Re: [Ace] I-D Action: draft-ietf-ace-mqtt-tls-profile-05.txt

Cigdem Sengul <> Thu, 28 May 2020 21:00 UTC

From: Cigdem Sengul <>
Date: Thu, 28 May 2020 22:00:33 +0100
To: Ace Wg <>
Subject: Re: [Ace] I-D Action: draft-ietf-ace-mqtt-tls-profile-05.txt

Dear Ace,

I've submitted a v5 of the MQTT profile making the following updates as
discussed in the April interim (the changes should be able to close all the
remaining 6 issues in the github repo). After Jim and Carsten's e-mails,
I've also been thinking about how to add support for AIF in the draft.

List of changes:
* Clarified that MQTT v5.0 Brokers may implement the username/password option
for transporting the ACE token only for MQTT v3.1.1 clients. This option
is not recommended for MQTT v5.0 clients.
* Changed the Clean Session requirement both for MQTT v5.0 and v3.1.1. The
Broker SHOULD NOT, instead of MUST NOT, continue sessions.
  Clarified expected behaviour if session continuation is supported. Added
to the Security Considerations the potential misuse of session
* Added that client re-authentication is accepted only for the
challenge/response PoP.
* Also important for misuse of re-authentication messages, clarified that
the Broker should not accept any other packets from the Client after CONNECT
and before sending CONNACK.

Other, including some minor changes:
* Added Ed25519 as mandatory to implement.
* Fixed the Authentication Data to include the token length for the
Challenge/Response PoP.
* Added that Authorisation Server Discovery is triggered if a token is
invalid and not only missing.
* Did some reorganisation in Section 2 so that "Unauthorised Request:
Authorisation Server Discovery" is presented under Section 2.6 as part of
the Broker's response to the Client.
* Fixed Figure 2 to remove the "empty" word from the CONNECT format.


On Thu, May 28, 2020 at 9:42 PM <> wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Authentication and Authorization for
> Constrained Environments WG of the IETF.
>         Title           : MQTT-TLS profile of ACE
>         Authors         : Cigdem Sengul
>                           Anthony Kirby
>                           Paul Fremantle
>         Filename        : draft-ietf-ace-mqtt-tls-profile-05.txt
>         Pages           : 29
>         Date            : 2020-05-28
> Abstract:
>    This document specifies a profile for the ACE (Authentication and
>    Authorization for Constrained Environments) framework to enable
>    authorization in an MQTT-based publish-subscribe messaging system.
>    Proof-of-possession keys, bound to OAuth2.0 access tokens, are used
>    to authenticate and authorize MQTT Clients.  The protocol relies on
>    TLS for confidentiality and MQTT server (broker) authentication.
> The IETF datatracker status page for this draft is:
> There are also htmlized versions available at:
> A diff from the previous version is available at:
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at
> Internet-Drafts are also available by anonymous FTP at:
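To make the three Broker-side rules above concrete (length-prefixed token in the Authentication Data, Ed25519 challenge/response PoP, and no packets accepted between CONNECT and CONNACK), here is an added, self-contained Go sketch of one connection's state machine. It is example code written for this page, not code from the draft or its authors. The Packet struct, the Authentication Method name "ace", the exact Authentication Data layout (2-byte token length || token || client nonce), the signed message (client nonce || broker nonce) and the in-memory token-to-PoP-key table are all assumptions standing in for what the draft, token introspection or the token's cnf claim would actually define.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

// Minimal model of the MQTT v5 packets involved (not a full MQTT codec).
type Packet struct {
	Type       string // "CONNECT", "AUTH", "CONNACK", "PUBLISH", ...
	AuthMethod string // Authentication Method property
	AuthData   []byte // Authentication Data property
	ReasonCode byte   // MQTT v5 reason code on AUTH/CONNACK replies
}

const (
	authMethod         = "ace" // assumed Authentication Method name
	reasonSuccess      = 0x00
	reasonContinueAuth = 0x18
)

// EncodeAuthData builds the CONNECT Authentication Data for the challenge/response
// flow: 2-byte big-endian token length, the token, then the client nonce. Without
// the length prefix the Broker could not split token from nonce. (Layout assumed.)
func EncodeAuthData(token, clientNonce []byte) []byte {
	out := make([]byte, 2, 2+len(token)+len(clientNonce))
	binary.BigEndian.PutUint16(out, uint16(len(token)))
	return append(append(out, token...), clientNonce...)
}

// DecodeAuthData is the Broker-side inverse; it rejects truncated data.
func DecodeAuthData(d []byte) (token, clientNonce []byte, err error) {
	if len(d) < 2 || 2+int(binary.BigEndian.Uint16(d)) > len(d) {
		return nil, nil, errors.New("authentication data truncated")
	}
	n := 2 + int(binary.BigEndian.Uint16(d))
	return d[2:n], d[n:], nil
}

// SignedMessage is what the PoP signature covers: client nonce || broker nonce (assumed).
func SignedMessage(clientNonce, brokerNonce []byte) []byte {
	return append(append([]byte{}, clientNonce...), brokerNonce...)
}

// ClientAuthResponse is the Client's AUTH Authentication Data: an Ed25519 signature with the PoP key.
func ClientAuthResponse(priv ed25519.PrivateKey, clientNonce, brokerNonce []byte) []byte {
	return ed25519.Sign(priv, SignedMessage(clientNonce, brokerNonce))
}

const stateNew, stateChallenged, stateConnected, stateClosed = 0, 1, 2, 3

// Broker holds one connection's state plus a constructed token table standing
// in for what token introspection or the token's cnf claim would supply.
type Broker struct {
	Tokens                   map[string]ed25519.PublicKey
	state                    int
	popKey                   ed25519.PublicKey
	clientNonce, brokerNonce []byte
}

// Handle processes one inbound packet; a non-nil error means the Broker closes the connection.
func (b *Broker) Handle(p Packet) (Packet, error) {
	switch {
	case b.state == stateNew && p.Type == "CONNECT" && p.AuthMethod == authMethod:
		token, cn, err := DecodeAuthData(p.AuthData)
		if err != nil {
			return b.fail(err.Error())
		}
		key, ok := b.Tokens[string(token)]
		if !ok { // a real Broker would point the Client at the AS here
			return b.fail("unknown or invalid token")
		}
		b.popKey, b.clientNonce, b.brokerNonce = key, cn, make([]byte, 32)
		if _, err := rand.Read(b.brokerNonce); err != nil {
			return b.fail(err.Error())
		}
		b.state = stateChallenged
		return Packet{Type: "AUTH", AuthMethod: authMethod, AuthData: b.brokerNonce, ReasonCode: reasonContinueAuth}, nil
	case b.state == stateChallenged && p.Type == "AUTH" && p.AuthMethod == authMethod:
		if !ed25519.Verify(b.popKey, SignedMessage(b.clientNonce, b.brokerNonce), p.AuthData) {
			return b.fail("proof-of-possession signature invalid")
		}
		b.state = stateConnected
		return Packet{Type: "CONNACK", ReasonCode: reasonSuccess}, nil
	case b.state == stateChallenged:
		// Only the AUTH response is acceptable between CONNECT and CONNACK;
		// PUBLISH, SUBSCRIBE, a second CONNECT or anything else drops the link.
		return b.fail("unexpected " + p.Type + " before CONNACK")
	}
	return b.fail("packet " + p.Type + " not valid in this connection state")
}

func (b *Broker) fail(msg string) (Packet, error) {
	b.state = stateClosed
	return Packet{}, errors.New(msg)
}
```

A Client drives it with Handle(CONNECT) to obtain the 32-byte Broker nonce, then Handle(AUTH) carrying ClientAuthResponse over both nonces; any other packet in between, a signature from the wrong key, or a token the Broker cannot resolve closes the connection, and a closed connection never accepts a late AUTH.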