Re: [Ace] I-D Action: draft-ietf-ace-mqtt-tls-profile-05.txt
Cigdem Sengul <cigdem.sengul@gmail.com> Thu, 28 May 2020 21:00 UTC
Return-Path: <cigdem.sengul@gmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E57B73A0EE5 for <ace@ietfa.amsl.com>; Thu, 28 May 2020 14:00:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dJ-L5f99sUBf for <ace@ietfa.amsl.com>; Thu, 28 May 2020 14:00:47 -0700 (PDT)
Received: from mail-vs1-xe31.google.com (mail-vs1-xe31.google.com [IPv6:2607:f8b0:4864:20::e31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C3633A0EB2 for <ace@ietf.org>; Thu, 28 May 2020 14:00:46 -0700 (PDT)
Received: by mail-vs1-xe31.google.com with SMTP id l15so251452vsr.3 for <ace@ietf.org>; Thu, 28 May 2020 14:00:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=LtFm1o03okkoSCan2aJLsf0d9QfO6qdkjAqbFPAiKCg=; b=k61yXw2VmNxlJkVhmtaiWp5gljvdEjt+q6ropRq6wcmZfeHJRmvEk4wQ3UD70dT3I5 xtyFunLOcBlZOepBn4REKNVc9rnBPmSujw0LJ/3pkHd0J4nj2Cc0Tt9Yap8bicQys1Fr Cx43swhzrZZggEK9kmvPjo3KWqvIz7l9PWM3olPh2HtDcM/fLNqg+agk4fClP48kvZV0 eFv2ThjQeMWCrC6HTt772jZRjlloJ4NYFSt476EiRBFzOw5XcxOVd8K0Ju0MOYS8DlSp wiPqy3NDs7nQn3Kxp5LgaUlrBJROtX3eT+mXTFvuBsYdntoYWvSav24VNJ9xxqooKM0s xu+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=LtFm1o03okkoSCan2aJLsf0d9QfO6qdkjAqbFPAiKCg=; b=tmA9vBqBSEngph8sBxmm0WQNYkXyUnUG/AZOsrfrGI6Ik/8eNfNy9ZwHEK8YawFFZC TvCCBtWLRU0O+2R0mb+77MyAf+hngDnMQhEbegSfTKiiFCDjnp+CA4miVSnCxYpUWt1r gurS7GfiKu843Dj4ISqUNyO/xh1qEiGysBmdZgqMNQ1O/ywLMtBUqGOeGedPWYY/k+sC a03ZepMPtl4iGRPd97uAJ0vX6gk0eP2XN8YAAXcFfq77q6UPxVUlF6gcakOKjiHhKU/O QsEvTv5NPBDVOSz39Rb4jaxy1m9eR+U++bG3iijh1ITCgbrB3tt59WXbRMLlmop7lT31 DhhA==
X-Gm-Message-State: AOAM533nogkHhXfR5MD5MhSTL3JxR5nceetNbHtxN6Mi0nb4NA4TRE63 QhlzfmK8DMz1JQNGxeapFfGgDR4lXZXpJDfd8hvpwAtb2QY=
X-Google-Smtp-Source: ABdhPJxQciQ3nfb2eRvws6EIKAFKcK6TIwcfFezcNZCDjjijjMeWYRtbTT+n+HsftldyqWHtzhWpDE1VBs3haOCbeCs=
X-Received: by 2002:a67:fa50:: with SMTP id j16mr930067vsq.144.1590699643621; Thu, 28 May 2020 14:00:43 -0700 (PDT)
MIME-Version: 1.0
References: <159069851291.7031.7009323921343905594@ietfa.amsl.com>
In-Reply-To: <159069851291.7031.7009323921343905594@ietfa.amsl.com>
From: Cigdem Sengul <cigdem.sengul@gmail.com>
Date: Thu, 28 May 2020 22:00:33 +0100
Message-ID: <CAA7SwCO=N7HFgkkSKcbiuV90p57ugaW_q0tN3E3YtNNLqphezw@mail.gmail.com>
To: Ace Wg <ace@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000033d48105a6bb9f76"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/ItiaMxJPjL-dzmGPsSYZvyIjVOk>
Subject: Re: [Ace] I-D Action: draft-ietf-ace-mqtt-tls-profile-05.txt
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2020 21:00:56 -0000
Dear Ace, I've submitted a v5 of the MQTT profile making the following updates as discussed in the April interim (the changes should be able to close all the remaining 6 issues in the github repo). After Jim and Carsten's e-mails, I've been thinking also how to add support for AIF in the draft. List of changes: * Clarified that MQTT v5.0 Brokers may implement username/password option for transporting the ACE token only for MQTT v.3.1.1 clients. This option is not recommended for MQTT v.5.0 clients. * Changed Clean Session requirement both for MQTT v.5.0 and v.3.1.1. The Broker SHOULD NOT, instead of MUST NOT, continue sessions. Clarified expected behaviour if session continuation is supported. Added to the Security Considerations the potential misuse of session continuation. * Added that client re-authentication is accepted only for the challenge/response PoP. * Also important for misuse of re-authentication messages, clarified that the Broker should not accept any other packets from Client after CONNECT and before sending CONNACK. Other including some minor changes: * Added Ed25519 as mandatory to implement * Fixed the Authentication Data to include token length for the Challenge/Response PoP. * Added that Authorisation Server Discovery is triggered if a token is invalid and not only missing. * Did some reorganisation in Section 2 so that "Unauthorised Request: Authorisation Server Discovery" is presented under Section 2.6 as part of the broker's response to the client. *Fixed Figure 2 to remove the "empty" word from the CONNECT format. Thanks, --Cigdem On Thu, May 28, 2020 at 9:42 PM <internet-drafts@ietf.org> wrote: > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the Authentication and Authorization for > Constrained Environments WG of the IETF. > > Title : MQTT-TLS profile of ACE > Authors : Cigdem Sengul > Anthony Kirby > Paul Fremantle > Filename : draft-ietf-ace-mqtt-tls-profile-05.txt > Pages : 29 > Date : 2020-05-28 > > Abstract: > This document specifies a profile for the ACE (Authentication and > Authorization for Constrained Environments) framework to enable > authorization in an MQTT-based publish-subscribe messaging system. > Proof-of-possession keys, bound to OAuth2.0 access tokens, are used > to authenticate and authorize MQTT Clients. The protocol relies on > TLS for confidentiality and MQTT server (broker) authentication. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-ace-mqtt-tls-profile/ > > There are also htmlized versions available at: > https://tools.ietf.org/html/draft-ietf-ace-mqtt-tls-profile-05 > https://datatracker.ietf.org/doc/html/draft-ietf-ace-mqtt-tls-profile-05 > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-ace-mqtt-tls-profile-05 > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace >
- [Ace] I-D Action: draft-ietf-ace-mqtt-tls-profile… internet-drafts
- Re: [Ace] I-D Action: draft-ietf-ace-mqtt-tls-pro… Cigdem Sengul