Re: [Ace] MQTT, OSCORE, DTLS profiles - recommendation on RS - AS communication

Daniel Migault <mglt.ietf@gmail.com> Tue, 13 April 2021 12:58 UTC

References: <DM6PR15MB237941DDA59DF2A67A2F52B7E3969@DM6PR15MB2379.namprd15.prod.outlook.com> <CAA7SwCNmxax3F222eeYyQ1rEOq+cOZzZwT1Y4+CPBrJB+8XtXw@mail.gmail.com>
In-Reply-To: <CAA7SwCNmxax3F222eeYyQ1rEOq+cOZzZwT1Y4+CPBrJB+8XtXw@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Tue, 13 Apr 2021 08:57:53 -0400
Message-ID: <CADZyTkk4j0TJMFFPZ0j4zXo1miRBdG4A=jQUJQdiePdsiiMkVA@mail.gmail.com>
To: Cigdem Sengul <cigdem.sengul@gmail.com>
Cc: Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org>, "ace@ietf.org" <ace@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Hq7xMaFguYxe8uIPTQ82IIi_Jgs>
Subject: Re: [Ace] MQTT, OSCORE, DTLS profiles - recommendation on RS - AS communication

Thanks for the update, that works for me.

Yours,
Daniel

On Tue, Apr 13, 2021 at 8:44 AM Cigdem Sengul <cigdem.sengul@gmail.com> wrote:

> Hello Daniel,
> I propose the following change to clarify the TLS use - if you are happy
> with it, I will update the document:
>
> "To provide communication confidentiality and RS authentication to MQTT
> clients, TLS is used, and TLS 1.3 [RFC8446] is RECOMMENDED.  This document
> makes the same assumptions as Section 4 of the ACE framework
> [I-D.ietf-ace-oauth-authz] regarding Client and RS registration with the AS
> and setting up keying material.  While the Client-Broker exchanges are only
> over MQTT, the required Client-AS and RS-AS interactions are described for
> HTTPS-based communication [RFC7230], using 'application/ace+json' content
> type, and unless otherwise specified, using JSON encoding.  The Client-AS
> and RS-AS MAY also use protocols other than HTTP, e.g. Constrained
> Application Protocol (CoAP) [RFC7252] or MQTT; it is recommended that TLS
> is used to secure the communication channels between Client-AS and RS-AS."
>
> Since it is in this paragraph, one thing that Francesca brought up to do
> is to register the 'application/ace+json' content type.
> Kind regards,
> --Cigdem
>
> On Fri, Mar 5, 2021 at 9:11 PM Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org> wrote:
>
>> Hi,
>>
>> Now that the authz document is being consolidated, I do have some minor
>> concerns regarding the recommendations mentioned in the profile documents,
>> that might require an additional update.
>>
>> The update to the authz document indicates more clearly than before
>> that profiles need to provide some recommendations for the RS – AS
>> communication.
>>
>> “””
>> Profiles MUST specify for introspection a communication security
>> protocol RECOMMENDED to be used between RS and AS that provides the
>> features required above.
>> “””
>>
>> It seems to me the MQTT profile text makes it pretty clear that TLS is
>> recommended for all communications but I am wondering if additional
>> clarification would be beneficial – see below. That said I agree this is a
>> very minor point in this case that could be handled by the RFC editor.
>>
>> For the OSCORE or DTLS profiles, unless I am missing the RS – AS
>> recommendations in the documents, it seems to me it has been omitted and
>> needs to be added -- see below.
>>
>> Yours,
>> Daniel
>>
>> ## MQTT - draft-ietf-ace-mqtt-tls-profile-10
>>
>> “””
>>    To provide communication confidentiality and RS authentication, TLS
>>    is used, and TLS 1.3 [RFC8446] is RECOMMENDED.  This document makes
>>    the same assumptions as Section 4 of the ACE framework
>>    [I-D.ietf-ace-oauth-authz] regarding Client and RS registration with
>>    the AS and setting up keying material.  While the Client-Broker
>>    exchanges are only over MQTT, the required Client-AS and RS-AS
>>    interactions are described for HTTPS-based communication [RFC7230],
>>    using 'application/ace+json' content type, and unless otherwise
>>    specified, using JSON encoding.
>> “””
>>
>> I am wondering if it would not be more appropriate to specify in the
>> first line RS and AS authentication, or simply authentication.
>>
>> ## OSCORE - draft-ietf-ace-oscore-profile-16
>>
>> “””
>>    This profile RECOMMENDS the use of OSCORE between client and AS, to
>>    reduce the number of libraries the client has to support, but other
>>    protocols fulfilling the security requirements defined in section 5
>>    of [I-D.ietf-ace-oauth-authz] (such as TLS or DTLS) MAY be used as
>>    well.
>> “””
>>
>> ## DTLS - draft-ietf-ace-dtls-authorize-15
>>
>> “””
>>    It is RECOMMENDED that the client uses DTLS with the same keying
>>    material to secure the communication with the authorization server,
>>    proving possession of the key as part of the token request.  Other
>>    mechanisms for proving possession of the key may be defined in the
>>    future.
>> “””
>>
>>
>> _______________________________________________
>> Ace mailing list
>> Ace@ietf.org
>> https://www.ietf.org/mailman/listinfo/ace


-- 
Daniel Migault
Ericsson
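As an added example, not code from this thread or from any of the drafts it discusses, the following Python sketches how a resource server could implement the RS-AS channel that the quoted MQTT profile text describes: TLS with the AS certificate verified and TLS 1.3 as the floor, a deliberately weak configuration beside it for comparison, an audit helper that flags deviations from the recommendation, and an introspection request/response carrying the 'application/ace+json' content type with JSON encoding. Assumptions are mine rather than the drafts': the introspection URL is a placeholder, the 'token' and 'active' fields follow OAuth/ACE token introspection conventions, and RS authentication to the AS via a client certificate is one deployment choice among those the framework allows.

```python
import json
import ssl
import urllib.request
from typing import Optional

# Media type named in the quoted profile text.
ACE_JSON = "application/ace+json"
# Placeholder endpoint, constructed for this example; not taken from any draft.
AS_INTROSPECT_URL = "https://as.example/introspect"


def build_as_tls_context(ca_file: Optional[str] = None,
                         client_cert: Optional[str] = None,
                         client_key: Optional[str] = None) -> ssl.SSLContext:
    """TLS context for the RS -> AS channel.

    The AS certificate is verified (against ca_file, or the platform trust
    store when None), hostname checking stays on, and TLS 1.3 is the floor,
    following the "TLS 1.3 is RECOMMENDED" text quoted in the thread.  If a
    client certificate is given, the RS also authenticates itself with it
    (an assumption: the framework leaves the RS-AS credential to deployment).
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def weak_context_example() -> ssl.SSLContext:
    """The kind of context the recommendation is meant to rule out:
    no AS certificate check, no hostname check, no TLS version floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be switched off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_as_tls_context(ctx: ssl.SSLContext) -> list:
    """List the ways a context falls short of the recommendation (empty if none)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        findings.append("minimum TLS version below 1.3")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("AS certificate not required")
    return findings


def introspection_request(token: str) -> tuple:
    """Headers and body of the RS -> AS introspection request.

    The 'token' field follows OAuth/ACE token introspection (assumption);
    the quoted draft text only fixes transport, content type and encoding.
    """
    headers = {"Content-Type": ACE_JSON, "Accept": ACE_JSON}
    body = json.dumps({"token": token}).encode("utf-8")
    return headers, body


def parse_introspection_response(content_type: str, body: bytes) -> bool:
    """Return the AS's 'active' verdict, refusing any response not declared
    as application/ace+json (a stricter check than the draft text requires)."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != ACE_JSON:
        raise ValueError(f"unexpected content type from AS: {content_type!r}")
    payload = json.loads(body.decode("utf-8"))
    return bool(payload.get("active", False))


def introspect(token: str, ctx: ssl.SSLContext,
               url: str = AS_INTROSPECT_URL) -> bool:
    """One introspection round trip over the verified TLS channel
    (needs a live AS, so it is not exercised offline)."""
    headers, body = introspection_request(token)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_introspection_response(resp.headers.get("Content-Type", ""),
                                            resp.read())
```

The audit helper is the part worth keeping around: running it against the context an RS actually uses is a cheap way to confirm that "TLS is used" in a deployment also means the AS is authenticated and the version floor is where the profile recommends it, rather than a context that merely encrypts.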