Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14

Stefanie Gerdes <gerdes@tzi.de> Wed, 17 February 2021 13:51 UTC

Return-Path: <gerdes@tzi.de>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 115493A1A40 for <ace@ietfa.amsl.com>; Wed, 17 Feb 2021 05:51:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pCBV7CgJ3uis for <ace@ietfa.amsl.com>; Wed, 17 Feb 2021 05:51:41 -0800 (PST)
Received: from gabriel-vm-2.zfn.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B147E3A1A41 for <ace@ietf.org>; Wed, 17 Feb 2021 05:51:41 -0800 (PST)
Received: from [192.168.0.57] (p5b36f033.dip0.t-ipconnect.de [91.54.240.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by gabriel-vm-2.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4DgfQM5Nc0z1017; Wed, 17 Feb 2021 14:51:39 +0100 (CET)
To: Daniel Migault <daniel.migault@ericsson.com>, Daniel Migault <mglt.ietf@gmail.com>, Francesca Palombini <francesca.palombini@ericsson.com>
References: <871rdqihww.fsf@wangari> <FD569111-85F8-40A2-8C97-764977309B87@ericsson.com> <CADZyTk=HB26o=mUpUdbYEhfhrGZar+oe28c5PZ2_j-vKYVA6xg@mail.gmail.com> <c6d42d18-f1f3-ec00-fff9-3540fa222d23@tzi.de> <9911269D-AA7F-458C-AA1A-2D59A79C5A00@ericsson.com> <CADZyTkn=3GigtTiihQX0ORYyO0dV0qCfVMtTn37vbsqJuQUJxw@mail.gmail.com> <026242c2-2c6a-485b-cb51-34b2b2d70975@tzi.de> <DM6PR15MB23796DF01885DC7F86C15583E3879@DM6PR15MB2379.namprd15.prod.outlook.com>
Cc: =?UTF-8?Q?G=c3=b6ran_Selander?= <goran.selander=40ericsson.com@dmarc.ietf.org>, Russ Mundy <mundy@tislabs.com>, Olaf Bergmann <bergmann@tzi.org>, "ace@ietf.org" <ace@ietf.org>
From: Stefanie Gerdes <gerdes@tzi.de>
Message-ID: <6b5368a6-b8ba-81eb-0c10-6a052fcbad67@tzi.de>
Date: Wed, 17 Feb 2021 14:51:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <DM6PR15MB23796DF01885DC7F86C15583E3879@DM6PR15MB2379.namprd15.prod.outlook.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/LBNSn4EKSpAkS4zWsbGh_B9LTpc>
Subject: Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Feb 2021 13:51:44 -0000

Hi Daniel,

On 02/16/2021 04:53 PM, Daniel Migault wrote:

> Section 5:
> OLD
> "Profiles MUST specify a communication security protocol that provides
>    the features required above."
> NEW
> "Profiles MUST specify at least one communication security protocol that provides the features required above."
> 
> <mglt>
> I have the impression that with MUST specify one expects a mandatory protocol to be provided. Would the following text be acceptable ?
> 
> NEW2:
> "Profiles RECOMMENDs at least one communication security protocol that provides the features required above."
> </mglt>

I don't understand it like that but I see your point. But I think
"RECOMMENDS" leaves too much wiggle room :). The profiles could then
omit the protocols completely, which I think is a bad idea. Implementers
should have at least one example how the communication between C and AS
is protected. Since we don't provide it in the framework we must have it
in the profiles. How about:

NEW3:
"Profiles MUST specify at least one communication security protocol that
provides the features required above as an example how the respective
communication can be secured."

Viele Grüße
Steffi