Re: [Ace] Call for adoption draft-tiloca-ace-oscore-gm-admin (with some review items)
Christian Amsüss <christian@amsuess.com> Fri, 03 July 2020 06:56 UTC
Return-Path: <christian@amsuess.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E54683A0D5C for <ace@ietfa.amsl.com>; Thu, 2 Jul 2020 23:56:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mcctnQyEEYxE for <ace@ietfa.amsl.com>; Thu, 2 Jul 2020 23:56:05 -0700 (PDT)
Received: from prometheus.amsuess.com (prometheus.amsuess.com [5.9.147.112]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDFD63A0D5A for <ace@ietf.org>; Thu, 2 Jul 2020 23:56:04 -0700 (PDT)
Received: from poseidon-mailhub.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:a800:ff:fede:b1bd]) by prometheus.amsuess.com (Postfix) with ESMTPS id 783E9406AE for <ace@ietf.org>; Fri, 3 Jul 2020 08:56:01 +0200 (CEST)
Received: from poseidon-mailbox.amsuess.com (hermes.amsuess.com [10.13.13.254]) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id C8AC1AB for <ace@ietf.org>; Fri, 3 Jul 2020 08:55:59 +0200 (CEST)
Received: from hephaistos.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:a474:524e:673d:d8f5]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id 7002164 for <ace@ietf.org>; Fri, 3 Jul 2020 08:55:59 +0200 (CEST)
Received: (nullmailer pid 696368 invoked by uid 1000); Fri, 03 Jul 2020 06:55:58 -0000
Date: Fri, 03 Jul 2020 08:55:58 +0200
From: Christian Amsüss <christian@amsuess.com>
To: ace@ietf.org
Message-ID: <20200703065558.GA559393@hephaistos.amsuess.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="PNTmBPCT7hxwcZjr"
Content-Disposition: inline
In-Reply-To: <CADZyTknUKEazjkfQvC_r0_bzEvuYwHMTP1pF_-HYVL6y15_DUw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/gLr5NgAURoi5P9f6RcgHkL2jFr8>
Subject: Re: [Ace] Call for adoption draft-tiloca-ace-oscore-gm-admin (with some review items)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jul 2020 06:56:07 -0000
Hello ACE, I've read through draft-tiloca-ace-oscore-gm-admin. Its value is in that it fixes a gap in the set of current drafts on the topic: Without (something like) this, group deployment applications need application specific group managers, and as the GM is not trivial to implement, I'd expect that they would bundle the GM with their on-at-deployment-time tools rather than ship a constrained and well-specified always-on GM that's just managed by their deployment tools -- leading to much more error prone deployments that can't leverage OSCORE group communication in full. I don't quite see myself in a position to advocate adoption in this WG I haven't actively contributed to before, but I do support this document being processed somewhere in the IETF. Best regards Christian PS: Small by-catch issues for the authors: The pct-encoded names in the group name sound odd to me. What do those names have to do with URI components? The "is fixed" and "is a default name" terminology around resources is probably confusing to people who don't know ahead of time what it's supposed to mean; moreover, demanding that the URI be fixed is a pretty harsh requirement for something that may move around in the network; furthermore, while an I-D should avoid creating URI aliasing, it shouldn't rule out that the server may do that either. (And if it supports different transports, right now it needs to). Later in 2.5.3, it even sounds like the path is prescribed. Other than this being an ACE document, is there a particular reason "Getting Access to the Group Manager" is prescribed to use ACE? The whole 2.1 section sounds quite repetitive when read in the context of ACE, and unnecessary when different methods are employed. Maybe if there were talk about different admins and whether they may change each other's groups that'd be conveniently be expressed in terms of ACE scopes (not sure), but as of now it isn't. Why is "Update a Group Configuration" a PUT and not a PATCH? It does not replace the resource, it just modifies it. -- To use raw power is to make yourself infinitely vulnerable to greater powers. -- Bene Gesserit axiom
- [Ace] Call for adoption draft-tiloca-ace-oscore-g… Daniel Migault
- Re: [Ace] Call for adoption draft-tiloca-ace-osco… Francesca Palombini
- Re: [Ace] Call for adoption draft-tiloca-ace-osco… Christian Amsüss
- Re: [Ace] Call for adoption draft-tiloca-ace-osco… Göran Selander
- Re: [Ace] Call for adoption draft-tiloca-ace-osco… Marco Tiloca
- Re: [Ace] Call for adoption draft-tiloca-ace-osco… Daniel Migault