Re: [Ace] Comments draft-palombini-ace-coap-pubsub-profile-04

Francesca Palombini <> Mon, 08 July 2019 14:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 338D4120236 for <>; Mon, 8 Jul 2019 07:35:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id To8MTO3EwYYi for <>; Mon, 8 Jul 2019 07:35:09 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 20EEA1201A0 for <>; Mon, 8 Jul 2019 07:35:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=XF1F4UziWLj1leBIM+01vsiH/dWWHWZglTkQMZQau4NEvT6JqbtqQ2Oeo/BqGw9hfGGht0OUvOEfj3krFbi7y7QH8d0Q5eRPgILH3QtAIslzvg0CGuPd38XqVvaq89giWI10XH7/00fIP4cWHC4vaZYZ8a1a2QCGfk5fES3LxcdkGQxKe42snJjRA8v7r+7BRfDIxADNnlci6C0FCtqbJVxtvR486M/HuDZT+DoKHyn7/pXL9d1S62pLn2Afav62p6Zm76qb1VSFdn6dzDak7Q7ChqOreg8uLDsHcrdyBBtVowFrwHXAAVVl3JvLfCWdyqhCPS4+3EgK5ojb+bUinw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZtfqMElVrIVVpSFUUqIvwytS0cRKs4BY2CJIYtF29xY=; b=QmbrgZxyphyF2a+3mWl1wiIY70MFyXyhxIZlUCSpsW/m4ywiuToAPI2l2g8WMbN/1mLjDotC6t1F+qCacgcfzfiFwjgK7gPJON0fDrXjPECHNRAz+SSHbPBy5yvhSi/Ik9axuAZJB8xbqQ+w8YvsxVGGfKtRhbWFH6dtHDbArVxiILTouptYfWTAkzBCjtU/7cK31/OZx/fwakvLXL3I+wuWWWUrz8MqSCuYYucpQqDyYPc7VP5LUKCQzj9Iw1R4HmwHM9W/9L/eXurvnFPQePDleCDCPBJiQrguKemtpOMin/KHYLVopGWkVEyX9Nnb4gf3eQftJgadXgSanK/69Q==
ARC-Authentication-Results: i=1; 1;spf=pass;dmarc=pass action=none;dkim=pass;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZtfqMElVrIVVpSFUUqIvwytS0cRKs4BY2CJIYtF29xY=; b=BMaqLYP3pMp9A12EN0PXFtwSx7h3WYiQcWLVM1R2s7CqC8bh70L98yXFP7XyC0CufHXW/46TWpK3fEsYFacIOLqxiAVdI7GELudZfWSTb9Wsg2X/aK4hj0agxVVhxS7TVdfHDbgknU6Xt76NIb65W4fue9OpMqmMoL2AetysjjA=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2073.7; Mon, 8 Jul 2019 14:35:03 +0000
Received: from ([fe80::d958:9685:d091:3b9a]) by ([fe80::d958:9685:d091:3b9a%3]) with mapi id 15.20.2073.008; Mon, 8 Jul 2019 14:35:03 +0000
From: Francesca Palombini <>
To: Marco Tiloca <>, "" <>
Thread-Topic: [Ace] Comments draft-palombini-ace-coap-pubsub-profile-04
Thread-Index: AQHU7qzQFt4F2rm7+kuMJHE7mGDl7abBeNQA
Date: Mon, 8 Jul 2019 14:35:03 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9974bb7a-dcd4-4835-91b5-08d703b1771e
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:HE1PR0701MB2442;
x-ms-traffictypediagnostic: HE1PR0701MB2442:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 00922518D8
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(346002)(396003)(136003)(39860400002)(376002)(199004)(189003)(55674003)(53936002)(33656002)(3846002)(478600001)(6116002)(6246003)(25786009)(76116006)(66946007)(66556008)(486006)(36756003)(66574012)(2501003)(5660300002)(86362001)(64756008)(66476007)(73956011)(316002)(66446008)(6306002)(6512007)(6436002)(6486002)(229853002)(110136005)(81166006)(71200400001)(81156014)(8936002)(71190400001)(26005)(2906002)(186003)(76176011)(6506007)(102836004)(99286004)(7736002)(256004)(66066001)(68736007)(305945005)(966005)(44832011)(446003)(11346002)(14444005)(14454004)(476003)(8676002)(2616005); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0701MB2442;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: MV19jVycKGOZwr+MD8huCFOfCIFiLgwIHORoqXw+K0PWNrLomdmxq3qDFnFuu9e/jgPbGhmi6essso5ofmSMv7ObRPKoLetxSkx3yJWOkfbLammD8lf8k79GI/G1UwPkEb6RFI8mUyreaetuowcrO55N8z2o0+iAKW+Y5neuwtjDvYqdqS1TgHrxKxZQj0OmA/D5Q5rf+Scs24iu+6q72Zp4Pl61hfH1GeoxVhiiPb5u1FKQSzUeV+Nz9I5b76pv5ZPoiYg2wxx25WsbWOqoJHdpQBCpNybrZAwG+1gF3FTmNhqfxqlkOqJenEj/zqehzm2sZWpTRknhTignefQO9gS282M7ZFFZbO0SkBMHUy2nxMFW35a6Ic+8oLH8dIeD1xL19WgLWOChs3YS3Oda2kRmzTbTmRNIGfvRtN9KPhM=
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 9974bb7a-dcd4-4835-91b5-08d703b1771e
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Jul 2019 14:35:03.4883 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2442
Archived-At: <>
Subject: Re: [Ace] Comments draft-palombini-ace-coap-pubsub-profile-04
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 08 Jul 2019 14:35:21 -0000

Hi Marco,

Thanks a lot for this review! I finally managed to include your comments and update the document, and will be posting a new version soon. You can see the PR to this update here in the meantime: 
Answers inline.


On 09/04/2019, 10:18, "Ace on behalf of Marco Tiloca" < on behalf of> wrote:

    Please, find below some comments on this profile. I hope it helps!
    "This profile relies on transport layer or application layer security to
    authorize the publisher to the broker" is due to the current profiles of
    ACE, right? Otherwise, this can be (even) more general without
    mentioning particular layers.
FP: That is correct, that is due to what profile of ACE is used. I haven't made a change here.
    [Section 1]
    Here the claimed scope is authorizing nodes, but it is actually also
    about key provisioning (Section 3.1) and actual communication (Section 6.1).
FP: Right, I added some text about that.
    [Section 2]
    Here the claimed scope is protecting communication (in a broad sense),
    while it can again mention also authorizing nodes (as per ACE) and key
    provisioning (Section 3.1).

FP: Yes, added text about that as well.
    I believe that the paragraph "There are four phases, ..." and the
    numbered list would read better if placed right before the final
    paragraph "Note that AS1 and AS2 ..."
FP: I tried to make this change but could not split the numbered list from the following paragraph, since it talks about this exchange in particular, so I ended up not implementing this one. We can discuss more about this.
    [Section 3.1]
    I think this will also need a way for clients to agree with the AS2 on
    the correct format of their own public key (if they don't know already),
    similarly to what suggested in ace-key-groupcomm-oscore. The only type
    of approach that would not work is the one embedded with a Token POST,
    since that does not happen with AS2.

FP: Right, I now specified the optional key format negociation in the document. 
    The text says: "... the AS2 is both the AS and the KDC, ... so the
    Authorization Response and the Post Token message are not necessary" .
    Shouldn't we then have the Token POST to the KDC defined as optional
    already in ace-key-groupcomm ? See for instance its Figure 2.

FP: No, we do not need to change that in Key groupcomm, as that would be more complicated to motivate.
    In the Key Distribution Request, only one role can be indicated in
    scope. What if a client wants to be both publisher and subscriber? This
    seems allowed in Section 3.3 of core-coap-pubsub . Should a client
    separately contact the AS2 multiple times?
FP: Fixed that.

    In the Authorization Response, the 'profile' field can point at Section
    8.1 where the profile value is defined.

FP: Ok, done.
    In the Authorization Response, see above for the 'scope' field in case
    of a client that wants two roles.
FP: Yes, same.
    [Section 4]
    Page 8, second bullet point, it can say "... protect the publication
    end-to-end with the subscribers (see Section 6.1)".
FP: Ok, added
    [Section 5]
    Page 9, it can say "... keying material to verify the publication
    protected end-to-end with the publishers".

FP: Ok, added
    [Section 6]
    It would be good to refer to core-coap-pubsub , and its usage of Observe
    for subscriptions.

FP: Ok, added
    The text says: "The (F) message is ... , which is unprotected." ,
    although Section 3 admitted the possibility of communication secured
    also between Broker and Subscribers.
FP: that's right, I added some text about that.
    [Section 6.1]
    In the unprotected headers of the COSE object, what is used as Partial IV?
FP: I added something about this, although this probably requires more thinking.
    [Section 8.2]
    The value of 'Profile' should be "coap_pubsub' , consistently with the
    name of the profile registered in Section 8.1.

FP: Yes, this needed update.
    Marco Tiloca
    Ph.D., Senior Researcher
    RISE Research Institutes of Sweden
    Division ICT
    Isafjordsgatan 22 / Kistagången 16
    SE-164 40 Kista (Sweden)
    Phone: +46 (0)70 60 46 501