Re: [Ace] [Emu] New Version Notification for draft-ietf-ace-wg-coap-eap-04.txt

Dan Garcia Carrillo <garciadan@uniovi.es> Tue, 07 December 2021 22:11 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/nNkvcaHuBDct-xdIgu363oGXKZY>

Hi Göran,

Thank you again for your comments.

We have incorporated them into a new 06 version of the draft that we 
just submitted.

Best Regards,
Dan.


On 6/12/21 12:13, Göran Selander wrote:
>
> Hi Dan,
>
> Please find my replies to your two questions about the update inline 
> below.
>
> Best regards
>
> Göran
>
> *From: *Dan Garcia Carrillo <garciadan@uniovi.es>
>
>     "The communication with the last resource (e.g. '/a/w') from this
>     point MUST be protected with OSCORE except during a new
>     (re)authentication (see Section 3.3)."
>
>     I don't understand why there is an exception. OSCORE seems to be
>     applied to communication with the last resource in all cases:
>
>     * In the case of new authentication the procedure explained in
>     Section 3.2 applies protection with OSCORE in communication with
>     the last resource.
>
>     * In the case of re-authentication, the procedure is explained in
>     Section 3.3 to be "exactly the same" as in Section 3.2.
>
> [authors] Yes, we agree. We can remove that part from the sentence to 
> avoid any confusion. Nevertheless, after your comment, it would be 
> worth stating that if the access to any other resource requires OSCORE 
> protection can use the generated OSCORE context. Does it sound 
> reasonable?
>
> [GS] Yes, the established security context can be used between other 
> resources if allowed by the application's security policy. Proposed 
> rephrasing of step 8:
>
> OLD
>
>   "The IoT Device answers with '2.04 Changed' if the EAP
>       authentication is a success and the verification of the "POST"
>       protected with OSCORE in Step 7 is correctly verified.  The
>       communication with the last resource (e.g. '/a/w') from this point
>       MUST be protected with OSCORE.  Any other resource that requires
>       OSCORE protection MAY be protected with this OSCORE security
>       context."
> NEW
>   "If the EAP authentication and the verification of the OSCORE 
> protected "POST" in Step 7 is successful, then the IoT Device answers 
> with an OSCORE protected '2.04 Changed'. From this point on, the 
> communication with the last resource (e.g. '/a/w')
> MUST be protected with OSCORE. If allowed by application policy, the 
> same OSCORE security context MAY be used to protect communication to other 
> resources between the same endpoints."
>
> ----
>
> Another editorial comment referring to the recent update:
>
> OLD
>
>      "The reception of the POST
>       message protected with OSCORE with Sender ID equal to RID-I
>       (Recipient ID of the IoT device) sent in Step 2 is considered by
>       the IoT device as an alternate indication of success ([RFC3748 
> <https://datatracker.ietf.org/doc/html/rfc3748>])."
>
> I would avoid the term Sender ID since it is all about verification of 
> a received message, e.g. like this.
>
> NEW
>
>      "The verification of the received OSCORE protected "POST"
>       message using RID-I (Recipient ID of the IoT device) sent in Step 2 is 
>       considered by the IoT device as an alternate indication of success ([RFC3748 
> <https://datatracker.ietf.org/doc/html/rfc3748>])."
>
> ----
>
>     Section 5.1
>
>     "If the Controller sends a restricted list
>        of ciphersuites that it is willing to accept, and the ones
>        supported by the IoT device are not in that list, the IoT device
>        will respond with a '4.00 Bad Request', expressing in the payload
>        the ciphersuites supported. "
>
>     Make clear (here or in a security consideration) that in case of
>     an error message containing a cipher suite, the exchange of cipher
>     suites between EAP authenticator and EAP peer cannot be verified.
>     For example, a man-in-the-middle could replace cipher suites in
>     either message which would not be noticed if the protocol is ended
>     after step 2.
>
> [authors] That’s right. However, after your comments, we believe this 
> could be improved. The reason is that by default we can assume that at 
> least cipher suite 0 (AES-CCM-16-64-128, SHA-256) is implemented in 
> both entities. As such, if the controller includes option 0 in the 
> list of cipher suites, the controller will not receive a bad request, 
> since at least the IoT device can select cipher suite 0 and therefore 
> the authentication will follow until the end, and the cipher suite 
> negotiation can be verified. We think it is simpler and we can get rid 
> of the bad request. Does it sound reasonable?
>
> [GS] Sounds OK to me.
>
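As an added illustration of the cipher suite discussion above (example code written for this page, not code from the CoAP-EAP draft or its authors): a small Python model in which the Controller's offer always contains the mandatory suite 0, so the IoT device can always select a suite and never needs the '4.00 Bad Request' path, and both endpoints compare their view of the negotiation once authentication has completed. The function names, the constructed suite identifiers 1 and 2, and the transcript-hash comparison are assumptions made for this example; the draft's own way of verifying the negotiation is not specified on this page.

```python
# Illustrative model of CoAP-EAP cipher suite selection; not the draft's code.
import hashlib
from typing import List, Optional, Set, Tuple

# Suite 0 (AES-CCM-16-64-128, SHA-256) is assumed mandatory-to-implement,
# so the Controller and the IoT device always share at least this suite.
MANDATORY_SUITE = 0

CIPHER_SUITES = {
    0: "AES-CCM-16-64-128, SHA-256",
    1: "constructed-suite-1",  # constructed identifier, example only
    2: "constructed-suite-2",  # constructed identifier, example only
}


def controller_offer(preferred: List[int]) -> List[int]:
    """Controller side: the offered list always includes the mandatory suite."""
    offer = list(preferred)
    if MANDATORY_SUITE not in offer:
        offer.append(MANDATORY_SUITE)
    return offer


def select_cipher_suite(offered: List[int], supported: Set[int]) -> Optional[int]:
    """IoT device side: first offered suite it supports.

    None models the '4.00 Bad Request' case, which cannot occur when the
    offer contains suite 0 and the device implements it.
    """
    for suite in offered:
        if suite in supported:
            return suite
    return None


def negotiation_transcript(offered: List[int], chosen: int) -> bytes:
    """Hash of one endpoint's view of the negotiation (assumed binding)."""
    return hashlib.sha256(bytes(offered) + bytes([chosen])).digest()


def verify_negotiation(controller_view: Tuple[List[int], int],
                       device_view: Tuple[List[int], int]) -> bool:
    """Run after EAP authentication, over the OSCORE-protected exchange:
    both views must match, otherwise an on-path modification of the
    cipher suite messages is detected and the session must be rejected."""
    return negotiation_transcript(*controller_view) == negotiation_transcript(*device_view)
```

Because the check runs only after authentication, an unprotected early abort would never reach it, which is exactly why the authors prefer to remove the bad-request path.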