Re: [Ace] [Emu] New Version Notification for draft-ietf-ace-wg-coap-eap-04.txt
Dan Garcia Carrillo <garciadan@uniovi.es> Fri, 26 November 2021 09:05 UTC
Return-Path: <garciadan@uniovi.es>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88EB93A0C3E; Fri, 26 Nov 2021 01:05:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.751
X-Spam-Level:
X-Spam-Status: No, score=-3.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-1.852, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=unioviedo.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rPuCHA0uN6FZ; Fri, 26 Nov 2021 01:04:58 -0800 (PST)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130043.outbound.protection.outlook.com [40.107.13.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F041E3A0C41; Fri, 26 Nov 2021 01:04:56 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RoUOy18HPnIubtHxF2zV6LW9E58aq/DHgbeTpcdPlYKNIJBm/ajR2aPqc3vIyFwCpRfEz0+iJWP2ZP/8WJVN3BsysDf0MUCpp0ojzIN6iUL52XL9VOmKMttlNBGL7Lqaw7JN0vM66emp23nkJSlO3DMblZBv7Teppo5wR3fEjVmHdSjIS/8wo1QNJkOYTGuPFEmmsbsgL8cQpfpAxhD/eBEbNaLQnbZQxBlRDJy/mUzj+kO6VMdvrgJcMd9fCBMYAwW9gBWqRLLFFVWNl3A/WcZIqUGJOloxCLZu+ts4PvWua5lSKqd+SSYRtY2xq2acz68PG4ZSEgmv+G9oSf0taQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=PSgg0I2qa2KtUpROV3z/LQnfHw2WQ2gBynBlvoqYBmE=; b=aqmnoynBlErMnVS/DlAoDSFGTXmWskzT/sJikfN1kMlKkX8fdle5idA0a/31hbw/a0gNLVSWy2fHKQhOs4ohVdQoObpU81aJHNwHf1aKlmxddTwNN83zoQ63+4DbrFTju/BFCPUQJPeOxRiucSVuQ8IUAQLmdizt+EAuqDfYBR8IreS2Mas/NxJ3a1xRvTySuKQy4nkcZVlniyTEnHKCYQJ6RB8VJPTey/2hqFSkwcP2Km8pr7p0F0kPBJMUH9Y7P0xcBonOtBvxIMF6y4q6ya5Bq/fe6RSXYB7lglDSv2sup+z5uo4Q4SNKpN0zEHZ3rQc1g6VbNpN6cSbCsPmy/A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uniovi.es; dmarc=pass action=none header.from=uniovi.es; dkim=pass header.d=uniovi.es; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unioviedo.onmicrosoft.com; s=selector2-unioviedo-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PSgg0I2qa2KtUpROV3z/LQnfHw2WQ2gBynBlvoqYBmE=; b=cM3pK+d4IeEdKjHYM02K+xM1oooJWNCXJIv7pZAIKM7wzR1tDM0UlkPY2XdImG0Uy5yKrVn56Uux0cqfIsqGSqbYcx8lF1CyReKRoV5SiKOEkBO/Sg2MgVH6WeinXZ/P8s7WcJs1gFZbPuHMAnuB8bLm6amAO6Fk8pNpAmwGakc=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=uniovi.es;
Received: from DBBPR08MB6202.eurprd08.prod.outlook.com (2603:10a6:10:209::9) by DBBPR08MB4283.eurprd08.prod.outlook.com (2603:10a6:10:c3::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4734.22; Fri, 26 Nov 2021 09:04:52 +0000
Received: from DBBPR08MB6202.eurprd08.prod.outlook.com ([fe80::1434:d823:a6b5:6f50]) by DBBPR08MB6202.eurprd08.prod.outlook.com ([fe80::1434:d823:a6b5:6f50%7]) with mapi id 15.20.4713.027; Fri, 26 Nov 2021 09:04:52 +0000
Content-Type: multipart/alternative; boundary="------------WN9HLnoRfRw0LbN5nsax5tgr"
Message-ID: <0f93f791-6861-f5d3-d215-27b130790e97@uniovi.es>
Date: Fri, 26 Nov 2021 10:04:50 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.3.2
Cc: garciadan@uniovi.es
To: Göran Selander <goran.selander@ericsson.com>, "ace@ietf.org" <ace@ietf.org>, EMU WG <emu@ietf.org>
References: <163516103436.11405.13911066633297545379@ietfa.amsl.com> <bc792146-39c4-73a3-63e2-7db7acf7aa2f@uniovi.es> <HE1PR0701MB3050A49DC2D32180B2831D6889839@HE1PR0701MB3050.eurprd07.prod.outlook.com> <AM4PR0701MB219545F3A90E17FD18844F13F4629@AM4PR0701MB2195.eurprd07.prod.outlook.com>
From: Dan Garcia Carrillo <garciadan@uniovi.es>
In-Reply-To: <AM4PR0701MB219545F3A90E17FD18844F13F4629@AM4PR0701MB2195.eurprd07.prod.outlook.com>
X-ClientProxiedBy: LO2P265CA0160.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:9::28) To DBBPR08MB6202.eurprd08.prod.outlook.com (2603:10a6:10:209::9)
MIME-Version: 1.0
Received: from [IPV6:2a0c:5a80:3c13:f000:589f:2891:1b30:6314] (2a0c:5a80:3c13:f000:589f:2891:1b30:6314) by LO2P265CA0160.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:9::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4734.22 via Frontend Transport; Fri, 26 Nov 2021 09:04:51 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 731ea258-0332-4c28-98b6-08d9b0bbce89
X-MS-TrafficTypeDiagnostic: DBBPR08MB4283:
X-Microsoft-Antispam-PRVS: <DBBPR08MB4283EA59E91570DBDFEA703FB4639@DBBPR08MB4283.eurprd08.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: npXNN9998OsaQyjhoFEjqiUJcw3uJOzct4ttewlxoy/rQOVEkRivEqG4XDnX92QjloP2V+AC9hQEBRSwNdvsBBRzQ2HNHTvfEo1hbNDIdbqbLC4FwjRlURszRMbToqr0YbiQ9OZ9PQ2vJFFKvSrwnfvHsufRSKCkwhRMlWsy3l9lydWF1nyn9vqPHKumoT0r71TTCSuNHlOevY9q6Cfg39q8jltNPJWTD+DbNcQ2YP27rRez4rVvwATekHJlPOIG3ET7hGqzVJtFx+b7cTe6LFO9jibvKCeIbX2DrH2DhY6FRnIA2e+qMMMgZJgQpE4qkRhFfX2Uht7PoivodFAjVGOxzadximBq2jJzGOV3YQ8XVSWKVv3Idh5Zp1GoyqmGit61uYjpYQj+P1e7GjwGuxfCucpxnEDB+lGaLeAlRPtQvipqwg3SYExpnG5JcNMK/J3hqX1b5EEsbquK5l9z1YFrLgOMgjKR31bw2JaYuYefqC7Jn8URNM7Thnek3i6ZHFWudJiP7Ag68OawfuOvFdA+wJ+mdj1Iy0K7ZikTq76/wcQrAIWcUUGgzBnuJlW+lPOvshcJjWkMtOBzB1LrLN9qoMC/d6KahB0bVmbQzIZC0ryxTXC/ZQmvQ5kpzOB8WLLROxhdnpPKRVEf82scggfQIrvPaRcNkPEjcx1p+ww68wPQzynVNPIXt8nJ3zPDxdIPkEnfsI7BcuZWF9YuCB3krtd3MGAKq8m3fPH4udmNRd3JQOvHkcMu4wSDWdt6FoTL/okFtJRVSi+c0Oa5hVqb0rOxbWg8S5MR7gg4xGDgD7NxqczD/f05uhXNtKeY
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DBBPR08MB6202.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(31686004)(4001150100001)(66946007)(107886003)(53546011)(2616005)(5660300002)(66476007)(166002)(15650500001)(31696002)(66574015)(966005)(316002)(786003)(83380400001)(30864003)(36756003)(52116002)(110136005)(508600001)(38100700002)(66556008)(86362001)(186003)(33964004)(8676002)(2906002)(6486002)(4326008)(8936002)(45980500001)(43740500002)(559001)(579004); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 64G8mmLcRpkN/Gf2X9VpcHN7DOlQBesgMwSOlS1JOHR1wsXK47NDVLLPS4YGr7oDnG4U4zkS/zIXrE10ZohPg7cHfOjRYfwA8uuC25/5PVumNEpkpr2qGkK4/YensZTYz3UL7IQ1HGDUuLCARwGmhnqd6XfLXiDArmKdudDsYkGMIsyc824wHRXJzNPpvbvR/QNNk7mGmImlo0Ujsw6/NErUp1Ul1Gl29FApg67kPwYXmdQkqahgtZfuUJn0LUS5hZaW8uRC0+uI+ZziGvysxo2XJh1nrWQVlMJ/ErS1u7vK/tu6VWxSuGF6KFyUIeCj0sSJX3NufEm08sQrpFkTxw+UKIG6ThYY5pRdxGBYvIjr7evHOsiy1De7iOyLPhk9l4Xj0Pfj9giMXyJjqFmay1DwoCBCgnwdgmq1fe0rVSWaFfdg0ZdAlKluLjvL7AdpEJkJiXQyuM7W12tD8hE0+dyfLRw7XkGN9W3dX1uz8u1YfeLwOvHFzL0/z9aH6FMP1ePuMvwUPC6Z6JjXK9DCC2mOyWl5TmRwe6DGRJCIHH7xoZ/usFRdfKpIbZfi5EvGqxdkEM9xqwLiJWw4C80n1rMB/NUO29JD+76nhLke89Nbsy6XazNtOgNx/YRLn3d3wt68np/sgpti+X3mrdlCk+EpG1dEPkyQRC+yFBchjhVmRFpaanqURrHhWMtHAOG1licDV4xsJbHNbtisg+osPA0up9rf43P/LHuT1AzEcU8X9yRaP6yCJvfSWBvS52WBFdgdDQDu94sJtKj5VcWHbEKLGD3xHtn26a54Z8Gph23DyAOGlvlV77lZTQIpP7tg76aJ4vUM8ZDHe/cMvWNYb95L3MUZLewbJ+vZBb3EhrcVhBbkDgGfuKwqcMdvYi2Pn9Ovfyk3zTTfJAIqygZ/7JGxoO4uL09M8MJIlKOHoEU6ZTVxZZTBjb0WWrHtz8vrLkRopX/rKGZgc0Q6eM3U+eo6CkmR/HgbDBwfC+NGXBvVRXVc2zlJn+PcAQtqiLwf+WQRP0lc0x7S/CpLgGkr9nHT8Gfh//3NSqcpmcfpCQbpFTOQzL9GLdI9qyIQJE1Q8TT27TLp1mChkhZSPGOefdHMcxD3je8PNv64+NoLlj/0yPTGEXZ3XjZHlvVma4SqEggPYuAQbKNvbSvo2kyZT1dAHp2plEzNpZ7ZBtgudZFNUR4mNYBnzU9KTwMy5+tPLuE+BG+BtBGAzgGM92tfjZ1MdHaRikEAWlnp9pnLrJ60FbyzWzC/phCd6aszFQMZq16amutwE6Pyp5EDiWo8HmDB0vDt8xGeMlMOnYxlrTDRECOrzpTxDm6MqYVoZhb+qdUF99SgBG9q97UozoBdGz7447rt/oTSHdHbgvCSWEJx/zaxml5LWXmQn3BDtWVS2w+9accDYGvA7t3apfkqSH2wuh8ctNI2BXt2q6E24G5PqGpuBSsaQPI9Tvi2vKqmOKo/HN/zmJWspOK0rMzdg0s6DXmgpWNgVT3RPuRZh+0G1Dts08rarD4+6BYT3c3yXAghLDPcPRxj+4wiOGbnM5F0FxMZ6xg0wF+RRpz3mqLVT8prLKJQJbtc1EMvkBbPX0PNnYHT06USC07XNLympVQw/dtYNh83PpnNpdToVtEdHe4PF50ioNb/daVQlT1GZ046C473gF7my+R2w8x8pLnlzI30X5/75u+sb92laic=
X-OriginatorOrg: uniovi.es
X-MS-Exchange-CrossTenant-Network-Message-Id: 731ea258-0332-4c28-98b6-08d9b0bbce89
X-MS-Exchange-CrossTenant-AuthSource: DBBPR08MB6202.eurprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Nov 2021 09:04:52.2661 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 05ea74a3-92c5-4c31-978a-925c3c799cd0
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: JNLE7QL/Lq6sIxBj2FUcSTTeeOjXwUpafGwN8f7Q1wT2h0Kr0Rm+VaM2UFz6v+J6+/00MYfa5IqYyG5dxgfw/g==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBBPR08MB4283
X-MS-Exchange-CrossPremises-AuthSource: DBBPR08MB6202.eurprd08.prod.outlook.com
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 06
X-MS-Exchange-CrossPremises-Mapi-Admin-Submission:
X-MS-Exchange-CrossPremises-MessageSource: StoreDriver
X-MS-Exchange-CrossPremises-BCC:
X-MS-Exchange-CrossPremises-OriginalClientIPAddress: 2a0c:5a80:3c13:f000:589f:2891:1b30:6314
X-MS-Exchange-CrossPremises-TransportTrafficType: Email
X-MS-Exchange-CrossPremises-Antispam-ScanContext: DIR:Originating; SFV:NSPM; SKIP:0;
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-Processed-By-Journaling: Journal Agent
X-OrganizationHeadersPreserved: DBBPR08MB4283.eurprd08.prod.outlook.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/eDwychorAnCScgIvO_ok5Yjness>
Subject: Re: [Ace] [Emu] New Version Notification for draft-ietf-ace-wg-coap-eap-04.txt
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Nov 2021 09:05:05 -0000
Dear Göran, Thank you for your review, it is much appreciated. We will address your comments and answer as soon as possible. Best Regards. Dan, On 25/11/21 10:09, Göran Selander wrote: > > Hello authors of draft-ietf-ace-wg-coap-eap, > > Thanks for working with this draft. Here is a mix of nits/editorials > and more substantial comments in the order as they appear in the draft. > > Abstract > > OLD > > One of the primer goals is to > > NEW > > One of the main goals is to > > Section 1. > > "EAP methods transported in CoAP MUST generate cryptographic material > > [RFC5247] for this specification. " > > The term “cryptographic material” is used multiple times in this > document but is not defined. RFC 5247 uses “keying material”, does > that match the intended meaning? > > Section2. > > Figure 1 is perhaps too informative containing endpoints, stacks, what > is CoAP, and scope of this document. There is no line/arrow between > IoT Device and Controller, presumably because there is too much other > information. Section 2 don’t talk about the stack at all. > > * Proposal: Make two figures: one with nodes and lines/arrows > (“architecture”); another with the stack, which is essentially the > same in the two nodes in scope of this document. > > * It is confusing that CoAP role allocation is shown in the figure > since those only apply to one step of the operation in section 3.2. In > all other steps the roles are reversed. Proposal: omit the CoAP roles > in the figure, and/or provide an explanation in section text or > caption. The section text talking about CoAP client also needs to be > modified accordingly. > > * Nit: RFC8323 calls the layer between request/response and reliable > transport “message framing”. Perhaps you want to have a common layer > renaming the "Messages" layer with “Message /framing/”. > > Section 3. > > "It is RECOMMENDED a light EAP method for the case of constrained link > and constrained IoT devices." > > If this will remain a normative recommendation, then there needs to be > a definition (reference) of "light EAP method". Perhaps consider just > explain the intention of "light" ("lightweight"?) and remove the > normative recommendation? > > --- > > OLD > > The article [eap-framework], highlights the benefits of the EAP > > framework. > > NEW > > The benefits of the EAP framework are highlighted in [eap-framework]. > > 3.1 > > "resource directory" > > Provide a reference or at least as an example, like > draft-ietf-core-resource-directory, > > --- > > OLD > > Example of this protocols > > NEW > > Example of such protocols > > 3.2 > > Step 0 > > "The message also includes an URI in the payload of the message to > indicate to what resource (e.g. '/a/x') the Controller MUST send the > first message with the EAP authentication" > > The DoS issues with requiring the Controller to send a message to an > unknown URI need to be considered. > > Step 1 > > "the Sender ID for OSCORE selected by the Controller" > > Is this the Sender ID *of the IoT device* selected by the Controller? > In other words, is it the Recipient ID of the Controller selected by > the Controller? That would correspond to how OSCORE identifiers are > chosen in EDHOC: > > https://datatracker.ietf.org/doc/html/draft-ietf-lake-edhoc-12#section-3.3.2 > > Best not to use the terms "SID" or "RID" unqualified in message fields > since they are reversed on the IoT device and Controller. Better use > terminology like e.g. RID-I and RID-C for RID of IoT device and > Controller, respectively. > > Step 2 > > "the EAP response, the Recipient ID and the selected ciphersuite for > OSCORE are in the payload." > > Is this the Recipient ID *of the IoT device*? See comment above. > > --- > > OLD > > In this step, the IoT device MAY create a OSCORE security context with > the Sender ID and Recipient ID. > > NEW > > In this step, the IoT device MAY create a OSCORE security context with > its Sender ID and Recipient ID. > > Step 7 > > OLD > > The reception of the POST message protected with OSCORE using the > Sender ID sent in Step 1 is considered by the IoT device as an > alternate indication of success ([RFC3748]). > > The unqualified "Sender ID" is confusing here. Why does the ID sent in > step 1 indicate success to the IoT device? I would expect the ID > selected by the IoT device itself and sent in step 2, if used by the > Controller to derive the OSCORE security context to protect the > message in step 7 would be a stronger indication of success. Proposal > (check if this is correct): > > NEW > > The reception of the POST message protected with an OSCORE security > context derived using the Recipient ID of the IoT device sent in Step > 2 is considered by the IoT device as an alternate indication of > success ([RFC3748]). > > --- > > "The communication with the last resource (e.g. '/a/w') from this > point MUST be protected with OSCORE except during a new > (re)authentication (see Section 3.3)." > > I don't understand why there is an exception. OSCORE seems to be > applied to communication with the last resource in all cases: > > * In the case of new authentication the procedure explained in Section > 3.2 applies protection with OSCORE in communication with the last > resource. > > * In the case of re-authentication, the procedure is explained in > Section 3.3 to be "exactly the same" as in Section 3.2. > > Also I find the expression "new (re)authentication" confusing - what > is the the difference between "re-authentication" and "new > re-authentication"? > > Section 4. > > " 1. SID: It contains the Identifier for the Sender ID to be used in > > the OSCORE security context. > > 2. RID: It contains the Identifier for the Recipient to be used in > > the OSCORE security context." > > Same comment as above to qualify SID and RID: is SID the Sender ID of > the IoT device or of the Controller? > > Section 5.1 > > "If the Controller sends a restricted list > > of ciphersuites that is willing to accept, and the ones supported by > > the IoT device are not in that list, the IoT device will respond with > > a '4.00 Bad Request', expressing in the payload the ciphersuites > > supported. " > > Make clear (here or in a security consideration) that in case of an > error message containing a cipher suite, the exchange of cipher suites > between EAP authenticator and EAP peer cannot be verified. For > example, a man-in-the-middle could replace cipher suites in either > message which would not be noticed if the protocol is ended after step 2. > > Best regards > > Göran > > *From: *Ace <ace-bounces@ietf.org> on behalf of John Mattsson > <john.mattsson=40ericsson.com@dmarc.ietf.org> > *Date: *Monday, 25 October 2021 at 17:03 > *To: *Dan Garcia Carrillo <garciadan@uniovi.es>, ace@ietf.org > <ace@ietf.org>, EMU WG <emu@ietf.org> > *Subject: *Re: [Ace] [Emu] New Version Notification for > draft-ietf-ace-wg-coap-eap-04.txt > > Thanks, > > I think this is a very useful mechanism and a well written draft. Some > quick comments. > > - "ciphersuite" > > Note that both TLS and EDHOC spells this with space "cipher suite" > > - Section 2. I don't understand what "SM" in Figure 1 is an > abbrevation for. > > - Section 2. "UDP/TCP/Websockets" Why is the Websocket protocol in plural? > > - Section 3. "EAP method that exports cryptographic material" > > This can probably be reformulated in terms of MSK, EMSK or "Key > derivation" which > > is the property that RFC 3748 uses. > > - "EAP-MD5 cannot be used since it does not export key material" > > MD5 should really not be used at all for security resons. Highlighting > it like this might > > be the idea that it would be ok if EAP-MD5 had the "Key derivation" > property. > > - "The required key, the Master Session Key (MSK), will be available > once the > > EAP authentication is successful." > > Does this belong in step 2? > > - In Figure 2. I do not think you have to wait until EAP-SUCCES to > make MSK available. > > The authentication can be successful before EAP-SUCCES. > > - In section 3.3. it might be good to state that "Reauthentication" > might be needed to rekey MSK/EMSK and to increase protection against > key leakage. > > (An important mitigation of pervasive monitoring is to force attackers > to do dynamic key exfiltration instead of static key exfiltration. > Dynamic key exfiltration increases the risk of discovery for the > attacker [RFC7624]. While OSCORE will soon be augmented with a > rekeying mechanism with forward secrecy, attackers can still get away > with doing static key exfiltration. This is similar to TLS 1.3 with > KeyUpdate, after leakage of application_traffic_secret_N, a passive > attacker can passively eavesdrop on all future application data sent > on the connection including application data encrypted with > application_traffic_secret_N+1, application_traffic_secret_N+2, etc.) > > - "4. The values from 65000 to 65535 are reserved for experimentation" > > what does "The values" refer to? Lifetime? In that case it would fit > better under 3. > > - In addition to AES-CCM-16-64-128, only ciphersuites only cipher > suites with AES-GCM is included. My feeling was that most IoT people > are more interested in ChaCha20-Poly1305 than AES-GCM. I don't have a > strong personal opinion. > > - "which is considered fresh key material" > > “considered fresh”? Maybe "uniformally random"? > > - With normal use of DTLS, Appendix A violates “The CoAP-EAP operation > is intended to be compatible with the use of intermediary entities > between the IoT device and the Controller”. This limitation should be > clearly stated. > > - Probably good if the labels have “CoAP-EAP” in all the labels to > guarantee that they do not collide with anything else. > > Cheers, > > John > > *From: *Emu <emu-bounces@ietf.org> on behalf of Dan Garcia Carrillo > <garciadan@uniovi.es> > *Date: *Monday, 25 October 2021 at 13:27 > *To: *ace@ietf.org <ace@ietf.org>, EMU WG <emu@ietf.org> > *Subject: *Re: [Emu] New Version Notification for > draft-ietf-ace-wg-coap-eap-04.txt > > Dear ACE and EMU WG, > > We have submitted a new version of the draft (draft-ietf-ace-wg-coap-eap) > > This version provides information on the different comments, from the > reviews and interim meetings. > > Best Regards. > > > El 10/25/2021 a las 1:23 PM, internet-drafts@ietf.org escribió: > > A new version of I-D, draft-ietf-ace-wg-coap-eap-04.txt > > has been successfully submitted by Dan Garcia-Carrillo and posted to the > > IETF repository. > > > > Name: draft-ietf-ace-wg-coap-eap > > Revision: 04 > > Title: EAP-based Authentication Service for CoAP > > Document date: 2021-10-25 > > Group: ace > > Pages: 29 > > URL: https://www.ietf.org/archive/id/draft-ietf-ace-wg-coap-eap-04.txt > > Status: https://datatracker.ietf.org/doc/draft-ietf-ace-wg-coap-eap/ > > Htmlized: > https://datatracker.ietf.org/doc/html/draft-ietf-ace-wg-coap-eap > > Diff: https://www.ietf.org/rfcdiff?url2=draft-ietf-ace-wg-coap-eap-04 > > > > Abstract: > > This document specifies an authentication service that uses the > > Extensible Authentication Protocol (EAP) transported employing > > Constrained Application Protocol (CoAP) messages. As such, it > > defines an EAP lower layer based on CoAP called CoAP-EAP. One > of the > > primer goals is to authenticate a CoAP-enabled IoT device (EAP peer) > > that intends to join a security domain managed by a Controller (EAP > > authenticator). Secondly, it allows deriving key material to > protect > > CoAP messages exchanged between them based on Object Security for > > Constrained RESTful Environments (OSCORE), enabling the > establishment > > of a security association between them. > > > > > > > > > > The IETF Secretariat > > > > > > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://www.ietf.org/mailman/listinfo/emu >
- Re: [Ace] New Version Notification for draft-ietf… Dan Garcia Carrillo
- Re: [Ace] [Emu] New Version Notification for draf… John Mattsson
- Re: [Ace] [Emu] New Version Notification for draf… Göran Selander
- Re: [Ace] [Emu] New Version Notification for draf… Daniel Migault
- Re: [Ace] [Emu] New Version Notification for draf… Dan Garcia Carrillo
- Re: [Ace] [Emu] New Version Notification for draf… Dan Garcia Carrillo
- Re: [Ace] [Emu] New Version Notification for draf… Dan Garcia Carrillo
- Re: [Ace] [Emu] New Version Notification for draf… Dan Garcia Carrillo
- Re: [Ace] [Emu] New Version Notification for draf… Dan Garcia Carrillo
- Re: [Ace] [Emu] New Version Notification for draf… Göran Selander
- Re: [Ace] [Emu] New Version Notification for draf… Dan Garcia Carrillo
- Re: [Ace] [Emu] New Version Notification for draf… Daniel Migault