Re: [Ace] draft-ietf-ace-dtls-authorize

Francesca Palombini <francesca.palombini@ericsson.com> Fri, 29 January 2021 13:15 UTC

From: Francesca Palombini <francesca.palombini@ericsson.com>
To: Olaf Bergmann <bergmann@tzi.org>
CC: Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org>, "ace@ietf.org" <ace@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>
Thread-Topic: [Ace] draft-ietf-ace-dtls-authorize
Date: Fri, 29 Jan 2021 13:15:14 +0000
Message-ID: <3148902D-F91E-40E1-AC9B-2110DB46CCD5@ericsson.com>
References: <DM6PR15MB237928B2B84B18E9AE050EC3E3BA9@DM6PR15MB2379.namprd15.prod.outlook.com> <8735ylc7hi.fsf@wangari>
In-Reply-To: <8735ylc7hi.fsf@wangari>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/NQM1L6MhmsqmgNYhakku05JhCEk>
Subject: Re: [Ace] draft-ietf-ace-dtls-authorize

Hi Olaf,

When I read the draft I don't see how the change is reflected in your summary; actually, your summary shows no difference between the OSCORE and DTLS profiles, while there is one. This is the difference we are discussing in the DTLS profile, about secure communication between Client and Authorization Server:

1. DTLS OLD:
   The use of CoAP
   and DTLS for this communication is RECOMMENDED in this profile, other
   protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) MAY be
   used instead.

2. DTLS CURRENT:
   The use of CoAP
   and DTLS for this communication is REQUIRED in this profile.  Other
   protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) will
   require specification of additional profile(s).

3. OSCORE CURRENT:
   The
   use of CoAP and OSCORE ([RFC8613]) for this communication is
   RECOMMENDED in this profile; other protocols fulfilling the security
   requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] (such
   as HTTP and DTLS or TLS) MAY be used instead.

3. allows for applications to use this OSCORE profile "coap_oscore" and OSCORE between C and AS, but also if they prefer, DTLS between C and AS, or other security protocols that fulfil the security requirements of the framework.
1. also allows for the same for the DTLS profile (although it might be good to clarify that other protocols are only allowed if they fulfil the sec requirements).
2. does NOT allow for "coap_dtls" to use anything else than DTLS between C and AS. If C and AS want to use e.g. TLS, a new profile needs to be defined. This doesn't seem like a good idea.

About the "need to look somewhere else": the only thing we say in the profiles is that C and AS have to have set up a secure communication channel. That is not really protocol specific; how that is established is out of scope of the profiles.

The question is: do we really need to specify one different profile for each security protocol used between C and AS? I hope not.

So my preference would be to update the text in the DTLS profile:

NEW:
   The use of CoAP
   and DTLS for this communication is RECOMMENDED in this profile, other
   protocols fulfilling the security
   requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] MAY be
   used instead.

Francesca

On 28/01/2021, 18:11, "Ace on behalf of Olaf Bergmann" <ace-bounces@ietf.org on behalf of bergmann@tzi.org> wrote:

    Hi Daniel,

    On 2021-01-28, Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org> wrote:

    > Apparently, the change on the DTLS profile has not been noticed by
    > everyone in the WG, so I am bringing the discussion here.
    >
    > The change has been made as a response to a comment from the security
    > directorate. Please provide your feedback by Feb 4 (but preferably
    > before), and potentially propose the text you would like to see if you
    > disagree with the change.

    I agree with the change (although I do not care very much but the new
    text makes more sense than the old) because the change suggested in the
    secdir review is not about mandating one protocol or the other. It is
    about which protocol you need to implement if you want to use that
    protocol between C and AS. In short:

    * the OSCORE profile mandates that "if you want to use CoAP over OSCORE
      between the C and the AS, you need to follow the steps in the
      OSCORE specification and look somewhere else if you want to use
      another protocol", and
    * the DTLS profile mandates that "if you want to use CoAP over DTLS
      between the C and the AS, you need to follow the steps in the
      DTLS specification and look somewhere else if you want to use
      another protocol"

    Regards
    Olaf
