Re: [Ace] draft-ietf-ace-dtls-authorize

Olaf Bergmann <bergmann@tzi.org> Thu, 28 January 2021 17:10 UTC

From: Olaf Bergmann <bergmann@tzi.org>
To: "ace@ietf.org" <ace@ietf.org>
Cc: Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org>
References: <DM6PR15MB237928B2B84B18E9AE050EC3E3BA9@DM6PR15MB2379.namprd15.prod.outlook.com>
Date: Thu, 28 Jan 2021 18:10:49 +0100
In-Reply-To: <DM6PR15MB237928B2B84B18E9AE050EC3E3BA9@DM6PR15MB2379.namprd15.prod.outlook.com> (Daniel Migault's message of "Thu, 28 Jan 2021 17:03:30 +0000")
Message-ID: <8735ylc7hi.fsf@wangari>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/m4VODJoqlUWLYq85fSOw4RujddM>
Subject: Re: [Ace] draft-ietf-ace-dtls-authorize

Hi Daniel,

On 2021-01-28, Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org> wrote:

> Apparently, the change on the DTLS profile has not been noticed by
> everyone in the WG, so I am bringing the discussion here.
>
> The change has been made as a response to a comment from the security
> directorate. Please provide your feedback by Feb 4 (but preferably
> before), and potentially propose the text you would like to see if you
> disagree with the change.

I agree with the change (although I do not care very much but the new
text makes more sense than the old) because the change suggested in the
secdir review is not about mandating one protocol or the other. It is
about which protocol you need to implement if you want to use that
protocol between C and AS. In short:

* the OSCORE profile mandates that "if you want to use CoAP over OSCORE
  between the C and the AS, you need to follow the steps in the
  OSCORE specification and look somewhere else if you want to use
  another protocol", and
* the DTLS profile mandates that "if you want to use CoAP over DTLS
  between the C and the AS, you need to follow the steps in the
  DTLS specification and look somewhere else if you want to use
  another protocol".

Regards
Olaf