[Ace] Zaheduzzaman Sarker's No Objection on draft-ietf-ace-extend-dtls-authorize-06: (with COMMENT)
Zaheduzzaman Sarker via Datatracker <noreply@ietf.org> Wed, 15 February 2023 09:44 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: ace@ietf.org
Delivered-To: ace@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 647D8C14CEE4; Wed, 15 Feb 2023 01:44:17 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Zaheduzzaman Sarker via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-ace-extend-dtls-authorize@ietf.org, ace-chairs@ietf.org, ace@ietf.org, mglt.ietf@gmail.com, mglt.ietf@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 9.9.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Zaheduzzaman Sarker <Zaheduzzaman.Sarker@ericsson.com>
Message-ID: <167645425740.56154.924062641772474585@ietfa.amsl.com>
Date: Wed, 15 Feb 2023 01:44:17 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/nDA3A97hsVGS5gomGswBJKFMNFQ>
Subject: [Ace] Zaheduzzaman Sarker's No Objection on draft-ietf-ace-extend-dtls-authorize-06: (with COMMENT)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.39
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Feb 2023 09:44:17 -0000
Zaheduzzaman Sarker has entered the following ballot position for draft-ietf-ace-extend-dtls-authorize-06: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-ace-extend-dtls-authorize/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thanks for working on this specification. Like others I have also stabled upon section 4, where it says - "The ace_profile parameter indicates the use of the DTLS profile for ACE as defined in [RFC9202]. Therefore, the Client typically first tries using DTLS to connect to the Resource Server. If this fails the Client MAY try to connect to the Resource Server via TLS. The client can try TLS and DTLS in parallel to accelerate the connection setup. It is up to the implementation to handle the case where the RS reponds to both connection requests. As resource-constrained devices are not expected to support both transport layer security mechanisms. Clients and Resource Servers SHOULD support DTLS and MAY support TLS. A Client that implements either TLS or DTLS but not both might fail in establishing a secure communication channel with the Resource Server altogether." It seems to me that according to RFC9202 and as it is already out in the deployment, there is a preference of using DTLS for secure comm channel with RS. This specification allows that TLS could also be used that MAY be supported by some RS and clients. Hence, my understanding would be that clients with only DTLS support SHOULD at least be able to establish secure communication channel, and clients with only TLS support MAY also be able to secure the channel to RS. This is however, is not the interpretation I get by reading the mentioned text from the specification. I would actually prefer that the RS SHOULD support both DTLS and TLS, and clients SHOULD support DTLS but MAY support TLS as well. In that case we can do a failover to TLS or race the DTLS and TLS in parallel. This would maximize the use of secure channel. However, the current recommendation might work hence no objection from me.
- [Ace] Zaheduzzaman Sarker's No Objection on draft… Zaheduzzaman Sarker via Datatracker