Re: [Ace] WGLC draft-ietf-ace-mqtt-tls-profile

Daniel Migault <daniel.migault@ericsson.com> Wed, 23 September 2020 13:58 UTC

From: Daniel Migault <daniel.migault@ericsson.com>
To: Cigdem Sengul <cigdem.sengul@gmail.com>, Daniel Migault <mglt.ietf@gmail.com>
CC: Ace Wg <ace@ietf.org>
Thread-Topic: [Ace] WGLC draft-ietf-ace-mqtt-tls-profile
Date: Wed, 23 Sep 2020 13:58:43 +0000
Message-ID: <SA0PR15MB37911D960FF093CC03AC6456E3380@SA0PR15MB3791.namprd15.prod.outlook.com>
References: <CADZyTkmMd7iO3jo359QSS+y1LoSKvoDw+vJonD8VUfheEgXLTA@mail.gmail.com> <CADZyTkm9x62oTxHp8EwqWxkQT3Tn6szZ4myuM5XJWt-4FQS92g@mail.gmail.com> <CAA7SwCPOsn5nd=H9EHDn451VZ0MhJEk6vR+qMHBcuC3kaA55wQ@mail.gmail.com> <CADZyTkmpwx68YJGeoh9Tki8A_eqMMhJVzQwF6_9mZanurj_CsA@mail.gmail.com> <CAA7SwCNevGqv641ZRCJPJiUaJ4TEZ2gsx=7BBTN678CN0EYeWA@mail.gmail.com> <CADZyTkncWgUHaFH3q-3eqf3ZTcxQsUTOva==5VTdUOtgQh9B0w@mail.gmail.com>, <CAA7SwCOc75Xmb6Ywku3Pg9wa_vSEeUFC0=BjuKdrjoF5p8oOGw@mail.gmail.com>
In-Reply-To: <CAA7SwCOc75Xmb6Ywku3Pg9wa_vSEeUFC0=BjuKdrjoF5p8oOGw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/eN6ei5JP-kRMqgmv2hm7o8L6K0w>
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>

Hi Cigdem,

This works for me. Thanks for the responses.

Yours, Daniel
________________________________
From: Ace <ace-bounces@ietf.org> on behalf of Cigdem Sengul <cigdem.sengul@gmail.com>
Sent: Wednesday, September 23, 2020 9:10 AM
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: Ace Wg <ace@ietf.org>
Subject: Re: [Ace] WGLC draft-ietf-ace-mqtt-tls-profile

Hello Daniel,

My responses are as follows:

<mglt>
Just one clarification. TLS 1.3 provides two ways to authenticate the client. One way is sending a CertificateRequest during the TLS handshake and another way is to send it after the handshake occurs. The ability to support the first authentication is not advertised by the TLS client. The ability to support the second is advertised with the post_handshake_auth extension. I just wanted to make sure we agreed there are two ways.
</mglt>

[Cigdem: Yes, I agree. In both cases, what I read is: "If the client does not send any certificates (i.e., it sends an empty
   Certificate message), the server MAY at its discretion either
   continue the handshake without client authentication or abort the
   handshake with a "certificate_required" alert."
I suggest continuing the handshake and falling back to MQTT Connect authentication for the RPK case.
]


[Cigdem: Yes, actually, this is what I described above. Due to the absence of a certificate, I suggest it can fall back to CONNECT]

<mglt>
You are correct. What might need to be specified is that the server MUST support the two ways to authenticate the client. It MUST try during the handshake and if the client has not provided sufficient credentials and the client has the post_handshake_auth, it MUST send one after the handshake. The reason I think that maybe more text is needed is that I have the impression a minimal TLS server implementation may not necessarily support both authentications. This would prevent the use of a TLS implementation that only supports post_authentication for example.
Similarly, I am wondering if the MQTT client does not have similar requirements regarding the support of TLS authentication as well as the CONNECT or if it may support only one. I tend to think that the client may support only one way.

To sum up, I am just trying to evaluate how to prevent a situation where the client will not be able to authenticate itself to the server.
</mglt>

[Cigdem: I think what I would prefer is that: the MQTT client will support one way (one of PSK, or RPK, or over MQTT Connect then).
The server MAY support multiple ways.
Given we recommend the MQTT Connect for client authentication, the server MUST implement that.
(That's why if RPK fails, MQTT connect can be fallback.)

If we agree, I will revise the document.
]

Kind regards,
--Cigdem
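The fallback the two messages above converge on (try TLS 1.3 client authentication in the handshake; if the client sent an empty Certificate and advertised post_handshake_auth, try a post-handshake CertificateRequest; otherwise fall back to MQTT CONNECT authentication, which the broker MUST implement) can be written out as a small decision model. The following is an added example, not text from the draft, the thread, or any MQTT library. The ClientHello extension parser follows the RFC 8446 wire layout, and the extension type value 49 for post_handshake_auth is the one registered in RFC 8446; the `Client` and `BrokerPolicy` objects, their field names, and the sample byte strings are constructed for illustration and stand in for a real TLS stack and broker.

```python
"""Added example: model of TLS 1.3 client auth with fallback to MQTT CONNECT.

Assumptions (not from the draft or the thread): the Client / BrokerPolicy
classes are hypothetical stand-ins for a TLS stack and an MQTT broker; the
extension bytes below are constructed samples.
"""
from dataclasses import dataclass
from typing import List, Optional

POST_HANDSHAKE_AUTH = 49   # RFC 8446, Section 4.2: ExtensionType post_handshake_auth(49)
SUPPORTED_VERSIONS = 43    # RFC 8446, Section 4.2: ExtensionType supported_versions(43)


def parse_extension_types(extensions: bytes) -> List[int]:
    """Parse a ClientHello 'Extension extensions<8..2^16-1>' vector
    (2-byte total length, then {2-byte type, 2-byte length, data} entries)
    and return the extension types in order. Truncated input raises ValueError
    rather than being silently accepted."""
    if len(extensions) < 2:
        raise ValueError("extensions vector too short")
    total = int.from_bytes(extensions[:2], "big")
    body = extensions[2:]
    if len(body) != total:
        raise ValueError("extensions length does not match declared length")
    types, pos = [], 0
    while pos < total:
        if total - pos < 4:
            raise ValueError("truncated extension header")
        ext_type = int.from_bytes(body[pos:pos + 2], "big")
        ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        pos += 4
        if total - pos < ext_len:
            raise ValueError("truncated extension data")
        types.append(ext_type)
        pos += ext_len
    return types


def advertises_post_handshake_auth(extensions: bytes) -> bool:
    """True if the ClientHello carried post_handshake_auth."""
    return POST_HANDSHAKE_AUTH in parse_extension_types(extensions)


# Constructed samples: supported_versions{TLS 1.3} with and without post_handshake_auth.
SAMPLE_WITH_PHA = bytes.fromhex("000b" "002b0003020304" "00310000")
SAMPLE_WITHOUT_PHA = bytes.fromhex("0007" "002b0003020304")


@dataclass
class Client:
    """Hypothetical peer: which credentials it is willing to present."""
    client_hello_extensions: bytes
    in_handshake_cert: bytes = b""            # b"" models an empty Certificate message
    post_handshake_cert: bytes = b""          # reply to a post-handshake CertificateRequest
    connect_credentials: Optional[bytes] = None  # ACE token carried in MQTT CONNECT


@dataclass
class BrokerPolicy:
    """Hypothetical broker capabilities; CONNECT auth is the mandatory baseline."""
    supports_in_handshake_auth: bool = True
    supports_post_handshake_auth: bool = True
    supports_connect_auth: bool = True


def authenticate(client: Client, policy: BrokerPolicy,
                 trace: Optional[List[str]] = None) -> Optional[str]:
    """Return the method that authenticated the client, or None if every
    supported path was exhausted. Each attempt is appended to `trace` so the
    broker's decision can be logged and audited. Certificate validation
    itself is not modelled; a non-empty value stands for a credential."""
    log = trace if trace is not None else []
    if policy.supports_in_handshake_auth:
        if client.in_handshake_cert:
            log.append("tls_handshake: client certificate presented")
            return "tls_handshake"
        # RFC 8446 4.4.2: on an empty Certificate the server MAY continue without client auth.
        log.append("tls_handshake: empty Certificate, continuing without client auth")
    if policy.supports_post_handshake_auth and \
            advertises_post_handshake_auth(client.client_hello_extensions):
        if client.post_handshake_cert:
            log.append("tls_post_handshake: client certificate presented")
            return "tls_post_handshake"
        log.append("tls_post_handshake: CertificateRequest sent, no certificate returned")
    if policy.supports_connect_auth and client.connect_credentials is not None:
        log.append("mqtt_connect: credentials presented in CONNECT")
        return "mqtt_connect"
    log.append("no supported authentication path succeeded; CONNECT must be refused")
    return None


if __name__ == "__main__":
    trace: List[str] = []
    method = authenticate(Client(SAMPLE_WITH_PHA, connect_credentials=b"token"),
                          BrokerPolicy(), trace)
    print(method)
    print("\n".join(trace))
```

The last two cases in the test below are the situations Daniel raises: a broker that only implements post-handshake authentication cannot authenticate a client that never advertised post_handshake_auth, and a client that supports exactly one method still succeeds as long as the broker keeps CONNECT authentication as its mandatory fallback.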