Re: [Ace] Shepard comments on draft-ietf-ace-oscore-profile

Francesca Palombini <francesca.palombini@ericsson.com> Mon, 18 February 2019 12:55 UTC

From: Francesca Palombini <francesca.palombini@ericsson.com>
To: Jim Schaad <ietf@augustcellars.com>, "draft-ietf-ace-oscore-profile@ietf.org" <draft-ietf-ace-oscore-profile@ietf.org>
CC: "ace@ietf.org" <ace@ietf.org>
Thread-Topic: Shepard comments on draft-ietf-ace-oscore-profile
Thread-Index: AdS4+whFigFTKC1DQi2kqlxsKsGuhgAfkBIAAALIkgADg0teAA==
Date: Mon, 18 Feb 2019 12:55:24 +0000
Message-ID: <5D9AA2B5-FF39-4DE6-AA1A-6CF10684D33B@ericsson.com>
References: <023901d4b8fc$b72658c0$25730a40$@augustcellars.com> <B145CB00-EF21-408F-8D71-7B872BBEA02D@ericsson.com> <026c01d4b984$6d36b330$47a41990$@augustcellars.com>
In-Reply-To: <026c01d4b984$6d36b330$47a41990$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/eGmUiaVmTjqckddxu-YMzfsbZnQ>

Hi Jim,

Here is the update including your comments. It also includes minor comments from Marco (thanks!) that we had missed before.

https://tools.ietf.org/rfcdiff?url1=https://tools.ietf.org/id/draft-ietf-ace-oscore-profile.txt&url2=https://ace-wg.github.io/ace-oscore-profile/draft-ietf-ace-oscore-profile.txt

Concerning the error caused by unrecognized fields in the OSCORE_Security_Context, I only defined that for the RS: in fact, the client does not validate the token, so stopping the processing because of an unrecognized field would open the door to easy DoS attacks by intermediaries. If the AS actually sends unrecognized fields, the RS will in any case stop the process itself when receiving the token.

This was the last change, so if you are ok with this, I will go ahead and submit a new version.

Francesca
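The asymmetric handling described in this message (the RS treats an unrecognized OSCORE_Security_Context parameter as a fatal error, while the client does not validate the token and keeps going), shown as an added Python example. This is illustration code, not code from the draft or its authors: the integer labels, the "only the master secret is mandatory" rule and the sample contexts are constructed here, and the CBOR map is represented as an already-decoded dict so the example runs without a CBOR library.

```python
from typing import Dict, List, Tuple

# Constructed label table: hypothetical integer labels for the parameters an
# implementation recognizes.  The real labels come from the draft's registry.
KNOWN_LABELS: Dict[int, str] = {
    0: "id",
    1: "version",
    2: "ms",        # master secret
    3: "hkdf",
    4: "alg",
    5: "salt",
    6: "contextId",
}

# Assumption for this example: only the master secret is mandatory.
REQUIRED_LABELS = {2}


class UnrecognizedParameter(ValueError):
    """Raised by the RS when the context map carries a label it does not know."""


class MissingParameter(ValueError):
    """Raised by the RS when a mandatory parameter is absent."""


def rs_validate_context(ctx: Dict[int, object]) -> Dict[str, object]:
    """Resource-server side: any unknown label is a fatal error.

    The RS cannot tell whether an unknown parameter is harmless extra
    information or an input to the key derivation, so it refuses to derive
    a possibly wrong security context from it.
    """
    unknown = sorted(k for k in ctx if k not in KNOWN_LABELS)
    if unknown:
        raise UnrecognizedParameter(
            f"unrecognized OSCORE_Security_Context labels: {unknown}")
    missing = sorted(REQUIRED_LABELS - set(ctx))
    if missing:
        raise MissingParameter(
            f"missing mandatory labels: {[KNOWN_LABELS[m] for m in missing]}")
    return {KNOWN_LABELS[k]: v for k, v in ctx.items()}


def client_process_context(ctx: Dict[int, object]) -> Tuple[Dict[str, object], List[int]]:
    """Client side: no validation, so an unknown label never stops processing.

    Unknown labels are only reported back to the caller (for logging); the
    client still forwards the token to the RS, which makes the final call.
    Failing here would let anyone who can modify the map on the path stop
    the client for free.
    """
    known = {KNOWN_LABELS[k]: v for k, v in ctx.items() if k in KNOWN_LABELS}
    unknown = sorted(k for k in ctx if k not in KNOWN_LABELS)
    return known, unknown


def post_token_flow(ctx: Dict[int, object]) -> str:
    """Walk one context map through client then RS; report where it stops."""
    _known, _unknown = client_process_context(ctx)   # client always proceeds
    try:
        rs_validate_context(ctx)
    except UnrecognizedParameter:
        return "rejected-by-rs:unrecognized"
    except MissingParameter:
        return "rejected-by-rs:missing"
    return "accepted"


# Constructed sample contexts (values are placeholders, not real key material).
GOOD_CTX: Dict[int, object] = {2: b"\x01" * 16, 5: b"\x02" * 8, 6: b"\x03"}
UNKNOWN_CTX: Dict[int, object] = dict(GOOD_CTX)
UNKNOWN_CTX[42] = "extra"          # constructed unknown label
INCOMPLETE_CTX: Dict[int, object] = {5: b"\x02" * 8}   # no master secret


if __name__ == "__main__":
    for name, ctx in (("good", GOOD_CTX), ("unknown", UNKNOWN_CTX),
                      ("incomplete", INCOMPLETE_CTX)):
        print(f"{name:10s} client-unknown={client_process_context(ctx)[1]} "
              f"outcome={post_token_flow(ctx)}")
```

The point the functions make is that the same map produces a hard failure on exactly one side: the client records the unknown label and moves on, and the RS, which is the endpoint that actually verifies the token, is the one that refuses it.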

On 31/01/2019, 17:46, "Jim Schaad" <ietf@augustcellars.com> wrote:

    
    
    > -----Original Message-----
    > From: Francesca Palombini <francesca.palombini@ericsson.com>
    > Sent: Thursday, January 31, 2019 6:26 AM
    > To: Jim Schaad <ietf@augustcellars.com>; draft-ietf-ace-oscore-
    > profile@ietf.org
    > Cc: ace@ietf.org
    > Subject: Re: Shepard comments on draft-ietf-ace-oscore-profile
    > 
    > Hi Jim,
    > 
    > Inline.
    > 
    > Thanks,
    > Francesca
    > 
    > On 31/01/2019, 01:34, "Jim Schaad" <ietf@augustcellars.com> wrote:
    > 
    > 
    >     1.  Please update the text for MUST/SHOULD/MAY to include the language
    > from
    >     RFC 8174.
    > 
    > FP: Right, thanks. Updated now in the github.
    > 
    >     2.  Section 3.2.1 - What to do is clear if a field is not missing.  What is
    >     the correct behavior if a field is present that the client and/or resource
    >     server does not recognize.  Is this a fatal error or is it sufficient that
    >     they may not behave the same?
    > 
    > FP: Assuming you are referring to fields missing in the
    > OSCORE_Security_Context, (please correct me otherwise) this is a good
    > point. We currently do not define what happens if the security context has
    > unrecognized parameters. We don't foresee this happening, as the AS
    > should know what the client and RS implement. However, to cover this case
    > (bad implementation or something went wrong), to be on the safe side, we
    > propose that there is a fatal error in that case. In fact, we don't know what
    > additional parameters might be registered in the OSCORE_Security_Context,
    > and although they could be "risk-free" (as in optional additional information
    > non-necessary for the security context derivation), they could also be input
    > to the key derivation for example, in which case the endpoint non-
    > recognizing them would end up storing a "wrong" security context. What do
    > you think?
    
    Sounds good.  I had a vague thought that perhaps some of the group items might be added in the future but no hard items to add.
    
    Jim
    
    > 
    >     Jim