[Ace] AD review of draft-ietf-ace-oscore-gm-admin-13
Paul Wouters <paul.wouters@aiven.io> Wed, 01 October 2025 02:47 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: ace@mail2.ietf.org
Delivered-To: ace@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id EB3CE6B96DF3 for <ace@mail2.ietf.org>; Tue, 30 Sep 2025 19:47:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4nyldaRb6D-e for <ace@mail2.ietf.org>; Tue, 30 Sep 2025 19:47:12 -0700 (PDT)
Received: from mail-ej1-x62c.google.com (mail-ej1-x62c.google.com [IPv6:2a00:1450:4864:20::62c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 7F25B6B96DE8 for <ace@ietf.org>; Tue, 30 Sep 2025 19:47:12 -0700 (PDT)
Received: by mail-ej1-x62c.google.com with SMTP id a640c23a62f3a-b3d196b7eeeso587168166b.0 for <ace@ietf.org>; Tue, 30 Sep 2025 19:47:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1759286831; x=1759891631; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=l27qTeSJr4TRC7YZGDX4G+hDtEkSXajoFD0TywZqvP8=; b=cJRaiGirxLi3+e6gqkB42lXGVbX3Nr4FAnJrdjOMqRLabQeBi+c02PVy3xH5ynYY7r Q5iBh0ZkZEY0z8rdgNLgnxC64UODwOjIS6k0a3kiT/OoPugaJpHbjNPwV4SbUH0GQWSe 8nYFp5c8Ua9/5JofwH2SaA16ob34FwDd6GK8U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1759286831; x=1759891631; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=l27qTeSJr4TRC7YZGDX4G+hDtEkSXajoFD0TywZqvP8=; b=kt9SBZuyO83xElj7AorvB7/LdUPRr1HOhPKUX12ZWsWPsZS4Y/1hIOdTkt3pZKFu0L k9GGi/pUgHmNEHgHpg0HCcUUtM52N0ZJPEqGtUpkSW8GYZtHhoXd8yO+hMhdqSF+2Byn sg4PpbD5RCgL56kwMCrDI5CgHBebWHi1N6Tp2ofzjZb7/G5KDY+LtFTrsHwzdfkAEtn0 fcnUpnTXnaHd4M2NIC77H3lmZ3bXMT/leYbkimS8NZqEAeFWRFvyZrJLBF+JiDpm29ci EbpQyCydzd9wFO2QlU/qA/fNGMM61lWdHhFDj2h4eGC2apd1I9WCFWDwpjg6AR9aXMzm axaA==
X-Gm-Message-State: AOJu0YwHA45IIFPuMi6uvQqBgOMf6Ff8IbemC08SP5OB8o6GvQmK5cVi uBBrSgDe9iDXn76QBUeHCTMOGzefjmQkO1j4c1jn3AfSKXBuD9pG85dkgwKqO6TsgCbwyDKpRLG zNcsn3/z+Z0DGX6EjSbALBEsRldEn8pb2l8uMOWqpwZFWQ5r05zP+AtzUjw==
X-Gm-Gg: ASbGncv3g5ZTESXNNNC2Oa1CrRzE3APkOPl8EW2f9V8qQLClwqIGXiiv6tK1hoinFCm jxDc8cIEvrR8CoGjy6CDB/sngwAVZoPmg0W86ZDT4z73ysvwfrTBw3qkuPsI7sru0p93XIovFQ7 wwPGXXBKf0LVjFPT/jcW5sGm3v5se1kFyqCO1Ejuy1Oos+3wIAwvu1hotDVtsP5crJF5UGH+VgX RqXUyh3yONwtsDTRxu38Bkv61DW5A==
X-Google-Smtp-Source: AGHT+IFlJNb3Op5LChNLOL2r5SB0kyJE0v4Xxj2F9Py9gJcoUlcfbXWxkjfP2ogG7lnErMC47we0ycz37QV6unVK7RM=
X-Received: by 2002:a17:907:3d94:b0:b3f:f66b:268a with SMTP id a640c23a62f3a-b46e30e957amr213007066b.19.1759286831256; Tue, 30 Sep 2025 19:47:11 -0700 (PDT)
MIME-Version: 1.0
From: Paul Wouters <paul.wouters@aiven.io>
Date: Tue, 30 Sep 2025 22:47:00 -0400
X-Gm-Features: AS18NWAKJyLC9essx1W7TUOxptMjbVY-J7BhwY3Hz963jwaMBZuW__im--RPN_w
Message-ID: <CAGL5yWbyVV-bCOn7XHmNHt_9LpRszPUQ6ZB3nuBs8=gqhSWd3Q@mail.gmail.com>
To: Ace Wg <ace@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a30b6206400fe2dd"
Message-ID-Hash: FCUGROG27VNWX2THHSRYLBIH4QU6TBXC
X-Message-ID-Hash: FCUGROG27VNWX2THHSRYLBIH4QU6TBXC
X-MailFrom: paul.wouters@aiven.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ace.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [Ace] AD review of draft-ietf-ace-oscore-gm-admin-13
List-Id: "Authentication and Authorization for Constrained Environments (ace)" <ace.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/_vuImZK7vlnIRB-m4F3XnGT8Jxw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Owner: <mailto:ace-owner@ietf.org>
List-Post: <mailto:ace@ietf.org>
List-Subscribe: <mailto:ace-join@ietf.org>
List-Unsubscribe: <mailto:ace-leave@ietf.org>
AD review of draft-ietf-ace-oscore-gm-admin-13
Thanks for this document. All in all it is very clear.
I do have some questions and comments/nits:
TLS version
this can rely on DTLS [RFC9147] as per [RFC9202]
Does this mean it requires DTLS 1.3, or is DTLS 1.2 allowed? Should this
be made more explicit?
Default values and their use
While the defaults use RECOMMENDED, things like Section 6.6 state the
value from defaults MUST be used. It is a little unclear to me what
this means when the RECOMMENDED value was not used. Should it use the
different value or the RECOMMENDED to comply to the MUST ?
Fix reference on draft-amsuess-core-cachable-oscore
det_hash_alg refers to draft-amsuess-core-cachable-oscore but this should
be draft-ietf-core-cacheable-oscore.
default values
This section defines the default values that the Group Manager
uses for the configuration and status parameters.
But the next sentence says these are the RECOMMENDED values. So perhaps it
should say that here too?
Section 6.6.1
Why is this listed here? Isn't this regular operation unrelated to this
document?
Section 6.6.2
6.6.2 also repeats this text:
If the value of the status parameter 'active' is changed from true
(0xf5) to false (0xf4):
The Group Manager MUST stop accepting requests for new individual
keying material from current group members
Should this not read that the group members MUST stop sending requests ?
If not, why is this text repeated from 6.6.1? Note that it does say so
in the second bullet point:
* Every group member, upon learning that the OSCORE group has
been deactivated (i.e., 'active' has value false (0xf4)), SHOULD
stop communicating in the group.
then:
Every group member, upon learning that the OSCORE group has
been reactivated (i.e., 'active' has value true (0xf5) again),
can resume communicating in the group.
Am I correct in that group members "learn" this via the pairwise connection
with the GNM by requesting a LIST command filtered by Active state?
Section 6.8
Otherwise, the Group Manager continues processing the request,
I am not sure where this "Otherwise" comes from. Eg if "otherwise" is the
"else" part, what was the "if" part? What part of the processing was done
before this statement was reached?
I wonder if [I-D.amsuess-core-cachable-oscore] should be normative?
[I-D.tiloca-core-oscore-discovery] is definitly normative.
RFC9176 is probably normative too
NITS:
The Constrained Application Protocol (CoAP) [RFC7252] can also
be used for group communication [I-D.ietf-core-groupcomm-bis],
where messages are exchanged between members of a group
I would remove "also" and the comma before "where.
as well as how it should be configured and later on updated
or deleted, e.g., based on the current application state or
pre-installed policies
I had to read this a few times.. how abour "and later on how it should
be updated or deleted"
and is poorly flexible
and is not very flexible.
- [Ace] AD review of draft-ietf-ace-oscore-gm-admin… Paul Wouters