Re: [Ace] MQTT, OSCORE, DTLS profiles - recommendation on RS - AS communication

Daniel Migault <daniel.migault@ericsson.com> Wed, 14 April 2021 15:13 UTC

Return-Path: <daniel.migault@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 636873A1288 for <ace@ietfa.amsl.com>; Wed, 14 Apr 2021 08:13:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NWuU497GedoS for <ace@ietfa.amsl.com>; Wed, 14 Apr 2021 08:13:29 -0700 (PDT)
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10on2066.outbound.protection.outlook.com [40.107.92.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 470683A1286 for <ace@ietf.org>; Wed, 14 Apr 2021 08:13:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=NcuHjVZlBjyGE4VGH9p4RCuV5qzABs+syUWtVKH1wH2d3OHq9je9eZHFtXY2/9j9sz3RXstJ9FhoQmKFACQwVlQiPIpbdxDN11uJpxCtMtjQlLJJDthIM7G+QuEAICIgxvih46f95dn2L4vvjfl5BwpkGevEB8tlz7Z9FcsL6/azvVW8D75QJ+ii+4WUh4HX0Ku16pJr6yZzon8wSjuClPdAGjajjgGHQ7ugwhBAu68YwuCyoP5tkrOpKEEyG3Pz1vaJr6YpRdVavm6cv/e4o9EhvQ1xsZaKtnzk84jGI/92yUOgofP163LVwzLu19QauxUag0HMa8kQxmX/eyYkUw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ehmP0I8nFLnPNIsEBo4S0hXbl/07uSLzH4LjI3LDpoU=; b=D16chlMtS7WmnPeOSkHfvdoVYIfRbyvtRUuQ0xZB+YXhN6lvflW6h9JoTTucIOrNXoueMssyuLcOmXdsPcP0/lRnwG5BjZzx8drnmCEJHXqGktfEGBKNuM02jbCuroDXnyaYxMBqdLrc7/thCI1kkrnFVRrjfNmkHH5p42YSrj80sAWyKFhwTLi8LjpSGba0NsiNP6nxzsXeYiXz/jgqDq6lCn3ISvMs/aQrSEbiG1X8eOvmSgp4Htv+zlwrRgHtB6OvXqmWIKBQukkn+TtkYDUDbKfRfP/JV9VHrbMxegwtj4vHc++Dj7h7HOyqQo+Nzfr2TBh4qRkm09BsmnVwhQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ehmP0I8nFLnPNIsEBo4S0hXbl/07uSLzH4LjI3LDpoU=; b=b6nqYAg3z+1ORnf58jlPkL9zWGNV6CM5y6P3PJivfmdmt90htLq8VtpEl9PbxbglHj2JKVNwywYiLQzutlYznmaziJVRucPeQUMdeBbc4FOn0WDXCAmUjWX3iPzmNMc9VT1ZtAlxsiJjuIxT0arHY5MSnnTDVn4hc9BJt72BdSc=
Received: from DM6PR15MB2379.namprd15.prod.outlook.com (2603:10b6:5:8a::16) by DM5PR15MB1772.namprd15.prod.outlook.com (2603:10b6:4:56::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4020.21; Wed, 14 Apr 2021 15:13:25 +0000
Received: from DM6PR15MB2379.namprd15.prod.outlook.com ([fe80::98bf:c687:dcef:f893]) by DM6PR15MB2379.namprd15.prod.outlook.com ([fe80::98bf:c687:dcef:f893%4]) with mapi id 15.20.3933.040; Wed, 14 Apr 2021 15:13:25 +0000
From: Daniel Migault <daniel.migault@ericsson.com>
To: Cigdem Sengul <cigdem.sengul@gmail.com>
CC: Daniel Migault <mglt.ietf@gmail.com>, Ace Wg <ace@ietf.org>
Thread-Topic: [Ace] MQTT, OSCORE, DTLS profiles - recommendation on RS - AS communication
Thread-Index: AdcR/JJKBqAZJjuZQzq6TyD8//pPGQeZia8AAAB5JoAAKe/XAAAG2BE9AAGj7QAABI5H9w==
Date: Wed, 14 Apr 2021 15:13:24 +0000
Message-ID: <DM6PR15MB23791CC9031ED616BDBDDD6CE34E9@DM6PR15MB2379.namprd15.prod.outlook.com>
References: <DM6PR15MB237941DDA59DF2A67A2F52B7E3969@DM6PR15MB2379.namprd15.prod.outlook.com> <CAA7SwCNmxax3F222eeYyQ1rEOq+cOZzZwT1Y4+CPBrJB+8XtXw@mail.gmail.com> <CADZyTkk4j0TJMFFPZ0j4zXo1miRBdG4A=jQUJQdiePdsiiMkVA@mail.gmail.com> <CAA7SwCNJ6wkzz=JS4s4xUgZ-rZTf5XFBuHMNe04ijRU1Z9ppmg@mail.gmail.com> <DM6PR15MB2379A0F88237CF5F7B8DD619E34E9@DM6PR15MB2379.namprd15.prod.outlook.com>, <CAA7SwCO=gXCa1kCmxacQTW4+vGaAaE7xWSYrwF3Smr90q8g0Lg@mail.gmail.com>
In-Reply-To: <CAA7SwCO=gXCa1kCmxacQTW4+vGaAaE7xWSYrwF3Smr90q8g0Lg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [96.22.11.129]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 51ca9db3-d5d3-4678-9572-08d8ff57d999
x-ms-traffictypediagnostic: DM5PR15MB1772:
x-microsoft-antispam-prvs: <DM5PR15MB1772DF625B2A72BF63306CF3E34E9@DM5PR15MB1772.namprd15.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: T0doOg2EAX9p4umsMMwBdhEVw261sQG1oYijz30axKMiN0xpA75wBP4J9sumbDl8ys0RRCchNAZUf+lJNDAroRcuqjkA9vjs7NwcR95nj2vR02/pVRs23443lUvVx69m5g3PNXGFWaAcOPXfoZb0vKVHwxad12LX8FmjXlsTVWTrww0gKs1ov594vFMzqfaKApWMjUVKTqk9z3WSTNVi6GHRIfaSdFCKJPPZ58+hrM2/ZDr6wWaWw7JVxKZkxvLBeIsrHm8bLXz49zkyJVsNYf3oRgb0/VaSlWc1DsirPy1PWR4NeAFPNaInRSeMccmvP9PT5P7uw9IGM/gm4V154m/WPmv1fF26jo1EziUiectnlNMS3T2mG9F3td7d/SG6fVTBx3pHBEMBBbNxPkzJAfrNm9Pcpw6OO2hCHmjHwNqxW+I/DrFhE1V/PqGv+jF8gg6Rvghj6NSXwP9O97KrhPxksULcLPtvhLRwzgYa+ETGvMnciI6KATxJpiihtNyXqJnghpp87z8zgyjVv7GsZIMkewG20qR4hoH2m+lwXmtaJGVXBDWM+IZmihElUemTdKOC4gwmYHKYoT7y45ZRXHY8CibkNRksxX1D7/BeqEJftebcZuBDbHFrTQp+YuBSw76TRE0i0uZhLz50Lcp34fSXC/OiE4l0ezmuhoTO2lPJKmHD0IMPshx0sRzQr5O0
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR15MB2379.namprd15.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(39860400002)(366004)(376002)(396003)(136003)(6916009)(86362001)(44832011)(6506007)(76116006)(91956017)(966005)(53546011)(186003)(478600001)(166002)(66556008)(66946007)(66476007)(26005)(33656002)(64756008)(19627405001)(66446008)(7696005)(52536014)(83380400001)(122000001)(2906002)(9686003)(38100700002)(316002)(4326008)(54906003)(55016002)(71200400001)(5660300002)(8936002)(8676002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?Windows-1252?Q?oEEkLZmATcTd7DmJa5PcYB/jqBTKrjaH9XfLgYdiy/tvK8RGUer0aQHK?= =?Windows-1252?Q?eLtZauvjQ5EzTnDFBI8WcRihLe9GuVTWag1PmY84JB/gT4ftheycSzGy?= =?Windows-1252?Q?2AcfO4/dxgayBJ65t+CCS7YrUVSvaSw8gNZ3YlVAiw8jm6sP5szBf0Fm?= =?Windows-1252?Q?4NNZOpWQ3gdgnmEn8jtj/Ok4p26DozY+enBBD4lmxxrkYJSUY6uI/RJT?= =?Windows-1252?Q?A7iQhMoGspqofqxERaZX/Zg+zMSbpsRK/ItqKpCTctNhw029Dw8jXolX?= =?Windows-1252?Q?QBFPsTJGOGiXQN6CtVCBSxfVMAEz2Vv0C8HZy1Z3qkUvgjf7Sav/uqVq?= =?Windows-1252?Q?khqTMBbeYC3io+1UEOXF4W4f4q5DcqjcxXqw/Kg9ZZ4I0UOlIQiFsELP?= =?Windows-1252?Q?u7BZp/DZlrJhiiwlMRFTGLPs9QAHfi0DkPuRN0JeR6hcYEUslHv6rFCJ?= =?Windows-1252?Q?UlYU22Jov9EenZ44nNfQbrmB5Zb1vxgIl/ZUKu3gh2RV0GezwfOwMp0r?= =?Windows-1252?Q?v4GE7QMY1oNNFM9/NpXW2fhbmrM0Wt75fcTi3bZa4DA4nvE3R58oP597?= =?Windows-1252?Q?9Wy1cXIHCY3MLyZloTI627jIctkAkpMvKDsF5Ne3KVMQWIn1db2PYq3P?= =?Windows-1252?Q?ncn6v8T1B+aRxWfl0CJbRJV+BqD3v+NjENuJnDIpx9Sbdy8D8Q3+o3z5?= =?Windows-1252?Q?FoSIbXp03HDwv+Ta4vCYB7E2n/YaN+2qy/n/4mb6XVaIOFcyaF+eE65L?= =?Windows-1252?Q?Bzsnb14tJtJLoEu3Lz74kXD2pb8rnOdH1vo5l9r62pi1v5dYAFH+x4g3?= =?Windows-1252?Q?uaq8njbA4LtkcrVKaTpQLO3+YrDEnccykGILHxEdx4eyZ9aNU4V6Hjwl?= =?Windows-1252?Q?o8PtspUKuVxKZKqX9QQiD61VCOc3Ad+VS4asmFfu5PD/m74jJYTWB455?= =?Windows-1252?Q?MsBP/4cMNkBViVkIB3NSdwwKkztwe62ZA8awjXC6PJiRtZgp7gQCiDVl?= =?Windows-1252?Q?G1c1L8FnrAdbsBluTRH2juBdxA3jtNfdmp968NlT8vk4swewJYXI0hap?= =?Windows-1252?Q?xc7Q2RfN6yaVXe0bPAvsyHr4Q6AnQDKztwxQj/e3PX9Q7R0rTbJbR7pf?= =?Windows-1252?Q?Praq2tHr1NuhlOZbvWdBig/4JdcA5A4GYGLTd5D2EDY//iHYE+3UWTQA?= =?Windows-1252?Q?n18irrS/tJBUPtQqmfFRug4LqjkGqtJOVHyKr0k9R+W+ai6QsSttSact?= =?Windows-1252?Q?phNgKfqbc3BCikqz7mTPjJpLQIbDh3ceJGxCrnU+Fz3pkVV6NfkB0p0h?= =?Windows-1252?Q?Gs6WCLoHM/wk1FlGeziYfI7vO4ms3FDFRwo5i1zLm89KW2M4/LKUoT6O?= =?Windows-1252?Q?eQNcrMItKoDS8Q0XmQ4tadcOkbYlWLhwBCo=3D?=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DM6PR15MB23791CC9031ED616BDBDDD6CE34E9DM6PR15MB2379namp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR15MB2379.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 51ca9db3-d5d3-4678-9572-08d8ff57d999
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Apr 2021 15:13:24.9854 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: pmrjO9refIkhZNGpRur7+aNmMw6fnNreQc/tYp9mHbSwhjtwAT3Kica7IVNLf6EgmTWcqZdBOGEP9rNvrbSWCKI5yNJyaqW4mjl95iCiOp8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR15MB1772
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/QviiJ5VIikMsgY3NbTofeQCh25w>
Subject: Re: [Ace] MQTT, OSCORE, DTLS profiles - recommendation on RS - AS communication
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Apr 2021 15:13:34 -0000

Hi,

I do not see this as an issue but would like the WG to state their opinion.

Yours,
Daniel
________________________________
From: Cigdem Sengul <cigdem.sengul@gmail.com>
Sent: Wednesday, April 14, 2021 9:01 AM
To: Daniel Migault <daniel.migault@ericsson.com>
Cc: Daniel Migault <mglt.ietf@gmail.com>om>; Ace Wg <ace@ietf.org>
Subject: Re: [Ace] MQTT, OSCORE, DTLS profiles - recommendation on RS - AS communication

Hello Daniel,
I should clarify: I did not mean it was not compliant - it was more asking whether anybody objects to registering ace+json when the framework talks about a different method.
Kind regards,
--Cigdem

On Wed, Apr 14, 2021 at 1:50 PM Daniel Migault <daniel.migault@ericsson.com<mailto:daniel.migault@ericsson.com>> wrote:
Hi,

I am certainly missing something, but it is unclear to me why "application/ace+json" does not comply to "application/x-www-form-urlencoded". In other words, what would the update of the mqtt draft consist of to be aligned with the framework. I also have the impression that the use of "application/x-www-form-urlencoded" is a MAY and that the framework does not specify MUST. In general I am tempted to think it is better to be aligned with but It would probably need to understand better the issue and I am encouraging the WG to state rapidly their thoughts so we can move the draft forward.

Regarding the second point, yes, the draft that introduces ace+json should register it.

Yours,
Daniel
________________________________
From: Ace <ace-bounces@ietf.org<mailto:ace-bounces@ietf.org>> on behalf of Cigdem Sengul <cigdem.sengul@gmail.com<mailto:cigdem.sengul@gmail.com>>
Sent: Wednesday, April 14, 2021 4:58 AM
To: Daniel Migault <mglt.ietf@gmail.com<mailto:mglt.ietf@gmail.com>>; Ace Wg <ace@ietf.org<mailto:ace@ietf.org>>
Subject: Re: [Ace] MQTT, OSCORE, DTLS profiles - recommendation on RS - AS communication

Hello Daniel,

One thing I didn't have a chance to ask yesterday in the interim was about the registration of the 'ace+json' application type.
Francesca brought this up as the MQTT profile describes the HTTPS interactions differently than the core draft  which says " When HTTP is used as a transport then the client makes a request to the token endpoint by sending the parameters using the "application/
x-www-form-urlencoded" format with a character encoding of UTF-8 in the HTTP request entity-body, as defined in section 3.2 of [RFC6749]."

As I discussed with Francesca, we had discussions on the mailing list with Jim using ace+json as well. I recalled the view that the draft that introduces it should register it - I want to check if this is the general agreement, or you (or the group) has a different view
    - (1) registering this new type, or (2) MQTT draft is modified to comply with framework description
    - do we still agree that (1) it should be the  MQTT profile registering it or (2) it should be done elsewhere?

Kind regards,
--Cigdem

On Tue, Apr 13, 2021 at 1:58 PM Daniel Migault <mglt.ietf@gmail.com<mailto:mglt.ietf@gmail.com>> wrote:
Thanks for the update, that works for me.

Yours,
Daniel

On Tue, Apr 13, 2021 at 8:44 AM Cigdem Sengul <cigdem.sengul@gmail.com<mailto:cigdem.sengul@gmail.com>> wrote:
Hello Daniel,
I propose the following change to clarify the TLS use - if you are happy with it, I will update the document:

To provide communication confidentiality and RS authentication to MQTT clients, TLS

   is used, and TLS 1.3 [RFC8446] is RECOMMENDED.  This document makes

   the same assumptions as Section 4 of the ACE framework

   [I-D.ietf-ace-oauth-authz] regarding Client and RS registration with

   the AS and setting up keying material.  While the Client-Broker

   exchanges are only over MQTT, the required Client-AS and RS-AS

   interactions are described for HTTPS-based communication [RFC7230],

   using 'application/ace+json' content type, and unless otherwise

   specified, using JSON encoding. The Client-AS and RS-AS MAY also use

   protocols other than HTTP, e.g.  Constrained Application Protocol
   (CoAP) [RFC7252] or MQTT; it is recommended
    that TLS is used to secure the communication channels between Client-AS and RS-AS."

Since it is in this paragraph, one thing that Francesca brought up to do is to register the 'application/ace+json' content type.
Kind regards,
--Cigdem

On Fri, Mar 5, 2021 at 9:11 PM Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org<mailto:40ericsson.com@dmarc.ietf.org>> wrote:

Hi,



Now that the authz document is being consolidated, I do have some minor concerns regarding the recommendations mentioned in the profile documents, that might require an additional update.

The update to the authz document indicates more more clearly than before that profiles need to provide some recommendations for the RS – AS communication.



“””

Profiles MUST  specify for introspection a communication security protocol RECOMMENDED to be used between RS and AS that provides the features required above. “””



It seems to me the MQTT profile text makes it pretty clear that TLS is recommended for all communications but I am wondering if additional clarification would be beneficial – see below. That said I agree this is a very minor point in this case that could be handled by the RFC editor.

For the OSCORE or DTLS profiles, unless I am missing the RS – AS recommendations in the documents , it seems to me it has been omitted and needs to be added -- see below.





Yours,

Daniel



## MQTT - draft-ietf-ace-mqtt-tls-profile-10



“””

   To provide communication confidentiality and RS authentication, TLS

   is used, and TLS 1.3 [RFC8446] is RECOMMENDED.  This document makes

   the same assumptions as Section 4 of the ACE framework

   [I-D.ietf-ace-oauth-authz] regarding Client and RS registration with

   the AS and setting up keying material.  While the Client-Broker

   exchanges are only over MQTT, the required Client-AS and RS-AS

   interactions are described for HTTPS-based communication [RFC7230],

   using 'application/ace+json' content type, and unless otherwise

   specified, using JSON encoding.

“””



I am wondering if that would not be more appropriated to specify in the first line RS and AS authentication or simply authentication.









  *   OSCORE draft-ietf-ace-oscore-profile-16

“””

This

   profile RECOMMENDS the use of OSCORE between client and AS, to reduce

   the number of libraries the client has to support, but other

   protocols fulfilling the security requirements defined in section 5

   of [I-D.ietf-ace-oauth-authz] (such as TLS or DTLS) MAY be used as

   well.

“””



  *   DTLS draft-ietf-ace-dtls-authorize-15



“””

It is RECOMMENDED that the client

   uses DTLS with the same keying material to secure the communication

   with the authorization server, proving possession of the key as part

   of the token request.  Other mechanisms for proving possession of the

   key may be defined in the future.

“””



_______________________________________________
Ace mailing list
Ace@ietf.org<mailto:Ace@ietf.org>
https://www.ietf.org/mailman/listinfo/ace
_______________________________________________
Ace mailing list
Ace@ietf.org<mailto:Ace@ietf.org>
https://www.ietf.org/mailman/listinfo/ace


--
Daniel Migault
Ericsson