Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14

Daniel Migault <daniel.migault@ericsson.com> Mon, 08 March 2021 16:50 UTC

Return-Path: <daniel.migault@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52B473A0FC5; Mon, 8 Mar 2021 08:50:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.348
X-Spam-Level:
X-Spam-Status: No, score=-2.348 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.248, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bGE20flRRpPi; Mon, 8 Mar 2021 08:50:10 -0800 (PST)
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (mail-eopbgr680087.outbound.protection.outlook.com [40.107.68.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCB573A102B; Mon, 8 Mar 2021 08:50:03 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CaSN1YED2Latu7DGmUFMItv6n4oXFjTHGJHo2Qow+gy/BOxEpjffrsFdXNERAuZvJNVzO1rwUUYOyC2RuQppa4qL/x2GuHchC7zymCJih+MJ1bSZDxTMrP6yU7LfPutitBnmztxk40hwoLZFRWhnOx/b4G/XT137K8h++f1Z4d/2M7EUs2nLYf95G3FuLd6Tucx08M+RLty/NemqO8sAOTL5Jmrxb49xm8b+kxDnGGgwfUtBkHlGlo+I5QBSiW0I98D+jshTD6qcD68Mpx4Je++m4f7+YQQnCRl2EBCugepBz+N/YTi8CTLh/QvInxjrr65Bt7ZhUtPmeNJHiKHXhg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=40x55KgSrQGT7txjHh+JL0ORRmtxGMTS8mnqSx/OTaE=; b=HO7HBERVNtJ99GOLktkcFY9xQvCt7iB20gkvxZtNyYNL77gCisbl+xa+p26Bpqvd/i7+piJ2lneOJr/r+NqQ2gYWaFFet5brqVi/24ApV6TrPb6XYRUTpdcHXBz7uhR4e+IREGuwylipdqVaJLAgWw7kOEeieWTZvi3riD7C5ZnC6oX8mfknpUL9oqnFNA8QN0umibrOx+XTB7ZKLkgOlIRUkqqZlcjLHFhoVI72mx1SN37UCzsKp4n/aczn5p7B0oOvNJBmkXtbHihjzhcEqGxc1/ybN5vtEUUGy4CoQ1zW2hfkqyrNip0OZIb1prRczTacyTNAWPWhHjyTqt53/Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=40x55KgSrQGT7txjHh+JL0ORRmtxGMTS8mnqSx/OTaE=; b=PENuiTLoFOdDNqBzit4sxmAaPOVn0i9mqdIMtG8adwRJ2cPf4wJsZV1diLUkTyuQxyiYjwpxTAp6CXcEr02uQpczg9jWAvsOmTF6Ntwvqfw77MxRhb0es9VJf5WslUACc4vu2/m+7RD1dZb3SwdVeyCB25zj7qXbkftNcaDlrJ8=
Received: from DM6PR15MB2379.namprd15.prod.outlook.com (2603:10b6:5:8a::16) by DM6PR15MB3564.namprd15.prod.outlook.com (2603:10b6:5:1f8::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.17; Mon, 8 Mar 2021 16:50:01 +0000
Received: from DM6PR15MB2379.namprd15.prod.outlook.com ([fe80::98bf:c687:dcef:f893]) by DM6PR15MB2379.namprd15.prod.outlook.com ([fe80::98bf:c687:dcef:f893%4]) with mapi id 15.20.3890.038; Mon, 8 Mar 2021 16:50:01 +0000
From: Daniel Migault <daniel.migault@ericsson.com>
To: =?utf-8?B?R8O2cmFuIFNlbGFuZGVy?= <goran.selander=40ericsson.com@dmarc.ietf.org>, Daniel Migault <mglt.ietf@gmail.com>
CC: Loganaden Velvindron <loganaden@gmail.com>, Olaf Bergmann <bergmann@tzi.org>, "draft-ietf-ace-oauth-authz@ietf.org" <draft-ietf-ace-oauth-authz@ietf.org>, Russ Mundy <mundy@tislabs.com>, Ace Wg <ace@ietf.org>, Stefanie Gerdes <gerdes@tzi.de>, Francesca Palombini <francesca.palombini@ericsson.com>
Thread-Topic: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14
Thread-Index: AQHXBHa1eigM3cSArEe6Mc/hYixa66pa7vCAgAFwIICAAChkgIAB24wAgAAXrwCABX2oAIAAVZsAgAyJWQCAAA8KQIAA1qoAgAJGS4CAABYqAIAACiIAgAGWZYCAAEh/gIADz7QAgABN7ACAAC0VgIAAH6sN
Date: Mon, 8 Mar 2021 16:50:01 +0000
Message-ID: <DM6PR15MB2379C8EADA9515BA4454730CE3939@DM6PR15MB2379.namprd15.prod.outlook.com>
References: <871rdqihww.fsf@wangari> <FD569111-85F8-40A2-8C97-764977309B87@ericsson.com> <CADZyTk=HB26o=mUpUdbYEhfhrGZar+oe28c5PZ2_j-vKYVA6xg@mail.gmail.com> <c6d42d18-f1f3-ec00-fff9-3540fa222d23@tzi.de> <9911269D-AA7F-458C-AA1A-2D59A79C5A00@ericsson.com> <CADZyTkn=3GigtTiihQX0ORYyO0dV0qCfVMtTn37vbsqJuQUJxw@mail.gmail.com> <026242c2-2c6a-485b-cb51-34b2b2d70975@tzi.de> <DM6PR15MB23796DF01885DC7F86C15583E3879@DM6PR15MB2379.namprd15.prod.outlook.com> <6b5368a6-b8ba-81eb-0c10-6a052fcbad67@tzi.de> <DM6PR15MB23798EE51BDED9BB7D0438E3E3869@DM6PR15MB2379.namprd15.prod.outlook.com> <2C5A1AA5-6124-407B-A342-AA367CB6D536@tislabs.com> <DM6PR15MB23799382A92C9B2074B1BF42E3859@DM6PR15MB2379.namprd15.prod.outlook.com> <F6B1D3C5-DE79-42B4-8CEA-620C86EABF4B@ericsson.com> <CADZyTk=y7Zf3Atvt7d5c17KEbnc5CESoOyBsa0TgpMchX4FcPQ@mail.gmail.com> <CADZyTk=gc8ybr5+wQhN0P_Vyz2P+g6TtwWcAGYGbofeMeq0cjQ@mail.gmail.com> <87v9a94m60.fsf@wangari> <CADZyTkkf3qj=ZXvH1QYe1Kg=wUxMug2y6e=9-b31mkUAeC4Qrw@mail.gmail.com> <CADZyTknPLSvfixtM1JTXnKia6ooSwWssV-zAhWi-fPoBrwMBdA@mail.gmail.com> <1932F1CD-7296-4266-B234-1FD30A019522@ericsson.com> <CADZyTknSmX8tqhce7bfUvtm7S11GPru5Swuxx7fLkUTr-yaPqg@mail.gmail.com> <0C8BC190-95F3-4A88-B683-09E22EBD54AB@ericsson.com> <CADZyTkmyRpQWYsM+-XeOmKf=dUvjP1Oe2WdEN69hVbhi_-rLuQ@mail.gmail.com> <CDE70DE7-EFBF-44C6-A350-DE02B5587635@ericsson.com> <CADZyTkm2kcV0DV3NZ42cUWDMN_6Y+teA9MdEnRw9S4P0qSL1nQ@mail.gmail.com>, <1523E048-0D8E-4B51-A639-D7D3FBBD0DBD@ericsson.com>
In-Reply-To: <1523E048-0D8E-4B51-A639-D7D3FBBD0DBD@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [96.22.11.129]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8a718b50-608e-43a3-5cab-08d8e252376e
x-ms-traffictypediagnostic: DM6PR15MB3564:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <DM6PR15MB356497A20C9E432417E097EAE3939@DM6PR15MB3564.namprd15.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: JVqGuRWTvOWbgvERGERO8AVvGba45Bjk3yxTyFwToeGSomo8i63nCiodm+QfsXv5FMKIG9OgAo0vw9iziOWcbntqZ/KwPi589gATeQ3iy+tRlIVYA1ly6yU8XLJmO5ek32kwrcBgdWoUQsn+LfpvFIYleRAEFDkIGYquiYN7B24x3eBFZDn7FrpJJX3r8wjtD1ft0iG0Y/qmXBKWVmmdKSuLbG0su2laPk9PgiaZTFRlVQR55uG1OWQU9fZXW9yu5CRaJ2VjtdO0oD9+Ta5Ebqbbhlvh6klCcfIns27jIbDXRd96uKbljacStGiFKbBT2q7fI9iYUbqWPrnKfi/lL3lsjZstzp81LzWqqqzCE96y98sAPONDOMwtsYse0Yx+pT30sEMIAY4QkVuk7yLBTegOOe9UA0Dg9t3blKRkePRVp8Ei52/kreEsmG0+nxtWFyRSaZMT+GsU4ZMoseDt1I0kwz8jb8slqP1io/2RcPs1g/LvBeighmQW9T+GHj3X0FSMPAPHjrTlzPbOmWg752mR1wbTbO1m/qJxJJH7daapaTBKS+/zr6ByxEaQINqVrJh2kaJSgx2HSSr6nbxwJ3Lz3XTVdK5mRjRPp24/uuo=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR15MB2379.namprd15.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(396003)(136003)(376002)(346002)(366004)(39860400002)(8676002)(4326008)(316002)(186003)(966005)(30864003)(33656002)(7696005)(52536014)(478600001)(110136005)(54906003)(26005)(86362001)(64756008)(66446008)(66556008)(91956017)(6506007)(53546011)(76116006)(66476007)(66574015)(66946007)(19627405001)(166002)(8936002)(55016002)(9686003)(83380400001)(44832011)(71200400001)(5660300002)(107886003)(2906002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?utf-8?B?aHBHL1pqTFhsV1hEZjI2NllXRUN0OTdIOEl1QUdNSVFDRkdQTjE1U1pSbGQz?= =?utf-8?B?b1gwSHVad0UyOGtmdXhZK0VOemh6bjFSYkVtTDNObCtINVJnK0FEc2xIRTg3?= =?utf-8?B?ZVNnT3YxeHdpcldBVndOVVhVNDhFeS9PR09vYkZFbi82V2pZYUJ1cFg5WFRH?= =?utf-8?B?VEdMWjVNZDJjVHJ2RENDR0d3ZWVIQ1lBdFFtTWtkMytaNUc0am5hZ0VYMDZU?= =?utf-8?B?RnNWZ1RhUmdRU2JrY2g2VXV3RnhVNDZZRGV2Mm96emo5VFZCRGE4RWZFK2Zq?= =?utf-8?B?WjZPS3k3M0N4TmkxWi9EMGgxaVQ4VGRZZEs4MjE1Y0x2ZEVXb1BnR2crVk56?= =?utf-8?B?WXd0MUQzZTNxa1Rwb2J1NVVyMGxld2trb1RmTGJHYzVHZm1sTk9QeHhmR0lU?= =?utf-8?B?Y3hOMWRLK3VkY3IxY2xhQU82MVUweUloM1FlSlFUakVaa3BnalJUbnlrSWMw?= =?utf-8?B?KzN0Y2dIVGhsdWcvNXVvTG5RbFZyaWNRdkh4c1VzR29jUTNxalZtTk40aVRY?= =?utf-8?B?WUZhelJBZVh0MW9IcGdVbjdkRXdxMVRDNVlxcmFoS3NYbERMU09mai9hbW1U?= =?utf-8?B?dnIyT2E3eENUOHlkS0ZnUHE5NG14aS9QZUM4ZlZKZnk3NVFySzlxTUJ3OTJr?= =?utf-8?B?b0FTeEJQcVdMdzhEZTdTR0hBUjFyTUNTUHhLUVFSbnk5U1RZOUIwSTRIMXFG?= =?utf-8?B?U2ZZcmdjbmNWMTFZdVQwb0VFMjFjcWczOXM0WlcyOUNScVY4V3dobmZoelVV?= =?utf-8?B?czRva3Q4TEJlZTRLUkRYeWlPMGt2Z0taY0daeUpwQkk3Z1huaDB4WjlJRHZm?= =?utf-8?B?Wk51L2hWYzZhSEVrYnJWajBMZ3E5ck5acGExamNacmkxV0t5bWpWb3lsamJk?= =?utf-8?B?ZXkxblFISHk2Z3VmZ1lzdmgxZkpBTmFNTlBEcG1BMmUzN1NOeHNIdjB2UnQ4?= =?utf-8?B?RksxZGNYd2Q4RXFWRWRSeDF1K0xKR1RaMGQ2VTBtN3JhMGFaRTY3Rm9MOG9z?= =?utf-8?B?VUFWNk9SQVUxVllxRENNRkhvYnRlZmNiUmg5NittUmNxREwzelBQWi96QW5S?= =?utf-8?B?amhZMzRUNlRWVkd2bkZLTWJEZ0tsM29acnRRRHBEKzNzblpmMlJhNklOUFI0?= =?utf-8?B?TEd1dTVkbzB0cGVSSkY3VG9tVkVBVHNtd3RWeGUxemY2ajJYeDBoZXNDdlNv?= =?utf-8?B?RGQzUSswZ0l5V1Q5bENIZHZmcXVyWWR2eEU1QWxPWUJuK3lrejl1VmJob0tI?= =?utf-8?B?Z2p5aWlxb2l2d0wrN1NsbGNCUDN2bHg4S21TN0Q4NEhBdm1Zb0lnN3c1Nk9D?= =?utf-8?B?VUtRd0VNcW1pVXNMM0s2QzlsdFVBTytpYW1oR1lxZW80b2dLeUMvVTRMNUJI?= =?utf-8?B?bzZZQlVKVlpWMTFZRlIvSWk2UHFUWEl1UCtQRmMxMWpSTitjZGlnT2hsSEpD?= =?utf-8?B?LytCK0RXVCtzazh1QmQ4ODVIVENRcFBENlJsNlhGWjFjYVIxdnEvUURyV25Z?= =?utf-8?B?Qzc3Rld4YldYdDRkemJ0WjVsaW1aeUtmdW1SRCtlMXFTd2V3T05YVWx3R0pO?= =?utf-8?B?REV2WkwvRlIvK3h6RkRLeEhwY2dhT1I4UEs2WEdzM0F0cjZuZFBPeXBMN2xt?= =?utf-8?B?REdXa3huUXNOQUZiVUVtRUFpdW14L1pWdjVCRktFckhIa0gxVmJLMkFOOFBT?= =?utf-8?B?MWxPNTl6aDlKZVZEQktDTk03L3pJb1g4UWtPTnZhWjNWdjB5eHRyYm42SFYr?= =?utf-8?Q?TuSPgCPpptLQt+J1A4=3D?=
Content-Type: multipart/alternative; boundary="_000_DM6PR15MB2379C8EADA9515BA4454730CE3939DM6PR15MB2379namp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR15MB2379.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8a718b50-608e-43a3-5cab-08d8e252376e
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Mar 2021 16:50:01.7480 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: VzZhlpF9NtboeuBj7VB/A8nXLXLhpRgPcV6LtFpCiSazxZDCJ7OoMUfpE3osIVdVjhZDXitKJ07mL70jeA1YdJIc40l1ALVNRyxVbE6Hf/c=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR15MB3564
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/XuqAekCzzzwsQGcm6syR6uabCqg>
Subject: Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Mar 2021 16:50:14 -0000

Thanks! My understanding is that these documents are ready to be moved forward to the IESG.

Anyone thinking otherwise, please let us know as soon a spossible.

Yours,
Daniel
________________________________
From: Ace <ace-bounces@ietf.org> on behalf of Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>
Sent: Monday, March 8, 2021 9:55 AM
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: Loganaden Velvindron <loganaden@gmail.com>om>; Olaf Bergmann <bergmann@tzi.org>rg>; draft-ietf-ace-oauth-authz@ietf.org <draft-ietf-ace-oauth-authz@ietf.org>rg>; Russ Mundy <mundy@tislabs.com>om>; Ace Wg <ace@ietf.org>rg>; Stefanie Gerdes <gerdes@tzi.de>de>; Francesca Palombini <francesca.palombini@ericsson.com>
Subject: Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14

Hi Daniel,

I just submitted -38 which includes these changes and some nits.

Göran

On 2021-03-08, 13:14, "Daniel Migault" <mglt.ietf@gmail.com> wrote:

    Thanks Goran, It looks good to me. I believe that a new version can be published to reflect the changes and close this issue.
    Yours,
    Daniel


    On Mon, Mar 8, 2021 at 2:35 AM Göran Selander <goran.selander@ericsson.com> wrote:


    Hi Daniel,

    Here is a proposed changed to the last sentence:

        Section 5:
        OLD
            "Profiles MUST specify a communication security protocol that provides the features required above."

          NEW
            "Profiles MUST specify a communication security protocol between client and RS that provides the features required above. Profiles MUST  specify a communication security protocol RECOMMENDED to be used between client and AS that provides the features required above. Profiles MUST  specify for introspection a communication security protocol RECOMMENDED to be used between RS and AS that provides the features required above. These recommendations enable interoperability between different implementations without the need to define a new profile if the communication between C and AS, or between RS and AS, is protected with a different security protocol complying with the security requirements above."


    Göran


    On 2021-03-05, 22:23, "Daniel Migault" <mglt.ietf@gmail.com> wrote:

        Thanks. "C/RS and AS" may not be very clear as it seems - at least to me -  to include the communication between the client and the RS. It seems to me that  only communications between Client and AS as well as between AS and RS are in scope. If that is correct, I would suggest expanding "C/RS and AS" accordingly.
        Yours,
        Daniel


        On Fri, Mar 5, 2021 at 11:03 AM Francesca Palombini <francesca.palombini@ericsson.com> wrote:


        Hi,

        (Adding back the ace ml that was dropped at some point)

        Here is a proposal for the paragraph in Section 5 with a different last sentence to hopefully clarify the need for recommendations but not mandate only one sec protocol per profile:

        Section 5:
        OLD
            "Profiles MUST specify a communication security protocol that provides the features required above."

          NEW
            "Profiles MUST specify a communication security protocol between client and RS that provides the features required above. Profiles MUST  specify a communication security protocol RECOMMENDED to be used between client and AS that provides the features required above. Profiles MUST  specify for introspection a communication security protocol RECOMMENDED to be used between RS and AS that provides the features required above. These recommendations enable interoperability between different implementations, without the need to define a new profile if the communication between C/RS and AS is protected with a different security protocol complying with the security requirements above."


        The proposal for the other section looks good to me.
        Francesca

        From: Daniel Migault <mglt.ietf@gmail.com>
        Date: Thursday, 4 March 2021 at 17:49
        To: Göran Selander <goran.selander@ericsson.com>
        Cc: Stefanie Gerdes <gerdes@tzi.de>de>, Olaf Bergmann <bergmann@tzi.org>rg>, Francesca Palombini <francesca.palombini@ericsson.com>om>, Russ Mundy <mundy@tislabs.com>om>, "draft-ietf-ace-oauth-authz@ietf.org" <draft-ietf-ace-oauth-authz@ietf.org>rg>, Loganaden Velvindron <loganaden@gmail.com>
        Subject: Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14



        HI Goran,



        sure any wordsmithing / alternative are fine to me. For the second alternative the repetition of "with" may sound to me a bit strange.


        Unless anyone objects that would be greatly appreciate to have a new version submitted. Thanks!



        Yours,
        Daniel







        On Thu, Mar 4, 2021 at 11:12 AM Göran Selander <goran.selander@ericsson.com> wrote:


        Hi Daniel,

        The proposal coincides with the text I proposed Feb 22 except for one sentence:

        "Such recommendations are expected, among others, to guarantee independent implementations interoperate."

        This sentence does not read well to me, perhaps we can change it? For example:

        "These recommendations are expected to enable interoperability between independent implementations."

         . . . or even add the reason why it is only a recommendation:

        "These recommendations are expected to enable interoperability between independent implementations, without preventing this profile to be used with other security protocols with the AS complying with the security requirements."

        I can make the changes and submit a new version of draft-ietf-ace-oauth-authz in the beginning of next week when ID submission has reopened.

        Regards
        Göran



        On 2021-03-04, 15:54, "Daniel Migault" <mglt.ietf@gmail.com> wrote:


            Hi all,
            I know everyone is very busy by now, but I am wondering if you could provide your input so that we can think of closing this issue before the IETF 110 - or at least as soon as possible. Our initial milestones were to send these doc in February ;-)

            Yours,
            Logan and Daniel
            ---------- Forwarded message ---------
            From: Daniel Migault <mglt.ietf@gmail.com>
            Date: Tue, Mar 2, 2021 at 11:09 PM
            Subject: Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14
            To: Olaf Bergmann <bergmann@tzi.org>
            Cc: Göran Selander <goran.selander@ericsson.com>om>, Olaf Bergmann <bergmann@tzi.org>rg>, Russ Mundy <mundy@tislabs.com>om>, ace@ietf.org <ace@ietf.org>rg>, Stefanie Gerdes <gerdes@tzi.de>de>, Francesca Palombini <francesca.palombini@ericsson.com>om>, Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org>



            Thanks for the feedbacks Olaf. So I understand why we need such flexibility on the client side. The main reason seems that the communication with the AS is seen as bootstrapping the communication between the client and the RS and as such we would like to keep them as independent as possible.
            I see interoperability being achieved when a) client, RS, and AS implemented by independent vendors and b) all three follow the framework and the given profile is sufficient to make them work together. Currently the client - RS communication is well defined, but the client AS communication is left to a RECOMMENDATION.

            RFC2119 defines RECOMMEND as follows:
            SHOULD   This word, or the adjective "RECOMMENDED", mean that there
               may exist valid reasons in particular circumstances to ignore a
               particular item, but the full implications must be understood and
               carefully weighed before choosing a different course.
            The question becomes how RECOMMENDED is sufficient or not.




            It seems to me the definition above makes it clear that the recommended protocol is expected to be supported, and AS or clients that are independently developed are expected to support the recommended protocol. To ensure the implementers are well aware of the consequences of the implication we could clarify this explicitly. Of course this does not provide a formal proof for interoperability, but this seems acceptable in the scope of a framework.

            From the latest suggestion, I would propose the following changes, - that I expect will reach consensus. Please let us know by Friday  March 5 if you agree or disagree with the proposed changes.


             Section 5:
            OLD
            "Profiles MUST specify a communication security protocol that provides the features required above."

            NEW
            "Profiles MUST specify a communication security protocol between client and RS that provides the features required above. Profiles MUST  specify a communication security protocol RECOMMENDED to be used between client and AS that provides the features required above. Profiles MUST  specify for introspection a communication security protocol RECOMMENDED to be used between RS and AS that provides the features required above. Such recommendations are expected, among others, to guarantee independent implementations interoperate."

            Section 6.2:
            OLD
              "Profiles MUST specify how communication security according
               to the requirements in Section 5 is provided."
            NEW
            "The requirements for communication security of profiles are specified
            in Section 5."


            Yours,
            Daniel






            On Tue, Mar 2, 2021 at 10:20 AM Olaf Bergmann <bergmann@tzi.org> wrote:


            Hi Daniel,

            On 2021-03-02, Daniel Migault <mglt.ietf@gmail.com> wrote:

            > This is just a follow-up. I would like to be able to close this issue
            > by the end of the week, and so far I have not heard any issues for
            > profile mandating a protocol. On the other hand, not mandating a
            > specific protocol comes with interoperability issues. So unless more
            > feed back is provided, I am currently leaning toward ensuring
            > interoperability.
            >
            > It  would be good for me to hear from the WG and understand what concrete deployment
            > issues the two statements below would raise:
            >     * OSCORE profile mandating the AS to support OSCORE and have the C <-> AS using
            > OSCORE.
            >     * DTLS profile mandating the AS to support DTLS and have the C <-> AS using DTLS.

            I think the major issue is that a client that implements both OSCORE and
            DTLS cannot just switch from one mechanism to the other because it must
            stick to either one or the other. This also raises the question what
            happens if an AS is contacted by the client via OSCORE but the RS only
            supports DTLS: Is the client allowed to switch from OSCORE to DTLS if
            the AS says so?

            Another aspect is that we would need to add another specification if a
            client implementing the DTLS profile wants to contact the AS via TLS. As
            CoAP over TLS is well-defined, this would not make any difference
            regarding the security or the handling in the application, but mandating
            DTLS in the profile would currently preclude the use of TLS.

            Grüße
            Olaf





            --
            Daniel Migault

            Ericsson





            --
            Daniel Migault

            Ericsson







        --
        Daniel Migault

        Ericsson










        --
        Daniel Migault

        Ericsson






    --
    Daniel Migault

    Ericsson

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace