Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14

Olaf Bergmann <bergmann@tzi.org> Tue, 02 March 2021 15:21 UTC

Return-Path: <bergmann@tzi.org>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30DE33A1CCC for <ace@ietfa.amsl.com>; Tue, 2 Mar 2021 07:21:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IG7XKB_Uv0uw for <ace@ietfa.amsl.com>; Tue, 2 Mar 2021 07:21:08 -0800 (PST)
Received: from gabriel-vm-2.zfn.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AEB1D3A2941 for <ace@ietf.org>; Tue, 2 Mar 2021 07:20:42 -0800 (PST)
Received: from wangari.tzi.org (p5b36f033.dip0.t-ipconnect.de [91.54.240.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-vm-2.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4Dqgn3703hz107Y; Tue, 2 Mar 2021 16:20:39 +0100 (CET)
From: Olaf Bergmann <bergmann@tzi.org>
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: =?utf-8?Q?G=C3=B6ran?= Selander <goran.selander@ericsson.com>, Olaf Bergmann <bergmann@tzi.org>, Russ Mundy <mundy@tislabs.com>, "ace@ietf.org" <ace@ietf.org>, Stefanie Gerdes <gerdes@tzi.de>, Francesca Palombini <francesca.palombini@ericsson.com>, Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org>
References: <871rdqihww.fsf@wangari> <FD569111-85F8-40A2-8C97-764977309B87@ericsson.com> <CADZyTk=HB26o=mUpUdbYEhfhrGZar+oe28c5PZ2_j-vKYVA6xg@mail.gmail.com> <c6d42d18-f1f3-ec00-fff9-3540fa222d23@tzi.de> <9911269D-AA7F-458C-AA1A-2D59A79C5A00@ericsson.com> <CADZyTkn=3GigtTiihQX0ORYyO0dV0qCfVMtTn37vbsqJuQUJxw@mail.gmail.com> <026242c2-2c6a-485b-cb51-34b2b2d70975@tzi.de> <DM6PR15MB23796DF01885DC7F86C15583E3879@DM6PR15MB2379.namprd15.prod.outlook.com> <6b5368a6-b8ba-81eb-0c10-6a052fcbad67@tzi.de> <DM6PR15MB23798EE51BDED9BB7D0438E3E3869@DM6PR15MB2379.namprd15.prod.outlook.com> <2C5A1AA5-6124-407B-A342-AA367CB6D536@tislabs.com> <DM6PR15MB23799382A92C9B2074B1BF42E3859@DM6PR15MB2379.namprd15.prod.outlook.com> <F6B1D3C5-DE79-42B4-8CEA-620C86EABF4B@ericsson.com> <CADZyTk=y7Zf3Atvt7d5c17KEbnc5CESoOyBsa0TgpMchX4FcPQ@mail.gmail.com> <CADZyTk=gc8ybr5+wQhN0P_Vyz2P+g6TtwWcAGYGbofeMeq0cjQ@mail.gmail.com>
Date: Tue, 02 Mar 2021 16:20:39 +0100
In-Reply-To: <CADZyTk=gc8ybr5+wQhN0P_Vyz2P+g6TtwWcAGYGbofeMeq0cjQ@mail.gmail.com> (Daniel Migault's message of "Tue, 2 Mar 2021 09:27:02 -0500")
Message-ID: <87v9a94m60.fsf@wangari>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/dJTI7zkT6TB2wTz_Xial9SoTNvs>
Subject: Re: [Ace] secdir review of draft-ietf-ace-dtls-authorize-14
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2021 15:21:14 -0000

Hi Daniel,

On 2021-03-02, Daniel Migault <mglt.ietf@gmail.com> wrote:

> This is just a follow-up. I would like to be able to close this issue
> by the end of the week, and so far I have not heard any issues for
> profile mandating a protocol. On the other hand, not mandating a
> specific protocol comes with interoperability issues. So unless more
> feed back is provided, I am currently leaning toward ensuring
> interoperability.
>
> It  would be good for me to hear from the WG and understand what concrete deployment
> issues the two statements below would raise:
>     * OSCORE profile mandating the AS to support OSCORE and have the C <-> AS using
> OSCORE. 
>     * DTLS profile mandating the AS to support DTLS and have the C <-> AS using DTLS. 

I think the major issue is that a client that implements both OSCORE and
DTLS cannot just switch from one mechanism to the other because it must
stick to either one or the other. This also raises the question what
happens if an AS is contacted by the client via OSCORE but the RS only
supports DTLS: Is the client allowed to switch from OSCORE to DTLS if
the AS says so?

Another aspect is that we would need to add another specification if a
client implementing the DTLS profile wants to contact the AS via TLS. As
CoAP over TLS is well-defined, this would not make any difference
regarding the security or the handling in the application, but mandating
DTLS in the profile would currently preclude the use of TLS.

Grüße
Olaf