Re: [Ace] MQTT, OSCORE, DTLS profiles - recommendation on RS - AS communication

Göran Selander <goran.selander@ericsson.com> Mon, 08 March 2021 07:58 UTC

From: Göran Selander <goran.selander@ericsson.com>
To: Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org>, "ace@ietf.org" <ace@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/ZBp5bzK9T2YsMRgOObdRSFBD3GM>

Hi Daniel,

draft-ietf-ace-oscore-profile-16 does recommend a security protocol to be used between RS and AS, see Section 5:

 "As specified in the ACE framework (section 5.9 of
   [I-D.ietf-ace-oauth-authz]), the requesting entity (RS and/or client)
   and the AS communicates via the introspection or token endpoint.  The
   use of CoAP and OSCORE ([RFC8613]) for this communication is
   RECOMMENDED in this profile; other protocols fulfilling the security
   requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] (such
   as HTTP and DTLS or TLS) MAY be used instead."

For draft-ietf-ace-dtls-authorize-15: "The use of introspection is out of scope for this specification."

So it seems your concern is already resolved in these drafts.

We might ask ourselves why introspection is included in one but not the other. It is not heavily used in draft-ietf-ace-oscore-profile-16, only in Section 4.2:

 "The RS may make an introspection request (see Section 5.9.1
   of [I-D.ietf-ace-oauth-authz]) to validate the token before
   responding to the POST request to the authz-info endpoint."

A similar sentence could have been included in draft-ietf-ace-dtls-authorize as well (together with a recommendation to use DTLS).

Is this something we want to change at this stage?


Göran

On 2021-03-05, 22:11, "Ace on behalf of Daniel Migault" <ace-bounces@ietf.org on behalf of daniel.migault=40ericsson.com@dmarc.ietf.org> wrote:

    Hi, 

    Now that the authz document is being consolidated, I do have some minor concerns regarding the recommendations mentioned in the profile documents, that might require an additional update.

    The update to the authz document indicates more clearly than before that profiles need to provide some recommendations for the RS – AS communication.

    “””
    Profiles MUST  specify for introspection a communication security protocol RECOMMENDED to be used between RS and AS that provides the features required above. “””

    It seems to me the MQTT profile text makes it pretty clear that TLS is recommended for all communications but I am wondering if additional clarification would be beneficial – see below. That said I agree this is a very minor point in this case that could be handled by the RFC editor.
    For the OSCORE or DTLS profiles, unless I am missing the RS – AS recommendations in the documents, it seems to me it has been omitted and needs to be added -- see below.


    Yours, 
    Daniel

    * MQTT - draft-ietf-ace-mqtt-tls-profile-10

    “””
       To provide communication confidentiality and RS authentication, TLS
       is used, and TLS 1.3 [RFC8446] is RECOMMENDED.  This document makes
       the same assumptions as Section 4 of the ACE framework
       [I-D.ietf-ace-oauth-authz] regarding Client and RS registration with
       the AS and setting up keying material.  While the Client-Broker
       exchanges are only over MQTT, the required Client-AS and RS-AS
       interactions are described for HTTPS-based communication [RFC7230],
       using 'application/ace+json' content type, and unless otherwise
       specified, using JSON encoding.
    “””

    I am wondering if it would not be more appropriate to specify in the first line RS and AS authentication, or simply authentication.

    * OSCORE draft-ietf-ace-oscore-profile-16

    “””
    This
       profile RECOMMENDS the use of OSCORE between client and AS, to reduce
       the number of libraries the client has to support, but other
       protocols fulfilling the security requirements defined in section 5
       of [I-D.ietf-ace-oauth-authz] (such as TLS or DTLS) MAY be used as
       well.
    “””

    * DTLS draft-ietf-ace-dtls-authorize-15

    “””
    It is RECOMMENDED that the client
       uses DTLS with the same keying material to secure the communication
       with the authorization server, proving possession of the key as part
       of the token request.  Other mechanisms for proving possession of the
       key may be defined in the future.
    “””
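As an added illustration, not code from this thread or from any ACE draft, the following Python sketch shows the RS-side flow Göran quotes from Section 4.2 of the OSCORE profile: the RS introspects the token at the AS before answering the POST to authz-info, and refuses to introspect at all unless the RS-AS leg is protected by one of the protocols the profiles name (OSCORE, DTLS or TLS), which is the recommendation Daniel asks the profiles to state. The channel class, the stub AS, the token identifiers, the string-keyed introspection maps and the CoAP-style response codes are all assumptions made for the example.

```python
RS_AUDIENCE = "rs1"                          # constructed: this RS's audience identifier
RS_AS_PROTOCOLS = {"oscore", "dtls", "tls"}  # protocols the profiles name for the RS-AS leg

class AsChannel:
    """Stand-in for the RS-AS security association (CoAP+OSCORE, DTLS or TLS):
    `protocol` names what protects it, `post` sends a request map to the AS."""
    def __init__(self, protocol, post):
        self.protocol, self.post = protocol, post

def introspect(token, channel, now):
    """RS-side token introspection; returns the AS response map or raises ValueError.
    Keys use the OAuth introspection names; ACE's CBOR integer labels are omitted."""
    if channel.protocol not in RS_AS_PROTOCOLS:
        raise ValueError("refusing introspection over an unprotected RS-AS channel")
    resp = channel.post({"token": token})
    if resp.get("active") is not True:
        raise ValueError("token not active")
    aud = resp.get("aud", [])
    if RS_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this RS")
    if "exp" in resp and resp["exp"] <= now:
        raise ValueError("token expired")
    if "cnf" not in resp:  # without a PoP key the RS cannot bind the token to a peer
        raise ValueError("token carries no proof-of-possession key")
    return resp

def handle_authz_info_post(token, channel, now):
    """POST to /authz-info: introspect before answering, as Section 4.2 allows."""
    try:
        resp = introspect(token, channel, now)
    except ValueError:
        return "4.01"  # Unauthorized: the token could not be validated
    # On success the RS would store resp["cnf"] and resp["scope"] for this peer.
    return "2.01"  # Created

def make_stub_as(token_db):
    """Constructed AS that answers introspection from an in-memory table."""
    return lambda req: dict(token_db.get(req["token"], {"active": False}))

# Constructed sample data: a valid token, one for another RS, one already expired.
NOW = 1_615_190_000
STUB_DB = {
    b"tok-good":  {"active": True, "aud": "rs1", "exp": NOW + 600, "scope": "read", "cnf": {"kid": b"k1"}},
    b"tok-other": {"active": True, "aud": "rs2", "exp": NOW + 600, "scope": "read", "cnf": {"kid": b"k2"}},
    b"tok-old":   {"active": True, "aud": "rs1", "exp": NOW - 1,   "scope": "read", "cnf": {"kid": b"k3"}},
}
OSCORE = AsChannel("oscore", make_stub_as(STUB_DB))     # as the OSCORE profile RECOMMENDS
PLAIN = AsChannel("plain-coap", make_stub_as(STUB_DB))  # no protection: must be refused
```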