Re: [Ace] draft-ietf-ace-key-groupcomm-oscore

Jim Schaad <ietf@augustcellars.com> Fri, 31 January 2020 19:06 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF392120815; Fri, 31 Jan 2020 11:06:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3SFpaPMtVfNa; Fri, 31 Jan 2020 11:06:52 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1EBB1200F6; Fri, 31 Jan 2020 11:06:51 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 31 Jan 2020 11:06:46 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Marco Tiloca' <marco.tiloca@ri.se>, draft-ietf-ace-key-groupcomm-oscore@ietf.org
CC: ace@ietf.org
References: <010b01d5d7c3$47d36ad0$d77a4070$@augustcellars.com> <9dea28ee-c4c0-40b9-68bc-c78cfad9d40c@ri.se> <013701d5d84d$8cdfdb60$a69f9220$@augustcellars.com> <856e7de6-c11d-5ef0-3077-047b10537609@ri.se>
In-Reply-To: <856e7de6-c11d-5ef0-3077-047b10537609@ri.se>
Date: Fri, 31 Jan 2020 11:06:44 -0800
Message-ID: <015201d5d869$95b35020$c119f060$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHFG8xRdUfVvrWtM6BhE83phS1mMgCYQ/zgASMwPMoCiBnPQagEfM8g
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/ZyB1CTNd1DaBJMxZznwQdNMem-Y>
Subject: Re: [Ace] draft-ietf-ace-key-groupcomm-oscore
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jan 2020 19:06:55 -0000


-----Original Message-----
From: Marco Tiloca <marco.tiloca@ri.se> 
Sent: Friday, January 31, 2020 10:32 AM
To: Jim Schaad <ietf@augustcellars.com>; draft-ietf-ace-key-groupcomm-oscore@ietf.org
Cc: ace@ietf.org
Subject: Re: draft-ietf-ace-key-groupcomm-oscore

Hi Jim,

On 2020-01-31 16:46, Jim Schaad wrote:
>
> -----Original Message-----
> From: Marco Tiloca <marco.tiloca@ri.se>
> Sent: Friday, January 31, 2020 3:24 AM
> To: Jim Schaad <ietf@augustcellars.com>; 
> draft-ietf-ace-key-groupcomm-oscore@ietf.org
> Cc: ace@ietf.org
> Subject: Re: draft-ietf-ace-key-groupcomm-oscore
>
> Hi Jim,
>
> Thanks for these comments!
>
> Please, find some replies below.
>
> Best,
> /Marco
>
> On 2020-01-31 00:16, Jim Schaad wrote:
>> This is not a finished review - but I wanted to get it out.
>>
>> Jim
>>
>>
>> General - Should the concept of a legal requester be part of the 
>> information that is transported with the public key?  I don't believe 
>> that this is currently done, but would additionally allow for a 
>> server to ignore comments from individuals who are not authorized for that role.
> <MT>
> This can be indicated in the public key, and then the Group Manager indicates this "role" to other group members, when providing them with the public key of the legal requester.
>
> However, how can the Group Manager verify that a legal requester is indeed one, as its public key claims? If we stick to raw public keys, this seems not possible as the only thing that the Group Manager really does is verifying possession of the corresponding private key upon joining.
>
> This would probably require certificates rather than public keys, as provided in the 'client_cred' parameter upon joining, which is something that ace-key-groupcomm is anyway admitting, while we are just not doing it here. Then, it becomes about trusting the certificate issuer on legitimately claiming that the certificate owner is indeed a legal requester.
> </MT>
> [JLS] I was assuming that the GM could pull this information from the 'scope' field of the token.

<MT>
Ok, so it should be just about adding one more role to the current valid ones for 'scope', and updating the list of possible role combinations.

Then it's up to the policy evaluation at the AS to confirm that a client is indeed a legal requester, and that that ends up in the token.
</MT>

[JLS]  I just realized we are not talking about the same problem.  I was thinking about propagating the difference between a publisher (client) and a responder (server) from the key server to the users of the keys.  This would mean that a server would be able to say - but this message is not authorized to ask me a question, so don't reply (or fail).


>
>> Section 2.2 - must new security parameters be regenerated on each 
>> membership change?
> <MT>
> If the application really requires forward and backward security, yes.
> This is further discussed in the first security consideration of Section 14.
>
> Related, more general aspects about this are discussed in the security considerations of ace-key-groupcomm. In particular, the Group Manager may want to enforce a more relaxed policy than "on each membership change", though making some compromise on the continuity of backward and forward security.
> </MT>
> [JLS] My problem is that I consider the secret key different from the 
> parameters - might be a semantic issue

<MT>
Other than that, the ID Context (Group ID) is also renewed; the Master Salt may be renewed; the used Sender IDs have to remain the same.

Maybe we can have here some of the text on this from the first paragraph of
https://tools.ietf.org/html/draft-ietf-core-oscore-groupcomm-06#section-2.1
</MT>
[JLS] Perhaps we need to have some type of term for the difference between those items which are "static" over time and those items which are "dynamic" over time.  This might also be a difference in what is returned on the issue you raised today in the virtual.

Jim


>
>> Section 2.2. - Does completion of a group rekeying include confirmed 
>> redistribution before the version number is incremented?
> <MT>
> I would say no, but regardless it's something to clarify, possibly already in ace-key-groupcomm .
>
> Having the Group Manager generated and sent out the new keying material is sufficient to also increment the version number.
>
> It is good that the Group Manager can also get confirmation of distribution, mostly for possible individual re-provisioning, possibly up to a maximum number of retries.
>
> Worst case, some group members remain behind, will not be able to retrieve a context or decrypt correctly, and will eventually go to the Group Manager to understand the current status, including the latest version number, and get the latest group key material.
> </MT>
> [JLS] This is how I read the text - please do some clarification

<MT>
Yes, will do.
</MT>

>
>> Section 4.2.1 - I think that we are going to need a discussion on a 
>> couple of issues related to the OSCORE half of how these values are 
>> going to be created.  Pieces of the discussion are: 1. What is the 
>> POP her going to try and prove.  Specifically is timeliness part of 
>> the discussion.  2. What do we do about  token which grants access to 
>> multiple topics.  Is joining the second group considered to be a 
>> re-join rather than an original join for the purposes of this 
>> discussion?  3.  What are the interactions about cached public keys, 
>> when are these ok and how is this communicated to the client as a failure?
> <MT>
> Sure. Some comments on your points for the discussion:
>
> 1. Ultimately the POP is about the owned private key used to sign by the joining node. Building this part of the challenge this way ties the challenge itself with the OSCORE context the two peers have. This is the same construction we have in [1] for building a signature challenge, so probably both documents would likely be affected.
>
> 2. Tokens covering multiple groups/topics are a next thing to define in ace-key-groupcomm. Adapting this challenge-based POP will follow. As a general case, the client wants to use different public keys in different groups, which would mean providing one POP signature for each key. Then, the N_S challenge can be as follows:
>
> --- If the Access Token is posted to /authz-info , the RS returns an array of N_S, i.e. as many as the number X of groups/topics in the 'scope' of the token. Since the client may then upload Y < X public keys (some of which for more than one group), the client should include in the joining request Y signatures, together with the respective used Y N_C nonces and Y N_S nonces of the X provided by the Group Manager.
>
> --- If a TLS exporter is used, 'context_value' has to be non empty, e.g.
> it can include the public key or a hash of it. For simplicity, we may want to have 'context_value' always non empty, i.e. also when only one public key is involved and even in the simple case of one group/topic only.
>
> --- In the OSCORE case, HMAC-Hash may take as 'salt' one more concatenated element, e.g. the public key or a hash of it. For simplicity, we may want to have 'salt' always including this additional element, i.e. also when only one public key is involved and even in the simple case of one group/topic only.
>
> 3. Cached public keys and how to handle them are discussed later in Section 5. If something goes wrong, the joining process fails and the Group Manager sends error responses as described in Section 4.3.
>
>
> [1]
> https://tools.ietf.org/html/draft-tiloca-ace-group-oscore-profile-01#s
> ection-3.1
>
> </MT>
>
>> Section 4.3 - Does it make sense to return a new rsnoce as part of 
>> these errors?
>>
> <MT>
> That's certainly possible, though I am not sure of the advantage, compared to sticking to the first one returned in the response to the Token POST.
> </MT>
> [JLS] depends on the "nonce" quality - that is one time only use.

<MT>
We can make it optional for the server to return a new nonce in the error response.

If received, the client has to use that latest nonce when building the challenge to sign for the new joining request.
</MT>

Best,
/Marco

> Jim
>
>
> --
> Marco Tiloca
> Ph.D., Senior Researcher
>
> RISE Research Institutes of Sweden
> Division ICT
> Isafjordsgatan 22 / Kistagången 16
> SE-164 40 Kista (Sweden)
>
> Phone: +46 (0)70 60 46 501
> https://www.ri.se
>
>
>

--
Marco Tiloca
Ph.D., Senior Researcher

RISE Research Institutes of Sweden
Division ICT
Isafjordsgatan 22 / Kistagången 16
SE-164 40 Kista (Sweden)

Phone: +46 (0)70 60 46 501
https://www.ri.se