IETF Logo Mail Archive

Re: [Ace] Artart last call review of draft-ietf-ace-mqtt-tls-profile-14

"A. Jean Mahoney" <mahoney@nostrum.com> Wed, 09 March 2022 23:18 UTC

Return-Path: <mahoney@nostrum.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 818283A12C1; Wed, 9 Mar 2022 15:18:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.446
X-Spam-Level:
X-Spam-Status: No, score=-0.446 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, NICE_REPLY_A=-0.001, NORMAL_HTTP_TO_IP=0.001, NUMERIC_HTTP_ADDR=1.242, RCVD_IN_DNSWL_BLOCKED=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fuFz0dmWYnxu; Wed, 9 Mar 2022 15:18:12 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B1193A11EB; Wed, 9 Mar 2022 15:18:10 -0800 (PST)
Received: from [192.168.1.252] ([47.186.48.51]) (authenticated bits=0) by nostrum.com (8.17.1/8.16.1) with ESMTPSA id 229NI4Ka075507 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Wed, 9 Mar 2022 17:18:05 -0600 (CST) (envelope-from mahoney@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1646867885; bh=67qKZJfBlTrm2xA2oYMHF2gUhaW5kRRgfYDtFe0kjZY=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=HHARLk5uLwIsUtU6mzGvlj9DpassShcTk2XIlLXrJzoABJhsxsPamzvmdATNgMLyU oq6hCMfv/Hk6OHSevX/f9o178X7QJeI2re3m/oVposgH37pqvCFpcq1XMlzsNrv8W+ Rqc/+LzvD+uHv3O2wh9zkRc1lgMk617dbdOJmJC4=
X-Authentication-Warning: raven.nostrum.com: Host [47.186.48.51] claimed to be [192.168.1.252]
Message-ID: <8613abde-1c43-8f7f-b85f-a9db4a10b0a7@nostrum.com>
Date: Wed, 09 Mar 2022 17:17:59 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.6.1
Content-Language: en-US
To: Cigdem Sengul <cigdem.sengul@gmail.com>
Cc: art@ietf.org, draft-ietf-ace-mqtt-tls-profile.all@ietf.org, last-call@ietf.org, Ace Wg <ace@ietf.org>
References: <164643005466.28393.1552756094187219874@ietfa.amsl.com> <CAA7SwCOUHYJTpt-0JOVfwxZ1jgpDve87k2sSpxho=iS6q7Mgfg@mail.gmail.com>
From: "A. Jean Mahoney" <mahoney@nostrum.com>
In-Reply-To: <CAA7SwCOUHYJTpt-0JOVfwxZ1jgpDve87k2sSpxho=iS6q7Mgfg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/P92Gbp_Uko-gxgywZFSkzAbCdJw>
Subject: Re: [Ace] Artart last call review of draft-ietf-ace-mqtt-tls-profile-14
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2022 23:18:24 -0000

Cigdem,

Thank you for reply and for incorporating the feedback into a PR. I have 
few comments and questions below.

On 3/8/22 12:36 PM, Cigdem Sengul wrote:
> Dear Jean,
> Thank you for your review.
> I implemented changes and prepared a pull request at: 
> https://github.com/ace-wg/mqtt-tls-profile/pull/102 
> <https://github.com/ace-wg/mqtt-tls-profile/pull/102>
> 
> Below is a summary of how I revised the text according to your 
> suggestions, and corrected references for this document (removing unused 
> references due to changes of text etc.) I have still kept MQTT as 
> normative, as the document is about MQTT, but is it expected to be 
> informative when the reference is a non-RFC?

[JM] I think that is okay. The document shepherd indicated in his 
writeup that he thinks the MQTT reference should be normative 
(https://datatracker.ietf.org/doc/draft-ietf-ace-mqtt-tls-profile/shepherdwriteup/). 


> 
> Kind regards,
> --Cigdem
> 
> On Fri, 4 Mar 2022 at 21:40, Jean Mahoney via Datatracker 
> <noreply@ietf.org <mailto:noreply@ietf.org>> wrote:
> 
>     Reviewer: Jean Mahoney
>     Review result: Ready with Issues
> 
>     This document is ready but has minor issues with wording and references.
> 
>     Minor issues:
> 
>     Section 1: The subject seems to be missing in the following sentence.
>     Should "recommended" be normative?
> 
>     Current:
>         The Client-AS and RS-AS MAY also use protocols other
>         than HTTP, e.g.  Constrained Application Protocol (CoAP)
>     [RFC7252] or
>         MQTT; it is recommended that TLS is used to secure these
>         communication channels between Client-AS and RS-AS.
> 
>     Perhaps (add "exchanges", split into two sentences):
>         The Client-AS and RS-AS exchanges MAY also use protocols other
>         than HTTP, e.g., Constrained Application Protocol (CoAP)
>     [RFC7252] or
>         MQTT. It is recommended that TLS is used to secure these
>         communication channels between Client-AS and RS-AS.
> 
> 
> [CS: Done.]
> 
> 
>     Section 2.2.4.2.2: I'm having difficulty parsing the following normative
>     statements. Does "MUST" also cover the Authentication Data (i.e.,
>     MUST be set
>     to "ace" and MUST contain Authentication Data)? If the
>     Authentication Data MUST
>     NOT be empty, MUST it contain the 8-byte RS nonce or could it
>     contain something
>     else?
> 
>     Current:
>         The AUTH packet to continue authentication includes the
>         Authentication Method, which MUST be set to "ace" and Authentication
>         Data.  The Authentication Data MUST NOT be empty and contains an
>         8-byte RS nonce as a challenge for the Client (Figure 6).
> 
> 
> [CS: Revised as:
> The Broker continues authentication using an AUTH packet that contains 
> the Authentication Method
> and the Authentication Data. The Authentication Method MUST be set to 
> "ace", and the Authentication Data MUST NOT be empty and contain
> an 8-byte RS nonce as a challenge for the Client.
> ]

[JM] This is better, but the last half of the last sentence could be 
interpreted as saying "MUST NOT be empty and MUST NOT contain...". 
Perhaps it could just say "the Authentication Data MUST contain an 
8-byte RS nonce..."?

> 
> 
>     Section 4: I'm having difficulty parsing the following. Is it
>     talking about
>     using a challenge from the current TLS session?
> 
>     Current:
>         To re-authenticate, the
>         Client MUST NOT use Proof-of-Possession using a challenge from the
>         TLS session during the same TLS session to avoid re-using the same
>         challenge value from the TLS-Exporter.
> 
> 
> [CS: Revised:
> If re-authenticating during the current TLS session, the Client MUST NOT 
> use the method
>     described in Section 2.2.4.2.1, Proof-of-Possession using a challenge
>     from the TLS session, to avoid re-using the same challenge value from
>     the TLS-Exporter.
> ]

[JM] Much better, thanks!

> 
> 
>     Section 6.1: Could more guidance or examples of necessary policies
>     be provided
>     here?
> 
>     Current:
>         However, stored Session state can be discarded as a
>         result of administrator policies, and Brokers SHOULD implement the
>         necessary policies to limit misuse.
> 
> 
> [CS: Revised as:
> "However, stored Session state can be discarded as a result
> of administrator action or policies (e.g. defining an automated
> response based on storage capabilities), and Brokers SHOULD implement 
> the necessary policies to limit
> misuse."
> 
> Would this work?
> ]

[JM] I like the added example. As someone unfamiliar with MQTT, I was 
wondering what "necessary policies" might look like. That is, if I were 
to build a Broker implementation, what sort of things SHOULD my 
implementation be doing here? An example or two might clarify.

> 
> 
>     References: idnits identifies the following issues. The three
>     informative RFCs
>     are already listed in the downrefs registry, though
>     (https://datatracker.ietf.org/doc/downref
>     <https://datatracker.ietf.org/doc/downref>).
> 
>        == Unused Reference: 'I-D.ietf-ace-oauth-params' is defined on
>     line 1499,
>           but no explicit reference was found in the text
> 
> [CS: This is fixed based on the revision for genart review, and the ID 
> is referenced.]
> 
> 
>        == Unused Reference: 'RFC7251' is defined on line 1563, but no
>     explicit
>           reference was found in the text 
> 
> [CS: Reference removed; added RFC 8442 for the PSK cipher reference]
> 
> 
>        == Unused Reference: 'RFC8422' is defined on line 1609, but no
>     explicit
>           reference was found in the text
> 
> 
> [CS: Now cited]
> 
> 
>        == Unused Reference: 'RFC8705' is defined on line 1625, but no
>     explicit
>           reference was found in the text
> 
> [CS: Removed as does not apply to the current text]
> 
> 
>        -- Possible downref: Non-RFC (?) normative reference: ref.
>           'MQTT-OASIS-Standard'
> 
>        -- Possible downref: Non-RFC (?) normative reference: ref.
>           'MQTT-OASIS-Standard-v5'
> 
> 
> [CS: OK for these two, I feel on the fence as the document is about MQTT.
> Is the downref suggested because this is a Non-RFC and a standard coming 
> from OASIS]

[JM] The idnits script calls out any normative reference that is not a 
Standards Track RFC. Documents from other standards bodies can be 
approved by the IESG to be listed in the Normative References section. 
The MQTT refs shouldn't be an issue. More info about downrefs can be 
found in RFC 8067.

> 
> 
>        ** Downref: Normative reference to an Informational RFC: RFC 6234
> 
> 
> [CS: Moved to Informative references]

[JM] RFC 6234 should be okay as a normative reference because it has 
been normatively referenced in other RFCs 
(https://datatracker.ietf.org/doc/rfc6234/referencedby/) and the 
following sentence says "mandatory to implement":

    HS256 (HMAC-SHA-256) [RFC6234] and Ed25519 [RFC8032] are mandatory
    to implement for the Broker.

> 
> 
>        ** Downref: Normative reference to an Informational RFC: RFC 7251
> 
> 
> [CS: Reference removed] >
> 
>        ** Downref: Normative reference to an Informational RFC: RFC 8032
> 
> 
>   [CS: Moved to informative]

[JM] Same as RFC 6234, RFC 8032 can be normative.

https://datatracker.ietf.org/doc/rfc8032/referencedby/

> 
> 
>        == Outdated reference: A later version (-04) exists of
>           draft-ietf-ace-pubsub-profile-01
> 
> 
> [CS: Fixed.]
> 
> 
>     Appendix A: Perhaps add a reference to [I-D.ietf-ace-oauth-authz]
>     for the
>     origin of the checklist.
> 
> 
> [CS: Added:
> "Based on the requirements on profiles for the ACE framework
>     [I-D.ietf-ace-oauth-authz], this document fulfills the following: "
> 
> 
>     Nits:
> 
>     Section 1: The following list is somewhat hard to read.
> 
>     Current:
>         Implementations
>         MAY also use "application/ace+cbor" content type, and CBOR encoding
>         [RFC8949], and CBOR Web Token (CWT) [RFC8392] and associated PoP
>         semantics to reduce the protocol memory and bandwidth requirements.
> 
>     Perhaps:
>         To reduce protocol memory and bandwidth requirements,
>     implementations
>         MAY also use 'application/ace+cbor' content type, CBOR encoding
>         [RFC8949], and CBOR Web Token (CWT) [RFC8392] with its
>     associated PoP
>         semantics.
> 
> 
> [CS: Fixed]
> 
> 
>     Section 2.2.3.2 <http://2.2.3.2>: Would it clarify the normative
>     text to split this sentence
>     into two?
> 
>     Current:
>         ...a client MAY omit support for the cipher suites
>        TLS_PSK_WITH_AES_128_CCM_8 and TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
>         but for TLS 1.2, MUST support TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
>         for PSK and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for RPK, as
>         recommended in [RFC7525] (and adjusted to be a PSK cipher suite as
>         appropriate).
> 
>     Perhaps:
>         ...a client MAY omit support for the cipher suites
>         TLS_PSK_WITH_AES_128_CCM_8 and TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8.
>         For TLS 1.2, however, a client MUST support ...
> 
> 
> [CS: Fixed]
> 
> 
>     Section 2.3: "an an exact" / "an exact"
> 
> 
> [CS: Fixed]
> 
> 
>     Section 2.4.1: Does the authentication check fail for any of these
>     cases?
> 
>     Current:
>         If the Client does not provide a valid token or omits the
>         Authentication Data field and the Broker has no token stored for the
>         Client or the token or Authentication data are malformed, or if the
>         Will flag is set, the authorization checks for the Will topic fails,
>         authentication fails.
> 
>     Perhaps:
>         Authentication can fail for the following reasons:
> 
>         * the Client does not provide a valid token or omits the
>     Authentication
>           Data field,
> 
>         * the Broker has no token stored for the Client,
> 
>         * the token or Authentication data are malformed, or
> 
>         * if the Will flag is set, the authorization check for the Will
>     topic fails.
> 
> 
> [CS: the conditions are separated at each "or", so revised as:
> "Authentication can fail for the following reasons:
> 
>     o  If the Client does not provide a valid token,
> 
>     o  the Client omits the Authentication Data field and the Broker has
>        no token stored for the Client,
> 
>     o  the token or Authentication data are malformed, or
> 
>     o  if the Will flag is set, the authorization checks for the Will
>        topic fails."
> 
> 
>     Section 3.3: "has a token token permits" / "has a token that permits"
> 
> [CS: Fixed]
> 
> 
>     Section 5: Would the following be clearer as a list?
> 
>     Current:
>         The MQTT session state is
>         identified by the Client Identifier and includes state on client
>         subscriptions; messages with QoS levels 1 and 2, and which have not
>         been completely acknowledged or are pending transmission to the
>         Client; and if the Session is currently not connected, the time at
>         which the Session will end and Session State will be discarded.
> 
>     Perhaps:
>         The MQTT session state is identified by the Client Identifier and
>         includes the following:
> 
>         * Client subscription state,
> 
>         * messages with QoS levels 1 and 2 that either have not been
>           completely acknowledged or are pending transmission to the
>           Client, and
> 
>         * if the Session is currently not connected, the time at which the
>           Session will end and Session State will be discarded.
> 
> 
> [CS: Done] >
> 
>     Section 6: Perhaps switching the order here would improve readability:
> 
>     Current:
>         ... MQTT v5.0 clients are NOT
>         RECOMMENDED to use the flows described in this section.
> 
>     Perhaps:
>         ... the flows described in this section are NOT RECOMMENDED for
>         use by MQTT v5.0 clients.
> 
> [CS: Done]
> 
> 
>     Figure 11: endoded / encoded
> 
> 
> [CS: Fixed]
> 
> 
>     Section 6.2:  "and not attempt" / "and do not attempt"
> 
> 
> [CS: Fixed]
> 
> 
>                    "no more authorized" / "no longer authorized"
> 
> [CS: Fixed]
> 
> 
>     Section 7.2: The spacing after the colons is inconsistent.
> 
> 
> [CS: Fixed to have all with a single space after the colon.]
> 
> 
>     Formatting and terminology:
> 
>     According to Wikipedia, MQTT is no longer considered an acronym
>     (i.e., it no
>     longer needs to be expanded).
> 
> [CS: Is it OK that we leave things as they are, as this will affect 
> title etc.]

[JM] That's fine. I was just highlighting that the expansion wasn't 
necessary.

> 
> 
>     Could the terms "RS" and "Broker" be consistently scoped? That is,
>     "RS" is used
>     when talking about OAuth interactions, and "Broker" is used when
>     talking about
>     MQTT interactions? (From Section 1: "In the rest of the document,
>     the terms
>     "RS", "MQTT Server" and "Broker" are used interchangeably.)
> 
> 
> [CS: Revised as much as possible so that Broker is used when we refer to 
> the entity defined in this profile,
> and RS is used more for generic OAuth interactions]

[JM] Thanks for working on this!




> 
> 
>     Check the use of single and double quotation marks, for instance:
> 
>         'application/ace+json' vs "application/ace+cbor"
>         '0x18 (Cont. Authentication)' vs "0x18 (Continue Authentication)"
> 
> 
> [CS: Switched to double quotes, but removed quotation marks around 
> reason codes as in the MQTT standard.]
> 
> 
>     Because the acronym for "proof-of-possession" was given in the
>     introduction,
>     the rest of the instances can be replaced with "PoP". Same with
>     other acronyms
>     used, like PSK. Just expand on first use and use the acronym thereafter.
> 
> [CS: Done for PoP, was done for PSK/RPK for genart review.]

[JM] Thank you for addressing my comments!

Best regards,
Jean

> 
> _______________________________________________
> art mailing list
> art@ietf.org
> https://www.ietf.org/mailman/listinfo/art

v2.23.0 | Report a Bug | By Email