Re: [Ace] draft-ietf-ace-mqtt-tls-profile-03

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Fri, 28 February 2020 08:59 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Cigdem Sengul <cigdem.sengul@gmail.com>
CC: "ace@ietf.org" <ace@ietf.org>
Date: Fri, 28 Feb 2020 08:59:11 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/uOIBkfh6gBUDJdll8cDuB4Usz5g>

Hi Cigdem,

Thanks for your quick response.

From the text you cited regarding MQTT v5 it is not backwards compatible with version 3.1.1. The exact impact of working between two devices of different versions has not been described in the spec either. The following sentence in your introduction can easily give readers the impression that the two versions are backwards compatible. Here is the sentence:

   "It is expected that MQTT deployments will retain backward compatibility for MQTT v3.1.1 clients, and therefore, this document also describes a reduced set of protocol interactions for MQTT v3.1.1 - the OASIS Standard [MQTT-OASIS-Standard]."

Maybe you want to change the wording a little bit.  I think the reason why you want to describe a solution for v3.1.1 is that this is the widely deployed version.

Regarding the broker term: It is probably a matter of taste but I would refer to the terms used in the spec and would not replicate the terminology from the OASIS MQTT specs in the draft. Someone who implements the draft will have to become familiar with MQTT anyway. But that’s just me. For example, I often see people using the term “certificate authorities (CA)” in their write-ups. RFC 5280 defines and uses the term “certification authority (CA)". While the two sound and look similar only one is actually correct.

I noticed you have put a normative dependency on [I-D.palombini-ace-coap-pubsub-profile]. I don't think it is necessary because it is not a requirement to implement the spec. You could use it on top of it -- or you could use something else as well. I would move it to the informative part. The added benefit of doing that is that you do not block your spec till that draft becomes RFC. On the other hand, RFC 6749, RFC 7800, and I-D.ietf-ace-cwt-proof-of-possession cannot be informative references when you use PoP tokens in your solution.

You might be interested to hear that there is currently no way to obtain the keys for a PoP token over HTTP, which your solution requires. The virtual interim meeting in the OAuth group should probably be of interest to you.

Ciao
Hannes

From: Cigdem Sengul <cigdem.sengul@gmail.com>
Sent: Tuesday, February 25, 2020 3:10 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: ace@ietf.org
Subject: Re: [Ace] draft-ietf-ace-mqtt-tls-profile-03

Hello Hannes,

We used "broker" as it is a widely accepted term in the MQTT community for "server", e.g., the majority of providers would list a broker implementation to refer to their server implementation.

With respect to whether 3.1.1 clients can talk to v5, there may be some issues. This is what the spec says:

Non-normative Comment
If the Server distributes Application Messages to Clients at different protocol levels (such as MQTT V3.1.1) which do not support properties or other features provided by this specification, some information in the Application Message can be lost, and applications which depend on this information might not work correctly.

The spec also defines a protocol version error message:
If the [Client's] Protocol Version [in the CONNECT packet] is not 5 and the Server does not want to accept the CONNECT packet, the Server MAY send a CONNACK packet with Reason Code 0x84 (Unsupported Protocol Version) and then MUST close the Network Connection

So, whether a broker provides dual support would depend on the provider. E.g., the Mosquitto broker supports the different protocol versions.

Thanks,
--Cigdem
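The version check and the Reason Code 0x84 CONNACK quoted above, as an added example that is not part of this thread or of the draft: a v5 server reads the Protocol Version from the CONNECT packet and answers an unsupported version with a CONNACK carrying 0x84 before closing the connection. The packet bytes and the set of supported versions are constructed here for illustration.

```python
# Added example (not from the draft or the thread): broker-side check of the
# Protocol Version byte in an MQTT CONNECT packet, and the v5 CONNACK with
# Reason Code 0x84 (Unsupported Protocol Version) the MQTT v5 spec lets a
# server send back. Packet bytes are hand-built from the MQTT header layout;
# the supported-version set is an assumption (a v5-only broker by default).

def decode_remaining_length(data: bytes, pos: int):
    """Decode MQTT's Variable Byte Integer at data[pos]; return (value, next pos)."""
    value, multiplier = 0, 1
    while True:
        if pos >= len(data):
            raise ValueError("truncated Remaining Length")
        byte = data[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if byte & 0x80 == 0:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:          # MQTT allows at most four bytes
            raise ValueError("malformed Remaining Length")

def connect_protocol_version(packet: bytes) -> int:
    """Return the Protocol Version (4 = v3.1.1, 5 = v5) of a CONNECT packet."""
    if packet[0] != 0x10:                  # control packet type 1, flags 0
        raise ValueError("not a CONNECT packet")
    remaining, pos = decode_remaining_length(packet, 1)
    if len(packet) - pos < remaining:
        raise ValueError("truncated CONNECT packet")
    name_len = int.from_bytes(packet[pos:pos + 2], "big")
    pos += 2
    if packet[pos:pos + name_len] != b"MQTT":
        raise ValueError("unexpected Protocol Name")
    return packet[pos + name_len]          # Protocol Version follows the name

def reject_connack(packet: bytes, supported=(5,)):
    """v5 server behaviour: CONNACK with Reason Code 0x84 for a version the
    broker does not support (the connection is closed afterwards), else None."""
    if connect_protocol_version(packet) in supported:
        return None                        # proceed with normal CONNECT handling
    # v5 CONNACK: fixed header 0x20, Remaining Length 3, Connect Acknowledge
    # Flags 0x00, Reason Code 0x84, empty Properties (length 0). A v3.1.1
    # client cannot fully parse this v5 layout, so closing is what it sees.
    return bytes([0x20, 0x03, 0x00, 0x84, 0x00])

# Constructed CONNECT packets: clean session, keep-alive 60 s, client id "abc".
CONNECT_V311 = bytes.fromhex("100f00044d5154540402003c0003616263")   # level 4
CONNECT_V5 = bytes.fromhex("101000044d5154540502003c000003616263")   # level 5, no properties

if __name__ == "__main__":
    print(reject_connack(CONNECT_V311))                 # b'\x20\x03\x00\x84\x00'
    print(reject_connack(CONNECT_V311, supported=(4, 5)))  # None: dual-version broker
```

Passing `supported=(4, 5)` models a broker such as Mosquitto that accepts both protocol levels; the v5-only default shows the rejection path.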

On Tue, Feb 25, 2020 at 10:01 AM Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
Hi Cigdem, Hi Anthony, Hi Paul,

Why are you using the term MQTT broker? My understanding of the MQTT spec is that there are only clients and servers - nothing more.

Is a MQTT v3.1.1 client able to talk to a MQTT v5 server? Would a MQTT v3.1.1 client talk to a MQTT v5 client via a server that supports both v3.1.1 and v5?

Ciao
Hannes

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace