Re: [Ace] Roman Danyliw's No Objection on draft-ietf-ace-key-groupcomm-17: (with COMMENT)
Marco Tiloca <marco.tiloca@ri.se> Fri, 15 December 2023 17:04 UTC
Return-Path: <marco.tiloca@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75747C14F5E3; Fri, 15 Dec 2023 09:04:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ri.se
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4497VPNnuUYq; Fri, 15 Dec 2023 09:04:26 -0800 (PST)
Received: from MM0P280CU005.outbound.protection.outlook.com (mail-swedensouthazon11010001.outbound.protection.outlook.com [52.101.74.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0F0CC14E515; Fri, 15 Dec 2023 09:04:25 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GKQSTTIWhWM1DG575MquievQhMJ8tQ5DWa4hBstmSFWGacF/+8OMfgPH5brJD87KgG77WsujmOdztJGb0+KaLqvPeNMtf3ia0sQLeALVMNcRABdMiYHm6Xsv1eH3sbJArpF7C1EQfO/zPI8vS3AhK2hzABp/RVJtCf0C7E0BTjDNYb5GxA0bBcwG98lYtIaAi8yVZLLvW8avf6fLTVKOi+64e7103R0WQCGf92FPoq71y4SM198HUVf7HT2X44QyFKx+yRug+fj4DidptSFY1Hv1kgEu1tIwgdELOVpmKXlgasKpHnNjRusHOY6hKN5w9CAQC4/dpbup6Kv5QdU/Yw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Vr+Prd/Gs6vGKw6bLDvmkouRRmTZFm53QFSFF+SRRuc=; b=JSvCDi0Twi1PQ3aPd6tvkms3q4ntevV500QA/ofUe0hh9Jga1uZY+7MiZE4O8nMM634yY7luCL45r9nMyT6hRQJyosZoPMqQp5DFmaTvM98HgXrUc6oUP3WQH4Tsi6iMAyuOv1Kmq2iAhKSKwBTLlpGjkg6xHO0A53vJQuN6BSNi231Vbe9Bp9jnYiGYa7hpLORA69IeK11fzDynAB68OIZY5FQuVkv/EdeFNDNHSYWmMqakPL2lcGA4K8JanlgaKRfr/+AcL9ODRixJCMq9FR8bTi8pMZtwV7Bqkx4zmRQcUDUp//vD2f3i8lcCgmgMdhrosAWJKuNy/+vtrOSJZw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ri.se; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Vr+Prd/Gs6vGKw6bLDvmkouRRmTZFm53QFSFF+SRRuc=; b=WMHk409RBMcrWwcUv+Ilo+ASdZZKwvTRlj4AxSjFSSG+6fTj1xYT7V5thi7y03RcaZywuEU1YkfuwvPLXcFcqN/ooHDM6aPdKHq98UTBNkPKx6aVzDGCiPOdObdMuLUPRLoHLC0GT/eSWFF7P+sG2GcxYP7XaBiqtLzfE60LZGo=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ri.se;
Received: from GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:37::17) by GV3P280MB0740.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:f2::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7091.28; Fri, 15 Dec 2023 17:04:20 +0000
Received: from GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM ([fe80::49f4:9d27:4b68:cdab]) by GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM ([fe80::49f4:9d27:4b68:cdab%4]) with mapi id 15.20.7091.030; Fri, 15 Dec 2023 17:04:20 +0000
Message-ID: <eb09c68b-89bc-4bb7-999e-a39a533bb27b@ri.se>
Date: Fri, 15 Dec 2023 18:04:17 +0100
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
Cc: draft-ietf-ace-key-groupcomm@ietf.org, ace-chairs@ietf.org, ace@ietf.org, mglt.ietf@gmail.com, Francesca Palombini <francesca.palombini@ericsson.com>
References: <170026478173.54684.14317566205469304884@ietfa.amsl.com>
From: Marco Tiloca <marco.tiloca@ri.se>
Autocrypt: addr=marco.tiloca@ri.se; keydata= xsBNBFSNeRUBCAC44iazWzj/PE3TiAlBsaWna0JbdIAJFHB8PLrqthI0ZG7GnCLNR8ZhDz6Z aRDPC4FR3UcMhPgZpJIqa6Zi8yWYCqF7A7QhT7E1WdQR1G0+6xUEd0ZD+QBdf29pQadrVZAt 0G4CkUnq5H+Sm05aw2Cpv3JfsATVaemWmujnMTvZ3dFudCGNdsY6kPSVzMRyedX7ArLXyF+0 Kh1T4WUW6NHfEWltnzkcqRhn2NcZtADsxWrMBgZXkLE/dP67SnyFjWYpz7aNpxxA+mb5WBT+ NrSetJlljT0QOXrXMGh98GLfNnLAl6gJryE6MZazN5oxkJgkAep8SevFXzglj7CAsh4PABEB AAHNNk1hcmNvIFRpbG9jYSAobWFyY28udGlsb2NhQHJpLnNlKSA8bWFyY28udGlsb2NhQHJp LnNlPsLAdwQTAQgAIQUCWkAnkAIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRDuJmS0 DljaQwEvCACJKPJIPGH0oGnLJY4G1I2DgNiyVKt1H4kkc/eT8Bz9OSbAxgZo3Jky382e4Dba ayWrQRFen0aLSFuzbU4BX4O/YRSaIqUO3KwUNO1iTC65OHz0XirGohPUOsc0SEMtpm+4zfYG 7G8p35MK0h9gpwgGMG0j0mZX4RDjuywC88i1VxCwMWGaZRlUrPXkC3nqDDRcPtuEGpncWhAV Qt2ZqeyITv9KCUmDntmXLPe6vEXtOfI9Z3HeqeI8OkGwXpotVobgLa/mVmFj6EALDzj7HC2u tfgxECBJddmcDInrvGgTkZtXEVbyLQuiK20lJmYnmPWN8DXaVVaQ4XP/lXUrzoEzzsBNBFSN eRUBCACWmp+k6LkY4/ey7eA7umYVc22iyVqAEXmywDYzEjewYwRcjTrH/Nx1EqwjIDuW+BBE oMLRZOHCgmjo6HRmWIutcYVCt9ieokultkor9BBoQVPiI+Tp51Op02ifkGcrEQNZi7q3fmOt hFZwZ6NJnUbA2bycaKZ8oClvDCQj6AjEydBPnS73UaEoDsqsGVjZwChfOMg5OyFm90QjpIw8 m0uDVcCzKKfxq3T/z7tyRgucIUe84EzBuuJBESEjK/hF0nR2LDh1ShD29FWrFZSNVVCVu1UY ZLAayf8oKKHHpM+whfjEYO4XsDpV4zQ15A+D15HRiHR6Adf4PDtPM1DCwggjABEBAAHCwF8E GAECAAkFAlSNeRUCGwwACgkQ7iZktA5Y2kPGEwf/WNjTy3z74vLmHycVsFXXoQ8W1+858mRy Ad0a8JYzY3xB7CVtqI3Hy894Qcw4H6G799A1OL9B1EeA8Yj3aOz0NbUyf5GW+iotr3h8+KIC OYZ34/BQaOLzdvDNmRoGHn+NeTzhF7eSeiPKi2jex+NVodhjOVGXw8EhYGkeZLvynHEboiLM 4TbyPbVR9HsdVqKGVTDxKSE3namo3kvtY6syRFIiUz5WzJfYAuqbt6m3TxDEb8sA9pzaLuhm fnJRc12H5NVZEZmE/EkJFTlkP4wnZyOSf/r2/Vd0iHauBwv57cpY6HFFMe7rvK4s7ME5zctO Ely5C6NCu1ZaNtdUuqDSPA==
In-Reply-To: <170026478173.54684.14317566205469304884@ietfa.amsl.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------0HKrDgCXiUxHdG7tlWKe9EfY"
X-ClientProxiedBy: FR4P281CA0401.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:cf::7) To GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:37::17)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: GVYP280MB0464:EE_|GV3P280MB0740:EE_
X-MS-Office365-Filtering-Correlation-Id: d505458a-d61b-43af-7bbb-08dbfd8fe11b
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: oQ22XZ9/HIcaSBJjzfaWSGAQO80yghgMPr2WHmCHfq+KnxElRujstq2IVARb2XWup0WRqEM15nwx6eH6Zk6PTXfpAjVIvgti2glsgUslZS1srqE24nhkcgy27TMR9+6WiKgYrmMmnUmQ0h9kNUlCR4/EAn/UpA0gfH6s1EPfcZulMKhdCz2l9btW5QKuRdjyR2GKU08COzBeJnFheilEblUPIsf82hkrbet5MH08QLJjoTUiPJxTDmtVkZru6tqEcgVrNaDOdYZ8gNhXYjXmVdtkdxQyqzO8ZpC2WLqN6wEin+C8vO5B4tmqBUGKLD7NNW+SQ6+L+80cH6UWUPGsgqJrSSiBu0y+4B1UXxiO2ROAasl6fYOmV48RGXDAKmqjtdUBOfbL4pS44fSqBd+qblibMMaoYvSMOa1x3Xx7F99SizzwZzCwsVEKGzlVclINuB+IEQS8bS34pq5x/ngVZq1/fY1w2Cx1vstIYrTzMh6GA1zS4/epTnULif1ehU08m9LnRCHvkLrCvF8GjryKSo8dNrVixZVe8AKCiiDYl7aL8v6BO7x32BQV+n8BprZ/i2mL3lYPPidgmGgpct1+Ir1KtqcTfyAExHdowZ+0DdBimgqioC0IMs9xGWdxBn9Vt0VA/RvlvAj8N93DU6KZug==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(376002)(396003)(136003)(346002)(366004)(39860400002)(230922051799003)(451199024)(64100799003)(186009)(1800799012)(21480400003)(966005)(6486002)(66476007)(478600001)(44832011)(83380400001)(6512007)(6666004)(41300700001)(8936002)(36756003)(4326008)(8676002)(53546011)(6506007)(45080400002)(86362001)(26005)(33964004)(31696002)(2616005)(30864003)(2906002)(4001150100001)(166002)(110136005)(66556008)(66946007)(38100700002)(31686004)(5660300002)(316002)(235185007)(45980500001)(43740500002); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: uVINSxBPO3bobVMKp381DRbgtscBlg55oqpX1ul6Rym8OmbEAtUJ/YGrxaG/s67bnp1K8KAlzyi4DlIYk74XZYm1SicIr1JOX8KW0Soq6K5NMxbwohKQ2PGe+vkMoABIy2UhzbzABoYG35nke/KgPdvT09T9BqfzM0arQDrXjVMbvHQ4U/c7VjEs2i/aUfusUJBiNH4DqRYJD7v1OhazTUQwJ3pR9Z//0JB2iBt561e4HRtG4TmkJ+40zdpRgt2EeJ7ON5xza9FPTqfEmzgMU6G1szTf5YN1ua9OhdJ7hEiJ/etNbJouqxok8HDuVDD+bdlrqCXMg+2HV5ET6dIlYBZDonrZuvTG1aT7CGcWJdcQLxHxgOdi6uqlpnx7DfE1x4m2R2WqSaQ7IY+jhs5Vj1CtNko+SCWXER0jQX5WML5dtX3uUuaRmvb/HXb7JWgUUfPl1XDeq9uCi5qp0214DhtmquE6AVShvSAuNKWF49azEUlOS6T4qL9g16es5XeUXo18TpCk0E/zeUB1EMnip0t+6MKFzZWkQ+/j0/b0gOwmy9UaOnjyYZKorsD08XKlbfvcFgQgPKxLXU7f/895U3mSxpPrM3QACjVNq2ruAR00mCoQuXbjI38cnKJJTMT2Mr1UJVvetkH0HEd9tupWHIRNoBrQmujAMPd3b5zKYQrdBtlBqK5lO5lAuxAyP60WGuDZ0iPu1qyxle8QwELAevm+KBOhSyQpJv8aF1G3Nll/A1ml+g5LjHUl+YB9prZdK6karXiUFU0SVC/sxZPx0+7W8oYigs6G4leg1kBASr2ooht3ZAKZHjaaFAf7mcayxGRMFOOqjdkvWsRGTUuSOgrS/laPfPgmJhq4uKRdCj8MoSaR0B2DN7za1gEQPAZmTQ8o892Igp1OPwL8zPomaWHe68m0yuVSzIK8v/kp0Qem+S82RCImKqBj/SRa3fjSqh1/dJOo/XcdJjuKq73xDBbhhTMMA66Ou03AqZqLlN97axM4XSY+uHgVezUgTogqg19Rnp2WSaDPX7W5570SzGz2M0UGxN4ILr6bLX+RU2gGgGuH8E/HOjUJpSJezjVP6IR/veIg3tp+39DMx7+rLtFhF8sCKoAJUXKRKE3JBcUAKqfga/VE2LCFR9MgwXZRFaVJWIetoMMAHKn+mES5i5Yml7d22+Y2drI8czzlKW3bNTDaNleyNmKQdlgTQmilfppwJZjwcOpzPEEsNTl39gr3SXB72fnKwFFMLU9tN1nphyBKjyH2MvDzsYAxnMTBA33hziQRKfwOP9J6Q8qI2Vsp2enqJmfg5jkGnAhydm9H7FAZPHz9nD8dczUHCFqEIqRys845Hd749yywWqxBIrBKBGqjGgjVUuJWq1mJgvPdyjVcl+TUo2WL7mNikUUywOr8A41xbS9RMw9rzftDSOeIawWxB6KgBuc/2d3Wh9roljKrjHClxkbB62VZpjhmigvUFwm5R8S1L7rJQhMOMuBPoahoeHgayDHYhdyura8t1QPN93CsX40Ffi7rPOnIfg485of4bE8ZfQp803DVgT3acYd+hezw0mcKZy8Bt2yOPl1oK+TGkXWnqcwpqt2H
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: d505458a-d61b-43af-7bbb-08dbfd8fe11b
X-MS-Exchange-CrossTenant-AuthSource: GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Dec 2023 17:04:20.3282 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: MLLGOBq/lTrpKIQ3Ve8hdrxEAU/YkZgwlmAn0XKdBelCBmaMKKLgaKBV2T8+WjK8GCSJ6+sHEgAKp51qtmllDA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: GV3P280MB0740
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/kpbd1lNqU5eCksGOdSam1Jx95iE>
Subject: Re: [Ace] Roman Danyliw's No Objection on draft-ietf-ace-key-groupcomm-17: (with COMMENT)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Dec 2023 17:04:30 -0000
Hello Roman, Thanks a lot for your review! Please find in line below our detailed replies to your comments. A Github PR where we have addressed your comments is available at [PR]. Unless any concern is raised, we plan to soon merge this PR (and the other ones related to other received reviews), and to submit the result as version -18 of the document. Thanks, /Marco [PR] https://github.com/ace-wg/ace-key-groupcomm/pull/161 On 2023-11-18 00:46, Roman Danyliw via Datatracker wrote: > Roman Danyliw has entered the following ballot position for > draft-ietf-ace-key-groupcomm-17: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer tohttps://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fabout%2Fgroups%2Fiesg%2Fstatements%2Fhandling-ballot-positions%2F&data=05%7C01%7Cmarco.tiloca%40ri.se%7C5ff64a69992349e291ac08dbe7c7686f%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638358615879941733%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=C5pPlP9PcO9Y4%2F5EQfWSIH8%2BhSOcDCamoEL8vrSaHIE%3D&reserved=0 > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-ace-key-groupcomm%2F&data=05%7C01%7Cmarco.tiloca%40ri.se%7C5ff64a69992349e291ac08dbe7c7686f%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638358615879941733%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=nFjixy8p0Ljocl6G2VzbisJF%2FULDZ1y%2BcjABa3MAXQM%3D&reserved=0 > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > ** Section 1.1. Per the definition of “Group name” and GROUPNAME. The latter > is defined as a “text string used in a URIs”. The former has no definition > beyond saying it is an identifier. Is it not a text string? ==>MT Right, we have revised the definition of both group name and node name as below. NEW > Group name: the identifier of a group, as a text string. Once established, it is invariant. NEW > Node name: the identifier of a node, as a text string. Once established, it is invariant. <== > > ** Section 1.1. > * Individual keying material: information exclusively pertaining to > a group member, as associated with its group membership and > related to other keying material and parameters used in the group. > For example, this can be a member identifier that is unique within > the group. > > -- unlike group and node identifier, member identifier is not defined > > -- how is a member identifier an example of “keying material”? Is it an > identifier for a key? ==>MT We have clarified by expanding one sentence as follows. OLD > For example, this can be a member identifier that is unique within the group. NEW > For example, this can be an identifier that the secure communication protocol employs to uniquely identify a node as a group member (e.g., a cryptographic key identifier uniquely associated with the group member in question). <== > > ** Section 2. Per the comment “Defined in the ACE framework” in Figure 2, > which framework is this text referencing? This document? RFC9200? ==>MT Yes, we have added a reference to RFC 9200. <== > > ** Section 3.1. Editorial > * 'scope', specifying the name of the groups that the Client > requests to access, > > Should this be “name_s_ of the groups ...”? Otherwise, it reads as if there is > a single name for a collection of groups. ==>MT Yes, now fixed. <== > > ** Section 3.1 > > * 'audience', with an identifier of the KDC. > > The definition of audience from Section 5.8.1 of RFC9200 points to RFC8693 > (OAuth’s definition of audience). It says: > > ==[ snip ]== > The logical name of the target service where the client intends to use the > requested security token. This serves a purpose similar to the resource > parameter but with the client providing a logical name for the target service. > Interpretation of the name requires that the value be something that both the > client and the authorization server understand. ==[ snip ]== > > Does the application profile have to specify the semantics of this audience > value (just like the scope parameter)? ==>MT No; we are intentionally keeping this as open as in RFC 9200. Practically, we expect the audience to be an identifier of the KDC. <== > > ** Section 5. > 2. The node has been found compromised or is suspected so. > > What triggers this behavior in #2? How does the KDC know about compromise? > Can Clients tell it that? Can a Client evict another Client? ==>MT We have extended the quoted bullet point as follows. NEW > 2. The node has been found compromised or is suspected so. The KDC is expected to determine that a group member has to be evicted either through its own means, or based on information that it obtains from a trusted source (e.g., an Intrusion Detection System, or an issuer of authentication credentials). Additional mechanics, protocols, and interfaces at the KDC that can support this are out of the scope of this document. <== > > ** Section 6.2.1. Reading this text as normative guidance seemed odd since the > parent section 6.2 stated that the specifics of one-to-many is effectively out > of scope and this document only provides high level guidance. ==>MT We have rephrased as below, to emphasize upfront that the section only describes one possible method. In the text after that, we think that it is appropriate to use normative language to describe how this particular method has to work if the KDC uses it. OLD > Then, the KDC can protect the rekeying message as defined below. The used encryption algorithm which SHOULD be the same one used to protect communications in the group. The method defined below assumes that the following holds for the management keying material specified in the 'mgt_key_material' parameter of the Join Response (see Section 4.3.1). > > * The included symmetric encryption keys are accompanied by a corresponding and unique key identifier assigned by the KDC. > * ... NEW > The following describes one possible method for the KDC to protect the rekeying messages. > > The method assumes that the following holds for the management keying material specified in the 'mgt_key_material' parameter of the Join Response (see Section 4.3.1). > > * The encryption algorithm SHOULD be the same one used to protect communications in the group. > * The included symmetric encryption keys are accompanied by a corresponding and unique key identifier assigned by the KDC. > * ... <== > > ** Section 10. > Security considerations are inherited from the ACE framework > [RFC9200], and from the specific transport profile of ACE used > between the Clients and the KDC, e.g., [RFC9202] and [RFC9203]. > > And from application profiles too which specify the details of the keys and > tokens? ==>MT No, that would be a circular dependency and would require to know such application profiles in advance. (After all, the security considerations of RFC 9200 do not inherit those from its transport profiles, such as RFC 9202 and RFC 9203). <== > > ** Section 10 > > Unless otherwise defined by an application profile of this > specification, the KDC SHOULD renew the group keying material upon a > group membership change. > > ... > > Instead, the KDC might > rekey the group after a minimum number of group members have joined > or left within a given time interval, or after a maximum amount of > time since the last group rekeying was completed, or yet during > predictable network inactivity periods. > > The first sentence seems to be encouraging rekeying but subsequent text points > out that this might not be reasonable. Should the initial “SHOULD” text be > harmonized with this other more nuanced guidance? ==>MT We have rephrased as below, by mentioning exceptions upfront when using "SHOULD". OLD > Unless otherwise defined by an application profile of this specification, the KDC SHOULD renew the group keying material upon a group membership change. In particular, since the minimum ... NEW > Unless otherwise defined by an application profile of this specification, the KDC SHOULD renew the group keying material upon a group membership change. As a possible exception, the KDC may not rekey the group upon the joining of a new group member, if the application does not require backward security. As another possible exception discussed more in detail later in this section, the KDC may rely on a rekeying policy that reasonably take into account the expected rate of group membership changes and the duration of a group rekeying. > > Since the minimum ... <== > > ** Typos > -- Section 1. Typo. s/recommeded/recommended/ > -- Section 2. Typo. s/membrs/members/ > -- Section 3.1. Typo. s/ specificaton/specification/ > -- Section 3.3.1. Typo. s/acces/access/ > -- Section 4. Typo. s/trasferring/transferring/ ==>MT Already fixed in https://github.com/ace-wg/ace-key-groupcomm/pull/156 <== > > > -- Marco Tiloca Ph.D., Senior Researcher Phone: +46 (0)70 60 46 501 RISE Research Institutes of Sweden AB Box 1263 164 29 Kista (Sweden) Division: Digital Systems Department: Computer Science Unit: Cybersecurity https://www.ri.se
- [Ace] Roman Danyliw's No Objection on draft-ietf-… Roman Danyliw via Datatracker
- Re: [Ace] Roman Danyliw's No Objection on draft-i… Marco Tiloca
- Re: [Ace] Roman Danyliw's No Objection on draft-i… Roman Danyliw