Re: [Ace] Review of draft-ietf-ace-mqtt-tls-profile-03

Cigdem Sengul <cigdem.sengul@gmail.com> Tue, 14 January 2020 16:25 UTC

References: <007401d5c0f3$6e80d320$4b827960$@augustcellars.com>
In-Reply-To: <007401d5c0f3$6e80d320$4b827960$@augustcellars.com>
From: Cigdem Sengul <cigdem.sengul@gmail.com>
Date: Tue, 14 Jan 2020 16:25:08 +0000
Message-ID: <CAA7SwCNfzur2=VJ9O+76vWBeECn62EdREXRbOgK8=O-LgYUa_Q@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>
Cc: draft-ietf-ace-mqtt-tls-profile@ietf.org, Ace Wg <ace@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/gXGT1KChD4h_SffWc3fY72LYP6s>

Thank you for this review, Jim.
Responses inline.

On Wed, Jan 1, 2020 at 10:33 PM Jim Schaad <ietf@augustcellars.com> wrote:

>
> 2.2.2 - para 1, the last sentence seems to imply that the first connection
> to publish to authz-info is not being done over a TLS connection.  But the
> sentence before that states that a TLS connection MUST be used for this.
> Perhaps s/and is expected to try reconnecting over TLS./and reconnects,
> potentially using client authentication with TLS./
>

[CS] Yes, that part reads confusingly.
The aim was to say client authentication is not done over TLS, but the
connection can be over TLS.
What it should be saying:
The client can use either mqtt or mqtts to connect to the broker, but only does
server validation, to push the token.
After pushing the token, it is expected to do TLS:Known(RPK/PSK)-MQTT:none.
(Although for PSK the token can be in psk_identity).
Issue created:  https://github.com/ace-wg/mqtt-tls-profile/issues/37


> 2.2.2 - I am unclear under what circumstances you could end up with a
> token
> which does not parse when processing a PUBLISH message.  If the token
> cannot
> be parsed at connection time, that I can understand.  However having parsed
> the token then it does not make sense that the token becomes not parsable
> at
> the time of publishing.  Am I missing something?
>

[CS] There is a misunderstanding. The PUBLISH message refers to the actual
PUBLISH message to the "authz-info" topic which contains the token i.e.,
this may not parse to a token. (The PUBLISH message is not for other
messages that are permissioned in the token.)
The client connects (without much security), publishes the token to the
public "authz-info" topic, which only the broker can read.
Then it disconnects and tries to connect with ACE security.

Since MQTT v5 can return error messages in response to PUBLISH messages,
here this is used to signal to the publisher that there is something wrong
with its token.

Added: https://github.com/ace-wg/mqtt-tls-profile/issues/38


>
> 2.2.2 - The last paragraph is causing me confusion.  Is this supposed to be
> referencing the RS or the AS?  If it is the AS, then I don't see how there
> could be any confusion.  Please expand this so it is clearer.
>

[CS] This is a typo - it should be RS.
https://github.com/ace-wg/mqtt-tls-profile/issues/39


> 2.2.4 - I am having a problem with trying to parse the content of the AUTH
> property.  I have no problems with 2.2.4.3 because this is a zero length
> sequence of bytes.  However for 2.2.4.1 and 2.2.4.2 there is a token
> (possibly binary with no length prefix) followed by an optional binary
> cryptographic value.  For introspection, I would need to figure out the
> length of the token before I could make a guess at the length of the
> cryptographic value.  However given that there is no divider this does not
> seem possible.  This may also become a problem for the response from the
> client in the event that there is a change from an 8-byte nonce to a
> variable length one.
>

[CS] I did not specify a format, because I thought we discarded the idea of
using the variable-length nonce based on the meeting in Singapore.
What would you suggest - introduce a specific format to accommodate
variable length?
length_of_token + binary data for token + (the rest is cryptographic value)?
https://github.com/ace-wg/mqtt-tls-profile/issues/40


> 2.2.4.1 - In my view it is not the secret, but the content that is being
> obtained from the TLS exporter.  That is one is signing (or MACing) the
> exporter value not using that value to compute a MAC on something else.
> While it is true that only the two parties know that value, exposure to a
> third party does not lead to a compromise.
>

[CS] I see - so reword "secret" to "content".
Or do you have a suggestion for wording?
https://github.com/ace-wg/mqtt-tls-profile/issues/41

>
> 2.2.4.3 - I am not sure if the text is supposed to require an empty
> authentication data field or to allow for the authentication data field to
> be absent as well.
>

[CS] I checked whether it would be a protocol error to have only the
Authentication Method in MQTT, and it is not.
Then it is best to omit the Authentication Data field.
Will correct the text so that the document allows the CONNECT message to have
an Authentication Method set to 'ace' and allows omitting the Authentication
Data field.
https://github.com/ace-wg/mqtt-tls-profile/issues/42


>
> 3 - It might be worthwhile to put a pointer to section 4.7 of the MQTT V5
> spec here so that there is an indication of what the different wild card
> characters do.  I had to pop over there to make sure that I could figure it
> out.
>

[CS] Will do.
https://github.com/ace-wg/mqtt-tls-profile/issues/43


> 3.1 - Should you state that for a QoS of 0, the client should close the
> connection w/ an '0x87' in the event of an authorization failure?  I think
> that this is supposed to happen but you have left it open.
>

[CS]
Yes, I must have cut some text out. For QoS of 0, the client is disconnected.
Will add.
https://github.com/ace-wg/mqtt-tls-profile/issues/44


> 6 - It is not clear to me if the authentication method described in this
> section is permitted with MQTT v5 or not.  It does not say, but it appears
> to be a true statement.  This should probably be explicit.
>

[CS] Yes,
an MQTT v5 broker can support this method as well - we say at the beginning
something around backward compatibility to MQTT v3.1.1.
Will make it more explicit.
https://github.com/ace-wg/mqtt-tls-profile/issues/45



>
> 2.2.4.3 - What is the name of the user property that is being returned
> here?
>

[CS]
This is under-defined. It should say, the name pairs follow the same
optional (name, value) parameters for AS request creation hints as defined
in the core document. There could be multiple user properties in a CONNACK, so
one needs to make sure the size of the message does not grow beyond the
Maximum Packet Size specified by the client.
https://github.com/ace-wg/mqtt-tls-profile/issues/46

>
> I am going to play with something else.  I am sure I will find other issues
> at a different time.
>

Thank you for your review. Much appreciated.
--Cigdem


>
> Jim
>
> Nits:
> Section 2 Para 1 s/Broker.Figure 1/Broker.  Figure 1/
> Section 2 Para 1  s/setup.The/setup.  The/
> Section 2.2.2 Last Para s/when the AS/when the RS/
>
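The 2.2.4 / 2.2.4.1 exchange above leaves two things open: how an RS finds the boundary between the token and the cryptographic value inside the Authentication Data field, and what exactly is being MACed. As an added illustration, not code from the draft, its authors, or this thread, the block below implements the length-prefixed layout Cigdem floats (length_of_token + token + the rest is cryptographic value), with the cryptographic value computed as an HMAC over the TLS exporter output, which is the "content" being MACed in Jim's reading. The 2-byte big-endian length prefix, HMAC-SHA256 as the PoP algorithm, and the sample key, token and exporter value are all constructed assumptions; a real RS gets the exporter value from its TLS stack and the PoP key from validating the token.

```python
import hashlib
import hmac
import struct

# Constructed sample values (assumptions, not values from the draft):
# a PoP key shared by client and RS, an opaque token whose bytes happen to
# look length-like, and a stand-in for the TLS exporter output.
POP_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TOKEN = bytes(range(0xD0, 0xE0)) + b"\x00\x01"   # 18 opaque bytes
EXPORTER_VALUE = hashlib.sha256(b"constructed exporter stand-in").digest()


def mac_over_exporter(pop_key: bytes, exporter_value: bytes) -> bytes:
    """The exporter output is the content being MACed; the PoP key is the key.
    Exposure of the exporter value alone does not reveal the PoP key."""
    return hmac.new(pop_key, exporter_value, hashlib.sha256).digest()


def encode_auth_data(token: bytes, crypto_value: bytes) -> bytes:
    """Hypothetical layout: 2-byte length || token || cryptographic value."""
    if len(token) > 0xFFFF:
        raise ValueError("token too long for a 2-byte length prefix")
    return struct.pack(">H", len(token)) + token + crypto_value


def decode_auth_data(data: bytes) -> tuple[bytes, bytes]:
    """Parse the hypothetical layout, rejecting truncated input instead of
    silently treating a partial token as valid."""
    if len(data) < 2:
        raise ValueError("truncated: missing token length")
    (n,) = struct.unpack(">H", data[:2])
    if len(data) < 2 + n:
        raise ValueError("truncated: token shorter than declared length")
    return data[2:2 + n], data[2 + n:]


def split_without_divider(data: bytes, crypto_len: int) -> tuple[bytes, bytes]:
    """Contrast: with no length prefix the RS can only split from the end, and
    only if the cryptographic value has a known fixed length. A variable-length
    value (a DER-encoded signature, a variable-length nonce) has no findable
    boundary, which is the parsing problem raised in the review."""
    if crypto_len > len(data):
        raise ValueError("field shorter than the expected cryptographic value")
    return data[:len(data) - crypto_len], data[len(data) - crypto_len:]


def rs_verify(data: bytes, pop_key: bytes, exporter_value: bytes) -> bool:
    """RS side: recover token and MAC, recompute the MAC over the exporter
    value with the token's PoP key, compare in constant time."""
    _token, crypto_value = decode_auth_data(data)
    expected = mac_over_exporter(pop_key, exporter_value)
    return hmac.compare_digest(crypto_value, expected)


if __name__ == "__main__":
    auth_data = encode_auth_data(TOKEN, mac_over_exporter(POP_KEY, EXPORTER_VALUE))
    print("AUTH data:", auth_data.hex())
    print("verifies with correct key:", rs_verify(auth_data, POP_KEY, EXPORTER_VALUE))
    print("verifies with wrong key:", rs_verify(auth_data, bytes(16), EXPORTER_VALUE))
```

The length prefix costs two bytes per CONNECT/AUTH packet and removes the guesswork entirely; the token-side parser then never has to know which PoP algorithm, and hence which output length, the token was bound to before it can split the field.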