IETF Logo Mail Archive

[Ace] WGLC review of draft-ietf-ace-mqtt-tls-profile-07

Francesca Palombini <francesca.palombini@ericsson.com> Tue, 15 September 2020 13:38 UTC

Return-Path: <francesca.palombini@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9F413A08A9; Tue, 15 Sep 2020 06:38:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.796
X-Spam-Level:
X-Spam-Status: No, score=-3.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.695, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id smfbHLodJeAY; Tue, 15 Sep 2020 06:38:03 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60077.outbound.protection.outlook.com [40.107.6.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70BB63A0F90; Tue, 15 Sep 2020 06:38:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jPcL4ZaSFmZIPVLGJNp/kdOvyYx/sxrLQ3jMcizGQWfdFdgdcr8W1+nvu1MHKbdGuKiyWM6TzO+4OwGkYSOjyJ+qx5WVpz9+2S0M1xbzGGeMERTyAFXopFSFAuIQwjD8Qy+Lj//Jcu08TWJRxtRllpH6PVqa/9drXWS26tGaVxAb/m8qSNMvLEUGuzdUWWCyZQqR5xtkMc4ir6ElC2xwJOxo+I9Qen9mQyh3L4gPhdfYSj89M7kAzQXnIV4W+NKQkYnbXFet2tEUyy1Y7fQnYP2FBhp5NA/TJdamwYlM1hQ2UZBRIprxahdhA/MrN2ipIw8s1gVkq/rWNSKC6cpJCQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NznK7q+P8q3Rpu7xdimZ0Y62eRUcsKJlzgLOoz1hGPo=; b=Js4cYG2C70Lok5sd4YcXc1tev2efSpcmpicVy1Ck7d4yzXFVOEAX4whMlxlyrMSn41/MKHLL+M/1XfP6sQOkwszxWHXHBykR7zXKkXny02vCVrwHTJ6/n7H9S+QavK7hr3hthbpI7l55whSlYwREFJHqlrDpfWp37bXoMdUZKzEow5BmEAta9LFrVijZTVxU06fsyls1gcmOAyplhWrkE54WHWwM6UFy1G3RF3qa2l36uQauGjO0PhIOsno9sr8dE3ElhzJj/w7u5d4F3vXYtFUZiSkYugMfcEuj6hWdwx7sTHSCHXyp8Wi6vWDWh9VugNK8ictwT7x0YkpaIhiT5g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NznK7q+P8q3Rpu7xdimZ0Y62eRUcsKJlzgLOoz1hGPo=; b=a8SrGNbEWz0yD3+/9Pke9AaId8etJ/OooynQGTY9j19iOZqU4KJQdsVOtx/DDP7GUgkIJXLyvjrIbCyEs0vcmEPNA4YbqvnT4dXDwZcq6+ZrPcpZcP738BtFV6nha/WBwnCVMWA4lfx1nS3yclC8Ybt7/BOMPARqeUcPU4s9q3w=
Received: from VI1PR07MB4477.eurprd07.prod.outlook.com (2603:10a6:803:74::33) by VI1PR0701MB6959.eurprd07.prod.outlook.com (2603:10a6:800:194::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.5; Tue, 15 Sep 2020 13:38:00 +0000
Received: from VI1PR07MB4477.eurprd07.prod.outlook.com ([fe80::cba:ac03:353c:2d1f]) by VI1PR07MB4477.eurprd07.prod.outlook.com ([fe80::cba:ac03:353c:2d1f%7]) with mapi id 15.20.3391.009; Tue, 15 Sep 2020 13:38:00 +0000
From: Francesca Palombini <francesca.palombini@ericsson.com>
To: Ace Wg <ace@ietf.org>, "draft-ietf-ace-mqtt-tls-profile@ietf.org" <draft-ietf-ace-mqtt-tls-profile@ietf.org>
Thread-Topic: WGLC review of draft-ietf-ace-mqtt-tls-profile-07
Thread-Index: AQHWi2Vt4kA8WzEEoEqqVXT3Bt2veg==
Date: Tue, 15 Sep 2020 13:38:00 +0000
Message-ID: <D68C212C-FD3A-4900-86DE-B138DD0CFCD0@ericsson.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.40.20081000
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [158.174.219.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9aab2226-3c5d-4d4c-4efa-08d8597c908e
x-ms-traffictypediagnostic: VI1PR0701MB6959:
x-microsoft-antispam-prvs: <VI1PR0701MB6959BE80820A57DDE98F273E98200@VI1PR0701MB6959.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: AnV+G6829TSSJfXbOM2+EpFYRSqTmPIL8PSQ4z9SM/SnIsM7Tjh0in3HMzCzm0xjSoxVnIjszm/swA60XDih4XqNrPmZCiT0g9YR74I+c/TNwnt13g0e+VECOW+t5alZFj6x3hye+CzdHgWZOahNJtG+8z7K9lFvHMf0tKV0TopO5TkgT8LtTQCAm5wevoaiQ4BaUKr7JHbIe9kf0ndkVnNLVogFNzxx8XAU6wzFVnXuf15Kn9Gto1OAro30f/yRS/FnAL4VQ/JCjPrwRD/pdBL1y/pUOqcv54dLN30FE+CmMsj6H4Z9yxxNbiurHV2d63EDLGnxDrL49+gG2ANjiA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR07MB4477.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(396003)(376002)(39860400002)(346002)(366004)(136003)(26005)(83380400001)(36756003)(316002)(71200400001)(44832011)(8936002)(86362001)(6512007)(2616005)(8676002)(450100002)(6506007)(6486002)(478600001)(33656002)(186003)(2906002)(110136005)(5660300002)(91956017)(76116006)(66446008)(66556008)(66476007)(64756008)(66946007); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: 3hA0YfjcPmUjNcNzRA9YvF5NO74rJN18+AkIfAcMnnKstra0gOdMcuBC7MOy72xahCDL9wjKGRXFM+dJhxVyyIZbF425DD75d7QkyP0XAl08061qpRsXUKq0hf7/XD9bVfFXIXasnZmLHFdMBjDIB+rf1gUaOjlc9gnVhZKCSzYYMT2aVsQ61MDBoHS7BoUrJ5U8oISZtpu41KrCrDcODaIFR+iDSc4qG4zeNcQv1k1nHS7iNvEiRFq9guVwyCO4ka9DWBFL0X/18BqOQg+HkkZAx98PUViw+5r4q8+um+CCwEEQeZ3CDKnAs3EuSc1dDeMyFc+7PxTsMlXZZFh240vuXzIfELpK4StdKzgtnNhwIxzlktHkC5u6bTBnro7FdbK0t9OpK6A/ogKEOXNaDhSqH6iI5GPstYlAUkCiNllLqo86r1kKf6qJcM1z8EiX+ab3xH92Hv49Bx0HD13h8GZwWqkR9NzCF9qLNKSjVEADoEv824cpkTSRc6J+vFzmiD8DpPPjX28+l13Wur4B5IQBPq61qzXDytOt4QTKb4v7vv27FhIJHDcYp7thcA8wwOCfURfeXP0wdm6iCYWLdWWyEtNiDW7KI7JAwEPb3OEjnAZRO8gdSnQIZTCAhuj4X6juXAEiGM9HC3ViQvTRRA==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <C359665C8E116549AD87622D990D04FF@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: VI1PR07MB4477.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9aab2226-3c5d-4d4c-4efa-08d8597c908e
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Sep 2020 13:38:00.8047 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: LmfgrPnlOE3bd9Uj/Q2IOJg/R17AYChJuo0S7CfZz504fYElpyfnV8Pi4y5jgOeWODqFh1MMLqZ0chG+wTzyYjzegxmHwOeMP5aQvFg+SLT4sGg+kBsLoBq1OLcu23Lu
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0701MB6959
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/ORJuLOqpZYFzbpiXRT35hOBvdPM>
Subject: [Ace] WGLC review of draft-ietf-ace-mqtt-tls-profile-07
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2020 13:38:06 -0000

Hi,

Thank you for this work! Here is my review of the document.

Thanks,
Francesca

  The response includes the
   parameters described in Section 5.6.2 of the ACE framework
   [I-D.ietf-ace-oauth-authz].

The fact that the profile parameter with value "mqtt_tls" is included in this response must be specified here.

--

" The Client and the AS MUST
   perform mutual authentication."

I am not sure this is a testable statement. What about specifying that they MUST use a protocol that provides mutual authentication instead?

--

 The Client requests an access token
   from the AS as described in Section 5.6.1 of the ACE framework
   [I-D.ietf-ace-oauth-authz], however, it MUST set the profile
   parameter to 'mqtt_tls'. 

Why adding this here? This is in practice implementing a negotiation of profile. If this is necessary in this MQTT profile I am wondering why it is defined here and not in the framework. In general, I dislike the profile to contradict what defined in the framework.

--

 When CBOR is used, the
   interactions must implement Section 5.6.3 of the ACE framework
   [I-D.ietf-ace-oauth-authz].

normative MUST?

--

The Client and the Broker MUST perform mutual authentication.

Same as before, is this a testable statement? Maybe this sentence does not need to use normative language, but rather descriptive. The details of what Client and Broker MUST do is in the following sentences.

--

"TLS:Known(RPK/PSK)-MQTT:ace": This option SHOULD NOT be chosen.

Any reason why this is a SHOULD NOT? Can we add motivation of when this would be allowed (although not recommended)

--

 It is RECOMMENDED that the Client follows TLS:Anon-MQTT:ace.

I think it would be helpful to say when this option is recommended vs the others. In the next section, it is described in more details that the communication with authz-info is done with "TLS:Anon-MQTT:None" and then after that TLS:Known(RPK/PSK)-MQTT:none. This seems to not agree with the recommendation, which is why I think the recommendation needs more context.

--

 In this profile, the Broker SHOULD always start with a
   clean session regardless of how these parameters are set.

Does this mean that when the Broker recognize that this spec is used, it SHOULD disregard the parameters value and start a clean session? What are the cases where this is not done ("If necessary" in the next paragraph)?

--

 includes state on client subscriptions, QoS 1 and QoS 2 messages

At this point I don't know what QoS 1 and QoS messages are, they have not been introduced. Only QoS levels have. Maybe a reference or a pointer would help.

--

RE Authentication Data (Sections 2.2.4.1, 2.2.4.2 etc): I haven't read MQTT in details, but I don't really see any encoding of the Authentication Data field in this spec, only that it contains one or more parameters. I would assume that is should be in scope of this doc, but if it isn't, that should be clarified.

--

2.2.6.1.  Unauthorised Request: Authorisation Server Discovery

If the Client does not provide a valid token or omits the
   Authentication Data field, the Broker triggers AS discovery. 

Following discussion about AS discovery in this ML: I think this should change to being possible, not mandatory. That means changing: s/the Broker triggers AS discovery/the Broker MAY trigger AS discovery. I still think it is useful to have this section, I am just suggesting it becomes optional.

Also note that not providing a token or omittion the Authentication Data field are not the possible error messages. A malformed token or Authenticated Data are also possible.

--

 Figure 5: AIF-MQTT data model

Need to reference CDDL.

--

Section 3:
What does it mean to have an empty array for scope? (as that is allowed)

--

Scope appears in section 2.1 for the first time, but its encoding is only defined in section 3.

--

  If the Will Flag is set, then the Broker MUST check that the
   token allows the publication of the Will message (i.e. the Will Topic
   filter is found in the scope).

This sentence is not super clear to me: "if the Will Flag is set" in which message? How is the Will Topic filter added to scope? This comes from my ignorance of MQTT, so feel free to skip it, but I think an example would have helped me here.

--

Section 4 talks about reauthentication. What described for reauthentication should work also for update of access rights, is that correct? Does that add any considerations? Anyway I think update of access rights should be discussed in this document.

--

If a client's permissions get revoked but the access
   token has not expired, the RS may still grant publish/subscribe to
   revoked topics. 

What does it mean in practice that client's permissions get revoked? (also nit s/permissions get/permission gets) Do you mean that there is no way to do access right revocation? If that's the case, I did not understand "the RS may still grant ..." as being a negative consequence, so maybe it needs some clarification.



=============

Nits:

framework to enable
   authorization in an Message Queuing Telemetry Transport (MQTT)

s/an/a

--

The token may be a reference or JSON Web Token
   (JWT)

add a reference to rfc7519
You could also add a informative reference to 8392 for the CWT.

--

Missing references to CoAP (informative) and HTTPS (or rather references to HTTP and TLS). 

--

 Topic Filters may include wildcards

This might be me, but I would have liked some explanation of what wildcards are in MQTT.

--

AUTH Properties
           include Authentication Method and Authentication Data.

I assume "Properties" is specific term from MQTT terminology, but I don't see it defined in this section, so maybe either generalize ("field/parameter"? or I see you also use "information" for the Will message) or explain it.

--

If the Client is resource-constrained, a Client Authorisation Server
   may carry out the token request on behalf of the Client,

I might have missed this, where is a "Client Authorization Server" defined? I am fine with the terminology used in the figure though, "Client - Authorization Server interface".

--

  If the
   Client authentication uses TLS:Known(RPK/PSK), then the Broker is
   authenticated using the respective method.

s/respective/same? (just to understand better, please disregard if you think it is clear as is)

--

"authz-info" is a public topic, this response is not expected to
   cause confusion.

Maybe s/public/not protected ?

--

 Similarly, the server MUST NOT process
   any packets other than DISCONNECT or an AUTH that is sent in response
   to its AUTH before it has sent a CONNACK.

add "from that client"

--

If the Will Flag is set to 1 and the
   Broker accepts the connection request, the Broker must store the Will
   message

I understand that these are not requirements set by this document but rather inherited by the MQTT spec, so I would suggest remove the use of must etc (here and in other parts of the document) to avoid any question about if this should be normative or not later on.

--

which have have not been completely acknowledged or pending

remove one of the "have"

--

  In case of an invalid
   PoP token, the CONNACK reason code is '0x87 (Not Authorized)'.

This is in the section about success, while there is a separate section for unauthorized request, where imo this would fit better.

--

   To transport the token to the Broker inside the CONNECT message, the
   Client uses the username and password fields.  

This is just a question rather than a nit: is there no way to register new names for these fields in MQTT?

v2.23.0 | Report a Bug | By Email