Re: [Ace] second AD evaluation of draft-ietf-ace-mqtt-tls-profile-13
Cigdem Sengul <cigdem.sengul@gmail.com> Wed, 15 December 2021 20:33 UTC
Return-Path: <cigdem.sengul@gmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id AA9593A0E29;
Wed, 15 Dec 2021 12:33:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 8psj4RONjI4p; Wed, 15 Dec 2021 12:33:50 -0800 (PST)
Received: from mail-vk1-xa2c.google.com (mail-vk1-xa2c.google.com
[IPv6:2607:f8b0:4864:20::a2c])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id B80A13A0E28;
Wed, 15 Dec 2021 12:33:49 -0800 (PST)
Received: by mail-vk1-xa2c.google.com with SMTP id m200so390577vka.6;
Wed, 15 Dec 2021 12:33:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=jSbFZt9n8m/GCodA9j3zppFm5pcH0UJiVwpbr7kNXq0=;
b=Bq5JmRJiVHwRUuKDBkfSaQAut5dJdwUkVAQXwGQkgxrpwH7n+v1f7XJWH1APDrzX7L
x68eG+eWO2xF3hODHPdeiab8pArQ0hyUOGMRi1z9lRaX31DmF+TWSpiALsX9eMV1ykxv
4qcajBXEnmI7xXSvvb3bG8lM7/vffKiTo6cXX5A3fOIXchshUmdocRM5r9tMw01ElCQc
Y6bC6eQokqVpbdmrZx68S0b0wrnQpJmk2/9W21CTzB8+9Vr8B0gqvlPm5HGdyL8pT3hP
k2iONFWpW2vrXKgj73BiE+Z7fz+cMLzl3+OaPwGYLpEbpN+uC14ax24FcOVjmhPeaTLr
HAzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=jSbFZt9n8m/GCodA9j3zppFm5pcH0UJiVwpbr7kNXq0=;
b=uMoqi5CSCMnVDUsJfYY/FhSZ77ZINCHui6neet5deVKO3bzbeZktyOw0aTb/dlW9fk
6TnkkYURhS3zIHRMtgUBIxtSFdVDFTfTtJ8Dw2bsmTAUCGaN7Qxm+0GtEj+fneJD291f
+ix9TSu/jKL7QPKY1lWfv244NLja0kC8btO7CoF5E+rHccwi3DZxbVM9id/VFwUs3mqW
U9JZjGlH/uR9UZwMlZxdcq1H9T2CUkybZmHVcTkxogklPZVzLZ8LsIl5O68+nYGvM5w1
Te517102bObJ6H++GGsD/SdDob9t3JY03DvhztwPpNIGdU/DWv7xe5Hz71D0GCQ2TGZ7
JiCw==
X-Gm-Message-State: AOAM533+kyltFJ/iPrylCq6NRYSfgn9AfYPKvCRdJ1tcQq9Wirx3TQzz
B1CFnuRAeyrmqCYIxyNUFFIpEWUjbKSIBiIG2wQSz5uEdZE=
X-Google-Smtp-Source: ABdhPJxKryNk5HzqSCZfvyz7mXn/l8+/O2BbBfLbJYLwlUU3+Z05nWAAPu5/JJbRL85bVPvtz7Ya7wDRijkhErRM7P4=
X-Received: by 2002:a05:6122:99b:: with SMTP id
g27mr5070538vkd.14.1639600427472;
Wed, 15 Dec 2021 12:33:47 -0800 (PST)
MIME-Version: 1.0
References: <20211207202711.GQ11486@kduck.mit.edu>
In-Reply-To: <20211207202711.GQ11486@kduck.mit.edu>
From: Cigdem Sengul <cigdem.sengul@gmail.com>
Date: Wed, 15 Dec 2021 20:33:43 +0000
Message-ID: <CAA7SwCPkYVuVXTpdzS2+v=NLV5XwKozefeTWbK3HiQ711MYfig@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: draft-ietf-ace-mqtt-tls-profile.all@ietf.org, Ace Wg <ace@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000d9b8205d3353986"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/b3thEoZGMBCJFE5eEyyAF7_kUks>
Subject: Re: [Ace] second AD evaluation of draft-ietf-ace-mqtt-tls-profile-13
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments
\(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>,
<mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>,
<mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Dec 2021 20:33:55 -0000
Hello Ben, Thank you for your Pull request. I have asked for clarifications in the following. On Tue, Dec 7, 2021 at 8:27 PM Benjamin Kaduk <kaduk@mit.edu> wrote: > Hi all, > > As promised, here are my comments on the -13. > > > I put some text to this effect in my pull request > (https://github.com/ace-wg/mqtt-tls-profile/pull/96), but technically > RFC 7250 allows independent negotiation of the client using a RPK and > the server using a RPK, but our text is written as if it's > all-or-nothing. We can probably just make that an assumption of how we > work and not have to go into detail about how a mixed mode would work. > > [CS: Yes, that's the assumption made "If the Client authentication uses TLS:Known(RPK/PSK), then the Broker is authenticated using the respective method. Otherwise, to authenticate the Broker, the client MUST validate a public key from a X.509 certificate or an RPK from the Broker against the 'rs_cnf' parameter in the token response." Thank you for the suggested text in the pull request. > Section 1 > > > Publish requests from the Clients to the Broker and from the Broker to > > the Clients > > I'm not entirely sure how much we say about the second half specifically > -- do we need to keep that in? > [CS: We do cover that in section 3.2 - the Broker needs to check all subscribing clients to the topic are still authorised.] > > Section 2.2.3.2 > > The procedures we list here only make sense for TLS 1.3 > If we wanted to support TLS 1.2 with them we'd need to note that a PSK > ciphersuite is needed and how to populate the PSK identity in the > ClientKeyExchange, and reference RFC 4279. I put some text in my PR > that qualifies this scenario as being TLS 1.3-only on the basis that we > don't need to go to so much effort to support TLS 1.2+PSK. > > [Making ietf-ace-dtls-authorise normative, and explaining the extent that profile applies (now that there is a short extension draft for TLS use), could we rely on the text for 3.3.2 psk identity field, and the recommended cipher suite?] > Section 2.2.4 > > Figure 7 and its adjacent prose shows the client nonce as variable > length (or at least, explicit length with no mention of being constant), > but Figure 8 shows the client nonce as fixed length (8 bytes). > > [CS: True. Will revise. We went back and forth variable=length nonce vs fixed length nonce in the group discussions. It ended up being fixed-length nonce for the Broker challenge, and variable-length for Client challenge. I suggest to have both fixed or both variable? The argument for 8 bytes was that it was sufficient as it's a time-bound request/response] > Section 2.3 > > We say that the JWT scope value is a single value with internal > structure as a JSON array, but I think we have to interpret that in the > context of RFC 6749's definition of scope as a list of space-delimted > case-sensitive strings. That is, in the formal grammar, the "scope" > parameter value is a single string, and any internal spaces in it are > delimters between the individual scope values. So, we need to make our > JWT scope value fit into the expected shape, which in particular means > we need to be encoded as a string with no internal spaces. However, > MQTT does allow spaces in topic names, so the naive formulation of > encoding the JSON object as a string would artificially limit what > topics we can authorize the use of. If we stick with using the "scope" > like this, we may find ourselves needing to do some percent- or base64- > encoding of the JSON array to produce a usable scope value...but we > could also consider something more drastic and switch to using the OAuth > "Rich Authorization Requests" > (https://datatracker.ietf.org/doc/draft-ietf-oauth-rar/) that defines a > new "authorization_details" parameter that is like scope but allows a > much richer structure. My understanding is that, while use of > structured "scope" like we propose is regularly observed in the wild, > OAuth purists really don't like it, since it's not what scope was > intended to be about. > > (Also, the example in Figure 10 does include spaces in it.) > [CS: That's right. I lean towards encoding JSON array base64. It's because I understand in RAR, we need to format the "authorization_details" using the authorization data elements defined in that draft. I feel, with AIF-MQTT, we have the sufficient detail for MQTT permissions on topic filters.] > Section 5 > > Apparently I didn't comment on it the first time I read this, but it's > very interesting to say that the Broker "MUST continue publishing the > retained messages **as long as the associated tokens are valid**" > (emphasis mine). That seems to imply a model where the authorization > check happens at the Broker->consumer leg, in addition to (or instead > of?) at the publisher->Broker leg. To some extent the right behavior > here depends on what one uses as the definition for "publishing" > something, but this does set us up for a scenario where a retained > message will disappear after some amount of time. That seems to be a > divergence from stock MQTT, and in some sense also from what we've > specified for Will messages, so if we're going to keep it, I think we > should mention in the security considerations that performing > authorization checks in this way will result in future new subscribers > not receiving a retain message that was valid when originally sent. > If, on the other hand, this "as long as the associated tokens are valid" > refers to the tokens of the subscribers, that would be a less surprising > situation, but still merit some clarification. > [Yes, I will clarify. We have considered the will messages different as once accepting the CONNECT with a Will, the Broker agrees to send that message on an unexpected disconnection. We assumed for any other "publication" (including retained wills) the publisher should still be authorised to send that message, and the subscribers should still be authorised to receive those messages. When a subscriber subscribes to a topic filter, where there are retained messages, according to subscription options for retained messages, we expect the broker would publish some messages. For that, we assumed it would do a check for those retained messages to see if they are still OK to publish. The other option was that broker does not allow retained messages and signal that in connack setting RETAIN AVAILABLE to 0. That could be cleaner but more restrictive. We thought in constrained scenarios, a client may choose to briefly connect, publish with retain 1 e.g., their sensor state, and then disconnect, expecting the broker to publish that info to any new subscriber. However, we did not want to allow a scenario a publisher client connects, publish a message with RETAIN 1, disconnects, and never shows up again. In this case, we felt the broker should not continue publishing indefinitely, especially when the token of the publisher expires. The MQTT draft says this with regards to RETAIN messages. "If the Server receives a PUBLISH packet with the RETAIN flag set to 1, and QoS 0 it SHOULD store the new QoS 0 message as the new retained message for that topic, but MAY choose to discard it at any time. If this happens there will be no retained message for that topic." "If the current retained message for a Topic expires, it is discarded and there will be no retained message for that topic." So, I assume for QoS>1, the message expiry interval would dictate how long the retained message is kept; if it is not set, it should be kept indefinitely. This would be something we would like to avoid. In the draft, we do deviate from MQTT, where the server MUST forward the publications to all matching subscriptions i.e., the Server does not always forward a publication message if the publication is not authorised or the subscriber is not authorised. So, we considered having an authorisation policy on retained messages in the same vain. ] > > Appendix A > > It looks like the template doesn't actually have a "Content format" line > in it, so I'm not sure if we need to keep that in here. > > [+1] Thanks again. Kind regards, -Cigdem
- [Ace] second AD evaluation of draft-ietf-ace-mqtt… Benjamin Kaduk
- Re: [Ace] second AD evaluation of draft-ietf-ace-… Cigdem Sengul
- Re: [Ace] second AD evaluation of draft-ietf-ace-… Benjamin Kaduk