[Ace] Planned updates to draft-ace-key-groupcomm

Marco Tiloca <marco.tiloca@ri.se> Fri, 29 July 2022 16:21 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/cWlidk1FS8h00HSkzgubk_LJ0kI>

Hello ACE,

Following some discussions in the past months, I was planning to make 
two non-invasive changes to draft-ace-key-groupcomm-15 [ACE-KG], which 
is currently in AD Review.

After giving a heads-up to Daniel and Paul at IETF 114, this mail is to 
check with the Working Group whether there are objections to making the 
changes.

---

UPDATE 1

Following IETF 113, there was a proposal from Christian about updating 
Section 7 "Extended Scope Format" of [ACE-KG]. The defined approach is 
optional to use, it signals the semantics of a binary-encoded "scope" 
claim of an access token, and is referred to in the documents 
[ACE-KGO] and [ACE-ADMIN].

The result of the change, also proposed in [GH-ISSUE], would be a 
simpler and more efficient signaling of the scope semantics. In turn, it 
automatically takes advantage of the work done in CBOR at [CBOR-FM].

Question: is there any objection to updating Section 7 of [ACE-KG], 
based on the proposal at [GH-ISSUE]?

---

UPDATE 2

At IETF 113, it was discussed that the "scope" claim of the same access 
token could specify, at the same time, both: i) scope entries related to 
roles of members in an OSCORE group, as per [ACE-KGO]; and ii) scope 
entries related to admin permissions for Administrators of OSCORE groups, 
as per [ACE-ADMIN].

Following that discussion and in order to make things simpler, a single 
AIF data model "AIF-OSCORE-GROUPCOMM" is now defined in Section 3 of 
[ACE-KGO]. This still builds on the general requirements from Section 
3.1 of [ACE-KG], and primarily serves what is specified in [ACE-KGO].

Then, the same AIF data model is extended in Section 3 of [ACE-ADMIN] to 
serve what is specified therein. That is, in each Administrator scope 
entry <Toid, Tperm>, Toid indicates a pattern of group names, while 
Tperm indicates admin permissions on groups whose name matches the 
pattern. In particular, Toid can be: i) the CBOR Simple Value "true", 
used as a wildcard, also part of a suggestion from Ben at IETF 113 
[ACE-113]; ii) a CBOR text string specifying a literal group name; iii) 
a tagged CBOR item specifying a complex pattern of group names, with the 
CBOR tag indicating the pattern semantics (e.g., a regular expression 
provided by a text string).

With the above background in mind, the small update for [ACE-KG] would 
be in its Section 3.1, about having consistent general requirements when 
using AIF. The requirements currently mandate "Toid" to always be 
a CBOR text string, while in fact "Toid" is only _often_ a CBOR text 
string (also highlighted by Ben at IETF 113 [ACE-113]). The change can 
simply mandate the use of exactly a CBOR text string only for scope 
entries related to group members, i.e.:

OLD:
If the AIF format is used, each scope entry is encoded as specified in 
[I-D.ietf-ace-aif]. The object identifier "Toid" corresponds to the 
group name and MUST be encoded as a CBOR text string. The permission set 
"Tperm" indicates the roles that the Client wishes to take in the group.

NEW:
If the AIF format is used, each scope entry is encoded as per 
[I-D.ietf-ace-aif], according to the used AIF specific data model. If a 
scope entry expresses a set of roles to take in a group as per this 
document, the object identifier "Toid" specifies the group name and MUST 
be encoded as a CBOR text string, while the permission set "Tperm" 
specifies the roles that the Client wishes to take in the group.

Question: is there any objection to updating Section 3.1 of [ACE-KG] as above?

---

Reminder: there are also some minor, editorial changes that are pending, 
as already mentioned at point 1 of [MAIL] and during the IETF 113 
presentation of [ACE-KGO]. These updates are about consistently aligning 
terminology and parameter names, as triggered by the WGLC review of 
[ACE-KGO] at [REVIEW] and by the latest updates to the CoRE document 
[GROUP-OSCORE].

I can certainly process these small pending changes together with the 
two main ones above.


Thanks,
/Marco


[ACE-KG] 
https://datatracker.ietf.org/doc/html/draft-ietf-ace-key-groupcomm-15

[ACE-KGO] 
https://datatracker.ietf.org/doc/draft-ietf-ace-key-groupcomm-oscore/

[ACE-ADMIN] https://datatracker.ietf.org/doc/draft-ietf-ace-oscore-gm-admin/

[GH-ISSUE] https://github.com/ace-wg/ace-key-groupcomm/issues/144

[CBOR-FM] https://datatracker.ietf.org/doc/draft-ietf-cbor-file-magic/

[ACE-113] https://notes.ietf.org/notes-ietf-113-ace?both

[MAIL] 
https://mailarchive.ietf.org/arch/msg/ace/wBpceZW1qT1YYICzECnKqvdwQb8/

[REVIEW] 
https://mailarchive.ietf.org/arch/msg/ace/SIB_rte0orqkvDEtTAw-1F7Cdzo/

[GROUP-OSCORE] 
https://datatracker.ietf.org/doc/draft-ietf-core-oscore-groupcomm/

-- 
Marco Tiloca
Ph.D., Senior Researcher

Phone: +46 (0)70 60 46 501

RISE Research Institutes of Sweden AB
Box 1263
164 29 Kista (Sweden)

Division: Digital Systems
Department: Computer Science
Unit: Cybersecurity

https://www.ri.se
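The Toid rules discussed under UPDATE 2, as an added example that is not part of the original e-mail nor code from the ACE drafts: AIF scope entries [Toid, Tperm] are encoded in CBOR, a group-member entry is checked against the NEW Section 3.1 text (Toid MUST be a text string), and an Administrator scope is matched against a group name with Toid being the wildcard "true", a literal name, or a tagged pattern. Assumptions, labelled as such in the code: the role and permission bit values are hypothetical; the pattern is carried in CBOR tag 35 (the IANA-registered regular-expression tag), a choice the e-mail does not make; and a minimal CBOR encoder/decoder for just the needed subset is inlined so the example runs without an external library.

```python
import re
from dataclasses import dataclass

# Assumption: tag number used to mark "Toid is a pattern of group names".
# 35 is the IANA-registered CBOR tag for a regular expression; the drafts
# discussed in the e-mail do not fix a tag number.
REGEX_TAG = 35


@dataclass(frozen=True)
class Tag:
    """A tagged CBOR data item (major type 6)."""
    number: int
    value: object


def _head(major, n):
    """Initial byte plus argument bytes for an unsigned argument n."""
    if n < 24:
        return bytes([major << 5 | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | ai]) + n.to_bytes(size, "big")
    raise ValueError("argument too large")


def encode(v):
    """Encode the CBOR subset needed for scope entries (true/false, uint, tstr, array, tag)."""
    if v is True:
        return b"\xf5"
    if v is False:
        return b"\xf4"
    if isinstance(v, int) and v >= 0:
        return _head(0, v)
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(encode(x) for x in v)
    if isinstance(v, Tag):
        return _head(6, v.number) + encode(v.value)
    raise TypeError(f"unsupported value: {v!r}")


def decode(data, pos=0):
    """Decode one item at pos and return (value, next_pos); same subset as encode()."""
    ib = data[pos]
    major, ai = ib >> 5, ib & 0x1F
    pos += 1
    if major == 7:  # simple values: only false (20) and true (21) are needed
        if ai in (20, 21):
            return ai == 21, pos
        raise ValueError("unsupported simple value")
    if ai < 24:
        n = ai
    elif ai <= 27:
        size = 1 << (ai - 24)
        n = int.from_bytes(data[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("indefinite-length items not supported")
    if major == 0:
        return n, pos
    if major == 3:
        return data[pos:pos + n].decode("utf-8"), pos + n
    if major == 4:
        items = []
        for _ in range(n):
            item, pos = decode(data, pos)
            items.append(item)
        return items, pos
    if major == 6:
        inner, pos = decode(data, pos)
        return Tag(n, inner), pos
    raise ValueError(f"unsupported major type {major}")


def check_member_entry(entry):
    """NEW Section 3.1 text: a roles-in-a-group entry MUST carry a text-string Toid."""
    if not (isinstance(entry, list) and len(entry) == 2):
        raise ValueError("scope entry must be a 2-element array [Toid, Tperm]")
    toid, tperm = entry
    if not isinstance(toid, str):
        raise ValueError("member entry: Toid MUST be a CBOR text string")
    if isinstance(tperm, bool) or not isinstance(tperm, int) or tperm < 0:
        raise ValueError("Tperm must be an unsigned integer")
    return toid, tperm


def member_entry_ok(entry):
    """True if the entry passes check_member_entry(), False otherwise."""
    try:
        check_member_entry(entry)
        return True
    except ValueError:
        return False


def admin_matcher(toid):
    """Administrator Toid: wildcard true, literal group name, or tagged pattern."""
    if toid is True:
        return lambda name: True
    if isinstance(toid, str):
        return lambda name: name == toid
    if isinstance(toid, Tag) and toid.number == REGEX_TAG and isinstance(toid.value, str):
        rx = re.compile(toid.value)
        return lambda name: rx.fullmatch(name) is not None
    raise ValueError(f"admin entry: unsupported Toid {toid!r}")


def admin_permissions(scope_cbor, group_name):
    """Decode an Administrator scope and OR the Tperm of every entry covering group_name."""
    scope, _ = decode(scope_cbor)
    perms = 0
    for toid, tperm in scope:
        if admin_matcher(toid)(group_name):
            perms |= tperm
    return perms


# Constructed sample data; the bit assignments are hypothetical, not the drafts'.
ROLE_REQUESTER, ROLE_RESPONDER = 1, 2
PERM_LIST, PERM_CREATE, PERM_DELETE = 1, 2, 4
MEMBER_SCOPE = [["feedca570000", ROLE_REQUESTER | ROLE_RESPONDER]]
ADMIN_SCOPE = [
    [True, PERM_LIST],                             # wildcard: every group
    ["feedca570000", PERM_DELETE],                 # literal group name
    [Tag(REGEX_TAG, r"grp-[0-9]+"), PERM_CREATE],  # tagged pattern of names
]
```

Running encode(MEMBER_SCOPE) yields the 16-byte array 81 82 6c ... 03; the same decoder accepts the Administrator scope, whose first and third entries would be rejected by check_member_entry(), which is exactly the distinction the proposed Section 3.1 wording draws between member entries and other AIF data models.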