Re: [Ace] OSCORE Profile status update and way forward

Daniel Migault <> Thu, 15 October 2020 17:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 16E3F3A0AE0; Thu, 15 Oct 2020 10:22:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KNv94z7l8bwa; Thu, 15 Oct 2020 10:22:53 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::e32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1BC8D3A07F0; Thu, 15 Oct 2020 10:22:53 -0700 (PDT)
Received: by with SMTP id x185so1955153vsb.1; Thu, 15 Oct 2020 10:22:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Hq6In/wr6G5UsVUq2Yn9LN1uJlv4MGMNbxyCMGlfSds=; b=Zk7dr/5uzZweJkCi7jE5wDp2uuk1Ww+o4l+C1siMPyV6GZszX1iVk5lWwpWLeGep1L WU3nWgUot/fp7VZO55NzTYPNAo6UOtAXb6v0UPTq9ccFn4HJszsfb+rhutLNRQKseCEY j9JZrjIBnoroSnwVntdaOKALGN7wOY1JvHg1X/5xCUy934lkD2fjrBIVUtl1D/d101T9 IBhoP0ZtI+m1FRcnI+sDrtGwH6wSIcBOMcQLtHHyJhtnCU4Bmwajts1FrV9sLfHCOUeO grnnbYNS/Z3zSUU7ltj8rl2NeuuhZY4gERbNJD/ihK0XlCqVuC3tgI5HBZcG6v57/1uA qrUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Hq6In/wr6G5UsVUq2Yn9LN1uJlv4MGMNbxyCMGlfSds=; b=R3hmB6mwhAyMllR3QMASg7EwdBa35/2+vIuG9QMY+z9sJmr6Zdvy5zZFr8e5rbGp48 yP1ImmEDztUts6RXHRuLUGm66K9k29nvQrOx0WT0x1UsL3auiSZY1WenDpWnAYS0vgZa FJRYjDfLkkCMY2Fo9ceqZ+8WFvN/cjqUK9Wgt3RziwDSwn1h+6+hKKd5ja8PSB71RgmA pjGWLJxXYBnsHbaM+BL57ZOCwMJxjMu3/9dk8X4OnjBANjsUg/06BO/5QimCBYUgNIT5 vqG+AKdnWUQ/3MF3mCmaRWwNZinVQVSv5ntK5lhTSaF69S2kgOzYdAv8mEzIg1fGJNFw SoHg==
X-Gm-Message-State: AOAM530mo4lcF9ZN8wAZpE7jYAmFsx1HtcSelj18j5poOTsCrFL6BzJH CCR4Jzk1jXAS+rX0Pyuq00Dx5xLOHvYdO/fwnqxs0WVmd/Q=
X-Google-Smtp-Source: ABdhPJxWdgNnKr+10ybd2cOnJsnHHREzSmqKyOZOkpem2PM4wpn5aZoDOMmXY7dIVmC9Oi58d0KTm6FUmQarJbM5Tcg=
X-Received: by 2002:a67:1e02:: with SMTP id e2mr3711246vse.40.1602782572100; Thu, 15 Oct 2020 10:22:52 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Daniel Migault <>
Date: Thu, 15 Oct 2020 13:22:41 -0400
Message-ID: <>
To: =?UTF-8?Q?Christian_Ams=C3=BCss?= <>
Cc: Francesca Palombini <>, "" <>, Ace Wg <>
Content-Type: multipart/alternative; boundary="000000000000dcc2f005b1b8e54a"
Archived-At: <>
Subject: Re: [Ace] OSCORE Profile status update and way forward
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 15 Oct 2020 17:22:55 -0000


To follow-up this thread, we discussed with Ben and found out that the best
path would be to go through an official WGLC before sending the document
back to the IESG. This should not change much as a careful review of the
document was needed anyway (C), so the WGLC would just consist of these
reviewers to confirm their reviews.


On Tue, Oct 13, 2020 at 9:10 AM Daniel Migault <> wrote:

> Dear WG,
> If I attempt to balance the different 3 proposals, my perception is we may
> address a specific scenario into the core profile with no additional
> complexity versus via extensions. This leaves working on a profile v2
> (option 2) or updating the to-become soon profile v1 (option 3). I prefer
> to avoid specifications being deprecated before they are even published and
> would prefer to consider updating the current version.
> I suspect that multiple versions of a profile can co-exist and that the
> problem of having a profile v2 that interoperate with a profile v1 - which
> does not seem mandatory.
> In order to move forward, I propose that by October 20:
> * A)  WG member state their opinion regarding that we revise the oscore
> profile document
> * B) Francesca refines the proposed changes, so the document is ready for
> review
> * C) WG member state whether they volunteer to review the updated
> document. I would like to avoid the document re-opened once considered
> updated.
> With A, B and C I will be able to discuss with Ben how to move forward the
> document. I am happy to get your feed backs or suggestions.
> Yours,
> Daniel
> On Fri, Oct 9, 2020 at 11:45 AM Christian Amsüss <>
> wrote:
>> Hello Francesca, hello ACE group,
>> On Mon, Sep 21, 2020 at 01:48:33PM +0000, Francesca Palombini wrote:
>> > - clarified that Appendix B.2 of OSCORE can be used with this profile,
>> > and what implementers need to think about if they do.
>> I understand B.2 to be something that the involved parties need to agree
>> on beforehand; after all, the ID context may be something the server
>> relies on (at least for the initial attempt) to find the right key,
>> especially when multiple AS are involved. (For example, the RS could
>> have an agreement that the AS may issue any KID as long as they use a
>> particular ID context). If the server expects B.2 to happen (which, as
>> it is put now, it can as long as it supports it in general), it needs to
>> shard its KID space for the ASs it uses. (Generally, B.2 is mutually
>> exclusive with ID contexts's use of namespacing KIDs).
>> Is the expectation that clients that do not anticipate B.2 by the time
>> they are configured with their AS just don't offer B.2 to their peers?
>> Given B.2 is in its current form client-initiated only (AFAIR we had
>> versions where ID1 could be empty in draft versions, but currently it
>> reads as client-initialized), does B.2 have any benefits for ACE-OSCORE
>> clients? After all, they could just as well post the token with a new
>> nonce1 to the same effect.
>> Kind Regards
>> Christian
>> --
>> To use raw power is to make yourself infinitely vulnerable to greater
>> powers.
>>   -- Bene Gesserit axiom
>> _______________________________________________
>> Ace mailing list
> --
> Daniel Migault
> Ericsson

Daniel Migault