IETF Logo Mail Archive

Re: [Ace] draft-ietf-ace-mqtt-tls-profile-03

Cigdem Sengul <cigdem.sengul@gmail.com> Fri, 28 February 2020 09:45 UTC

Return-Path: <cigdem.sengul@gmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1500D3A144F for <ace@ietfa.amsl.com>; Fri, 28 Feb 2020 01:45:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k3ejvdprxIP6 for <ace@ietfa.amsl.com>; Fri, 28 Feb 2020 01:45:35 -0800 (PST)
Received: from mail-vk1-xa34.google.com (mail-vk1-xa34.google.com [IPv6:2607:f8b0:4864:20::a34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3EFB3A144E for <ace@ietf.org>; Fri, 28 Feb 2020 01:45:35 -0800 (PST)
Received: by mail-vk1-xa34.google.com with SMTP id i78so755306vke.0 for <ace@ietf.org>; Fri, 28 Feb 2020 01:45:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XnZoyQXzOtF+2BP9H91EzXnwPVD3L3K+wQY0OwuO2B8=; b=PfIO+tFNoyODPx4LqdKr4IZwD74fShzuD6zSMTuJ8SFinEMZz6muc6ILXjfgVfkreZ 23V1G01kpf6ThhV12Nh474/5zT+fZtDcDGuGvj4ww8ziZWiouxuDpCNkgpzdkMRzF4O4 B+gjywGdOiLY0SAcZ/vwx5IAoJNoUO3GnsTbFefUtM3W6Mpkj1E+umrZg/N13TiZoDEu s2Tz8wvkrLVTfongdeklm2EG66YB53BX+0YJ3Dnc/JWCC8y3IXRFammeJiRQWtfnIoYh rpGFZB2Tt+08iuph+CJrKOnQOGobX2+7tytSMCdXQTEYOtjRa0tzY9ZizPnmZTy5dhZZ +KOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XnZoyQXzOtF+2BP9H91EzXnwPVD3L3K+wQY0OwuO2B8=; b=U1RdB+DBLptzK0bH8dSWIDIroViEvY5xdLnSjTQ51OKp3Kh7Fz4uC37Z1Me8HRek5y R+Mwl6SyYYuZMtKZaauIS1aOHcdnU7Jibvw9/eU117ULD6Geqr2PZOaEVL9rl8hcf7+y ixl+6hcft2WvL82FGqLaoM7Nsdsp59unYlX00lRLxQO2hR6YhjzszUcISuvb+p4j/bsa rBwpdO7QrCPRJC/QnAiktnmnaCeoIavp6ZuJ4MDMpwj0t5SLKGILhZf2iLOIkqxzGJgh WjuiczG6ETlNw9BkeTpFDr6iRETd3BRK7vCKmZZkLbKwg63vBcUwjFpWqeCMobieEHNl Ej5A==
X-Gm-Message-State: ANhLgQ3VsKOa7WH+c8pKev+6tol/gbMrJbA4Q+xaWqWrVfHccgjsOrFH nc2wPpVOWFVl9QBARfR5hCAl3IyxAt7gx17HNicSEBO+nHo=
X-Google-Smtp-Source: ADFU+vuBkr92zmH4FmVRKbS6zfjTexKMSh5fUm0Hayjm/GNUVWBqOwasayjtCjVuZ+XnEk+dc/PR6EZnph3hXmJ+Zng=
X-Received: by 2002:a1f:1bc3:: with SMTP id b186mr560955vkb.96.1582883134745; Fri, 28 Feb 2020 01:45:34 -0800 (PST)
MIME-Version: 1.0
References: <AM0PR08MB371601D0F66969D7ECB504AAFAED0@AM0PR08MB3716.eurprd08.prod.outlook.com> <CAA7SwCOnY1K=b=fYYMHH57ho0rFZRmN+EuT1K7qt7qxtN3fghw@mail.gmail.com> <AM0PR08MB37165CE98F43A5AEBDA3F411FAE80@AM0PR08MB3716.eurprd08.prod.outlook.com>
In-Reply-To: <AM0PR08MB37165CE98F43A5AEBDA3F411FAE80@AM0PR08MB3716.eurprd08.prod.outlook.com>
From: Cigdem Sengul <cigdem.sengul@gmail.com>
Date: Fri, 28 Feb 2020 09:45:25 +0000
Message-ID: <CAA7SwCMVnO2-SUNyH7bDQ1jEwdbxVsL5bySG72b8GD=HH16=3g@mail.gmail.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: "ace@ietf.org" <ace@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f7b140059f9fb250"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/iqjH9IpiIhHdpmj6GPAGHRdfcT8>
Subject: Re: [Ace] draft-ietf-ace-mqtt-tls-profile-03
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Feb 2020 09:45:38 -0000

Hello Hannes,

Thank you very much for your comments. My responses are inside.

>
> From the text you cited regarding MQTT v5 it is not backwards compatible
> to version 3.1.1. The exact impact of working between two devices of
> different versions has not been described in the spec either. The follow
> sentence in your introduction can easily give readers the impression that
> the two versions are backwards compatible. Here is the sentence:
>
> " It is expected that MQTT
>    deployments will retain backward compatibility for MQTT v3.1.1
>    clients, and therefore, this document also describes a reduced set of
>    protocol interactions for MQTT v3.1.1 - the OASIS Standard
>    [MQTT-OASIS-Standard].
> "


> Maybe you want to change the wording a little bit.  I think the reason why
> you want to describe a solution for v3.1.1 is that this is the widely
> deployed version.
>
>

I see where I am creating confusion. I should distinguish better that I
expect solution providers to still support MQTT v3.1 clients by
implementing both MQTT v5 and MQTT v3.1.1 servers, as you said because
3.1.1 is widely deployed. I was not meaning spec backward compatibility.



> Regarding the broker term: It is probably a matter of taste but I would
> refer to the terms used in the spec and would not replicate the terminology
> from the OASIS MQTT specs in the draft.

Someone who implements the draft will have to become familiar with MQTT
> anyway. But that’s just me. For example, I often see people using the term
> “certificate authorities (CA)” in their write-ups. RFC 5280 defines and
> uses the term “certification authority (CA)". While the two sound and look
> similar only one is actually correct.
>

OK, you suggest we use MQTT server. I expect broker is more widely-used in
practice, and it is not a misspelling of another term either. I would want
to keep it, but I would like to see if others prefer MQTT server rather.


>
> I noticed you have put a normative dependency on
> [I-D.palombini-ace-coap-pubsub-profile]. I don't think it is necessary
> because it is not a requirement to implement the spec.

You could use it on top of it -- or you could use something else as well. I
> would move it to the informative part.  The added benefit of doing that is
> that you do not block your spec till that draft becomes RFC.

  True. Will fix.


> On the other hand, RFC 6749, RFC 7800, and
> I-D.ietf-ace-cwt-proof-of-possession cannot be informative references when
> you use PoP tokens in your solution.
>
> Yes, indeed. Will fix.


> You might be interesting to hear that there is currently no way to obtain
> the keys for a PoP token over HTTP, which your solution requires. The
> virtual interim meeting in the OAuth group should probably be of interest
> to you.
>

I plan to join. I  have been aware of the issue, but could not follow how
it was planned to be resolved.
I was looking at this: draft-ietf-oauth-pop-key-distribution

Thanks again,
--Cigdem


>
> From: Cigdem Sengul <cigdem.sengul@gmail.com>
> Sent: Tuesday, February 25, 2020 3:10 PM
> To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
> Cc: ace@ietf.org
> Subject: Re: [Ace] draft-ietf-ace-mqtt-tls-profile-03
>
> Hello Hannes,
>
> We used  broker as it is a widely accepted term in the MQTT Community for
> "server" e.g.,
> majority of the provider would list also a broker implementation to refer
> to their server implementation.
>
> With respect to whether 3.1,1 clients talking to v5, there may be some
> issues. This is what the spec says:
>
> Non-normative Comment
> If the Server distributes Application Messages to Clients at different
> protocol levels (such as MQTT V3.1.1) which do not support properties or
> other features provided by this specification, some information in the
> Application Message can be lost, and applications which depend on this
> information might not work correctly.
>
> The spec also defines a protocol version error message:
> If the [Client's] Protocol Version [in the CONNECT packet] is not 5 and
> the Server does not want to accept the CONNECT packet, the Server MAY send
> a CONNACK packet with Reason Code 0x84 (Unsupported Protocol Version) and
> then MUST close the Network Connection
>
> So, whether a broker provides dual support would depend on the provider.
> E.g., the Mosquitto broker supports the different protocol versions.
>
> Thanks,
> --Cigdem
>
> On Tue, Feb 25, 2020 at 10:01 AM Hannes Tschofenig <mailto:
> Hannes.Tschofenig@arm.com> wrote:
> Hi Cigdem, Hi Anthony, Hi Paul,
>
> Why are you using the term MQTT broker? My understanding of the MQTT spec
> is that there are only clients and servers - nothing more.
>
> Is a MQTT v3.1.1 client able to talk to a MQTT v5 server? Would a MQTT
> v3.1.1 client talk to a MQTT v5 client via a server that supports both
> v3.1.1 and v5?
>
> Ciao
> Hannes
>
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
>
> _______________________________________________
> Ace mailing list
> mailto:Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
>

v2.23.0 | Report a Bug | By Email