Re: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2

Benjamin Kaduk <> Mon, 23 September 2019 22:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id F0E14120090; Mon, 23 Sep 2019 15:48:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rtsPEqcgDwiP; Mon, 23 Sep 2019 15:48:46 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3C79B120088; Mon, 23 Sep 2019 15:48:46 -0700 (PDT)
Received: from ([]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by (8.14.7/8.12.4) with ESMTP id x8NMmTca032248 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 23 Sep 2019 18:48:31 -0400
Date: Mon, 23 Sep 2019 15:48:28 -0700
From: Benjamin Kaduk <>
To: "Panos Kampanakis (pkampana)" <>
Cc: "" <>, "" <>, Jim Schaad <>, Michael Richardson <>, Peter van der Stok <>
Message-ID: <>
References: <> <> <> <> <> <> <007901d5674b$9bc75e00$d3561a00$> <008e01d56788$985bbda0$c91338e0$> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <>
Subject: Re: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 23 Sep 2019 22:48:51 -0000

Hi Panos,

Sorry for the slow response here -- I was in telechat-prep mode last week.

This is in pretty good shape, and I wanted to especially thank you for the
presentation in the github issue -- that format was extremely helpful for

I think we will probably need to upload one more minor revision before I
initiate the IETF LC; please seem my comments below.

In Section 4, I think we need to put the "for" back in "requests for a
trusted certificate list".

Also, refresh my memory: did we decide that there's no need to
explicitly mandate the use of the "extended_master_secret" TLS

I'd also change the note about supported_groups vs. Supported Elliptic
Curves to read "In addition, in DTLS 1.3 the Supported Elliptic Curves
extension has been renamed to Supported Groups."

I think we can move /csrattrs to the bottom of Table 2 (thank you for
changing Table 1!).

With the changes to the example in Figure 3, can you walk me through the
block-size negotiation?  Quoting:

    POST [2001:db8::2:1]:61616/est/sen(CON)(1:N1/0/256){CSR (frag# N1+1)}-->
       ... Immediate response when certificate is ready ...
      <-- (ACK) (1:N1/0/256) (2:0/1/256) (2.04 Changed){Cert resp (frag# 1)}
    POST [2001:db8::2:1]:61616/est/sen (CON)(2:1/0/128)           -->
      <-- (ACK) (2:1/1/128) (2.04 Changed) {Cert resp (frag# 2)}

So the ACK to the final fragment of the POST includes (2:0/1/256), or
the first fragment of a 256-byte-fragmented version of the response.
The client then goes and asks for (2:1/0/128), which is the second
fragment of a 128-byte-fragmented version of the response.  Is that just
going to be the last 128 bytes of the thing it already got from the
server?  If so, is that something it would actually do (e.g., if it had
to drop part of the server's response due to a buffer-size limitation)
or is it not possible to only have part of a fragment (so it would need
to either ask for (2:0/0/128) or (2:2/0/128)?

It looks like you removed the text about "[the two representations] do
not have to be in a particular order since each representation is
preceded by its Content-Format ID" based on my remark about
core-multipart-ct; that document has since been approved by the IESG and
is explicitly confirming that there is no specific ordering requirement
(in contrast to multipart/mixed), so we could put that clause back in
this document if desired.

I consider it more likely than not that a directorate reviewer will want
to tweak the added language at the end of Section 5.8 explaining our
divergence from RFC 7030; if you want to preemptively reword, my
suggestion would be "Although [RFC7030] strongly recommends that clients
request the use of CMS encryption on top of the TLS channel's
protection, this document does not make such a recommendation; CMS
encryption can still be used when mandated by the use case."



On Mon, Sep 16, 2019 at 05:38:59PM +0000, Panos Kampanakis (pkampana) wrote:
> Hi Ben,
> I think we have now addressed all your feedback from the AD review. A big chunk of the changes were agreed upon in the list emails threads. 
> The iteration that we are planning to upload that includes all the changes is at 
> The summary of all your comments and what went into the text is in the git issue To break it down 
> - has most of the changes agreed on the list.
> - has an answer to your question about addressing the tls-unique issue in a new draft. 
> - has the last changes in response to your feedback that went into the draft after Peter uploade the -13 iteration. 
> Two places to pay attention to is that I removed the 
> >   It is strongly RECOMMENDED that the clients request that the returned
> >   private key be afforded the additional security of the Cryptographic
> >   Message Syntax (CMS) EnvelopedData in addition to the TLS-provided
> >   security to protect against unauthorized disclosure."
> and the 
> >   The corresponding longer URIs from [RFC7030] MAY be supported."
> The rationale behind that is in the git issue. 
> Please have a look and let us know if there is anything missing. Otherwise we will upload at the end of the week. 
> Rgs,
> Panos
> -----Original Message-----
> From: Ace <>; On Behalf Of Panos Kampanakis (pkampana)
> Sent: Tuesday, September 10, 2019 12:18 AM
> To: Jim Schaad <>;; 'Michael Richardson' <>;
> Cc:; 'Benjamin Kaduk' <>;;
> Subject: Re: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2
> Hi Jim,
> We are tracking all of Ben's feedback here 
> The fixes that have gone in the draft so far are after each comment. There are still some that we still need to update after the threads converged. 
> Panos
> -----Original Message-----
> From: Ace <>; On Behalf Of Jim Schaad
> Sent: Monday, September 09, 2019 11:34 PM
> To: 'Michael Richardson' <>;
> Cc:; 'Benjamin Kaduk' <>;;
> Subject: Re: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2
> Authors,
> Are we ready to produce a new draft that addresses most, if not all, of Ben's comments?  Do we have a pull request to deal with this that we can point to?
> Jim
> -----Original Message-----
> From: Jim Schaad <>;
> Sent: Monday, September 9, 2019 1:17 PM
> To: 'Michael Richardson' <>;; 'Benjamin Kaduk'
> <>;
> Cc:;
> Subject: RE: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2
> -----Original Message-----
> From: Michael Richardson <>; 
> Sent: Monday, September 9, 2019 9:38 AM
> To: Benjamin Kaduk <>;
> Cc:;
> Subject: Re: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2
> Benjamin Kaduk <>; wrote:
>     >> So, on a constrained device, I'd like to know what to expect (what to
>     >> code for).  While I do'nt particularly care for server-generated
> keys,
>     >> it should probably be specified correctly.  I see that the complexity
>     >> of sorting this means that I think that Content-Format 284
>     >> (unprotected) will get used most often.
>     > Your constrained device is probably only going to implement one cipher
>     > [mode], too, right?  If it's an AEAD mode, you use AuthEnvelopedData;
>     > otherwise, classic EnvelopedData.
> Yes, but each constrained device type might have a different set, and the
> EST server for such an installation has to figure out how to send the right
> thing.
> [JLS] This is the function of section in RFC 7030 which says that
> the DecryptKeyIdentifier must be present.  This will provide the EST server
> a method to identify the correct key and the correct symmetric encryption
> algorithm.
>     >> I think that we could go to TLS Exporter right now, but it would take
>     >> some work.
>     > I'd rather have both classic-EST and coap-EST benefit than just
>     > coap-EST.
> So you'd agree to deferring this to a document (maybe in LAMPS?) that would
> Updates: 7030 and this document.