Re: [Ace] Francesca Palombini's Yes on draft-ietf-ace-dtls-authorize-16: (with COMMENT)

Olaf Bergmann <> Tue, 08 June 2021 09:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 284663A2ACF; Tue, 8 Jun 2021 02:59:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_FAIL=0.001, SPF_HELO_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id W2qQnm2QHEr8; Tue, 8 Jun 2021 02:59:11 -0700 (PDT)
Received: from ( [IPv6:2001:638:708:32::19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 36CFA3A2AD2; Tue, 8 Jun 2021 02:59:11 -0700 (PDT)
Received: from ( []) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPSA id 4Fzm0q1S9Bz2xD0; Tue, 8 Jun 2021 11:59:07 +0200 (CEST)
From: Olaf Bergmann <>
To: Francesca Palombini <>
Cc: Stefanie Gerdes <>, The IESG <>, "" <>, "" <>, "" <>
References: <> <> <871r9smnad.fsf@wangari> <>
Date: Tue, 08 Jun 2021 11:59:06 +0200
In-Reply-To: <> (Francesca Palombini's message of "Tue, 8 Jun 2021 09:33:28 +0000")
Message-ID: <87k0n4fzit.fsf@wangari>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [Ace] Francesca Palombini's Yes on draft-ietf-ace-dtls-authorize-16: (with COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 08 Jun 2021 09:59:17 -0000

Hi Francesca,

On 2021-06-08, Francesca Palombini <> wrote:

> My turn to apologize for the late reply :) I went through the comment
> again and I believe I must have misread something. I am ok with the
> current text, or the previous one as well, if you'd rather not add
> this sentence.

Thanks for the followup — we have kept the new text in version -18.

> I do have one additional comment, which came out while looking this over again - about the following text:
>    correct public key in the DTLS handshake.  If the authorization
>    server has specified a "cnf" field in the access token response, the
>    client MUST use this key.  Otherwise, the client MUST use the public
> The access token is opaque to the client (as defined the ace
> framework), so the client is not necessarily able to read and extract
> the key it is supposed to use from it. If I am not mistaken, the
> correct way for the AS to tell the client what key to use would be to
> use the "cnf" field defined in Section 3.2 of oauth-params.

You are correct. That is basically what this text says (= if the AS has
provided the cnf in its response, the client has to use it).