Re: [Ace] I-D Action: draft-ietf-ace-oscore-profile-14.txt

Daniel Migault <mglt.ietf@gmail.com> Wed, 27 January 2021 14:12 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67E4F3A11E4 for <ace@ietfa.amsl.com>; Wed, 27 Jan 2021 06:12:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eSuQEbRBlJXN for <ace@ietfa.amsl.com>; Wed, 27 Jan 2021 06:12:03 -0800 (PST)
Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2998C3A11DE for <ace@ietf.org>; Wed, 27 Jan 2021 06:12:03 -0800 (PST)
Received: by mail-vs1-xe2e.google.com with SMTP id m13so1194329vsr.2 for <ace@ietf.org>; Wed, 27 Jan 2021 06:12:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gPoji958q2nEJ5Ph1rxoLXhEslQKWQo+hYd/QegllRc=; b=hF/CxCURzuG3+Wd9fD0+v6YB4Pw51kCltc3qOQk5BG8HHqfZrkW0gsstxMcIHAV6M4 a4r2hVtBalvfgyWVTJ2eqO2c+C25nnIBTlj88QlHQ6sKUBVHO+dx1WEzxFbTU9D82sSR BwWXUfzMc+t5QITQhx/uhWBC3jIRalT9tzB7YqZ71/THsb3sW7enCEein7gLDZ1pb+aK 7tvWCfK506IYoH2rscNWhTy6GMzmnOCjEH6vxTLUEKu/6IpLL5U2NeFbWSRbwT9GpcoY 4HmmBqv1oFGcZHRfKQCH6asyALE3Kgeia3Rvo/UGuYeic+L9ShiSzZYm6rWGsK9YCUql r0bw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gPoji958q2nEJ5Ph1rxoLXhEslQKWQo+hYd/QegllRc=; b=m8DICIy2sLIroCNkTpSE3S/wU2j6xSXd3Tx5d5L0jtTQfnFSYDNgQBXUEbdBCpqpip WT5JGFUwARXfmMvus7qadcgFtmoAA8x4J7a4NqrgsnRXBzlM0nMsjYx3ZKTi1MddQ1T6 38ZeZCjC+hFBpo4l9yjruSzQMSc7l44w67phXSp0m2pbzeltCXmcBqK6mHUnIzWI7c2x zlS1htEWqZdcct5z55eNYRksiqM/90ieVRMLT99cOGqEG9LchpB6ArrxESNa/NJ2MQna smApjtr4JGlZnj+89EtWrvC7TWr8fJUIdyQIPejBMpAANBCvdurR5P/qRShQl1QCh1LL YdbQ==
X-Gm-Message-State: AOAM531qwa/w4pV75bFdAeS8r8HYhs9u6snEo9e7DQYreQBdDhDFm5Qj 6hNKIvbZRzn0hyZf8PS2u45HuFpJRIl9Opscfn8=
X-Google-Smtp-Source: ABdhPJyEh1nSBpi38Ao4RRsDXLHlST3w3I57+erFsjiDMgrxiHMADJk52HQ/jIMw8d2F4/blYjluMqPUAHClUX/ubGs=
X-Received: by 2002:a67:f594:: with SMTP id i20mr8162302vso.56.1611756721715; Wed, 27 Jan 2021 06:12:01 -0800 (PST)
MIME-Version: 1.0
References: <160793569464.18419.15019250928855569100@ietfa.amsl.com> <1752F003-99AA-47F6-9B1A-9B493F07DC7D@ericsson.com> <20201214153231.GE64351@kduck.mit.edu> <07C849A7-2821-4FAE-A5F5-817195C5B03F@ericsson.com> <CADZyTk=0AL2TGOggbZpLYTRz_QOpHiHC00-bgkbdqu=1eDQ5_Q@mail.gmail.com> <B5E992D4-8BD6-4869-8070-321C8672DD26@ericsson.com> <CADZyTknSWFuuq_3ra+aLkmtnRzUViDCKuwzjcFaZxGc2r5JOmQ@mail.gmail.com> <3F5BAB9C-2FE7-468B-BADF-A84BF78D5E23@ericsson.com>
In-Reply-To: <3F5BAB9C-2FE7-468B-BADF-A84BF78D5E23@ericsson.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Wed, 27 Jan 2021 09:11:50 -0500
Message-ID: <CADZyTkkrAaJefqboN+LCV8qbn085hY6TJ6JHM8GpLSKitnwtVg@mail.gmail.com>
To: Francesca Palombini <francesca.palombini@ericsson.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, "ace@ietf.org" <ace@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dcbf2605b9e25a55"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/JIEJrKPdzfsiFv9DICm8PV2mm0Q>
Subject: Re: [Ace] I-D Action: draft-ietf-ace-oscore-profile-14.txt
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jan 2021 14:12:14 -0000

Hi Francesca,

Thanks for the update, I believe that all concerns I raised have been
addressed.   Given the latest update of draft-ietf-ace-dtls-authorize due
to a comment raised by the secdir, I am tempted to think that we may sync a
bit the wording between the two drafts. This is to me the only point we
need to resolve. Before sending this back to Ben.

I provide the remaining concern below. I has been extracted from my more
complete comments/responses to your comments.

Thanks for the update!

Yours,
Daniel

I believe that the RECOMMMENDation comes to
>
> fill the section 5.8.1
>
> draft-ietf-ace-oauth-authz.  I believe the
>
> text should mention that such recommendation
>
> is one attribute that needs to be completed
>
> by the profile. This is mostly to avoid the
>
> recommendation to be considered as anecdotal
>
> or a comment.
>
> It seems that SHOULD would make it more
>
> normative than a RECOMMEND. But that is only
>
> a personal though.
>
>
>
> FP: The recommendation does not fill in 5.8.1, the MUST just before does.
> Its goal is to give one preferred choice to implementers on how the
> previous MUST can be fullfilled. The use of normative text makes it so that
> this text cannot be taken as a comment. Appendix A - Profile Requirements
> summarizes the requirements that this profile defines based on the
> framework.
>
> <mglt>
>
> I understand that it will be clarified that MUST fulfills oauth-authz
> section 5.8.1.  I do see SHOULD as a bit stronger than RECOMMEND - but that
> may not be true. However, I would suggest to emphasize that OSCORE should
> be use unless there is a good reason to not use it.
>
> If we would like clients to use OSCORE and not implement other means, we
> may need to emphasize that AS supporting this profile are expected to
> support OSCORE.
>
>
>
> FP: that is not necessary. I did not add a ref to the section as it is
> referenced in the sentence just before.
>
> </mglt>
>
> <mglt>
ok, fine for the reference. Given the comment from Russ  and the current
wording draft-ietf-ace-dtls-authorize, I believe we should harmonize the
wording.

This is how has just been updated.

 The use of CoAP
   and DTLS for this communication is RECOMMENDED *REQUIRED* in this
profile, other *profile.  Other*
   protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) MAY be
   used instead. *will
   require specification of additional profile(s).*


</mglt>


On Tue, Jan 26, 2021 at 9:57 AM Francesca Palombini <
francesca.palombini@ericsson.com> wrote:

> Hi Daniel,
>
>
>
> Thank you. I have now submitted v-15 including changes to answer your
> review comments.
>
> Detailed comments below. Please let me know if I missed anything.
>
>
>
> Thanks,
>
> Francesca
>
>
>
> From: Daniel Migault <mglt.ietf@gmail.com>
>
> Date: Thursday, 14 January 2021 at 23:33
>
> To: Francesca Palombini <francesca.palombini@ericsson.com>
>
> Cc: Benjamin Kaduk <kaduk@mit.edu>du>, Ace Wg <ace@ietf.org>
>
> Subject: Re: [Ace] I-D Action: draft-ietf-ace-oscore-profile-14.txt
>
>
>
> Hi,
>
>
>
> As mentioned during the interim meeting this morning, please find my
> comments below.
>
>
>
> Yours,
>
> Daniel
>
>
>
> On Thu, Jan 14, 2021 at 9:02 AM Francesca Palombini <
> francesca.palombini@ericsson.com> wrote:
>
> Hi Daniel!
>
> Thank you for the review. I have answered your comments inline, and if you
> agree with them I believe I can implement the changes by next week and
> submit the final version. I am happy to see these are clarification
> comments.
>
> Thanks,
>
> Francesca
>
> From: Daniel Migault <mglt.ietf@gmail.com>
>
> Date: Thursday, 7 January 2021 at 17:07
>
> To: Francesca Palombini <francesca.palombini@ericsson.com>
>
> Cc: Benjamin Kaduk <kaduk@mit.edu>du>, Ace Wg <ace@ietf.org>
>
> Subject: Re: [Ace] I-D Action: draft-ietf-ace-oscore-profile-14.txt
>
> Hi,
>
>
>
> I apology for taking too long to review the document. Overall I think it
> is in good shape but I do have some minor comments on the current version.
> I have not been through the IANA section, I assumed it has already been
> validated by IANA.  Please find my comments below.
>
>
>
> Once fixed, I do not expect any action from my p[art on the datatracker
> and expect the draft to move forward almost by itself.
>
>
>
> Yours,
>
> Daniel
>
> OSCORE Profile of the Authentication and Authorization for Constrained
>
>                          Environments Framework
>
>                     draft-ietf-ace-oscore-profile-14
>
> [...]
>
> 2.  Protocol Overview
>
>    This section gives an overview of how to use the ACE Framework
>
>    [I-D.ietf-ace-oauth-authz] to secure the communication between a
>
>    client and a resource server using OSCORE [RFC8613].  The parameters
>
>    needed by the client to negotiate the use of this profile with the
>
>    authorization server, as well as the OSCORE setup process, are
>
>    described in detail in the following sections.
>
>    The RS maintains a collection of OSCORE Security Contexts with
>
>    associated authorization information for all the clients that it is
>
>    communicating with.  The authorization information is maintained as
>
>    policy that is used as input to processing requests from those
>
>    clients.
>
>    This profile requires a client to retrieve an access token from the
>
>    AS for the resource it wants to access on an RS, by sending an access
>
>    token request to the token endpoint, as specified in section 5.6 of
>
>    [I-D.ietf-ace-oauth-authz].  The access token request and response
>
>    MUST be confidentiality-protected and ensure authenticity.  This
>
>    profile RECOMMENDS the use of OSCORE between client and AS, but other
>
>    protocols (such as TLS or DTLS) can be used as well.
>
> <mglt>
>
> I usually expect a recommendation to be
>
> motivated.  In this case, the recommendation
>
> seems to be motivated by not having two
>
> different libraries - OSCORE and TLSvXs as
>
> opposed to taking of some properties that
>
> OSCORE have as opposed to DTLS. I believe the
>
> motivation should be explicitly stated.
>
>
>
> FP: Yes, the first reason we recommend OSCORE between C and AS is to make
> use of only one library on the client. However, that is absolutely
> dependent on the application, and the client is typically not a constrained
> device, so something else could be used depending on the use case scenario.
> Without details on the use case, I don't think we have enough information
> to motivate a recommendation.
>
> <mglt>
>
> Fine, I understand this will be specified.
>
>
>
> FP: Done now.
>
> </mglt>
>
> <mglt>
ok, it seems fine. thanks.
</mglt>

>
>
> I believe that the RECOMMMENDation comes to
>
> fill the section 5.8.1
>
> draft-ietf-ace-oauth-authz.  I believe the
>
> text should mention that such recommendation
>
> is one attribute that needs to be completed
>
> by the profile. This is mostly to avoid the
>
> recommendation to be considered as anecdotal
>
> or a comment.
>
> It seems that SHOULD would make it more
>
> normative than a RECOMMEND. But that is only
>
> a personal though.
>
>
>
> FP: The recommendation does not fill in 5.8.1, the MUST just before does.
> Its goal is to give one preferred choice to implementers on how the
> previous MUST can be fullfilled. The use of normative text makes it so that
> this text cannot be taken as a comment. Appendix A - Profile Requirements
> summarizes the requirements that this profile defines based on the
> framework.
>
> <mglt>
>
> I understand that it will be clarified that MUST fulfills oauth-authz
> section 5.8.1.  I do see SHOULD as a bit stronger than RECOMMEND - but that
> may not be true. However, I would suggest to emphasize that OSCORE should
> be use unless there is a good reason to not use it.
>
> If we would like clients to use OSCORE and not implement other means, we
> may need to emphasize that AS supporting this profile are expected to
> support OSCORE.
>
>
>
> FP: that is not necessary. I did not add a ref to the section as it is
> referenced in the sentence just before.
>
> </mglt>
>
> <mglt>
ok, fine for the reference. Given the comment from Russ  and the current
wording draft-ietf-ace-dtls-authorize, I believe we should harmonize the
wording.

This is how has just been updated.

 The use of CoAP
   and DTLS for this communication is RECOMMENDED *REQUIRED* in this
profile, other *profile.  Other*
   protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) MAY be
   used instead. *will
   require specification of additional profile(s).*


</mglt>

>
>
> </mglt>
>
>    Once the client has retrieved the access token, it generates a nonce
>
>    N1.  The client also generates its OSCORE Recipient ID (see
>
>    Section 3.1 of [RFC8613]), ID1,
>
>
>
> <mglt>
>
> I believe that ID1 is the Recipient ID. I am
>
> wondering if the text "OSCORE Recipient ID
>
> ID1 (see Section 3.1... )" would not be
>
> clearer. Though this might be clarified by
>
> the RFC editor.
>
>
>
> FP: Ok, will change.
>
> <mglt>
>
> Ok
>
>
>
> FP: Ok done now.
>
> </mglt>
>
<mglt>
ok, thank you.
</mglt>

>
>
> I believe "its" should be clarified
>
> especially in the overview section to expose
>
> that the Recipient ID is being used by the
>
> client to associate the received messages. In
>
> other words, the RS will use this ID ( as
>
> Sender ID) when sending responses to the
>
> client.
>
>
>
> FP: That's correct. I will change: s/its/its own. I think the next half
> sentence "for use with the keying material associated to the RS." is
> supposed to say exactly what you say above. I would rather not go into
> details of how exactly the Recipient ID works, as that is OSCORE details.
>
> <mglt>
>
> It seems crucial to me that reading the overview section the reader has a
> good sense of what information is being sent to who and what for. Currently
> this is expressed using the OSCORE terminology which requires a relatively
> deep understanding of OSCORE. It seems to me beneficial to adopt a more
> common language that does not require this expertise. This is well
> explained in the detailed section, but - at least when I was reading the
> document - the overview section was more confusing than helping me. This is
> why I suggest being a bit more explicit.
>
>
>
> FP: I don't agree here, simply because I would expect someone implementing
> the OSCORE profile of Ace to be familiar with the OSCORE terminology.
> Understanding OSCORE terminology is a requirement for understanding and
> implementing the draft, and I have now added a sentence about that in the
> Terminology section.
>
>
>
<mglt>
I think that is appropriate and probably the right choice between writing
less and writing too much. Thanks.
</mglt>

> </mglt>
>
> The reason is more that I believe the
>
> overview section should provide a description
>
> that is understandable for people that may
>
> not be fully aware of the details of OSCORE
>
> or that have not yet read the document. In my
>
> case - belonging to these two categories - I
>
> found the detailed section clearer than the
>
> overview. This is just to clarify my
>
> intention.
>
>
>
> FP: Absolutely, which is why I am trying to keep it high level at this
> point. If the sentence "Recipient ID for use with the keying material
> associated to the RS" is not clear enough, could you point me to what is
> missing? (keeping in mind I'd rather not go into messaging level)
>
> <mglt>
>
> """
>
> The client also generates its OSCORE Recipient ID (see
>
>    Section 3.1 of [RFC8613]), ID1, for use with the keying material
>
>    associated to the RS.  The client posts the token, N1 and its
>
>    Recipient ID to the RS [...]
>
> """
>
> When the client and the RS are communicating, it could legitimately being
> inferred that the recipient of a message sent by the client is the RS. In
> fact Recipient ID does not designate the recipient from a client
> perspective, but the recipient from the RS - that is to say the recipient's
> perspective. In this case, the sender ID of the recipient is expected to be
> set with the Recipient ID.
>
> So, I believe the term recipient can be misleading, if not being
> clarified.
>
>
>
> FP: I understand your point, but really I see this as a note to the OSCORE
> terminology, which we are not going to change here. I hope that by adding
> the note in the terminology about OSCORE this becomes less of an issue for
> this document.
>
<mglt>
ok.
</mglt>

> </mglt>
>
>
>
> I have the impression that N1 is specific to
>
> this profile. In other words, it is not
>
> generated for the oauth-authz  (Client-Nonce)
>
> nor for OSCORE.  One difficulty of these
>
> profiles is that they have to put the glue
>
> between the protocol OSCORE and the ACE
>
> framework oauth-auth.  It would maybe ease
>
> the reading to specify what is in the profile
>
> and what is being defined outside.  I have
>
> the impression that the implicit convention
>
> you are using in the protocol overview
>
> section is that by default what is being
>
> mentioned is defined by the profile and what
>
> is being defined outside the profile is being
>
> explicitly referenced.  It might worth
>
> stating that rule - at least in the overview
>
> section.
>
>
>
> FP: It is hard to draw a very strict line as some requirements spill over
> from the framework and OSCORE, even just to give the context of the more
> detailed requirements. I don't think I could correctly state that, but what
> I tried to do, as you noted, is a direct reference everytime (or almost)
> that I can easily point to.
>
> <mglt>
>
> If I recall correctly, mentioning that Nonce are profile specific would
> probably be clarifying - and maybe sufficient.
>
>
>
> FP: Ok, done now.
>
> </mglt>
>
> This is at least clarified in the detailed
>
> sections.
>
>
>
> </mglt>
>
<mglt>
I think what you propose is clear. Thanks.
</mglt>

> for use with the keying material
>
>    associated to the RS.  The client posts the token, N1 and its
>
>    Recipient ID to the RS using the authz-info endpoint and mechanisms
>
>    specified in section 5.8 of [I-D.ietf-ace-oauth-authz] and Content-
>
>    Format = application/ace+cbor.  When using this profile, the
>
>    communication with the authz-info endpoint is not protected, except
>
>    for update of access rights.
>
>    If the access token is valid, the RS replies to this request with a
>
>    2.01 (Created) response with Content-Format = application/ace+cbor,
>
>    which contains a nonce N2 and its newly generated OSCORE Recipient
>
>    ID, ID2, for use with the keying material associated to the client.
>
>    Moreover, the server concatenates the input salt received in the
>
>    token, N1, and N2 to obtain the Master Salt of the OSCORE Security
>
>    Context (see section 3 of [RFC8613]).  The RS then derives the
>
>    complete Security Context associated with the received token from the
>
>    Master Salt, the OSCORE Recipient ID generated by the client (set as
>
>
>
>
>
> Palombini, et al.         Expires June 17, 2021                 [Page 4]
>
> Internet-Draft            OSCORE Profile of ACE            December 2020
>
>
>
>    its OSCORE Sender ID), its own OSCORE Recipient ID, plus the
>
>    parameters received in the access token from the AS, following
>
>    section 3.2 of [RFC8613].
>
>    In a similar way, after receiving the nonce N2, the client
>
>    concatenates the input salt, N1 and N2 to obtain the Master Salt of
>
>    the OSCORE Security Context.  The client then derives the complete
>
>    Security Context from the Master Salt, the OSCORE Recipient ID
>
>    generated by the RS (set as its OSCORE Sender ID), its own OSCORE
>
>    Recipient ID, plus the parameters received from the AS.
>
>    Finally, the client sends a request protected with OSCORE to the RS.
>
> <mglt>
>
> It is unclear it that request is the
>
> communication between the client and the RS
>
> or something in the ace framework or oscore.
>
>
>
> FP: This is any request, so what you call "communication between the
> client and RS". If it was something defined elsewhere there would have been
> a reference to the relevant section.
>
> <mglt>
>
> I believe this should be clarified.
>
>
>
> FP: Ok, done now.
>
</mglt>
>
> </mglt>
>
<mglt>
Thanks.
</mglt>

>    If the request is successfully verified, the server stores the
>
>    complete Security Context state that is ready for use in protecting
>
>    messages, and uses it in the response, and in further communications
>
>    with the client, until token deletion, due to e.g. expiration.  This
>
>    Security Context is discarded when a token (whether the same or a
>
>    different one) is used to successfully derive a new Security Context
>
>    for that client.
>
>    The use of random nonces during the exchange prevents the reuse of an
>
>    Authenticated Encryption with Associated Data (AEAD) nonces/key pair
>
>    for two different messages.  Two-time pad might otherwise occur when
>
> <mglt>
>
> I am wondering if two time pad is correct as
>
> opposed to a collision. I might be wrong but
>
> two time pad seems to be correlated to OTP. I
>
> see this closer to IV collision than OTP.
>
> Unless you are very sure to be correct, I
>
> would suggest to use collision instead.
>
>
>
> FP: I believe two-time pad is the correct term.
>
> <mglt>
>
> So far what I found is that two time pad is really related to two key
> stream re-use, but I will defer to Ben to check if the use here is
> appropriated.
>
>
>
> FP: I checked with John (who was the one to bring this issue up in the
> first place) and he mentioned two-time pad is the correct for
> confidentiality, but does not consider the integrity part. Now rephrased
> according to his suggestion.
>
</mglt>
>
> </mglt>
>
<mglt>
Fine. Thanks to you for updating and thanks to John for the feed back.
</mglt>

   client and RS derive a new Security Context from an existing (non-
>
>    expired) access token, as might occur when either party has just
>
>    rebooted.  Instead, by using random nonces as part of the Master
>
>    Salt, the request to the authz-info endpoint posting the same token
>
>    results in a different Security Context, by OSCORE construction,
>
>    since even though the Master Secret, Sender ID and Recipient ID are
>
>    the same, the Master Salt is different (see Section 3.2.1 of
>
>    [RFC8613]).  Therefore, the main requirement for the nonces is that
>
>   they have a good amount of randomness.  If random nonces were not
>
>    used, a node re-using a non-expired old token would be susceptible to
>
>    on-path attackers provoking the creation of OSCORE messages using old
>
>    AEAD keys and nonces.
>
> <mglt>
>
> I might be missing something, but my
>
> understanding of the text above is that
>
> nonces MUST NOT repeat and I do not see the
>
> necessity for nonce to be non predictable.
>
> Typically would we have an issue using an
>
> incrementing nonce that is persistent to
>
> reboot.
>
> FP: the randomness requirement for the nonces comes from the combination
> of the possibility of reboot (or loss of state/nonces) and using the same
> access token (hence OSCORE input material). We do not assume that the nodes
> have the capability to do persistent storage of nonces, since that would be
> very taxing, but if that was the case, then yes I would think counters
> would be fine (see section 7).
>
> I think the cryptographic properties should
>
> be clearly mentioned and maybe separated from
>
> the implementation recommendation.
>
>
>
> FP: this is just the overview, more detailed considerations are in fact
> separate and can be found in section 7.
>
> <mglt>
>
> The text of section 7 is clear to me, the text mentioned here seems wrong
> to me - there is no randomness requirements. I suggest the text
> "Therefore... nonce" be replaced by some text from section 7 or by a
> reference to section 7.
>
>
>
> FP: I see. I have now rephrased to not talk about randomness in this
> section, and only talk about reuse.
>
> </mglt>
>
>
>
> </mglt>
>

<mglt>
I believe that is fine thanks.
</mglt>

>    After the whole message exchange has taken place, the client can
>
>    contact the AS to request an update of its access rights, sending a
>
>    similar request to the token endpoint that also includes an
>
>    identifier so that the AS can find the correct OSCORE security input
>
>    material it has previously shared with the client.  This specific
>
>    identifier, encoded as a byte string, is assigned by the AS to be
>
>    unique in the sets of its OSCORE security input materials, and is not
>
>    used as input material to derive the full OSCORE Security Context.
>
>    An overview of the profile flow for the OSCORE profile is given in
>
>    Figure 1.  The names of messages coincide with those of
>
>    [I-D.ietf-ace-oauth-authz] when applicable.
>
>
>
>
>
> Palombini, et al.         Expires June 17, 2021                 [Page 5]
>
> Internet-Draft            OSCORE Profile of ACE            December 2020
>
>
>
>       C                            RS                   AS
>
>       |                            |                     |
>
>       | ----- POST /token  ----------------------------> |
>
>       |                            |                     |
>
>       | <---------------------------- Access Token ----- |
>
>       |                           + Access Information   |
>
>       | ---- POST /authz-info ---> |                     |
>
>       |   (access_token, N1, ID1)  |                     |
>
>       |                            |                     |
>
>       | <- 2.01 Created (N2, ID2)- |                     |
>
>       |                            |                     |
>
>     /Sec Context             /Sec Context                |
>
>       derivation/              derivation/               |
>
>       |                            |                     |
>
>       | ---- OSCORE Request -----> |                     |
>
>       |                            |                     |
>
>       |                    /proof-of-possession          |
>
>       |                    Sec Context storage/          |
>
>       |                            |                     |
>
>       | <--- OSCORE Response ----- |                     |
>
>       |                            |                     |
>
>    /proof-of-possession            |                     |
>
>    Sec Context storage/            |                     |
>
>       |                            |                     |
>
>       | ---- OSCORE Request -----> |                     |
>
>       |                            |                     |
>
>       | <--- OSCORE Response ----- |                     |
>
>       |                            |                     |
>
>    /mutual        ...              |                     |
>
>    authentication/
>
>
>
>                         Figure 1: Protocol Overview
>
> <mglt>
>
> The figure is very clarifying, and though
>
> this might be a very personal nit I would
>
> have found it clearer to have the figure
>
> before the explanatory text.
>
>
>
> FP: I will leave this as is for now, willing to see what's best with the
> RFCEditor.
>
> </mglt>
>
> <mglt>
>
> sure
>
> </mglt>
>
<mglt>
just to re-iterate, I do not see this a a real matter.
</mglt>


> 3.1.  C-to-AS: POST to token endpoint
>
> [...]
>
>        Header: POST (Code=0.02)
>
>        Uri-Host: "as.example.com"
>
>        Uri-Path: "token"
>
>        Content-Format: "application/ace+cbor"
>
>        Payload:
>
>        {
>
>          "req_aud" : "tempSensor4711",
>
>          "scope" : "write",
>
>          "req_cnf" : {
>
>            "kid" : h'01'
>
>         }
>
> <mglt>
>
> For my comprehension, the kid seems to me an
>
> id to the security context.  Though this is
>
> an example, I am a bit surprised the value is
>
> 01, which look small.  So I am just willing
>
> to check my understanding.
>
> FP: That is correct, and the value is just an example.
>
> <mglt>
>
> thanks for the response
>
> </mglt>
>
> </mglt>
>
>    Figure 3: Example C-to-AS POST /token request for updating rights to
>
>                  an access token bound to a symmetric key.
>
> 3.2.  AS-to-C: Access Token
>
>    After verifying the POST request to the token endpoint and that the
>
>    client is authorized to obtain an access token corresponding to its
>
>    access token request, the AS responds as defined in section 5.6.2 of
>
>    [I-D.ietf-ace-oauth-authz].  If the client request was invalid, or
>
>    not authorized, the AS returns an error response as described in
>
>    section 5.6.3 of [I-D.ietf-ace-oauth-authz].
>
>    The AS can signal that the use of OSCORE is REQUIRED for a specific
>
>    access token by including the "profile" parameter with the value
>
>    "coap_oscore" in the access token response.  This means that the
>
>    client MUST use OSCORE towards all resource servers for which this
>
>    access token is valid, and follow Section 4.3 to derive the security
>
>    context to run OSCORE.  Usually it is assumed that constrained
>
>    devices will be pre-configured with the necessary profile, so that
>
>    this kind of profile signaling can be omitted.
>
> <mglt>
>
> The AS may indicate the type of communication
>
> between the client and the RS.  However, it
>
> seems to me the client does not provides the
>
> AS the capabilities (i.e.  supported
>
> profiles), which makes for example impossible
>
> to the AS to pick one that fits the client.
>
> I also have the impression the AS cannot
>
> provide multiple available profiles and let
>
> the client pick one that is implemented.  As
>
> a result, the coap_oscore seems to be here to
>
> indicate a "limitation" associated to the RS
>
> - in this case OSCORE is mandatory.
>
>
>
> While I agree that in pre-configuration
>
> environment may things can be pre-agreed, I
>
> am reading the text above as making the
>
> specification of the profile as almost
>
> useless.  I am wondering if we could not
>
> instead mention that an AS willing to
>
> indicate the use of OSCORE SHOULD set the
>
> profile parameter to "coap_oscore".  A client
>
> receiving such value and supporting this
>
> profile SHOULD use this profile.  The
>
> motivation for setting the profile may be
>
> that OSCORE is only supported or that there
>
> is a preference to use OSCORE.
>
>
>
> FP: I believe negotiation of profiles is a point that has been brought up
> (possibly even by me if I remember correctly) and discussed within the ace
> framework,  and is much more general than for the OSCORE profile. I think
> if we want to take on this discussion again, we should do it with the Ace
> framework authors because they have strong views about this. The OSCORE
> profile only adapts what the ace framework specifies.
>
> <mglt>
>
> ok, it seems very unidirectional, but we may leave it as it is.
>
> </mglt>
>
> </mglt>
>
ok

>    Moreover, the AS MUST send the following data:
>
>    o  a master secret
>
>    o  an identifier of the OSCORE Input Material
>
>    Additionally, the AS MAY send the following data, in the same
>
>    response.
>
>    o  a context identifier
>
>    o  an AEAD algorithm
>
>    o  an HMAC-based key derivation function (HKDF) algorithm
>
>
>
>
>
> Palombini, et al.         Expires June 17, 2021                 [Page 8]
>
> Internet-Draft            OSCORE Profile of ACE            December 2020
>
>
>
>    o  a salt
>
>    o  the OSCORE version number
>
>    This data is transported in the OSCORE_Input_Material.  The
>
>    OSCORE_Input_Material is a CBOR map object, defined in Section 3.2.1.
>
>    This object is transported in the 'cnf' parameter of the access token
>
>    response as defined in Section 3.2 of [I-D.ietf-ace-oauth-params], as
>
>    the value of a field named 'osc', registered in Section 9.5 and
>
>    Section 9.6.
>
>    The AS MAY assign an identifier to the context (context identifier).
>
>    This identifier is used as ID Context in the OSCORE context as
>
>    described in section 3.1 of [RFC8613].  If assigned, this parameters
>
>    MUST be communicated as the 'contextId' field in the
>
>    OSCORE_Input_Material.  The applications needs to consider that this
>
>    identifier is sent in the clear and may reveal information about the
>
>    endpoints, as mentioned in section 12.8 of [RFC8613].
>
> <mglt>
>
> It is unclear to me why such contextId is
>
> needed. I suspect - but I am not sure - this
>
> could be used as a reference for the AS of a
>
> Context established between the client and
>
> the RS. In such case I assume the context ID
>
> (kid) is only shared by the client and the RS
>
> so it could not be used for example when a
>
> token needs to be updated /renewed.
>
> I am wondering if that is correct and I
>
> believe motivation for such id should be
>
> clarified.
>
>
>
> FP: Motivation of existence of ID Context is in OSCORE, and we have a
> reference to the correct OSCORE section here (didn't want to repeat
> myself). No, the Context ID is not used as reference for the Sec Ctx by
> itself.
>
> <mglt>
>
> Sorry, I think I messed up with and rather had 'id' in mind. So I
> understand that id identifies OSCORE_Input_Material and contextId
> identifies the OSCORE ID Context. My initial question was why would we need
> a id, and I suspected that the reason was to enable some reference between
> the client and the AS, as the contextId may be changed between the RS and
> client. Is that correct ?
>
>
>
> FP: We need an id for the client to identify the same OSCORE input
> material on the AS in case of updatet of access right. Yes the contextId
> might change. Also id is unique for the AS, while contextId isn't
> necessarily - contextId (together with the Sender ID which is negotiated
> later on) identifies the security context once established.
>
>
>
> If I remember correctly, id and contextId could not be of the same value,
> but I currently do not remember why.Could you just briefly remember me. In
> any case, the reason I am asking is that if we were able to have one id or
> contextId, we would avoid the collision.  Typically, if contextId would be
> sufficient to derive the id, we could avoid such collision issue. So
> basically,  what I wanted to clarify - maybe for only myself - is id cannot
> be derived from contextId and that there is a need to have the separate
> id.
>
>
>
> FP: No, they don't have to be distinct values. So there is really no
> collision issue. As I said above, they identify different material.
>
>
>
> </mglt>
>

<mglt>
I think I am starting to understand that simply means it has been updated
and that having different values is not a goal in itself. Sorry for the
multiple iterations.

"""

In that case, the ID Context in the OSCORE Security
   Context will not match the "contextId" parameter of the corresponding
   OSCORE_Input_Material.

""
</mglt>


> </mglt>
>
>    The master secret and the identifier of the OSCORE_Input_Material
>
>    MUST be communicated as the 'ms' and 'id' field in the 'osc' field in
>
>    the 'cnf' parameeter of the access token response.  If included, the
>
>    AEAD algorithm is sent in the 'alg' parameter in the
>
>    OSCORE_Input_Material; the HKDF algorithm in the 'hkdf' parameter of
>
>    the OSCORE_Input_Material; a salt in the 'salt' parameter of the
>
>    OSCORE_Input_Material; and the OSCORE version in the 'version'
>
>    parameter of the OSCORE_Input_Material.
>
>    The same parameters MUST be included in the claims associated with
>
>    the access token.  This profile RECOMMENDS the use of CBOR web token
>
>    (CWT) as specified in [RFC8392].  If the token is a CWT, the same
>
>    OSCORE_Input_Material structure defined above MUST be placed in the
>
>    'osc' field of the 'cnf' claim of this token.
>
>    The AS MUST send different OSCORE_Input_Material (and therefore
>
>    different access tokens) to different authorized clients, in order
>
>    for the RS to differentiate between clients.
>
>    Figure 4 shows an example of an AS response, with payload in CBOR
>
>   diagnostic notation without the tag and value abbreviations.  The
>
>    access token has been truncated for readability.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> Palombini, et al.         Expires June 17, 2021                 [Page 9]
>
> Internet-Draft            OSCORE Profile of ACE            December 2020
>
>
>
>        Header: Created (Code=2.01)
>
>        Content-Type: "application/ace+cbor"
>
>        Payload:
>
>        {
>
>          "access_token" : h'8343a1010aa2044c53 ...
>
>           (remainder of access token (CWT) omitted for brevity)',
>
>          "profile" : "coap_oscore",
>
>          "expires_in" : "3600",
>
>          "cnf" : {
>
>            "osc" : {
>
>              "id" : h'01',
>
>              "ms" : h'f9af838368e353e78888e1426bd94e6f'
>
>            }
>
>          }
>
>        }
>
>
>
>    Figure 4: Example AS-to-C Access Token response with OSCORE profile.
>
>    Figure 5 shows an example CWT Claims Set, including the relevant
>
>    OSCORE parameters in the 'cnf' claim, in CBOR diagnostic notation
>
>    without tag and value abbreviations.
>
>    {
>
>      "aud" : "tempSensorInLivingRoom",
>
>      "iat" : "1360189224",
>
>      "exp" : "1360289224",
>
>      "scope" :  "temperature_g firmware_p",
>
>      "cnf" : {
>
>        "osc" : {
>
>          "ms" : h'f9af838368e353e78888e1426bd94e6f',
>
>          "id" : h'01'
>
>        }
>
>      }
>
>    }
>
>
>
>          Figure 5: Example CWT Claims Set with OSCORE parameters.
>
>    The same CWT Claims Set as in Figure 5, using the value abbreviations
>
>    defined in [I-D.ietf-ace-oauth-authz] and [RFC8747] and encoded in
>
>    CBOR is shown in Figure 6.  The bytes in hexadecimal are reported in
>
>    the first column, while their corresponding CBOR meaning is reported
>
>    after the '#' sign on the second column, for easiness of readability.
>
> <mglt>
>
> Just for my understanding. Figure 5 shows an
>
> "access_token". I am wondering if that is
>
> possible that some parameters may be in the
>
> CWT but not mentioned in clear (to the
>
> client) in the AS-to-C Access Token response.
>
> In my mind, I see the CWT as being encrypted
>
> so the client is not expected to interpret
>
> it. Is that correct ?
>
>
>
> FP: actually, figure 5 shows the "clamis set" of the access token. These
> claims are input to the encryption to create the actual CWT, so yes you are
> correct, and also the terminology used in the draft is correct.
>
> <mglt>
>
> thanks for the response. NOte that I was not questioning the terminology
> here.
>
> </mglt>
>
> </mglt>
>
> [...]
>
> 3.2.1.  The OSCORE_Input_Material
>
>    id:  This parameter identifies the OSCORE_Input_Material and is
>
>       encoded as a byte string.  In JSON, the "id" value is a Base64
>
>       encoded byte string.  In CBOR, the "id" type is byte string, and
>
>       has label 8.
>
>    version:  This parameter identifies the OSCORE Version number, which
>
>       is an unsigned integer.  For more information about this field,
>
>
>
>
>
> Palombini, et al.         Expires June 17, 2021                [Page 13]
>
> Internet-Draft            OSCORE Profile of ACE            December 2020
>
>
>
>       see section 5.4 of [RFC8613].  In JSON, the "version" value is an
>
>       integer.  In CBOR, the "version" type is integer, and has label 0.
>
>    ms:  This parameter identifies the OSCORE Master Secret value, which
>
>       is a byte string.  For more information about this field, see
>
>       section 3.1 of [RFC8613].  In JSON, the "ms" value is a Base64
>
>       encoded byte string.  In CBOR, the "ms" type is byte string, and
>
>       has label 1.
>
>    hkdf:  This parameter identifies the OSCORE HKDF Algorithm.  For more
>
>       information about this field, see section 3.1 of [RFC8613].  The
>
>       values used MUST be registered in the IANA "COSE Algorithms"
>
>       registry (see [COSE.Algorithms]) and MUST be HMAC-based HKDF
>
>       algorithms.  The value can either be the integer or the text
>
>       string value of the HMAC-based HKDF algorithm in the "COSE
>
>       Algorithms" registry.  In JSON, the "hkdf" value is a case-
>
>       sensitive ASCII string or an integer.  In CBOR, the "hkdf" type is
>
>       text string or integer, and has label 4.
>
>    alg:  This parameter identifies the OSCORE AEAD Algorithm.  For more
>
>       information about this field, see section 3.1 of [RFC8613] The
>
>       values used MUST be registered in the IANA "COSE Algorithms"
>
>       registry (see [COSE.Algorithms]) and MUST be AEAD algorithms.  The
>
>       value can either be the integer or the text string value of the
>
>       HMAC-based HKDF algorithm in the "COSE Algorithms" registry.  In
>
>       JSON, the "alg" value is a case-sensitive ASCII string or an
>
>       integer.  In CBOR, the "alg" type is text string or integer, and
>
>       has label 5.
>
>    salt:  This parameter identifies an input to the OSCORE Master Salt
>
>       value, which is a byte string.  For more information about this
>
>       field, see section 3.1 of [RFC8613].  In JSON, the "salt" value is
>
>       a Base64 encoded byte string.  In CBOR, the "salt" type is byte
>
>       string, and has label 6.
>
>    contextId:  This parameter identifies the security context as a byte
>
>       string.  This identifier is used as OSCORE ID Context.  For more
>
>       information about this field, see section 3.1 of [RFC8613].  In
>
>       JSON, the "contextID" value is a Base64 encoded byte string.  In
>
>       CBOR, the "contextID" type is byte string, and has label 7.
>
> <mglt>
>
> I am wondering if there is any kind of
>
> overlap between the id and contextId.  They
>
> do represent different objects, but if Input
>
> generate a single  Security Context, it seems
>
> to me that both designates the same OSCORE
>
> communication. I am thus wondering why do we
>
> need these two ids.
>
>
>
> FP: As mentioned above, no they do not designate the same data. In
> particular, the couple (sender ID, Context ID) identifies one particular
> OSCORE Security Context, while the id identifies not the Security Context
> but only some (incomplete) input material to derive the security context.
>
> <mglt>
>
> This concern can be grouped with the above comments/questions.
>
> </mglt>
>
> </mglt>
>
> [...]
>
> 4.  Client-RS Communication
>
>    The following subsections describe the details of the POST request
>
>    and response to the authz-info endpoint between client and RS.  The
>
>    client generates a nonce N1 and an identifier ID1 unique in the sets
>
>    of its own Recipient IDs, and posts them together with the token that
>
>    includes the materials (e.g., OSCORE parameters) received from the AS
>
>    to the RS.  The RS then generates a nonce N2 and an identifier ID2
>
>    unique in the sets of its own Recipient IDs, and uses Section 3.2 of
>
>    [RFC8613] to derive a security context based on a shared master
>
>    secret, the two nonces and the two identifiers, established between
>
>    client and server.  The nonces and identifiers are encoded as CBOR
>
>    byte string if CBOR is used, and as Base64 string if JSON is used.
>
>    This security context is used to protect all future communication
>
>    between client and RS using OSCORE, as long as the access token is
>
>    valid.
>
> <mglt>
>
> all communication sounds strange to me. I am
>
> wondering if that is not all communicationS
>
> instead - though not being native English.
>
>
>
> Similarly I think that the communication is
>
> between a specific client and a specific RS -
>
> at least once established. Thus I am
>
> wondering if that should not be 'between THE
>
> client and THE RS instead.
>
>
>
> FP: Thanks, I will keep these points in mind when talking to the
> RFCEditor. Not a native English speaking either so can't really make a
> choice :)
>
> <mglt>
>
> sure
>
> </mglt.
>
> </mglt>
>
>    Note that the RS and client authenticates each other by generating
>
>    the shared OSCORE Security Context using the pop-key as master
>
>    secret.  An attacker posting a valid token to the RS will not be able
>
>    to generate a valid OSCORE Security Context and thus not be able to
>
>    prove possession of the pop-key.  Additionally, the mutual
>
>    authentication is only achieved after the client has successfully
>
>    verified a response from the RS protectd with the generated OSCORE
>
>    Security Context.
>
> <mglt>
>
> I think that is RS protected.
>
> FP: Thanks, will fix.
>
> It is unclear - at this stage of reading if
>
> the exchange that performs the mutual
>
> authentication is a specific exchange or the
>
> communication between the client and the RS.
>
>
>
> FP: Hopefully this can be clarified by clarifying the previous comment
> that talked about communication between RS and C.
>
> <mglt>
>
> sure.
>
> </mglt>
>
>
>
> </mglt
>

 <mglt>
yes this is clearer at least to me. Thanks.
</mglt>

>
>
> Palombini, et al.         Expires June 17, 2021                [Page 15]
>
> Internet-Draft            OSCORE Profile of ACE            December 2020
>
>
>
> 4.1.  C-to-RS: POST to authz-info endpoint
>
>    The client MUST generate a nonce value very unlikely to have been
>
>    previously used with the same input keying material.  This profile
>
>    RECOMMENDS to use a 64-bit long random number as nonce's value.  The
>
>    client MUST store the nonce N1 as long as the response from the RS is
>
>    not received and the access token related to it is still valid (to
>
>    the best of the client's knowledge).
>
> <mglt>
>
> Same comment as in the overview section
>
> regarding the nonce randomly generated. It
>
> seems that random generation does not require
>
> storing any context resilient to reboot.
>
>
>
> FP: That's correct. And as mentioned, I think the Sec Cons cover this.
>
> <mglt>
>
> I believe the assumptions of the client are outside the scope of the
> protocol, so it seems to me there is no need for a MUST. As detailled
> previously I woudl either refer to eth security consideration section or
> provide the requirement for not repeating without considering how this
> could be implemented.
>
> </mglt>
>
>
>
> FP: I believe assumptions on the client, as well as implementation
> recommendations, are in scope of this document.
>
>
>
 <mglt>
The text works fine for me. Thanks.
</mglt>


> </mglt>
>
>    The client generates its own Recipient ID, ID1, for the OSCORE
>
>    Security Context that it is establishing with the RS.  By generating
>
>    its own Recipient ID, the client makes sure that it does not collide
>
>    with any of its Recipient IDs, nor with any other identifier ID1 if
>
>    the client is executing this exchange with a different RS at the same
>
>    time.
>
> <mglt>
>
> This paragraph is really clarifying - and to
>
> me necessary.
>
> FP: Good! Thanks for the feedback.
>
> </mglt>
>
>    The client MUST use CoAP and the Authorization Information resource
>
>    as described in section 5.8.1 of [I-D.ietf-ace-oauth-authz] to
>
>    transport the token, N1 and ID1 to the RS.
>
>    Note that the use of the payload and the Content-Format is different
>
>    from what is described in section 5.8.1 of
>
>    [I-D.ietf-ace-oauth-authz], which only transports the token without
>
>    any CBOR wrapping.  In this profile, the client MUST wrap the token,
>
>    N1 and ID1 in a CBOR map.  The client MUST use the Content-Format
>
>    "application/ace+cbor" defined in section 8.14 of
>
>    [I-D.ietf-ace-oauth-authz].  The client MUST include the access token
>
>    using the 'access_token' parameter, N1 using the 'nonce1' parameter
>
>    defined in Section 4.1.1, and ID1 using the 'ace_client_recipientid'
>
>    parameter defined in Section 4.1.2.
>
> <mglt>
>
> The paragraph above is also really
>
> clarifying.
>
> FP: Good to hear. I understand at this point that what might be confusing
> at the overview section gets clarified here for the reader. At the same
> time, I don't want to go into so much detail in the overview, and don't
> want to do too many forward references... you see my dilemma?
>
> <mglt>
>
> I got the dilemma. I think that currently either the overview provides a
> bit more details to clarify or removes details. Currently the overview
> seems to me raising question more than indicating a direction. I am fine
> either way, but I suspect that clarifying is more straight forward.
>
>
>
> FP: I gave a shot at clarifying the points above.
>
>
>
> </mglt>
>
>
>
<mglt>
I like the way it is.
</mglt>

> </mglt>
>
> [...]
>
>
>
> 4.2.  RS-to-C: 2.01 (Created)
>
> [...]
>
> <mglt>
>
> It seems to me that the text is using
>
> OSCORE_Input_Material, so I would say we
>
> should remain coherent through the document.
>
> I personnaly do not believe '_' are needed
>
> and would probably favor the designation used
>
> here.
>
>
>
> FP: The idea behind the different names: the difference between with and
> without '_' is that the name of the actual CBOR object includes the
> underscore, while the more general concept of the data included in that
> object (i.e. the data without any format specification) doesn't.
>
> <mglt>
>
> Sure. I believe that either we use always the same one or explain the
> difference. I have the impression for OSCORE we were using non CBOR object
> terminology. At least we could limit to a single notation in the document.
>
>
>
> FP: I have attempted to keep it consistent, and changed a couple of places
> where it wasn't. Most of the time in the doc we talk about
> OSCORE_Input_Material because we refer to the CBOR object, but in my
> opinion it's still useful to be able to distinguish between the theoretical
> and the CBOR object.
>
> </mglt>
>
>
>
<mglt>
The inconsistency - if any - was viable to me. With your further look at
it, I consider you made the right choice.
</mglt>

</mglt>
>
>    the context used to protect the message.  If that is the case, the RS
>
>    MUST overwrite the old token and associate the new token to the
>
>    Security Context identified by the "kid" value in the 'cnf' claim.
>
>    The RS MUST respond with a 2.01 (Created) response protected with the
>
>    same Security Context, with no payload.  If any verification fails,
>
>    the RS MUST respond with a 4.01 (Unauthorized) error response.
>
>    As specified in section 5.8.1 of [I-D.ietf-ace-oauth-authz], when
>
>    receiving an updated access token with updated authorization
>
>    information from the client (see Section 3.1), it is recommended that
>
>    the RS overwrites the previous token, that is only the latest
>
>    authorization information in the token received by the RS is valid.
>
>    This simplifies the process needed by the RS to keep track of
>
>    authorization information for a given client.
>
> [...]
>
> 4.3.  OSCORE Setup
>
>    Once receiving the 2.01 (Created) response from the RS, following the
>
>    POST request to authz-info endpoint, the client MUST extract the bstr
>
>    nonce N2 from the 'nonce2' parameter in the CBOR map in the payload
>
>    of the response.  Then, the client MUST set the Master Salt of the
>
>    Security Context created to communicate with the RS to the
>
>   concatenation of salt, N1, and N2, in this order: Master Salt =
>
>    salt | N1 | N2, where | denotes byte string concatenation, where salt
>
>    is the CBOR byte string received from the AS in Section 3.2, and
>
>    where N1 and N2 are the two nonces encoded as CBOR byte strings.  An
>
>    example of Master Salt construction using CBOR encoding is given in
>
>    Figure 12.
>
> N1, N2 and input salt expressed in CBOR diagnostic notation:
>
>       nonce1 = h'018a278f7faab55a'
>
>       nonce2 = h'25a8991cd700ac01'
>
>       input salt = h'f9af838368e353e78888e1426bd94e6f'
>
> N1, N2 and input salt as CBOR encoded byte strings:
>
>       nonce1 = 0x48018a278f7faab55a
>
>       nonce2 = 0x4825a8991cd700ac01
>
>       input salt = 0x50f9af838368e353e78888e1426bd94e6f
>
> Master Salt = 0x50 f9af838368e353e78888e1426bd94e6f 48 018a278f7faab55a 48
> 25a8991cd700ac01
>
>
>
>     Figure 12: Example of Master Salt construction using CBOR encoding
>
>    If JSON is used instead of CBOR, the Master Salt of the Security
>
>    Context is the Base64 encoding of the concatenation of the same
>
>    parameters, each of them prefixed by their size, encoded in 1 byte.
>
>    When using JSON, the nonces and input salt have a maximum size of 255
>
>    bytes.  An example of Master Salt construction using Base64 encoding
>
>    is given in Figure 13.
>
>
>
>
>
>
>
>
>
>
>
>
>
> Palombini, et al.         Expires June 17, 2021                [Page 20]
>
> Internet-Draft            OSCORE Profile of ACE            December 2020
>
>
>
> N1, N2 and input salt values:
>
>       nonce1 = 0x018a278f7faab55a (8 bytes)
>
>       nonce2 = 0x25a8991cd700ac01 (8 bytes)
>
>       input salt = 0xf9af838368e353e78888e1426bd94e6f (16 bytes)
>
> Input to Base64 encoding: 0x10 f9af838368e353e78888e1426bd94e6f 08
> 018a278f7faab55a 08 25a8991cd700ac01
>
> Master Salt = b64'EPmvg4No41PniIjhQmvZTm8IAYonj3+qtVoIJaiZHNcArAE='
>
>
>
>    Figure 13: Example of Master Salt construction using Base64 encoding
>
>    The client MUST set the Sender ID to the ace_server_recipientid
>
>    received in Section 4.2, and the Recipient ID to the
>
>    ace_client_recipientid sent in Section 4.1.
>
> <mglt>
>
> It seems to me that the terminology used here
>
> might be a bit misleading. If
>
> ace_server_recipientid is being used as the
>
> SID, it seems that ace_server_receipientid
>
> and ace_client_recipientid could be
>
> designated as ace_server_id and
>
> ace_client_id.  What matters then is that the
>
> IDs in a message can be interpreted by the
>
> receiving side and that the receiving side
>
> can see its ID.  In OSCORE that ID is called
>
> the Sender ID (SID) which in this example
>
> should be set to ace_server_id.  It seems to
>
> me that these Sender and Recipient are only
>
> here to indicate a direction and that Sender
>
> ID is a bit misleading - but that is what we
>
> have with OSCORE.  I am wondering if my
>
> understanding is correct or if I am missing
>
> something.
>
>
>
> FP: Yes, your understanding is correct. The reason for not going with
> server id and client id (which we actually had in a previous version of the
> document) is that the roles of client and server can change in the
> communication, after the ace exchange has happened, i.e. the CoAP client
> can also act as a server and viceversa. The reasoning for going with
> "recipientid" instead of "senderid" (since those are mirrored - the
> server's recipient id is the same as the client's sender id) is that the
> node actually choses its own recipient id, i.e. the other node's sender id.
> So in this case the client sets its own Sender ID (OSCORE terminology) from
> the parameter generated from the server and sent in the
> "ace_server_recipientid" parameter.
>
> <mglt>
>
> As a note this seems to me to be a rather common situation - TLS /
> IPsec/HIP. TLS uses client/ server IPsec uses initiator responder and that
> is only valid for the handshake exchanges, so that could be seen as
> reasonable. That said I am fine with whatever is clearer to everyone.
>
> </mglt>
>
> </mglt>
>
> The client MUST set the
>
>    Master Secret from the parameter received from the AS in Section 3.2.
>
>    The client MUST set the AEAD Algorithm, ID Context, HKDF, and OSCORE
>
>    Version from the parameters received from the AS in Section 3.2, if
>
>    present.  In case an optional parameter is omitted, the default value
>
>    SHALL be used as described in sections 3.2 and 5.4 of [RFC8613].
>
>    After that, the client MUST derive the complete Security Context
>
>    following section 3.2.1 of [RFC8613].  >From this point on, the client
>
>    MUST use this Security Context to communicate with the RS when
>
>    accessing the resources as specified by the authorization
>
>    information.
>
>    If any of the expected parameters is missing (e.g., any of the
>
>    mandatory parameters from the AS or the RS), or if
>
>    ace_client_recipientid equals ace_server_recipientid, then the client
>
>    MUST stop the exchange, and MUST NOT derive the Security Context.
>
>    The client MAY restart the exchange, to get the correct security
>
>    material.
>
> <mglt>
>
> ace_client_id and ace_server_id may collide.
>
> It is unclear to me what problem it causes.
>
> Contexts are being indexed with the ID being
>
> used as a recipient and the binding between
>
> an RID and a context seems only be necessary
>
> for a receiving party. When a node is sending
>
> some data, it might needs the Sending Context
>
> but it is not crucial to index it with an ID,
>
> nor to have all Sending and Receiving Context
>
> mixed together. As a result, I have the
>
> impression that this case of equality is an
>
> implementation issue. Of course I might be
>
> missing something.
>
>
>
> I suggest motivation is provided, and unless
>
> we have some the corner case is removed and
>
> let to implementations.
>
>
>
> FP: The problem if they collide is that there would be collision of keys
> for client and server (Sender Key and Recipient Key). We will add a
> reference to the motivation in OSCORE, section 3.3 of OSCORE
> https://tools.ietf.org/html/rfc8613#section-3.3
>
> <mglt>
>
> ok, yes that would help.
>
>
>
> FP: Ok, done.
>
> </mglt
>
 <mglt>
 thanks.
</mglt>

> </mglt>
>
>    The client then uses this Security Context to send requests to the RS
>
>    using OSCORE.
>
>    After sending the 2.01 (Created) response, the RS MUST set the Master
>
>    Salt of the Security Context created to communicate with the client
>
>    to the concatenation of salt, N1, and N2, in the same way described
>
>    above.  An example of Master Salt construction using CBOR encoding is
>
>    given in Figure 12 and using Base64 encoding is given in Figure 13.
>
>    The RS MUST set the Sender ID from the ace_client_recipientid
>
>    received in Section 4.1, and the Recipient ID from the
>
>    ace_server_recipientid sent in Section 4.2.  The RS MUST set the
>
>    Master Secret from the parameter received from the AS and forwarded
>
>    by the client in the access token in Section 4.1 after validation of
>
>    the token as specified in Section 4.2.  The RS MUST set the AEAD
>
>    Algorithm, ID Context, HKDF, and OSCORE Version from the parameters
>
>
>
>
>
> Palombini, et al.         Expires June 17, 2021                [Page 21]
>
> Internet-Draft            OSCORE Profile of ACE            December 2020
>
>
>
>    received from the AS and forwarded by the client in the access token
>
>    in Section 4.1 after validation of the token as specified in
>
>    Section 4.2, if present.  In case an optional parameter is omitted,
>
>    the default value SHALL be used as described in sections 3.2 and 5.4
>
>    of [RFC8613].  After that, the RS MUST derive the complete Security
>
>    Context following section 3.2.1 of [RFC8613], and MUST associate this
>
>    Security Context with the authorization information from the access
>
>    token.
>
>    The RS then uses this Security Context to verify requests and send
>
>    responses to the client using OSCORE.  If OSCORE verification fails,
>
>   error responses are used, as specified in section 8 of [RFC8613].
>
>    Additionally, if OSCORE verification succeeds, the verification of
>
>    access rights is performed as described in section Section 4.4.  The
>
>    RS MUST NOT use the Security Context after the related token has
>
>    expired, and MUST respond with a unprotected 4.01 (Unauthorized)
>
>    error message to requests received that correspond to a Security
>
>    Context with an expired token.
>
>    Note that the ID Context can be assigned by the AS, communicated and
>
>    set in both the RS and client after the exchange specified in this
>
>    profile is executed.  Subsequently, client and RS can update their ID
>
>    Context by running a mechanism such as the one defined in
>
>    Appendix B.2 of [RFC8613] if they both support it and are configured
>
>    to do so.
>
> <mglt>
>
> I am reading the text as if that works they
>
> will be able to update the ID, but there is
>
> no guarantee for that. I would expect some
>
> ways to announce the support of such
>
> mechanism.
>
>
>
> FP: If the server doesn't support this mechanism, it will reply with an
> error, and the exchange will fail. There is no need to communicate support
> of this mechanism.
>
> <mglt>
>
> This may be something related to OSCORE, but I am not so convinced it is a
> good thing not to have any means to communicate the support of some
> mechanism. I would be happy to understand more on whether this is not
> needed, or if that could be added to OSCORE.
>
>
>
> FP: Right, that is really a comment on OSCORE, nothing we can do about it
> in this specification.
>
> </mglt>
>
<mglt>
ok.
</mglt>

> </mglt>
>
> In that case, the ID Context in the OSCORE Security
>
>    Context will not match the "contextId" parameter of the corresponding
>
>    OSCORE_Input_Material.
>
>
>
> <mglt>
>
> Well, I might be missing something, but I
>
> have the impression the mechanism has been
>
> designed to mitigate the contextID and the id
>
> when they are equal.
>
> FP: Actually no, these IDs are used independently, as mentioned in a
> previous answer. This mechanism is designed to easily update the keying
> material.
>
> <mglt>
>
> Just for me, I understood that if there id and contextId matches, we
> re-key so the contextId. I assume that re-keying update the contextId, in
> which case, contextId is likely to be different from id. In other words, if
> there is a match, a re-key operation is performed.
>
> This also means that any rekey operation that is performed could result in
> a collision. If that is the case, I believe could clarify and generalise
> this to any rekey operation.
>
>
>
> FP: As previously mentioned, contextId and id are really different, they
> identify different things and it is not a problem if they collide. We do
> nott re-key to avoid the collision between the two. The re-key can make so
> that the contextId changes, while id will remain the same.
>
> </mglt>
>
>
>
> I suppose having these
>
> id matching raises some issues, but it is
>
> unclear to me what the issue is.  I am also
>
> wondering - as mentioned earlier whether we
>
> need to have these two ID, and if so, if that
>
> could be possible to derive these IDs one
>
> from another. This would prevent the defining
>
> a mechanism.
>
>
>
> FP: Hopefully this is clearer by the answers above. We do need both, they
> have different functions.
>
> Currently here is how I see the situation:
>
> a) the collision might be an issue, and
>
> b) we might have a mechanism to address this
>
> potential issue.
>
>
>
> Note that I might emphasize the issue too
>
> much, that is just to clarify my thoughts.
>
>
>
> </mglt>
>
> Running Appendix B.2 results in the keying
>
>    material in the Security Contexts of client and RS being updated;
>
>    this same result can also be achieved by the client reposting the
>
>    access token to the unprotected /authz-info endpoint at the RS, as
>
>    described in Section 4.1, but without updating the ID Context.
>
> [...]
>
> 6.  Discarding the Security Context
>
> On Mon, Dec 14, 2020 at 10:46 AM Francesca Palombini <francesca.palombini=
> 40ericsson.com@dmarc.ietf.org> wrote:
>
> Ah, of course, they are indeed out of sync, thank you for noticing! I am
> fixing it already in the github, but I am thinking of waiting for Daniel's
> go ahead before submitting one more version, see if he wanted to review one
> last time.
>
> Francesca
>
> On 14/12/2020, 16:32, "Benjamin Kaduk" <kaduk@mit.edu> wrote:
>
>     Thanks, Francesca!
>
>     It looks like the CBOR label values have gotten out of sync between
> Table 1
>
>     and the prose.  (The IANA Considerations just refer to Table 1, so I
> think
>
>     that Section 3.2.1 is the only thing that needs to be kept in sync.)
>
>     -Ben
>
>     On Mon, Dec 14, 2020 at 09:58:21AM +0000, Francesca Palombini wrote:
>
>     > Hi all,
>
>     >
>
>     > This update answers Marco's latest review (thanks Marco!), answering
> all comments received as WGLC.
>
>     >
>
>     > Thanks,
>
>     > Francesca
>
>     >
>
>     > On 14/12/2020, 09:49, "Ace on behalf of internet-drafts@ietf.org" <
> ace-bounces@ietf.org on behalf of internet-drafts@ietf.org> wrote:
>
>     >
>
>     >
>
>     >     A New Internet-Draft is available from the on-line
> Internet-Drafts directories.
>
>     >     This draft is a work item of the Authentication and
> Authorization for Constrained Environments WG of the IETF.
>
>     >
>
>     >             Title           : OSCORE Profile of the Authentication
> and Authorization for Constrained Environments Framework
>
>     >             Authors         : Francesca Palombini
>
>     >                               Ludwig Seitz
>
>     >                               Göran Selander
>
>     >                               Martin Gunnarsson
>
>     >           Filename        : draft-ietf-ace-oscore-profile-14.txt
>
>     >           Pages           : 33
>
>     >           Date            : 2020-12-14
>
>     >
>
>     >     Abstract:
>
>     >        This memo specifies a profile for the Authentication and
>
>     >        Authorization for Constrained Environments (ACE) framework.
> It
>
>     >        utilizes Object Security for Constrained RESTful Environments
>
>     >        (OSCORE) to provide communication security and
> proof-of-possession
>
>     >        for a key owned by the client and bound to an OAuth 2.0
> access token.
>
>     >
>
>     >
>
>     >     The IETF datatracker status page for this draft is:
>
>     >     https://datatracker.ietf.org/doc/draft-ietf-ace-oscore-profile/
>
>     >
>
>     >     There are also htmlized versions available at:
>
>     >     https://tools.ietf.org/html/draft-ietf-ace-oscore-profile-14
>
>     >
> https://datatracker.ietf.org/doc/html/draft-ietf-ace-oscore-profile-14
>
>     >
>
>     >     A diff from the previous version is available at:
>
>     >
> https://www.ietf.org/rfcdiff?url2=draft-ietf-ace-oscore-profile-14
>
>     >
>
>     >
>
>     >     Please note that it may take a couple of minutes from the time
> of submission
>
>    >     until the htmlized version and diff are available at
> tools.ietf.org.
>
>     >
>
>     >     Internet-Drafts are also available by anonymous FTP at:
>
>     >     ftp://ftp.ietf.org/internet-drafts/
>
>     >
>
>     >
>
>     >     _______________________________________________
>
>     >     Ace mailing list
>
>     >     Ace@ietf.org
>
>     >     https://www.ietf.org/mailman/listinfo/ace
>
>     >
>
>     > _______________________________________________
>
>     > Ace mailing list
>
>     > Ace@ietf.org
>
>     > https://www.ietf.org/mailman/listinfo/ace
>
> _______________________________________________
>
> Ace mailing list
>
> Ace@ietf.org
>
> https://www.ietf.org/mailman/listinfo/ace
>
>
>
> --
>
> Daniel Migault
>
> Ericsson
>
>
>
>
>
>
>
> --
>
> Daniel Migault
>
> Ericsson
>


-- 
Daniel Migault
Ericsson