOMMENDED. This document makes
>> the same assumptions as Section 4 of the ACE framework
>> [I-D.ietf-ace-oauth-authz] regarding Client and RS registration with
>> the AS and setting up keying material. While the Client-Broker
>> exchanges are only over MQTT, the required Client-AS and RS-AS
>> interactions are described for HTTPS-based communication [RFC7230],
>> using 'application/ace+json' content type, and unless otherwise
>> specified, using JSON encoding.
>> “””
>>
>> I am wondering if that would not be more appropriate to specify in the
>> first line RS and AS authentication or simply authentication.
>>
>> - OSCORE draft-ietf-ace-oscore-profile-16
>>
>> “””
>> This profile RECOMMENDS the use of OSCORE between client and AS, to reduce
>> the number of libraries the client has to support, but other
>> protocols fulfilling the security requirements defined in section 5
>> of [I-D.ietf-ace-oauth-authz] (such as TLS or DTLS) MAY be used as
>> well.
>> “””
>>
>> - DTLS draft-ietf-ace-dtls-authorize-15
>>
>> “””
>> It is RECOMMENDED that the client
>> uses DTLS with the same keying material to secure the communication
>> with the authorization server, proving possession of the key as part
>> of the token request. Other mechanisms for proving possession of the
>> key may be defined in the future.
>> “””
>>
>> _______________________________________________
>> Ace mailing list
>> Ace@ietf.org
>> https://www.ietf.org/mailman/listinfo/ace
>>

-- 
Daniel Migault
Ericsson
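The RS-AS channel that the quoted MQTT profile text describes (HTTPS, TLS 1.3 RECOMMENDED, 'application/ace+json' content type) as an added example; this is not code from the thread, the profile draft or any ACE implementation. The `token` parameter follows the ACE framework's introspection request; the `/introspect` path, the `as.example.com` host and the helper names are assumptions for illustration only.

```python
import json
import ssl
from http.client import HTTPSConnection

# Media type the MQTT profile uses for Client-AS and RS-AS interactions.
ACE_JSON = "application/ace+json"


def make_rs_as_tls_context(ca_file=None):
    """TLS client context for the RS -> AS introspection channel.

    Pins the floor at TLS 1.3 (the profile's RECOMMENDED version) and keeps
    certificate and hostname verification on, so the RS actually gets the
    AS authentication the profile text promises.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def legacy_context_for_comparison():
    """Constructed counter-example: a context that still admits TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def channel_meets_recommendation(ctx):
    """True when the context enforces TLS 1.3 and verifies the AS certificate."""
    return (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1_3
        and ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
    )


def build_introspection_request(access_token, path="/introspect"):
    """Assemble the RS -> AS introspection POST (path, headers, JSON body).

    The request body carries the access token under the framework's 'token'
    parameter; '/introspect' is an assumed endpoint path for this example.
    """
    body = json.dumps({"token": access_token})
    headers = {"Content-Type": ACE_JSON, "Accept": ACE_JSON}
    return path, headers, body


def introspect(as_host, access_token, ctx=None):
    """Send the introspection request over the pinned TLS channel (network I/O)."""
    ctx = ctx or make_rs_as_tls_context()
    path, headers, body = build_introspection_request(access_token)
    conn = HTTPSConnection(as_host, 443, context=ctx, timeout=5)
    conn.request("POST", path, body=body, headers=headers)
    resp = conn.getresponse()
    if resp.getheader("Content-Type", "").split(";")[0] != ACE_JSON:
        raise ValueError("AS answered with an unexpected content type")
    return json.loads(resp.read())


if __name__ == "__main__":
    # Offline demonstration: placeholder AS host, constructed token value.
    print(channel_meets_recommendation(make_rs_as_tls_context()))      # True
    print(channel_meets_recommendation(legacy_context_for_comparison()))  # False
    print(build_introspection_request("constructed-token-value"))
    # introspect("as.example.com", "constructed-token-value") would do the POST.
```

The check function separates the policy (TLS 1.3 floor plus verified AS identity) from the transport so a deployment can audit its RS configuration without opening a connection; the legacy context shows what the check rejects when a stack is left at its TLS 1.2 default.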