Re: [Ace] call for adoption for draft-marin-ace-wg-coap-eap
Dan Garcia Carrillo <garciadan@uniovi.es> Fri, 22 January 2021 17:42 UTC
Return-Path: <garciadan@uniovi.es>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17EC33A12CA for <ace@ietfa.amsl.com>; Fri, 22 Jan 2021 09:42:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.161
X-Spam-Level:
X-Spam-Status: No, score=-2.161 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.262, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=unioviedo.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pKisPaTYolaJ for <ace@ietfa.amsl.com>; Fri, 22 Jan 2021 09:42:46 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60075.outbound.protection.outlook.com [40.107.6.75]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F16A3A12C1 for <ace@ietf.org>; Fri, 22 Jan 2021 09:42:46 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VXtXm/ChH8KsGXMQr5W7iGEvEp6QBb1yAr8XlAAziD9To+V7yUeeaf+34IYtqcBm7+7OmdmuhrSah9fGxV2u34lKY1UsmuSnSLV9wXH07D02xIbLNzLetLlK0r7Fq3BIRpWlNsrwql7R4lMUCFgBgTUlg0KUtoWOgxBqYDkYYh3+b9020Htl0x2OtA9QPpqPUUimnmKcu+iqsKUOXPVT5x+v1s80nqAfi1++JQ9iu7hQCWv5KQQ+0RHCRGFGWgKZMc1BgJVVSRh4qS6V/y8ZGQAJmu4chu0NchcLdhRLD5MQ32zwe8cWsptrT80ubwO4/pPli8pA8bntSLvFPZjz7g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5a9yY0K5Rq8Lc8dx5KNtAod5vvJiFGuSFmqE5luMI+E=; b=KUo38iA1QLk2pol4y3zXdvR3OP0BfKr+MWVeV1cEui+N/PeSIYIhLWyaMG2JXzUzpkV/2pcQCI9QA2StBmrjhopbV/BdBzuiZ+XIOCg8OQ7OW5/t/9zn5jPFAbGdYIKxaOUmzRxZYES9Gb4S8++4E71ISvuMiYgnMHaEh+YPV0mT3pBnpVN6ctyIwizm2IIuD3rGIolCdtFdCh5Ssg2zVaUb+GOCwy4rfiP0sbj08eAysxqibsHVpdAOEDvfLff2gY4GZvBZWKOLzNQFa4fgDexL12c4iDbDk/ic3+ujMdTzahXBFNCoipRxP7kaO/61IvimtGlARgd4oliCA8u6rA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uniovi.es; dmarc=pass action=none header.from=uniovi.es; dkim=pass header.d=uniovi.es; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unioviedo.onmicrosoft.com; s=selector2-unioviedo-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5a9yY0K5Rq8Lc8dx5KNtAod5vvJiFGuSFmqE5luMI+E=; b=BvV7Da1c3C6occ/FAnmTGTVsSURaxe82qwzPEtkCeQsvzOKDljaO+I8jSGwD3ZrXjlbdmRLPBdo7WvPvIpbzPcAu/j2qggij2R2qd7RJvWpfomxY+//WG1F6jqSG9Rf1cb0pqHHtnAatN4SZu/oDRhmdg3qt2MzY5uRUiyI/fr0=
Authentication-Results: uniovi.es; dkim=none (message not signed) header.d=none;uniovi.es; dmarc=none action=none header.from=uniovi.es;
Received: from DBBPR08MB6202.eurprd08.prod.outlook.com (2603:10a6:10:209::9) by DB8PR08MB4953.eurprd08.prod.outlook.com (2603:10a6:10:ef::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3784.11; Fri, 22 Jan 2021 17:42:43 +0000
Received: from DBBPR08MB6202.eurprd08.prod.outlook.com ([fe80::38e0:69e7:135f:ad22]) by DBBPR08MB6202.eurprd08.prod.outlook.com ([fe80::38e0:69e7:135f:ad22%5]) with mapi id 15.20.3784.012; Fri, 22 Jan 2021 17:42:43 +0000
Cc: garciadan@uniovi.es
To: Michael Richardson <mcr+ietf@sandelman.ca>, Ace Wg <ace@ietf.org>
References: <CADZyTkkiqC=x_oAYsc_jHHeiNWhjvXHHvOKEeF=9W3si8Dp3pw@mail.gmail.com> <25210.1611242790@localhost>
From: Dan Garcia Carrillo <garciadan@uniovi.es>
Message-ID: <e8efeddd-08cb-f529-c8c5-b3a30145744e@uniovi.es>
Date: Fri, 22 Jan 2021 18:42:41 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.1
In-Reply-To: <25210.1611242790@localhost>
Content-Type: multipart/alternative; boundary="------------6BC6E554ED042AD7EEFEFCC1"
Content-Language: es-ES
X-Originating-IP: [156.35.171.42]
X-ClientProxiedBy: MR2P264CA0122.FRAP264.PROD.OUTLOOK.COM (2603:10a6:500:30::14) To DBBPR08MB6202.eurprd08.prod.outlook.com (2603:10a6:10:209::9)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [156.35.171.42] (156.35.171.42) by MR2P264CA0122.FRAP264.PROD.OUTLOOK.COM (2603:10a6:500:30::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3784.12 via Frontend Transport; Fri, 22 Jan 2021 17:42:43 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 632490d2-1bc2-4eef-c8d5-08d8befd1f4c
X-MS-TrafficTypeDiagnostic: DB8PR08MB4953:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: <DB8PR08MB4953B8A780B9E4759895E7F9B4A00@DB8PR08MB4953.eurprd08.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: CG1lRuufU9c212QbDardV9OcL9ml9q1Bd71Nn2vm4OReJa4flY1sRWt5xCydnHtq+APby13a57B5ZqGhd4dmL/8qjD95I9UPBHorU5QPvaw2XyAbXArqq15qCMlQu7MQWiprmXz95pMCY6B5HXZOqVD7lSnjcXJseIiJ+OPIUS2OHR97d8APwV/klmbDT+FqVQ3dpgIO1uN9upMQkWV9l46D/1MQ13MUde1JGVIuxbWOqoJ0s39A2mORRtNEvBEF3luQ3QluezKOjlulYBj9YVwct9R2ghnHluiN+QJVRRs4UZWxAOHgl4ySzSv5X3mAnXzct+W70oxhxbCOZtOmJkB80zetYn2wyZy7pDFFYlqUa6SVBWwol//PvZ+t2CpcK7iKYQfqbKbxoSNIXWnN2xcLCCyV+ZqFfDx6j2/9WTJ/jeV5XB+ZPDV2YPJYLicGzijCKWiZSrt9ZQZDm3oyLwzau3oay4DXSehw9g1CorQbixwbtFk8atlAUvSD77grR+yM8/evrBV0raTEFMT8+ZY0G+krkxUo9QtPu+n1oEcKbiFrAGR3Am0WoJq0r+X7nY+yjWCLTANggnyyJDZTUA==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DBBPR08MB6202.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(346002)(376002)(39850400004)(366004)(396003)(136003)(66476007)(66556008)(26005)(16576012)(786003)(33964004)(478600001)(316002)(966005)(66574015)(4326008)(83380400001)(8936002)(36756003)(66946007)(30864003)(186003)(6706004)(2616005)(31686004)(166002)(956004)(16526019)(6486002)(110136005)(107886003)(2906002)(5660300002)(8676002)(86362001)(31696002)(52116002)(3940600001)(45980500001)(43740500002); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: 7OFh9QAh93EXhENL5NGw2IZv/KFiPbfrE6Ab3SumkHQn+/VjOS30ZSuyu2asByugkTdbO/Zx2HUwQMuRU3HAQUyg3PZ+bual63Ce7f5mr4u5xsO7KmRKHB8GhgrRz8jOk36gc1uCsExNIi7wdR50LanvwOAr/fw0RU6tEd8c1kew+65cjMWg2QkSPsGRxDY0IRy9kwcu9VIlVw3AUyXXkFU2fV8Q3QsZ80Tlro4/OzQhvDpAhRXRxx2Q3CMMhvnn+mMb9YE/Pw4m/es80dLlyn/FW032XOE9DUhB85zTnDOvnI5JMRsp2pVFZHJdA6NMQwkJEldi8mdn++2HQvFN8ANMqjo4DZ5Vz2U+kLJ3j6Oxz95LVXC+shMkZmu0+IByTETnxKiPuICzwj8tX/w9XrahOdKn2HRKMof3WunHuofDB/gck++iBOQkpTJvPhn5Tade/hspb5n11uhF5nKfJqRP3j+fyPtSFD/fzTZhew5yrG1Q5eT4ovYKelxBl1w+u1FUxOGnid1N5OZKcpcbHqI1YwRCzEkZH6I/7LJevL5zVR+fxn/ksfpEjY6nVfkQ33tXSF3446NvkBIo+Gl1zwTvNp7hT9VOvjoF2SYkq8y5xWrQxcDKNtW9x3ZcLHP4GEa4AhqP7bRAByfG16HSOK3TyIEMqzAr8OEmH5M86mEXwuOqQuwnF+fyCstBBxBKDfDD7NxwrjetzZhpLMuQEm3FA0ewZdhTRV2MErT+q2qj00TnMwinqXnIPnW9Dm9js867FNE4nLwVlpry44f6h6WhVuQ9PdA84KyD681hDqJz7XD2Gwc3ss8hVf0PO9GHjPmghMiHrpMEL5h8nIBeUhlHq68qz0tnNE+ccqLhw1fjW356M60M74NpI2qPjr3snaaChUFOSd7qLCaVLVlLOC/AfSH/MhQVGtY3f5230qFt59djjqGQ9gSzRV3NNA2ZgonucWF3TqaERHHpKHxOC/X21wNJ0WWUpess+OQjzUNY4Xhe5hhRb8GR+WAKHO5/p7bHx1CXdL3/482hnXBvxjw5A3m0kXcEXPas7AOzXhOhCUE7rygUJpE57WZarX+O
X-OriginatorOrg: uniovi.es
X-MS-Exchange-CrossTenant-Network-Message-Id: 632490d2-1bc2-4eef-c8d5-08d8befd1f4c
X-MS-Exchange-CrossTenant-AuthSource: DBBPR08MB6202.eurprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Jan 2021 17:42:43.6244 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 05ea74a3-92c5-4c31-978a-925c3c799cd0
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: RZqcvki7w5BFKtaxMOW3c4fbm4zY7eldtZAbi5WxX/9i/zYfoVelmuz2k9bCUh1dUoFq/TF0CxLxhRq9HQLzSw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8PR08MB4953
X-MS-Exchange-CrossPremises-AuthSource: DBBPR08MB6202.eurprd08.prod.outlook.com
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 06
X-MS-Exchange-CrossPremises-Mapi-Admin-Submission:
X-MS-Exchange-CrossPremises-MessageSource: StoreDriver
X-MS-Exchange-CrossPremises-BCC:
X-MS-Exchange-CrossPremises-OriginalClientIPAddress: 156.35.171.42
X-MS-Exchange-CrossPremises-TransportTrafficType: Email
X-MS-Exchange-CrossPremises-Antispam-ScanContext: DIR:Originating; SFV:NSPM; SKIP:0;
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-Processed-By-Journaling: Journal Agent
X-OrganizationHeadersPreserved: DB8PR08MB4953.eurprd08.prod.outlook.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/KKvofzif5b1H8w8PjtgNY2C2h2Y>
Subject: Re: [Ace] call for adoption for draft-marin-ace-wg-coap-eap
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jan 2021 17:42:49 -0000
Hi Michael, El 21/01/2021 a las 16:26, Michael Richardson escribió: > I reviewed the document before, and my concerns were not really answered. > > I can not understand what the applicability is. Did you check the last version of the use case? The use case is a bit more ellaborate than the initial to give a more broad view of the concept and try to clarify doubts. If it is not clear we will review that part. > > The document starts off with: > > The goal of this document is to describe an authentication service > that uses the Extensible Authentication Protocol (EAP) [RFC3748]. > The authentication service is built on top of the Constrained > Application Protocol (CoAP) [RFC7252] and ALLOWS AUTHENTICATING TWO > CoAP endpoints by using EAP without the need of ADDITIONAL PROTOCOLS > TO BOOTSTRAP A SECURITY ASSOCIATION BETWEEN THEM. We can improve the text to better explain the goal with your comments. > > ... > The assumption is that the EAP method transported in CoAP MUST > generate cryptographic material [RFC5247] > > This implies use of one of the many EAP-TLS modes, some EAP PAKE > mode, or maybe, in theory some EAP-SIM/AKA mode. We do not specify a particular EAP method to be used and that is one of the reasons for choosing EAP: "One of the advantages of the EAP architecture is its flexibility" > > 1) TLS modes could just use TLS, or DTLS and omit the extra EAP > bytes. If saving those bytes are not important, then > the use of PANA seems to do the same thing. > > 2) The EAP PAKE modes could just TLS with some PSK or PAKE > authentication. > > 3) The EAP-SIM/AKA modes are not realistic, as they generally depend upon > being able to talk to a database of SIM/AKA secrets. > > So, which modes that generate cryptographic material are envisioned? As commented above, we do not force a specific EAP method to be used, that is the key desing behind an EAP lower layer, to be agnostic to the EAP method in use. But to answer to your question, we will not use EAP methods that do not export key material such as EAP-MD5. > > The document goes on to say: > > The CoAP client MAY contact > with a backend AAA infrastructure to complete the EAP negotiation as > described in the EAP specification [RFC3748]. > > which is a third party, when the intro told me that no third party was > required. Even figure 1 show three parties. > And section 5 says there might be five parties, again including an AAA server. The added parties are for the purpose of ellaborating the use case, but at the end they all map to the EAP architecture. EAP is clear with this point. You have the option of using it in standalone or pass-through mode. If you use it in standalone mode, the controller wil act as EAP authenticator/server, and there will be no need for contacting any AAA server. In other words, the design of an EAP lower layer is not dependant on a AAA server. This said, we can improve the abstract for example with this: "This document describes an authentication service that uses EAP transported by means of CoAP messages with the following purposes: o Authenticate a CoAP-enabled constrained device that enters a new security domain under the control of a CoAP-enabled Controller, providing flexible authentication with EAP. o Bootstrap key material to protect CoAP messages exchanged between a constrained device and controller. o Enable the establishment of a security association between them." > > I believe that this entire proposal goes against the ACE architecture, > and should not be adopted by this WG. > This work seems to duplicate the work in LAKE, as well as cTLS, while not > bringing any clear advantage over existing protocols. > > If adopted, I don't review the document. This is not correct. It does not go against the ACE architecture but it is a complement to it. Our main contribution is the definition for a CoAP-based transport for EAP (Figure 1). We tried to explain the relationship with ACE in the use case section, but we will improve the text after your comments. In fact we have: "In the second phase, when node A wants to talk with node B, it contacts the controller C for authorization to access node B and obtain all the required information to do that in a secure manner (e.g. keys, tokens, authorization information, etc.). It does NOT require the usage of CoAP-EAP. The details of this phase are out of scope of this document, but ACE framework can be used for this purpose [I-D.ietf-ace-oauth-authz]” Therefore CoAP-EAP happens before and can be used to establish a secure relationship between the AS and the constrained device in ACE-OAuth. The most general or broad use case we have in mind are constrained devices with: - Different types of credentials and authentication mechanisms - Can belong to different domains - Want to join a domain under the control of a controller. It turns out that CoAP-based EAP service allows you to generate key material (the MSK) to establish this secure association. Having provided the initial key material that the ACE-OAuth framework requires: "... Client registration and provisioning of client credentials to the client is out of scope for this specification. " What happens after that, is all about the ACE-OAuth framework. Best Regards, Dan. > > -- > ] Never tell me the odds! | ipv6 mesh networks [ > ] Michael Richardson, Sandelman Software Works | IoT architect [ > ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [ > > > > -- > Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) > Sandelman Software Works Inc, Ottawa and Worldwide > > > > > > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace
- [Ace] call for adoption for draft-marin-ace-wg-co… Daniel Migault
- Re: [Ace] call for adoption for draft-marin-ace-w… Michael Richardson
- Re: [Ace] call for adoption for draft-marin-ace-w… Mohit Sethi M
- Re: [Ace] [EXTERNAL] Re: call for adoption for dr… Seitz Ludwig
- Re: [Ace] call for adoption for draft-marin-ace-w… Michael Richardson
- Re: [Ace] call for adoption for draft-marin-ace-w… Dan Garcia Carrillo
- Re: [Ace] [EXTERNAL] Re: call for adoption for dr… Dan Garcia
- Re: [Ace] call for adoption for draft-marin-ace-w… Dan Garcia Carrillo
- Re: [Ace] call for adoption for draft-marin-ace-w… Michael Richardson
- [Ace] Fwd: call for adoption for draft-marin-ace-… Dan Garcia
- Re: [Ace] call for adoption for draft-marin-ace-w… Josh Howlett
- Re: [Ace] call for adoption for draft-marin-ace-w… Francisco Martin de la Fuente
- Re: [Ace] call for adoption for draft-marin-ace-w… Göran Selander
- Re: [Ace] call for adoption for draft-marin-ace-w… Alexandre Petrescu
- Re: [Ace] call for adoption for draft-marin-ace-w… Pedro Moreno-Sanchez
- Re: [Ace] call for adoption for draft-marin-ace-w… Eduardo Inglés (IMT)
- Re: [Ace] call for adoption for draft-marin-ace-w… Michael Richardson
- Re: [Ace] call for adoption for draft-marin-ace-w… Daniel Migault
- Re: [Ace] call for adoption for draft-marin-ace-w… Daniel Migault