[Ace] Secdir last call review of draft-ietf-ace-extend-dtls-authorize

tirumal reddy <kondtir@gmail.com> Fri, 13 January 2023 06:32 UTC

From: tirumal reddy <kondtir@gmail.com>
Date: Fri, 13 Jan 2023 12:01:58 +0530
Message-ID: <CAFpG3gcNF_z4=mun0YCwv6GC9YHYdU+VXrwsbT84edgTQSK8jQ@mail.gmail.com>
To: secdir@ietf.org, last-call@ietf.org, ace@ietf.org, draft-ietf-ace-extend-dtls-authorize.all@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/liYwSqo9WHw3BoOZm6ZQa3JmqHM>
Subject: [Ace] Secdir last call review of draft-ietf-ace-extend-dtls-authorize

Reviewer: Tirumaleswar Reddy
Review result: Ready with Nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document updates the CoAP-DTLS profile for ACE by specifying
that the profile applies to TLS as well as DTLS.

Comments below:

1) In case the ace_profile parameter indicates the use of the DTLS profile
for ACE as defined in [RFC9202], the Client MAY try to connect to the
Resource Server via TLS, or try TLS and DTLS in parallel to accelerate the
connection setup. It is up to the implementation to handle the case where
the RS responds to both connection requests.

Comment> DTLS should be given higher precedence than TLS as CoAP over UDP
is the first choice of implementation.

2) As resource-constrained devices are not expected to
support both transport layer security mechanisms, a Client
that implements either TLS or DTLS but not both might fail in establishing
a secure communication channel with the Resource Server altogether.

Comment> If the IoT device cannot support both TLS and DTLS, is it
mandatory for the device to support TLS?
Otherwise, if a device supports DTLS only and a firewall blocks the
communication channel over UDP with the RS, it will fail to function.

Cheers,
-Tiru
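The transport-selection behaviour the two comments discuss (DTLS precedence over TLS, parallel attempts, an RS that answers both, and a firewall that blocks UDP), as an added Python illustration that is not part of the review or of the draft; `Session`, `connector` and `select_transport` are hypothetical stand-ins for real (D)TLS handshakes, and the delays and timing constants are constructed for the demo.

```python
import asyncio

class Session:
    """Stand-in for an established (D)TLS session (constructed for this demo)."""
    live = []                                  # every session the mocks created
    def __init__(self, transport):
        self.transport, self.closed = transport, False
        Session.live.append(self)
    def close(self):
        self.closed = True

def connector(transport, delay, fail=False):
    """Hypothetical handshake: a Session after `delay` s, or OSError if `fail`."""
    async def connect():
        await asyncio.sleep(delay)             # a UDP-dropping firewall == huge delay
        if fail:
            raise OSError(f"{transport} handshake refused")
        return Session(transport)
    return connect

async def select_transport(connect_dtls, connect_tls, head_start=0.2, grace=0.2):
    """Race DTLS and TLS with DTLS precedence: TLS starts only after `head_start` s
    (or once DTLS fails), a DTLS success within `grace` s of a TLS success still
    wins, and if the RS answers both the losing session is closed, not leaked."""
    async def attempt(fn):
        try:
            return await fn()
        except OSError:
            return None                        # handshake failure == no session
    dtls = asyncio.create_task(attempt(connect_dtls))
    done, _ = await asyncio.wait({dtls}, timeout=head_start)
    if done and dtls.result() is not None:
        return dtls.result()                   # DTLS came up first; TLS never tried
    tls = asyncio.create_task(attempt(connect_tls))
    await asyncio.wait({dtls, tls}, return_when=asyncio.FIRST_COMPLETED)
    if not dtls.done():                        # TLS finished first
        await asyncio.wait({dtls}, timeout=None if tls.result() is None else grace)
    if dtls.done() and dtls.result() is not None:
        if tls.done() and tls.result() is not None:
            tls.result().close()               # both responded: drop the TLS one
        else:
            tls.cancel()
        return dtls.result()
    dtls.cancel()                              # DTLS failed or UDP is blocked
    return await tls                           # a TLS Session, or None if both failed

def choose(connect_dtls, connect_tls, **kw):
    """Synchronous wrapper; returns the selected transport's name or None."""
    s = asyncio.run(select_transport(connect_dtls, connect_tls, **kw))
    return s.transport if s else None
```

Running `choose(connector("dtls", 10), connector("tls", 0.02))` models the firewall case from comment 2: the DTLS attempt never completes, so the client settles on TLS after the grace period instead of hanging.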