IETF Logo Mail Archive

Re: [Ace] WGLC draft-ietf-ace-extend-dtls-authorize

Marco Tiloca <marco.tiloca@ri.se> Thu, 03 March 2022 22:37 UTC

Return-Path: <marco.tiloca@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B99003A0955 for <ace@ietfa.amsl.com>; Thu, 3 Mar 2022 14:37:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.111
X-Spam-Level:
X-Spam-Status: No, score=-7.111 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ri.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OC3OduzT8gla for <ace@ietfa.amsl.com>; Thu, 3 Mar 2022 14:37:36 -0800 (PST)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-ve1eur02on061c.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe06::61c]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7F7F3A095C for <ace@ietf.org>; Thu, 3 Mar 2022 14:37:34 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MrY3/5gGr7bfcZeLqwsqMdTbeZTmLq35KOulxqrWWIN1NvtQk+Y3zVJYGV+H+GbLyC6c/IJzG5rQBEHHSiGHDwBqongwxPTReLOsIr6oHwwJmY3e3tHqEvQ7G/XwEM9U+eexWmhNS52LDQ00V9FcGNHXlQTacLm9s8+imnP4ESvhZUJw2YA7dQJOLTMG4G3obwAZREEOYRMCZJonBBxN0oNEXZaZyHpA/3BgPTOTsHrIjVEV2cFjLhUiB2VrKjH0Jqg16dqO/Jpj6L+OF8/2Lxl+ke64lCkSwTuxfsyiC4vSc2AQQoSnstvNKJcimW2sDR9LDb7NcqAnWi79DlZAGw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=2/QyOUpSj4LX2hmjAXRyO8/PtHJbHeaY0Jp9RDwtLKs=; b=OEXfcyWMcUJBnH6zhKfzhQ8VAt5c/su6LfQrXgKjwNPKZh0nJLxD561vGpQTTcEXBWvEEjECvfN5d7lYbKAPM6Ovx73C8/5TGE1FNGkRAcs/rYBKUJSPuhVJjNS/X49UBHrZzlbguzZvBhWrHXc70VJR04BCXwSZxin5EHu66kjr4phzVstxSGOsMemoh09zxXiIefj/Bp1W5wQh265Ee5rgTENJ3WLaPrgfhchTARWx319p+rXPJI9jzbkWabRzoLF+GIUPxIO48/lZ/vYB7Kj0Aw21zjpf3xk6cs3KruHdH1YEsBNw+yQKZSY2TmNmZbXFYxDjbHik9XYizWnW8Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ri.se; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2/QyOUpSj4LX2hmjAXRyO8/PtHJbHeaY0Jp9RDwtLKs=; b=GqQruRvDR714cmvcI/ipCsFWbmrZ3tFbgRce9+Kx46w0jEQ1UpHChjRMESvYmM5E/gxxlImdC0g6dus34Chc0RMrHhXxC3ORPjHxZEw219rq3O9E45l3d6fbnhuqjBi42frwXhw+0DT0l07LpXotezaqNebTJNGOx1/jqdhIYdA=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ri.se;
Received: from DB8P189MB1032.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:16e::14) by PAXP189MB1832.EURP189.PROD.OUTLOOK.COM (2603:10a6:102:288::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5017.25; Thu, 3 Mar 2022 22:37:27 +0000
Received: from DB8P189MB1032.EURP189.PROD.OUTLOOK.COM ([fe80::b0ea:12ff:4a7e:a24c]) by DB8P189MB1032.EURP189.PROD.OUTLOOK.COM ([fe80::b0ea:12ff:4a7e:a24c%6]) with mapi id 15.20.5038.014; Thu, 3 Mar 2022 22:37:27 +0000
Message-ID: <ee278ca2-87f0-0880-36b9-92780ad94f9e@ri.se>
Date: Thu, 03 Mar 2022 23:37:24 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-US
To: Olaf Bergmann <bergmann@tzi.org>
Cc: Daniel Migault <mglt.ietf@gmail.com>, Ace Wg <ace@ietf.org>, Loganaden Velvindron <loganaden@gmail.com>
References: <164396483981.22307.17112641331652425403@ietfa.amsl.com> <CADZyTk=BKLPUBBp88c6W0baYjjfpgJb7R=p9H+XkZ_4YoRTGiQ@mail.gmail.com> <1c0c1db5-926f-31bc-10b6-7edc2f5da773@ri.se> <87h78wz6px.fsf@wangari> <8e507770-8438-9721-7e42-b0fcd5c08360@ri.se> <875yov12o0.fsf@wangari>
From: Marco Tiloca <marco.tiloca@ri.se>
In-Reply-To: <875yov12o0.fsf@wangari>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------HMtm3C3kEcjdu9SKVGmcUVCV"
X-ClientProxiedBy: HE1PR0902CA0011.eurprd09.prod.outlook.com (2603:10a6:3:e5::21) To DB8P189MB1032.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:16e::14)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: df68606c-d920-4496-c38d-08d9fd666506
X-MS-TrafficTypeDiagnostic: PAXP189MB1832:EE_
X-Microsoft-Antispam-PRVS: <PAXP189MB18321F9FC7303D401943804899049@PAXP189MB1832.EURP189.PROD.OUTLOOK.COM>
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: vq7moebsxszyImt3b5JbwxKK79+LsphQzeniC5pAgcXqdsn20mYmxYYlt8qZQ6a3yiWfl1hRtGJbEPf9ObNUyzTre+opXL4qzJ31xjbqJscLNOfXKBPdixJYd7JSYSfqKrACXsaYDv6xyEoVtnuyp5ZksjhARyfyuY57Wv/ToL4/JMMsmfjb6/ntzLl/ogawIYB1sxWnKKaSpBCAG2lV89WWtv4zNHl6L1faDJLC0t3I9d/awRJ2hNPdnE/PgrwD+yAvTE0tgJBfK6XDMszNc3UrlSEt5l7xs88GmjXK3B//NddFjdZ8j9f1hIM8vGNjpHyPT8tVOVF6fQywV4c5eNXnHGbjQ2COaPEwwvGwD/qjBkzEH/k+Zpx0ODycJC9zv9lwSQ4A4SqOAB9iDGVzP2nFmqz+ldfuzSr4Wc0KZ2x1RgYscOPo7/9Iwo4lTiF7g1BJoaV67WIsBwdmKXdOs1ZyXqoZjvCBzQUmTRI/ZI4fPZJeKUAk+goP2oqt7K5H/L0Z7lf1YCcc5rLVV0RvedKVXem9hfcV2e607K3/8bPMwyY+0qq1Z2Rj/OjKZEMo0ykO1kItQrtM2iKj0FRRKZ2WcKhqMyPlfu03bPhQVsQRXmvW8nsXO4gberWrsqJHWT0hHmKFFXIY4G7mhJ2JEB2CGcP/vhdr9QliltkKKL7+kn2/73TEIVdPIH/4YJ7vCrgqXR1vn8XdjvYOxR3CrCzo710XRuY/415+iU4frEfPKH6cP5wZo2KT9LQS/ibxkXNj4kFoc/poCKtxJzozRHCAh4faFgz2J10k+W6rlXZ/xQ2FC+dihiAENVLm/YXn
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB8P189MB1032.EURP189.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(6666004)(4326008)(33964004)(44832011)(54906003)(508600001)(5660300002)(6506007)(6512007)(2906002)(38100700002)(53546011)(36756003)(66476007)(66946007)(66556008)(8676002)(235185007)(316002)(31686004)(6916009)(86362001)(21480400003)(26005)(31696002)(6486002)(966005)(83380400001)(8936002)(2616005)(66574015)(186003)(45980500001)(43740500002); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: t005iVMskzgjv9m5Qhw6OLbIT3StQ37QjNZB2RIpbqvaMDu5y+1cZ7o/xxpIPBVNGpfHpzT0yEXbpqzUSu9oEHeHRBWBo5ZQ1cXTrKt3vDIAopAoZLNHfWCNBvk9AXw7hl96u4qL/jv6SyL00O87lF+vCIUC28k07JRHjPG06+bDu3pXRaat1w8HKl1lJpN1GnDucMuurJPWnTk/16OxfjtdPZFy/T4wsgiYJTLwzcLWPr9SvOicig14bT6Q3NqzTumrzeNh6DM+RGrT30FTHhSYtem/wgOV7fSO17elAJMHcfqRYNjyxe04VQ/o9GcpwaR9KRTwWaAvJyHQSxOTLw5cBXmNTBcP1WbMdxKD8T1rWKOhBOjP0Da8HdAsSaxHEEn8BmW3U6LfoNjNnm55WNIvgG4fVcbkHrc9H1vDCwrnpt1/Nk5ZIIgrrmWLJwaYwLldSe3cnMUyDg1ay02F+XfP2e1GQR9p4WzpjpdPu0WCvO9krGncfHCipWo/4Rba+LeeMTAK42LOsqkCwpbdoxiFzKufHhs2JpPC9i07XtN/+VoLUWRXTvk5U97X0XpkJysfEHZnAEfG1GG4bu4rDtys9yjRHdsFrl4Af7P86xurfb8dzNTYDkNBjIdXJpjpT5B+U/HEyVtrKFV2IEY7t30JDf81Qhrosdr5FDPmcOSb06amuTGNxhtYffh0cxkeSEhKP2uAqA9gTXNpPoFchQIG4hUPTM1+Tak5uV1tiCBjROK7N4ueMY/u09ARvGHd99xr3VJYHRGDwZqC8lFQrf23G2lthILZ+zwgOtBSNSb6jwyqXrEt3C2/td9jOFbT2NuU58yr4NhiEEsT+ZjrRv12KbudsFJ2hNfX11nQo89fmznH01b/KfN4KyQcUhXq6uO5FnnzYIpFcCwwjAEEawUrbrQkgmDnPfjmrLHEBXgfmeSzrKpj3AUOL8PAhJmDa8fJUZq+yCzzGTIswWEg4Ozj8vMahpA6/My9EJxiBc0PkY6M/HZzU1hCY4tI3Kdaf7C6VXOhKXYkuiROB3TY0uE98XaNXcvOz0YstRz7Oqhy86pP+FEoe0B3xyw85zBcZEc7rPa+Wgur3Ln3ffQjhvhJmoVvVkTVpJaF3UqaDVELKqyd60HM/EB+sOdRHygvr1BU1cjVigLO1RDPljKMmu4YxDgxZZkTQNW797TiDakU6nZ4TcEC+uOD3hlWdunDp0Iu36cP2Zc9ju3kz/pGRLrhzV/I34bo+tLrGE6YqWo/X/U5K6UAmLdvHPKzJjCpTorU3J6UZcdWKus/ZyRy7gZ8BFcd9EdcUAd0RxKDXbpUhbeMZ8LHfETcDU1ywLPcjp8yFeM2eJ9H+YKAESnLDDVpFY7IfJfstqMGXDUjnIdvumKuW1EaMmqGkLnptABePr0WupE7EksVznF8xN8Up1o5ouKs/fLBaa5gjMgajZMT25PNQZnuhlwOCJS+eTHDJpeyGbV37n7ufmD/E3yTX4DiASzmz6qpuV61ktmdRk2pce+FdM5r3pttRcD6+ySP31m+WFGNAekPDj6mlgTExo208xCyWKOnAcJmBkljaxVRsRALFC471Zi75ClCqbsw5ERlgNHH6qHd9WHf+vDa+qRkcnnW0y5naL0FTjXHG8E=
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: df68606c-d920-4496-c38d-08d9fd666506
X-MS-Exchange-CrossTenant-AuthSource: DB8P189MB1032.EURP189.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Mar 2022 22:37:27.5098 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: fEPq7O0Z/Mk1TWM3BnfS2iJPG3fb9I3WZc+Q3XDyLZZ82uf6OZcYEVuuksaVZWDMIv7+ZFTr8dLcidtnkoZFlQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAXP189MB1832
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/PLWDk5l0Tcb64O0vB4Z8LFdLXkM>
Subject: Re: [Ace] WGLC draft-ietf-ace-extend-dtls-authorize
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Mar 2022 22:37:41 -0000

Hi Olaf,

Thanks! It looks good overall, please see below some suggestions.


* s/connect the Resource Server/connect to the Resource Server


* "SHOULD be prepared that no communication channel with the Resource 
Server can be established"

    Suggested alternative text: "might fail in establishing a secure 
communication channel with the Resource Server altogether."

    I'm just trying to phrase an uncontroversial fact, while I'm not 
sure how "SHOULD be prepared" is practically enforceable.


* "This error SHOULD be handled by the Client in the same way as 
unsupported ACE profiles."

    I think this sentence is fine, but it might practically be limited 
to the Client somehow obtaining a better pre-configuration (if it has 
any at all already) about how to communicate with the Resource Server.

    That's because the only relatable text seems to be the last sentence 
in Section 6.5 of [1]. However, here the AS cannot help to distinguish 
exactly between TLS and DTLS, hence obtaining a good/better knowledge of 
the Resource Server through some other means is probably what's best 
left to do for the Client (unless if can be promptly upgraded to support 
the transport layer security protocol it is currently missing).


* "the Client SHOULD use the same underlying transport protocol for the 
establishment of the security association as well (i.e., DTLS for UDP, 
and TLS for TCP)."

    Perhaps you mean "SHOULD first use" ? I'm thinking of the 
(admittedly weird) case where:

    - The Resource Server supports both TCP and UDP, but only DTLS.
    - The Client supports both TCP and UDP, as well as both TLS and DTLS.
    - The unauthorized resource request successfully happens over TCP.
    - Based on the previous step, the Client starts a TLS handshake with 
the Resource Server, which fails since it is not commonly supported.

    What I'd expect next is the Client trying again with a DTLS 
handshake over UDP, which would work fine.

    Also, if the Client supports only DTLS (TLS) and performs an 
unauthorized resource request, it SHOULD do it over UDP (TCP) in the 
first place, even when supporting both UDP and TCP. That is, the Client 
would have no use in performing this exchange over a transport protocol 
if it does not support the corresponding transport layer security protocol.


Best,
/Marco

[1] https://datatracker.ietf.org/doc/html/draft-ietf-ace-oauth-authz-46

On 2022-03-03 16:22, Olaf Bergmann wrote:
> Hi Marco,
>
> as you have suggested before, I have now included more test in
> draft-ietf-ace-extend-dtls-authorize that elaborates on the caveats
> of session establishment for the extended DTLS profile.
>
> Please see [1] for the new text. (To use keywords from BCP14 and ACE
> terminology, I also had to add a new section Terminology.)
>
> [1] https://github.com/ace-wg/ace-extend-dtls-authorize/pull/1
>
> On 2022-02-18, Marco Tiloca <marco.tiloca@ri.se> wrote:
>
>>> You are raising an interesting point. It might happen that the
>>> client supports either DTLS or TLS, and the resource server has only
>>> support for the other transport layer security, they might not be
>>> able to talk to each other at all. The same might happen for other
>>> values of 'ace_profile' but for different profiles, the
>>> AS-to-clientn response would make this transparent.
>>>
>>> Do you feel that we should elaborate on the case where ace_profile:
>>> coap_dtls is returned in the AS-to-Client response but client and
>>> resource server still will not be able to setup a (D)TLS connection?
>> ==>MT
>> Yes, it would help to elaborate on that. As you say, there is a
>> possibility of no commonly supported transport security protocol,
>> although within the commonly supported profile.
>>
>> In that case, and assuming that neither of the two parties can be
>> (promptly) updated to broaden its support, the client would just have
>> to give up after failing to establish a channel with the only
>> transport security protocol it supports.
> Grüße
> Olaf

-- 
Marco Tiloca
Ph.D., Senior Researcher

Division: Digital Systems
Department: Computer Science
Unit: Cybersecurity

RISE Research Institutes of Sweden
https://www.ri.se

Phone: +46 (0)70 60 46 501
Isafjordsgatan 22 / Kistagången 16
SE-164 40 Kista (Sweden)

v2.39.1 | Report a Bug | By Email | System Status