Re: [Ace] AD review draft-ietf-ace-key-groupcomm-16

[Paul Wouters <paul.wouters@aiven.io>]

Thanks for the feedback to my review. I'll await the publication of a new
draft version and then move the document further through the process.

Paul

On Fri, Sep 22, 2023 at 12:16 PM Marco Tiloca <marco.tiloca@ri.se> wrote:

> Hello Paul,
>
> The authors have discussed your review comments and compiled detailed
> replies in line below.
>
> Based on those, we will now proceed updating the Editor's copy on Github
> [1] towards version -17, also taking into account any follow-up feedback
> from your side.
>
> Thanks,
> /Marco
>
> [1] https://github.com/ace-wg/ace-key-groupcomm
>
>
> On 2023-09-01 15:53, Marco Tiloca wrote:
>
> Hi Paul,
>
> Thank you for your review, we will start working on it.
>
> When addressing your comments, we will also process a few more recent
> points tracked as Github issues [0]. In particular:
>
> - Issues 148, 150, and 151 are about editorial fixes/improvements.
>
> - Issues 147 is about clarifications, while issue 149 is about fixes in
> the IANA considerations.
>
> - Issue 146 is about relaxing the now-mandatory inclusion of one parameter
> in a message.
>
>    This issue 146 was first brought up to the WG at the ACE interim
> meeting on 2022-09-12, further elaborated on its Github entry, and then
> confirmed at the ACE interim meeting on 2022-12-19.
>
>
> Best,
> /Marco
>
> [0] https://github.com/ace-wg/ace-key-groupcomm/issues
>
>
> On 2023-09-01 02:26, Paul Wouters wrote:
>
>
> You don't often get email from paul.wouters@aiven.io. Learn why this is
> important <https://aka.ms/LearnAboutSenderIdentification>
>
> Hi,
>
> Thanks for this document and my apologies for the long wait time.
>
> I think this document is mostly ready to go. I have a few questions and
> some comments on what I think are changes needed for the IANA
> Considerations section.
>
>
>
> 1) Race conditions with group rekey
>
> Section 2:
>
> When a group rekeys so an new member joining won't be able to read
> old messages, how are race conditions prevented? eg one node wants to
> send a message, but processes a group rekey, then sends the message it
> had. Then the new member join is complete and that message can be read
> by the new member.
>
>
> ==>MT
>
> As you also noticed, a discussion on these aspects comes later in the
> security considerations, i.e., in Section 10.2.1 "Misalignment of Group
> Keying Material" (about which we give a specific reply to your comment
> further below).
>
> At this point in the document, we should better clarify what we mean with
> "old messages". Those are messages exchanged in the group and protected
> with keying material older than the one provided to the joining node.
>
> Clearly, once the joining node obtains the new keying material, the
> joining node becomes able to read any message protected with it, even if
> those messages were sent before the joining procedure was completed.
> However, the joining node will not be able to read "old messages", i.e.,
> messages protected with keying material having a strictly lower version
> number num.
>
> For the sake of simplicity, we preferred not to discuss and analyze
> different strategies (each with pros and cons) that the KDC can follow,
> e.g., fully rekeying the group first and then providing the new keying
> material to the joining node, or vice versa, or a hybrid approach. We can
> however clarify in: Sections 2 "Overview" (within the bullet point 3 above
> Figure 2); in Section 6 "Group Rekeying Process"; and in Section 10.2
> "Update of Group Keying Material" (in the security considerations).
>
> <==
>
>
> Section 6:
>
>         The KDC MUST increment the version number NUM of the current
>         keying material, before distributing the newly generated keying
>         material with version number NUM+1 to the group.
>
> So when the KDC increments the version, and starts distributing the new
> keying material, any client requesting "num" will believe it is behind
> and request a new copy? Wouldn't this cause duplicate rekeys?
>
>
> ==>MT
>
> Trying to clarify, let's consider this general sequence of events.
>
> 1. The current keying material has version num=1
> 2. The KDC generates new keying material, with version num=2
> 3. The KDC starts rekeying the group and distributes the new keying
> material with version num=2
> 4. (the group rekeying is ongoing)
> 5. A group member that has not yet received the new keying material via
> the group rekeying sends a GET request to the KDC at ace-group/GROUPNAME/num
> 6. The response from the KDC specifies num=2
> 7. (maybe the group rekeying is still ongoing or maybe not, it doesn't
> really matter ...)
>
> At step 5, since the group member has not already received the new keying
> material, the group member still has the old keying material with version
> num=1 and wrongly believes it to be the latest one, until receiving the
> response from the KDC at step 6. Therefore, at step 6, indeed the group
> member learns and believes to be behind, because it actually **is** behind.
>
> The group member can now do two things:
>
> * Assume that a group rekeying is ongoing, and just wait for receiving the
> group keying material through such a rekeying process; or
> * Send a request to the KDC resource at ace-group/GROUPNAME, thus
> retrieving the new keying material with version num=2.
>
> In either case, there is no "duplicate rekey".
>
> In the first case, a rekeying is in fact already ongoing and no further
> one is expected to follow back-to-back.
>
> In the second case, the request from the group member is not going to
> trigger yet another group rekeying (and, in general, scheduling group
> rekeying instances is a prerogative entirely of the KDC). That is, any
> group member can request the keying material from the KDC at any time, and
> will get the latest keying material as a result (nothing more will happen).
>
> Therefore, we believe that no addition or change to the document should be
> required, as we cannot see text that contradicts the above or suggests
> anything different.
>
> <==
>
>
> I see this is partially addressed in the Security Considerations, but
> I feel handling these race conditions is part of the actual protocol,
> not merely a security consideration?
>
>
> ==>MT
>
> Please see the reply to that later comment, as also considering to move up
> that text from the security considerations and have it earlier in the
> document.
>
> <==
>
>
> 2) IV/counter re-use
>
> Section 4:
>
> Symmetric keys are shared between group members. How is it prevented that
> same IVs/counters are used by different members of the group? (there is
> some talk about Base IV and Partial IV, but that didn't seem to answer
> my question
>
>
> ==>MT
>
> We talk about "Partial IV" and "Base IV" only much later in Section 6.2.1
> "Point-to-Point Group Rekeying", when discussing specifically about how to
> protect group rekeying messages in the proposed rekeying protocol. That is,
> that section does not refer to the use of the group keying material to
> protect the communication between the group members.
>
> Instead, with respect to the secure communication among the group members,
> the proper use of counters/IVs as well as avoiding the reuse of pairs (AEAD
> Key, AEAD Nonce) is strictly related to the particular secure communication
> protocol used in the group. While that protocol determines the specific
> group keying material, such a protocol and its security are out of the
> scope of this document, which defines only a common stub of ACE application
> profiles for the provisioning of group keying material with ACE.
>
> That information is instead expected from an application profile of this
> document, and even such an application profile may take these aspects for
> granted, as already defined by the used secure communication protocol
> indicated by the application profile. To give two concrete examples:
>
> * The application profile in draft-ietf-ace-key-groupcomm-oscore
> incarnates this document to support secure group communication for CoAP
> protected with Group OSCORE, and takes Group OSCORE "as is" per its
> definition in draft-ietf-core-oscore-groupcomm, which relies on
> constructions that ensure a proper, safe use of keys, sequence numbers, and
> IVs.
>
> * The application profile in draft-ietf-ace-pubsub-profile incarnates this
> document to support secure group communication in CoAP Pub-Sub scenarios,
> protecting end-to-end the content of messages between publishers and
> subscribers using COSE. This application profile is directly specifying
> aspects such as handling of IVs, since it is also defining the actual
> protocol for end-to-end protection of messages between the group members.
>
> If this was not clear enough, a possibility is to extend the text of one
> paragraph in Section 1 as follows:
>
> OLD
> > Therefore, this document delegates details ... provided to group members.
>
> NEW
> > Therefore, this document delegates details ... provided to group
> members. The actual protection of group communication can be defined in a
> further specification (e.g., as a self-standing secure communication
> protocol) that application profiles of this document can seamlessly rely
> and build on if they do not define it themselves.
>
> <==
>
>
> 3) IANA port registration?
>
>         optionally together with a port number (which defaults to 5683 if
> omitted)
>
> Is this port going to be registered with IANA ?
>
>
> ==>MT
>
> Quoting the full sentence for completeness:
>
> > The URI MUST specify addressing information intended to reach all the
> members in the group. For example, this can be a multicast IP address,
> optionally together with a port number (which defaults to 5683 if omitted).
>
> We think that your comment can be referring to two different aspects.
>
> A first one is about the exact port number 5683 (which is already
> registered), and we can improve the text by rephrasing it as follows.
>
> NEW
> > The URI MUST specify addressing information intended to reach all the
> members in the group. For example, this can be a multicast IP address,
> optionally together with a port number that, if omitted, defaults to 5683,
> i.e., the default port number for the "coap" URI scheme (see Section 6.1 of
> [RFC7252]).
>
> The second aspect is about registering a new port number used as
> destination port number in the mentioned multicast request. We think it is
> not absolutely necessary to register such a well-known port number.
> Application profiles might have a reason for defining and registering a
> specific port number, and in such a case they are free to do so.
>
> <==
>
>
> 4) PoP evidence with own nonce
>
> Section 4.5.1:
>
>         The PoP evidence is computed over the nonce specified in the
>         'kdc_nonce' parameter and taken as PoP input, by means of the
>         same method used when preparing the Join Response
>
> What is the point of the nonce here? Since the nonce comes from the same
> party that
> uses the nonce, it doesn't "prove" anything, eg it could be a replay of a
> previously
> observed/triggered nonce. Can you explain what the purpose of the nonce is?
>
> Similar in Section 4.9.1.1 where the Client updates its Authentication
> credential,
> and uses its own nonce to prove possesion of the private key.
>
>
> ==>MT
>
> TLDR; Good point. The following describes a simple fix, to always involve
> in the computation of the Proof-of-Possession evidence also a nonce from
> the other peer.
>
> As discussed below, this review comment applies also to Section 4.3.1, but
> it actually does not apply to 4.9.1.1.
>
> **Change 1 - Section 4.3.1, first part**
>
> This part covers the Join Request, i.e., a POST request to
> ace-group/GROUPNAME
>
> In this request, the joining node specifies a PoP evidence in the
> parameter 'client_cred_verify', to prove possession of its private key
> corresponding to its authentication credential conveyed in the parameter
> 'client_cred'.
>
> The PoP input is: (scope | N_S | N_C) , where:
>
> - 'scope' is as specified in another parameter of the same Join Request
> - N_S is typically the latest 'kdc_challenge' that the joining node has
> obtained from the KDC, either as a response to the Token upload to
> /authz-info, or from an error response from this ace-group/GROUPNAME
> resource. Alternative methods rely, e.g., on TLS exporters as defined for a
> corner case in the application profile for Group OSCORE.
> - N_C is a nonce generated by the joining node and included in the
> parameter 'cnonce' of this Join Request.
>
> What needs to change here? (as useful in the following points ...)
>
> OLD
> > 'cnonce', encoded as a CBOR byte string, and including a dedicated nonce
> N_C generated by the Client. This parameter MUST be present if the
> 'client_cred' parameter is present.
>
> NEW
> > 'cnonce', encoded as a CBOR byte string, and including a dedicated nonce
> N_C generated by the Client. This parameter MUST be present.
>
> **Change 2 - Section 4.3.1, second part**
>
> This part covers the Join Response, i.e., the response produced by the
> POST handler of ace-group/GROUPNAME
>
> In this response, the KDC specifies a PoP evidence in the parameter
> 'kdc_cred_verify', to prove possession of its private key corresponding to
> its authentication credential conveyed in the parameter 'kdc_cred'.
>
> Currently, the PoP input is only a nonce generated at this point in time
> by the KDC, and specified in the 'kdc_nonce' parameter of this response.
>
> What needs to change here?
>
> OLD
> > The PoP input is: kdc_nonce
>
> NEW
> > * The PoP input is: (N_C | kdc_nonce), where N_C is the nonce specified
> by the joining node in the 'cnonce' parameter of the Join Request (now to
> be always included there, per the "Change 1" explained above).
> > * After sending this successful Join Response, the KDC stores N_C as
> associated with this group member.
>
> **Change 3 - Section 4.5.1**
>
> This section covers the GET request-response exchange to
> ace-group/GROUPNAME/kdc-cred . A group member can send such a GET request
> to retrieve the latest authentication credential of the KDC.
>
> In the response to this request, the KDC specifies a PoP evidence in the
> parameter 'kdc_cred_verify', to prove possession of its private key
> corresponding to its authentication credential conveyed in the parameter
> 'kdc_cred'.
>
> Currently, the PoP input is only a nonce generated at this point in time
> by the KDC, and specified in the 'kdc_nonce' parameter of this response.
>
> What needs to change here?
>
> OLD
> > The PoP input is: kdc_nonce
>
> NEW
> > The PoP input is: (N_C | kdc_nonce), where N_C is the nonce specified by
> the joining node in the 'cnonce' parameter of the Join Request (now to be
> always included there, per the "Change 1" explained above) and that the KDC
> stored after having sent the corresponding Join Response at that point in
> time.
>
> **No change - Section 4.9.1**
>
> This section covers the POST request-response exchange to
> ace-group/GROUPNAME/nodes/NODENAME/cred . A group member can send such a
> POST request to upload its own, updated authentication credential.
>
> In this request, the group member specifies a PoP evidence in the
> parameter 'client_cred_verify', to prove possession of its private key
> corresponding to its authentication credential conveyed in the parameter
> 'client_cred'.
>
> The PoP input is: (scope | N_S | N_C) , where:
>
> - 'scope' is as specified in the original Join Request
> - N_S is the value of 'kdc_challenge' the group member has received from
> the KDC, irrespective of how exactly.
> - N_C is a nonce generated by the joining node at this point in time, and
> included in the parameter 'cnonce' of this request.
>
> The text in Section 4.9.1 already says (emphasis mine):
>
> > In particular, the PoP evidence included in 'client_cred_verify' is
> computed in **the same way** considered in Section 4.3.1 and defined by the
> specific application profile (REQ14), with a newly generated N_C nonce and
> **the previously received N_S**.
>
> Therefore, the raised issue does not apply in this section. The PoP input
> in fact includes not only a brand new N_C from the group member, but also a
> nonce N_S generated by the KDC and that the group member already knows from
> earlier steps. In other words, even though N_S is indeed not sent again on
> the wire (see Figure 32), it is used as part of the PoP input to compute
> the PoP evidence. This section should thus be ok as is.
>
> <==
>
>
> COMMENTS:
>
>
> Section 1:
>
>         If the application requires backward and forward security
>
> What is "backward security" ? I assume a new member not seeing old
> msgs. Maybe explain that?
>
>
> ==>MT
>
> Correct; this is later expanded in the security considerations of Section
> 10.2, but we can try to give the intuition here. Proposed rephrasing:
>
> OLD
> > If the application requires backward and forward security, new keying
> material is generated and distributed to the group upon membership changes
> (rekeying).
>
> NEW
> > New keying material is generated and distributed to the group upon
> membership changes (rekeying), if the application requires backward
> security (new group members must be prevented from accessing communications
> in the group prior to their joining) and forward security (former group
> members must be prevented from accessing communications in the group after
> their leaving).
>
> <==
>
>
>
> Section 2:
>
>         The full procedure can be separated
>
> The full procedure being "add member to group" ?
>
>
> ==>MT
>
> Quoting the full paragraph in question (that's how Section 2 starts):
>
> > The full procedure can be separated in two phases: the first one follows
> the ACE Framework, between Client, AS and KDC; the second one is the key
> distribution between Client and KDC. After the two phases are completed,
> the Client is able to participate in the group communication, via a
> Dispatcher entity.
>
> "Full procedure" does not refer to adding a member to a group. Per the
> document title, the "full procedure" is the "key provisioning for group
> communication using ACE".
>
> Instead, "adding a member to a group" is only (a specific case of) the
> second phase, when a new node is added to the group and it is also provided
> with the necessary keying material.
>
> Proposed rephrasing of the same paragraph:
>
> **NEW**
> > At a high level, the key provisioning process is separated in two
> phases: the first one follows the ACE Framework between Client, AS, and
> KDC; the second one is the actual key distribution between Client and KDC.
> After the two phases are completed, the Client is able to participate in
> the group communication, via a Dispatcher entity.
>
> <==
>
>
> The overview for "Dispatcher" does not make it clear whether it can read
> the content to be dispatched from the client, or not.
>
>
> ==>MT
>
> Quoting the definition of "Dispatcher"
>
> > * Dispatcher: entity through which the Clients communicate with the
> group, when sending a message intended to multiple group members. That is,
> the Dispatcher distributes such a one-to-many message to the group members
> as intended recipients. A single-recipient message intended to only one
> group member may be delivered by alternative means, with no assistance from
> the Dispatcher.
> >
> >    Examples of a Dispatcher are: the Broker in a pub-sub setting; a
> relayer for group communication that delivers group messages as multiple
> unicast messages to all group members; an implicit entity as in a multicast
> communication setting, where messages are transmitted to a multicast IP
> address and delivered on the transport channel.
>
> Short answer: yes, it can. We can extend the definition above by adding
> the following note.
>
> > If it consists of an explicit entity such as a pub-sub Broker or a
> message relayer, the Dispatcher is comparable to an untrusted on-path
> intermediary, and as such it is able to read the messages sent by Clients
> in the group.
>
> <==
>
>
> Section 4:
>
>         As most important operation after trasferring the access token to
>         the KDC, the Client can perform a Join Request-Response exchange
>         with the KDC, by specifying the group it requests to join
>
> Should "group" be "group(s)" ?
>
>
> ==>MT
>
> No, it is correct as is. To quote the full paragraph (emphasis mine):
>
> > As most important operation after transferring the access token to the
> KDC, the Client can perform a Join Request-Response exchange with the KDC,
> by specifying **the group** it requests to join (see Section 4.3.1.1).
> Then, the KDC verifies the access token and that the Client is authorized
> to join **the specified group**. If so, the KDC provides the Client with
> the keying material to securely communicate with the other members **of the
> group**.
>
> The access token can indeed specify multiple groups that the client is
> authorized to join. However, the Join Request is specifically about joining
> one group.
>
> <==
>
>
>         to join the specified group
>
> Should "group" be "group(s)" ?
>
>
> ==>MT
>
> See the answer to the previous comment, also referring to the same
> paragraph.
>
> <==
>
>
>
>         /ace-group/GROUPNAME/creds : this resource is invariant once
>         established, and contains the authentication credentials of all
>         the members of the group with name GROUPNAME.
>
> How is this "invariant" when it changes depending on group members? Am
> I misunderstanding the term "invariant" ?
>
>
> ==>MT
>
> "Invariant" does not mean that the representation of the resource does not
> change. If we meant that, then that statement would be indeed wrong for all
> the resources for which we use it.
>
> We actually refer to the resource path, and we can rephrase as below.
>
> OLD
> > this resource is invariant once established
>
> NEW
> > the path of this resource is invariant once the resource is established
>
> For completeness, this applies to all the resources for which we are
> making that statement, i.e.:
>
> * /ace-group
> * /ace-group/GROUPNAME/creds
> * /ace-group/GROUPNAME/kdc-cred
> * /ace-group/GROUPNAME/policies
> * /ace-group/GROUPNAME/num
> * /ace-group/GROUPNAME/nodes/NODENAME/cred
>
> <==
>
>
> Section 4.1
>
>         The KDC can provide a list of group names that exist. Can this
>         access be restricted to a partial list depending on the client?
>
>
> ==>MT
>
> This operation is intentionally meant to serve any authorized client, also
> to facilitate a possible group (re-)joining. In fact, this operation is
> permitted both to members and non-members of the groups indicated in the
> request to the KDC.
>
> As long as the access token grants permission to access the KDC resource
> at /ace-group, then any node can send a FETCH request to that resource, and
> retrieve the names and joining URI of all the groups for which the current
> group identifier was specified in the request.
>
> <==
>
>
> Section 4.3.1
>
>         Group members MUST stop using the keying material to protect
>         outgoing messages and retrieve new keying material at the time
>         indicated in this field.
>
> Don't you mean "retrieve new keying material before this time" and "start
> using the new key material after this time"?
>
>
> ==>MT
>
> This sentence can be confusing, as it's discussing two aspects blended
> together. Proposed rephrasing:
>
> > Group members MUST NOT use the keying material after the time indicated
> in this field, and they can retrieve the new group keying material from the
> KDC.
>
> <==
>
> Related in 4.8.1.1 it says:
>
>         In either case, if it wants to continue participating in the
>         group communication, the node has to request the latest keying
>         material from the KDC.
>
> and:
>
>         if the Client wants to be sure that it has the latest group keying
>         material. If that is the case, the Client will receive from the
>         KDC the same group keying material it already has in memory.
>
> Seems to suggest key material is not available before expiry time. That is,
> there is always a downtime of a few RTTs when the keying material expired,
> as
> clients cannot prefetch new keying material ahead of time ? I think it
> would
> be a lot more robust if clients could prefetch the new key slightly before
> the expiry time. Then adjust for group membership changes to ensure a rekey
> is done if the leaving member could (or has) obtained the num+1 keying
> material?
>
>
> ==>MT
>
> That's not a suggestion that we want to give. It's ultimately up to the
> KDC to decide when to exactly produce the new group keying material, in
> order to distribute it through a group rekeying and make it available for
> manual fetching.
>
> That can even happen after the expiration of the old group keying
> material, if it's acceptable or there are reasons to put on pause the
> secure communications in the group for a while, after the old keying
> material expires.
>
> At the same time, there is no possible "prefetching": only one, latest
> version of the group keying material is available at the KDC. Retrieving it
> can be interpreted as a "prefetch", in the sense that "the new group keying
> material is available to retrieve before the old keying material reaches
> its expiration time".
>
> On the comment:
>
> > Then adjust for group membership changes to ensure a rekey is done if
> the leaving member could (or has) obtained the num+1 keying material?
>
> This does not require any adjustment. In the considered situation, as long
> as the application profile mandates forward security (like in the case of
> draft-ietf-ace-key-groupcomm-oscore), a group rekeying has to happen, in
> order to distribute a new version of the keying material with value num=2.
>
> This can be clarified by extending a paragraph of Section 4.8.1.1 as
> follows:
>
> OLD
> > In either case, if it wants to continue participating in the group
> communication, the node has to request the latest keying material from the
> KDC. To this end, the Client sends a CoAP GET request to the
> /ace-group/GROUPNAME/nodes/NODENAME endpoint at the KDC, formatted as
> specified in Section 4.8.1.
>
> NEW
> > In either case, if it wants to continue participating ..., formatted as
> specified in Section 4.8.1. The Client can request the latest keying
> material from the KDC before the keying material reaches its expiration
> time.
>
> Also, we can make the following addition in Section 6 "Group Rekeying
> Process":
>
> OLD
> > Reasons that can trigger a group rekeying are a change in the group
> membership, the current group keying material approaching its expiration
> time, or a regularly scheduled update of the group keying material.
>
> NEW
> > Reasons that can trigger ... of the group keying material.
> >
> > The KDC can perform a group rekeying before the current group keying
> material expires, unless it is acceptable or there are reasons to
> temporarily pause secure communications in the group, following the
> expiration of the current keying material.
>
> <==
>
>
> Section 4.8.2:
>
>         Not providing the Client with newly generated, individual keying
>         material, but rather rekeying the whole group
>
> Doesn't this open up a denial of service possibility with a malicious
> client?
> The Security Considerations do warn about this and that requests for rekeys
> can be ignored by the KDC, so this is okay.
>
>
> ==>MT
>
> Good. Note that a following paragraph in the same section says:
>
> > Note that this handler is not intended to accommodate requests from a
> group member to trigger a group rekeying, whose scheduling and execution is
> an exclusive prerogative of the KDC.
>
> We can extend this paragraph, by adding a pointer to the security
> considerations, i.e.:
>
> > ... prerogative of the KDC (see also related security considerations in
> Section 10.2).
>
> Furthermore, note that the quoted text is immediately preceded by:
>
> > However, application profiles of this specification MAY also extend this
> handler in order to achieve different akin outcomes (OPT12), for instance:
>
> This is in fact what happens in the corresponding Section 9.2 "Request to
> Change Individual Keying Material" of the application profile
> draft-ietf-key-groupcomm-oscore for Group OSCORE, which says:
>
> > The Group Manager SHOULD perform a group rekeying only if already
> scheduled to occur shortly, e.g., according to an application-specific
> rekeying period or scheduling, or as a reaction to a recent change in the
> group membership. In any other case, the Group Manager SHOULD NOT rekey the
> OSCORE group when receiving a Key Renewal Request (OPT12).
>
> <==
>
>
> What is "individual keying material" ? Is based on the security
> association the client <-> KDC have based on the transport protocol?
>
>
> ==>MT
>
> No, it is not related to the Client <-> KDC secure association; it is
> related to the membership of that Client to the secure group GROUPNAME,
> hence to the keying material and other information pertaining to that group.
>
> Note that the Client <-> KDC secure association has nothing to do with the
> secure communication within the group; the former is based on whatever
> transport profile of ACE (e.g., RFC 9202, RFC 9203), while the latter is
> based on what is specified by an application profile of this document.
>
> Consistent with the intended generality of this document, in the earlier
> Section 4.8.1 we say:
>
> > The specific format of individual keying material for group members, or
> of the information to derive it, and corresponding CBOR label, MUST be
> specified in the application profile (REQ27) and registered in Section 11.6.
>
> To better clarify, we can add the following new entry to the terminology
> in Section 1.1:
>
> > * Individual keying material: information exclusively pertaining to a
> group member, as associated with its group membership and related to other
> keying material and parameters used in the group. For example, this can be
> a member identifier that is unique within the group. The specific nature
> and format of individual keying material used in a group is defined in
> application profiles of this specification. The individual keying material
> of a group member is not related to the secure association between that
> group member and the KDC.
>
> <==
>
>
> Section 5:
>
>         A Client identified by NODENAME may be removed from a group
>         identified by GROUPNAME where it is a member, due to the
>         following reasons.
>
> I don't think the following list is a complete set of possible reasons. I
> would
> rephrase this along the lines of "for example, for the following reasons".
>
>
> ==>MT
>
> Correct. Proposed rephrasing:
>
> > A Client identified by NODENAME may be removed from a group identified
> by GROUPNAME where it is a member, for example due to the following reasons.
>
> <==
>
>
> Section 6:
>
>         In case the KDC deletes the group, this also allows the KDC to
>         send an unsolicited 4.04 (Not Found) response
>
> What does "this" refer to? Making the resource Observable ?
>
>
> ==>MT
>
> Indeed. Proposed rephrasing:
>
> > In case the KDC deletes the group (and thus deletes the
> ace-group/GROUPNAME resource), relying on CoAP Observe as discussed above
> also allows the KDC to send an unsolicited 4.04 (Not Found) response ...
>
> <==
>
>
> Section 6.2.1:
>
>         COUNT, as a 1-byte unsigned integer associated with the used
>         encryption key. Its value is set to 0 when starting to perform
>         a new group rekeying instance, and is incremented after each
>         use of the encryption key.
>
> This limits the key to only be used for 256 messages. Is that enough for
> large groups of thousands of devices? Or are groups to be expected to be
> smaller? Or should those groups anticipate this and switch to one-to-many
> rekey methods? Wouldn't 2 bytes create a much larger safety margin at
> a very little cost?
>
>
> ==>MT
>
> Good point; 2 bytes is better. Then, we can update the text to be as
> follows.
>
> > - COUNT, as a 2-byte unsigned integer associated with the used
> encryption key. Its value is set to 0 when starting to perform a new group
> rekeying instance, and is incremented after each use of the encryption key.
> >
> > - NEW_NUM, as the version number of the new group keying material to
> distribute in this rekeying instance, left-padded with zeroes to exactly
> NONCE_SIZE - 2 bytes.
>
> Also, after the paragraph
>
> > Then, the KDC computes a Partial IV as the byte string concatenation of
> COUNT and NEW_NUM, in this order. Finally, the AEAD nonce is computed as
> the XOR between the Base IV and the Partial IV.
>
> it's also better to add the note:
>
> > In order to comply with the security requirements of AEAD encryption
> algorithms, the KDC MUST NOT use the same pair (encryption key, AEAD
> nonce). For example, this includes not using the same encryption key from
> the administrative keying material more than (2^16 - 1) times during the
> same rekeying instance.
>
> <==
>
>
>
> Section 10.2:
>
>         The KDC should renew the group keying material upon a
>         group membership change. Since the minimum number of group
>         members is one, the KDC should provide also a Client joining
>         an empty group with new keying material never used before in
>         that group. Similarly, the KDC should provide new group keying
>         material also to a Client that remains the only member in the
>         group after the leaving of other group members.
>
> Why are these "should"s not normative, eg SHOULDs ?
>
>
> ==>MT
>
> Proposed rephrasing also addressing the comment:
>
> > Unless otherwise defined by an application profile of this
> specification, the KDC SHOULD renew the group keying material upon a group
> membership change. In particular, since the minimum number of group members
> is one, the KDC SHOULD provide also a Client joining an empty group with
> new keying material never used before in that group. Similarly, the KDC
> SHOULD provide new group keying material also to a Client that remains the
> only member in the group after the leaving of other group members.
>
> <==
>
>
> Section 10.2.1
>
> This (finally) addresses my race condition questions....
>
>
> ==>MT
>
> This relates to "race conditions" as to possible misalignment of group
> keying material among group members when a rekeying has been happening.
>
> We can make the following changes to make this content more and earlier
> visible:
>
> * This Section 10.2.1 can be moved up, when presenting the group rekeying
> in Section 6. For example, it can become a new Subsection 6.3. Note that
> its content is independent of the specific approach used to rekey the group.
>
> * Early in Section 2, we can include a forward pointer about these
> considerations to be found in Section 6.
>
> <==
>
>
>         In any case, the recipient should actively ask the KDC for the
>         latest group keying material according to an application-defined
>         policy, for instance after a given number of unsuccessfully
>         decrypted incoming messages.
>
> Seeing that the KDC presumably is hard at work distributing new keying
> material,
> would nodes sending more requests to the KDC not just make things worse?
>
>
> ==>MT
>
> Interesting point, although it's not exactly about DoS (like discussed at
> the end of Section 10.2.0) since it's about requests to the KDC done in
> "good faith".
>
> This applies pretty much to every possible access to the KDC, but
> especially to the operations referred by the comment and defined in
> Sections 4.3.2.1 and 4.8.1.1.
>
> To clarify, we can point especially to the operations defined in Sections
> 4.3.2.1 and 4.8.1.1, and add the following text in Section 6.0 "Group
> Rekeying Process".
>
> > In order to facilitate the completion of a group rekeying instance, the
> KDC MAY stop serving requests pertaining to the group in question until the
> group rekeying is completed. This especially applies to Key Distribution
> Requests (see Sections 4.3.2.1 and 4.8.1.1) and Join Requests (see Section
> 4.3.1.1). The KDC MAY reply to those requests with a 5.03 (Service
> Unavailable) error response, including the Max-Age CoAP Option to indicate
> after how long a new request can be sent (see Sections 5.9.3.4 and 5.10.5
> of [RFC7252]).
>
> <==
>
> Maybe
> it should also mention that it MUST first verify the signature of the node
> sending
> the encrypted payload before deciding it might need to ask for the updated
> group
> key material to prevent spoofed messages trying to trigger all clients to
> send
> requests to the KDC to overload it ?  (I can also see that this is a very
> obvious
> thing to do anyway, so perhaps this advise is meaningless)
>
>
> ==>MT
>
> We understand that, in the sentence
>
> > it MUST first verify the signature of the node sending the encrypted
> payload before deciding it might need to ask for the updated group key
> material ...
>
> the subject "it" is a group member that receives a protected message,
> fails to verify the message, and decides to ask the KDC for the current
> group keying material.
>
> First of all, we cannot just generally talk of signed group messages and
> verification of their signatures in this document. The exact protection of
> messages within the group is up to the security protocol used by an
> application profile of this document, and their protection does not
> necessarily rely on signatures.
>
> For example, when considering exactly the application profile
> draft-ietf-ace-key-groupcomm-oscore and therefore the security protocol
> Group OSCORE: i) messages protected with the group mode are signed, and
> indeed the signature verification happens before decryption; ii) messages
> protected with the pairwise mode are not signed (although still providing
> source authentication through their tags).
>
> The quoted text specifically talks about decryption. If a signature is
> included in the message, it should be verified first and (several) failed
> verifications are not a sufficient trigger to ask for the current group
> keying material (although they can be a trigger for asking for the current
> authentication credential of the sender group member). However, this is
> ultimately about the secure communication protocol defining in which order
> the different message processing steps occur, and it's not something we can
> really dictate in this document.
>
> <==
>
>
> Section 11:
>
> The IANA section mentions the IESG as Change Controller, but it is
> prefered to use
> IETF instead. (IANA will bug you about this later if not changed)
>
>
> ==>MT
>
> Yes, let's use "IETF".
>
> <==
>
>
> Under which collection/grouping should the a "ACE Groupcomm" registries
> appear ?
> Under https://www.iana.org/assignments/ace/ace.xhtml
> <https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.iana.org%2Fassignments%2Face%2Face.xhtml&data=05%7C01%7Cmarco.tiloca%40ri.se%7C90f845f51ae441a280f808dbaa821350%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638291247875827690%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Vh6usMKEgwgUsG%2FxjgtT493TD7%2Fh3o9jI6ZKH0%2B2b6k%3D&reserved=0>
> or under a sub-registry ace-groupcomm ?
> Either way, it should be clarified to IANA.
>
>
> ==>MT
>
> Correct, the plan is to have all the new 7 registries added to the
> registry group "Authentication and Authorization for Constrained
> Environments (ACE)" at https://www.iana.org/assignments/ace/ace.xhtml
>
> The proposal to fix this is also already compiled in
> https://github.com/ace-wg/ace-key-groupcomm/issues/149
>
> <==
>
>
>         It should be noted that, in addition to the expert review, some
>         portions of the registry require a specification, potentially
>         a Standards Track RFC, to be supplied as well.
>
> Possibly rephrase as:
>
>         Values in this registry are covered by different registration
> policies as indicated
>
>
> ==>MT
>
> We plan to add the suggested phrase to prepare the reader about the
> different ranges coming later on.
>
> At the same time, the original text (also used in other document) covers a
> different point, which also comes back in following comments and related
> replies from our side.
>
> <==
>
>
> Section 11.10 describes this as well, but it does indicate how/when
> different policies apply.
> (likely based on the Value field?)
>
> Section 11.11 doesn't list the maximum/minimum values (or limiting size of
> the value)
>
>
> ==>MT
>
> Correct; these IANA sections have different and inconsistent level of
> details about what they say.
>
> The proposal to fix this is also already compiled in
> https://github.com/ace-wg/ace-key-groupcomm/issues/149 , and further
> elaborated in replies to comments below.
>
> <==
>
>
> Section 11.13:
>
>         The IANA Registries established in this document are defined as
> expert review.
>
> It's a bit contentious whether a registry can be Standards Track PLUS
> Expert Review. To
> avoid issues around this, I would remove this entire sentence.
>
>
> ==>MT
>
> We are defining 7 new IANA registries.
>
> * "ACE Groupcomm Parameters"
> * "ACE Groupcomm Key Types"
> * "ACE Groupcomm Profiles"
> * "ACE Groupcomm Policies"
> * "Sequence Number Synchronization Methods"
> * "ACE Groupcomm Errors"
> * "ACE Groupcomm Rekeying Schemes"
>
> Considering also the clarifications in
> https://github.com/ace-wg/ace-key-groupcomm/issues/149 and depending on
> the specifically considered value range, each registry uses the policy:
>
> * "Standards Action With Expert Review"; or
> * "Specification Required"; or
> * "Expert Review"
>
> It is true that RFC 8126 does not define a single policy "Standards Action
> With Expert Review". However, its Section 4.12 says (emphasis mine):
>
> > In some situations, it is necessary to define multiple registration
> policies.
> > ...
> > Thus, a particular registry might want to use a policy such as "RFC
> Required" or "IETF Review" sometimes, with a designated expert checking a
> "Specification Required" policy at other times.
> > ...
> > Such combinations will commonly use one of {**Standards Action**, IETF
> Review, RFC Required} in combination with one of {Specification Required,
> **Expert Review**}.
>
> Based on the above, we believe that the current text is appropriate and
> legitimate.
>
> Also, as long as it is done appropriately, this is quite common practice;
> see, above all, selected value ranges of several COSE registries at
> https://www.iana.org/assignments/cose/cose.xhtml
>
> <==
>
>
>
>         Specifications are needed for the first-come, first-serve range
>         if they are expected to be used outside of closed environments
>         in an interoperable way.
>
> I think for all non-private use entries, this is "expected", so I would
> remove the part
> starting at "if they are expected ....".
>
>
> ==>MT
>
> This does not seem to be the case; see a longer reasoning in the response
> to the following comment.
>
> In short, registrations with policy "First-Come-First-Serve" (or "Expert
> Review") do not necessarily need a specification (see Section 4.4 of RFC
> 8126).
>
> Given that baseline, in this document we have an additional expectation
> that we are raising, since it is otherwise not to be assumed.
>
> Also, the quoted sentence is used in other RFCs, such as in
> https://datatracker.ietf.org/doc/html/rfc9203#section-9.7
>
> <==
>
>
>         When specifications are not provided, the description provided
>         needs to have sufficient information to identify what the point
>         is being used for.
>
> That feels a little odd to me. Not sure this makes much sense, since even
> FSFC needs
> a specification. Private use is well, private use. So which registration
> cases would
> there be that can leave out a specification?
>
>
> ==>MT
>
> Based on RFC 8126, the first registration policy requiring a specification
> is, in fact, "Specification Required" defined in
> https://www.rfc-editor.org/rfc/rfc8126.html#section-4.6.
>
> Instead (emphasis mine):
>
> * https://www.rfc-editor.org/rfc/rfc8126.html#section-4.4
>
>    > For the **First Come First Served policy** ... There is no
> substantive review of the request, other than to ensure that it is
> well-formed and doesn't duplicate an existing assignment.  However,
> **requests must include a minimal amount of clerical information**, such as
> a point of contact (including an email address, and sometimes a postal
> address) and a brief description of how the value will be used.
>
> * https://www.rfc-editor.org/rfc/rfc8126.html#section-4.5
>
>    > For the **Expert Review policy**, review and approval by a designated
> expert (see Section 5) is required. While **this does not necessarily
> require formal documentation**, information needs to be provided with the
> request for the designated expert to evaluate. ... The required
> documentation and review criteria, giving clear guidance to the designated
> expert, should be provided when defining the registry.
>
> In this document, we are defining also registries with "Expert Review"
> policy, so the quoted text in Section 11.13 should be correct.
>
> Also, the quoted sentence is used in other RFCs, such as in
> https://datatracker.ietf.org/doc/html/rfc9203#section-9.7
>
> <==
>
>
> NITS:
>
>   ** Downref: Normative reference to an Informational RFC: RFC 7967
>   ** Downref: Normative reference to an Informational RFC: RFC 9053
>
> These downrefs are okay.
>
>
> ==>MT
>
> Ok.
>
> <==
>
>
>   == Outdated reference: A later version (-19) exists of
>      draft-ietf-core-oscore-groupcomm-14
>
>   == Outdated reference: draft-ietf-cose-countersign has been published as
>      RFC 9338
>
>   -- Possible downref: Normative reference to a draft: ref.
>      'I-D.ietf-cose-countersign'
>
>   == Outdated reference: draft-ietf-ace-mqtt-tls-profile has been published
>      as RFC 9431
>
>   == Outdated reference: A later version (-12) exists of
>      draft-ietf-core-coap-pubsub-10
>
>   == Outdated reference: A later version (-09) exists of
>      draft-ietf-core-groupcomm-bis-07
>
>   == Outdated reference: A later version (-06) exists of
>      draft-ietf-cose-cbor-encoded-cert-04
>
>   == Outdated reference: A later version (-13) exists of
>      draft-tiloca-core-oscore-discovery-11
>
> These need updating (because of my long time to do my AD review. Again my
> apologies)
>
>
> ==>MT
>
> Ok. (draft-ietf-cose-countersign has also been published as RFC 9338)
>
> <==
>
> typoes/grammer:
>
> for those that aim to  -> for those that aim for
>
> trasferring -> transfering
>
> consistently with the roles it has in the group -> consistent with the
> roles it has in the group.
>
> the handler reply with a -> the handler replies with a
>
> Due to different reasons - >  [remove entirely]
>
> ameliorate -> [pick a different more common term for this]
>
>
> ==>MT
>
> All to be fixed as proposed, except for the following ones:
>
> * > trasferring -> transfering
>
>    While "trasferring" is certainly a typo to fix, "transferring" is
> correct but "transfering" is wrong, both in American and British English.
> See:
>    - https://whichiscorrect.com/transfering-or-transferring/
>    - https://oneminuteenglish.org/en/transfering-or-transferring/
>
> * > ameliorate -> [pick a different more common term for this]
>
>    We can change it to: "A possible way to limit the impact of this issue
> ..."
>
> <==
>
> This sentence does not parse:
>
>         As long as both sides get the new group keying material, updating
>         group the keying material in the middle of a transfer will not
>         cause any issue.
>
>
> ==>MT
>
> It should read:
>
> "As long as both sides get the new group keying material, updating the
> group keying material in the middle of a transfer will not cause any issue."
>
> <==
>
> retro-compatibility  -> backwards compatibility ?
>
>
> ==>MT
>
> Yes, or actually "backward compatibility"
>
> <==
>
>
>
> Paul
>
>
>
> ==>MT
>
> Thanks a lot again for this review!
>
> <==
>
> --
> Marco Tiloca
> Ph.D., Senior Researcher
>
> Phone: +46 (0)70 60 46 501
>
> RISE Research Institutes of Sweden AB
> Box 1263
> 164 29 Kista (Sweden)
>
> Division: Digital Systems
> Department: Computer Science
> Unit: Cybersecurity
> https://www.ri.se
>
>
> --
> Marco Tiloca
> Ph.D., Senior Researcher
>
> Phone: +46 (0)70 60 46 501
>
> RISE Research Institutes of Sweden AB
> Box 1263
> 164 29 Kista (Sweden)
>
> Division: Digital Systems
> Department: Computer Science
> Unit: Cybersecurity
> https://www.ri.se
>
>