Re: [Ace] WGLC draft-ietf-ace-mqtt-tls-profile
Cigdem Sengul <cigdem.sengul@gmail.com> Wed, 23 September 2020 13:10 UTC
Return-Path: <cigdem.sengul@gmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D51073A0869 for <ace@ietfa.amsl.com>; Wed, 23 Sep 2020 06:10:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sMmKIHoEv3ws for <ace@ietfa.amsl.com>; Wed, 23 Sep 2020 06:10:47 -0700 (PDT)
Received: from mail-vs1-xe32.google.com (mail-vs1-xe32.google.com [IPv6:2607:f8b0:4864:20::e32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71E0F3A0813 for <ace@ietf.org>; Wed, 23 Sep 2020 06:10:47 -0700 (PDT)
Received: by mail-vs1-xe32.google.com with SMTP id w25so3047125vsk.9 for <ace@ietf.org>; Wed, 23 Sep 2020 06:10:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Jl9EOgl/vEokX31IJpmzlS7F9EedvfNUXLFUgdseOLo=; b=iuDO+RV+VjWi9plXf8T2FrXrBSPyrFrXqab5fIDSad4Zj/CzUGNKPLkxpCOweJZLcS bv/UtH9dU6fIXeiw753DMEWJQrrY8fFfIHGxeJJgcSVWoqznEVVJcXcXDEEVn3zNijD/ qs+hJbvIPzyevrdrtMwV2ri5G8+z6z1pxnwc9KOtVkibyujwLDYGhqUob4Am0gkwjmfR wSp08YFGHtUPGM+LnhI6xx9vfptlmWRNsX7+ucHUUOpUBN1GApbktwtbDY5Z3Rs1YRGJ MgrEFXD3HP/4aMKodRwEGTBp9TlCwdQ9ayd80CLaOPm/EymxQtg6DfP9hKCyJFJjDqgj gLxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Jl9EOgl/vEokX31IJpmzlS7F9EedvfNUXLFUgdseOLo=; b=Sq3DYcz2juAvUaxp+p500VxB/NWB5pxwhxkiCZ8vvLRB0kVfsGUuyqpUx8wlCrKizS srKLhA8qTEJYAV0vDguO0WD1YdgUIoDLO22EhenLqPguTTF6QSeGxGDi+yQO0sieMKb5 7hWIjrzGA6dwi0r7L3zn1FlL9lWMuRTxe2u5aztApMtoSiepGV/atvwh5FcxWrbN++++ ZjvbYYWNjPmMAFqEdSD+kUGl7W3EXe0PBLmqXC+r4/UysW2eBVIKQVFbPg6idQjI09PV qPOmCuQRzSU3C+Bears/9CFBXgHflZJe5GUx+cOQnKtRIurdJqNX7ehxW3yatGJ7+hga b+CA==
X-Gm-Message-State: AOAM533MZdxJcHos6qrBbzs1ceJfxUxDWhSiTa0Zcg6MsPCZfKFZ93gp 4vf5tsXLMqLM445l6kYif+s0z0ZQJfecrEVjU+s=
X-Google-Smtp-Source: ABdhPJwvI5nDLQ1NuNZeq97kiy4rSoZrFLwdFfG5no7CIt03VBQjw9eAspmMSmZfAfjSoMY6m9ryxWlwTw4+aszvGMU=
X-Received: by 2002:a67:e248:: with SMTP id w8mr6935460vse.39.1600866645580; Wed, 23 Sep 2020 06:10:45 -0700 (PDT)
MIME-Version: 1.0
References: <CADZyTkmMd7iO3jo359QSS+y1LoSKvoDw+vJonD8VUfheEgXLTA@mail.gmail.com> <CADZyTkm9x62oTxHp8EwqWxkQT3Tn6szZ4myuM5XJWt-4FQS92g@mail.gmail.com> <CAA7SwCPOsn5nd=H9EHDn451VZ0MhJEk6vR+qMHBcuC3kaA55wQ@mail.gmail.com> <CADZyTkmpwx68YJGeoh9Tki8A_eqMMhJVzQwF6_9mZanurj_CsA@mail.gmail.com> <CAA7SwCNevGqv641ZRCJPJiUaJ4TEZ2gsx=7BBTN678CN0EYeWA@mail.gmail.com> <CADZyTkncWgUHaFH3q-3eqf3ZTcxQsUTOva==5VTdUOtgQh9B0w@mail.gmail.com>
In-Reply-To: <CADZyTkncWgUHaFH3q-3eqf3ZTcxQsUTOva==5VTdUOtgQh9B0w@mail.gmail.com>
From: Cigdem Sengul <cigdem.sengul@gmail.com>
Date: Wed, 23 Sep 2020 14:10:34 +0100
Message-ID: <CAA7SwCOc75Xmb6Ywku3Pg9wa_vSEeUFC0=BjuKdrjoF5p8oOGw@mail.gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: Ace Wg <ace@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000be4d8205affacf3f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/SDDEZohcHnKtE2B3T1igm714Mk4>
Subject: Re: [Ace] WGLC draft-ietf-ace-mqtt-tls-profile
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2020 13:10:49 -0000
Hello Daniel, My responses are as follows: <mglt> > Just one clarification. TLS 1.3 provides two ways to authenticate the > client. One way is sending a certificaterequest during the TLS handshake > and another way is to send it after the handshake occurs. The ability to > support the first authentication is not advertised by the TLS client. The > ability to support the second is advertised with the post_handshake_auth > extension. I just wanted to make sure we agreed there are two ways. > </mglt> > [Cigdem: Yes, I agree. In both cases, what I read is: "If the client does not send any certificates (i.e., it sends an empty Certificate message), the server MAY at its discretion either continue the handshake without client authentication or abort the handshake with a "certificate_required" alert." I suggest continue the handshake and fallback to MQTT Connect authentication for the RPK case. ] > [Cigdem : Yes, actually, this is what I described above. Due to absence of >> a certificate, I suggest it can fall back to CONNECT] >> >> > <mglt> > You are correct. What might need to be specified is that the server MUST > support the two ways to authenticate the client. It MUST try during the > handshake and if the client as not provided the sufficient credentials and > the client has the post_handshake_auth, it MUST send one after the > hanshake. The reason I think that maybe more text is needed is that I have > the impression a minimal TLS server implementation may not necessary > support both authentications. This would prevent the use of an TLS > implementation that only supports post_authentication for example. > Similarly, I am wondering if the MQTT client does not have similar > requirements regarding the support of TLS authentication as well as the > CONNECT or if it may support only one. I tend to think that the client may > only support only one way. > > To sum up, I am just trying to evaluate how to prevent a situation where > the client will not be abel to authenticate itself to the server. > </mglt> > [Cigdem: I think what I would prefer is that: the MQTT client will support one way (one of PSK, or RPK, or over MQTT Connect then). The server MAY support multiple ways. Given we recommend the MQTT Connect for client authentication, the server MUST implement that. (That's why if RPK fails, MQTT connect can be fallback.) If we agree, I will revise the document. ] Kind regards, --Cigdem
- [Ace] WGLC draft-ietf-ace-mqtt-tls-profile Daniel Migault
- Re: [Ace] WGLC draft-ietf-ace-mqtt-tls-profile Daniel Migault
- Re: [Ace] WGLC draft-ietf-ace-mqtt-tls-profile Marco Tiloca
- Re: [Ace] WGLC draft-ietf-ace-mqtt-tls-profile Cigdem Sengul
- Re: [Ace] WGLC draft-ietf-ace-mqtt-tls-profile Cigdem Sengul
- Re: [Ace] WGLC draft-ietf-ace-mqtt-tls-profile Marco Tiloca
- Re: [Ace] WGLC draft-ietf-ace-mqtt-tls-profile Cigdem Sengul
- Re: [Ace] WGLC draft-ietf-ace-mqtt-tls-profile Daniel Migault
- Re: [Ace] WGLC draft-ietf-ace-mqtt-tls-profile Cigdem Sengul
- Re: [Ace] WGLC draft-ietf-ace-mqtt-tls-profile Daniel Migault
- Re: [Ace] WGLC draft-ietf-ace-mqtt-tls-profile Cigdem Sengul
- Re: [Ace] WGLC draft-ietf-ace-mqtt-tls-profile Daniel Migault