[Ace] AD review of draft-ietf-ace-extend-dtls-authorize-04
Roman Danyliw <rdd@cert.org> Fri, 04 November 2022 18:30 UTC
Return-Path: <rdd@cert.org>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40E35C14CE2D for <ace@ietfa.amsl.com>; Fri, 4 Nov 2022 11:30:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zvp3pjZNjN0O for <ace@ietfa.amsl.com>; Fri, 4 Nov 2022 11:29:59 -0700 (PDT)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0090.outbound.protection.office365.us [23.103.209.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1210C1522A3 for <ace@ietf.org>; Fri, 4 Nov 2022 11:29:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=QJ6gohFDaHZ5mQ6WbusHZ/6lILyVizI+SGZJiwOFEtoD3AEHnvVuDOZ9qY8XI5xieEbjdRtX38BuT1NIpdBpEutmRpBYwR25nN06EpZzEeE7W13DSFqDfZP8BjuoGd2bzFnrU8pMj1Su4nMa/dCb0+A9fK0ZCZV4yHrNwESPNwah/DiqWt3DnbHIt9LIoE5WPe2a8zPRthe/ostYO0WW4ktXEghmqcjlyzXYpphtFUACsIEgN43fomp74JkLK1227F7nxMXWIlstDOzek4nG+uV9Hld/A3V+JAsx6PuW+PtOJNoHijYfa3jfcmU/l9+9Nr56gHJpfWvPN+eeUN+kwg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=2noiar8QMqQK9+jteywQjfdHF9MWrLYg9LzpCPPILoU=; b=MUstlhEClnramH5HdR0CIOUvif3COkypmTiOGzKM9TV4d3hVyRKwHDb6QVpZhq4DMzwh3vln/Eh9HBBlqTJ6ZUB7n35Sf1z2IiEH/QoS9LTrbJDob2f5zGmkGPncm+IXSVKNZDCz23amrJt+c9J2UMbQkBR23sT8LNEUm9DfCVJaAHL4PF4jypUflTxJckZcNyTMxqyaNSYcDIF4TeLN2A9JcBiUNkil+otuM0s2vwBy/VfHRhF5NrVnI6yL7Ak0+HrBlieNRufprci5WnKyPvadaeKKTFy1MAjgImmg+CKczDVCzdUWyN60GvW+Buu2P54uYAdsh2ubcrGr/YgXXA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2noiar8QMqQK9+jteywQjfdHF9MWrLYg9LzpCPPILoU=; b=IxUaRYzj7M0q+iqLFBz6epzO4IBCAu4zspEmW3PutRkJXMaqcWYS8nEZRM6Q11nD8hsdSNRN+VuGrvrg9lI8ZBsYIliSogQWKnKuBu7Y79B0uhLricM1I3oxQ5t8PKOqXc+c0Xn3cn7Wd4zQlSMUka0q4aJZJswwtn1yUAqu/Sg=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1122.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:16a::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5791.22; Fri, 4 Nov 2022 18:29:51 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::11dc:e93c:167b:f429]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::11dc:e93c:167b:f429%6]) with mapi id 15.20.5746.036; Fri, 4 Nov 2022 18:29:51 +0000
From: Roman Danyliw <rdd@cert.org>
To: "ace@ietf.org" <ace@ietf.org>
Thread-Topic: AD review of draft-ietf-ace-extend-dtls-authorize-04
Thread-Index: Adjwe2JJT0tAn6HAQfuKfX8B1dBWhw==
Date: Fri, 04 Nov 2022 18:29:51 +0000
Message-ID: <BN2P110MB1107891F227FFF59E3C5487BDC3B9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1122:EE_
x-ms-office365-filtering-correlation-id: b51837c6-5384-4d43-9519-08dabe929008
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: RJAzOUFeBME3bYgE3RfG67bL/iukGVL67+03umSZ06jhbqZWGyowKhyg7TYvhWKNXaEyXrfF+pzEH6jR980d5Ih2MWYNv8FbV/OfQGkteapO7qpPZT+312xc4/QaCTovO2CHiXZob3WFBOiWkcLmGSi2hXDqeyEMi6ljIHkHn2zkB0U0dCxoV+eH9CdpRRpEWshKkxCU3qGAfO4rWkP12gx/eOUof3Q64zjQxJrZk2H8ZnkrW8xfTnrl78+CR6f7xRwuUh9wujGnFD+qxnt4q22MmqJUSckmp0QXEcwii55v2stf/tQWDuNEwrOOpklV+eMXkGkcGiq3zw/JfXMFBmxsB0p3tK3BGgSecYQ1YWigzdg+fUVkxuYq3uxOuvDf7VkWm6ObO7bihFOElNIjGV67JxvQBqPkZt9R39numq+TwhUrhsiRB+tu+N3Wmp/LxFKoMBhxn8Wwb7F2lPMZWgNi/hg8XZ6CsZs77as60Q5PgTlW6nNjs9RMSkwOrDZoYSZzzZBDqw1P+jc1UN3T8rD7JqDH+5Afu2PGCI5EJD28C6gZyKWiZQAKaqDtec/ErWFQXfDTHxgsHZkBOCRTRU/KSxYvl5oZofMzPRCvZ5yH5D/JPBLLJFnMZ6V+Gs7dBbTbtwT9h75pSN2+EKqlypeaCnbcBCiFc/R6xmBbKw7zGxmNB+I18Ts3cgeBIxs1
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(366004)(451199015)(38070700005)(2906002)(71200400001)(66946007)(66556008)(76116006)(66446008)(66476007)(64756008)(86362001)(55016003)(8676002)(186003)(498600001)(9686003)(6506007)(26005)(122000001)(38100700002)(7696005)(82960400001)(6916009)(83380400001)(8936002)(52536014)(5660300002)(33656002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: bRiXC99Y2+FwHQJ3ZJK8QiaP2LTyLjhx2q6Jk7AC7Qe51dCd+EL2jYxYBoDIzIK+DrUQ383j9dkDoCX8roODzYx3zl00Oo974AgjvtLhX77AuRsly+2E1RE72LdRhFBn+nQ+jofKhfQGT20RNgq1kT2w2ErgaEzdaRZVwd/YYjG9ROUmt+cvtW+DngHvVx5KOKGrqAWoYQPWaHJZANM2ND7EYbYUt0x0ILwkp8p95KriLHtzwpdtHbopdbITjEd1pL/4bXG9oTUUfiLf2UMXBXChXE2z9MvqM5y6BukkgUKhc+w7zizoxvZ0Ej5Vyeg2nKxm+Am3UrZF0Q5iMNVgN3hv3B9T+RWC1fnY/8vikx/8/5nWuUyzMmgRw7jP3KXR/LeG+n1aJcHqeVzjXhHGn3M7DmLwh6P/6mOaumXO/2g=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: b51837c6-5384-4d43-9519-08dabe929008
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Nov 2022 18:29:51.7174 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1122
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/LECjW-g5p1tU4ZawHfgNK0j243w>
Subject: [Ace] AD review of draft-ietf-ace-extend-dtls-authorize-04
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Nov 2022 18:30:05 -0000
Hi! Paul and I are load balancing, so I'll be the responsible AD for draft-ietf-ace-extend-dtls-authorize-04 moving forward. I performed an AD review on the document and my feedback is as follows: ** Document Meta-data. s/Updates: draft-ietf-ace-dtls-authorize /Updates: RFC9202/ ** Abstract. The abstract text needs to name the RFC that it is updating per the metadata. OLD This document updates the CoAP-DTLS profile for ACE by specifying that the profile applies to TLS as well as DTLS. NEW This document updates the CoAP-DTLS profile for ACE described in RFC9202 by specifying that the profile applies to TLS as well as DTLS. ** Section 1. Editorial clarity OLD This feature is supported by the OSCORE profile [RFC9203] but is lacking in the DTLS profile. NEW This dual support for TLS and DTLS is already supported by the OSCORE profile [RFC9203]. ** Section 1 The same access rights are valid in case transport layer security is provided by either DTLS or TLS, and the same access token can be used. Could this language please be refined so it is clearer on who the target is? Is guidance to the RS (that given a token, it should read anything into whether it was presented over DTLS or TLS)? ** Section 3. the Client MAY try to connect to the Resource Server via TLS, or try TLS and DTLS in parallel to accelerate the session setup. What happens if the RS responds to a connection on both protocols? ** Section 3. This error SHOULD be handled by the Client in the same way as unsupported ACE profiles. Can this be explained a bit more. The client has a token with "coap_dtls" but the connection failed. How would it distinguish between the peer being misconfigured (and not responding) vs. not supporting this protocol? What is the alternative way to handle it (given that this is SHOULD as opposed to a MUST)? ** Section 3. If the Client is modified accordingly or it learns that the Resource Server has been, the Client may try to connect to the Resource Server using the transport layer security mechanism that was previously not mutually supported. Does this imply some kind of state is kept? If so, how is that managed? ** Section 3. If this message exchange succeeds, the Client SHOULD first use the same underlying transport protocol for the establishment of the security association as well Is this the same things as roughly saying that the Client SHOULD connect to the AS for the token request over the same protocol it successfully contacted the RS? Recommend explicitly mentioning the AS here. ** Section 3. Clients that support either DTLS or TLS but not both SHOULD use the transport protocol underlying the supported transport layer security mechanism also for an initial unauthorized resource request. I'm not following something here. If the Client only supports one of the protocols, what's the optionality suggested by the SHOULD in using it. Either it tries to uses the single protocol it supports, or no connection can be made. ** Section 4. Please Use the exact registry field names: OLD The following updates have been done for the "ACE Profiles" registry for the profile with Profile ID 1 and Profile name coap_dtls: NEW The following updates have been done to the "ACE Profiles" registry for the profile with a "CBOR Value" field value of 1 and "Name" of "coap_dtls": ** Section 4. Is the WG sure it doesn't want two references, [RFC9202] and this [RFC-XXXX] ** Section 5. Should draft-ietf-uta-rfc7525bis apply here instead of RFC7525? ** Section 5. Don't the security considerations of RFC9202 also still apply here? Regards, Roman
- [Ace] AD review of draft-ietf-ace-extend-dtls-aut… Roman Danyliw