[Ace] Version -03 prep for draft-ietf-ace-mqtt-tls-profile
Cigdem Sengul <cigdem.sengul@gmail.com> Wed, 18 December 2019 10:56 UTC
From: Cigdem Sengul <cigdem.sengul@gmail.com>
Date: Wed, 18 Dec 2019 10:56:40 +0000
Message-ID: <CAA7SwCOryGZ93OGzmoQif_VES1V9uGy_NYAqiNxyFxS=k6AD2g@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>, Daniel Migault <daniel.migault=40ericsson.com@dmarc.ietf.org>
Cc: Ace Wg <ace@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/ph5ZyszBrOGMVagum_Uwi27JAjE>
Dear Jim and Daniel,

As discussed in Singapore, we've started working on the -03 based on the comments we've received.
https://github.com/ace-wg/mqtt-tls-profile/tree/v-03-WIP

The main changes are:

Version 02 to 03:
1) Added the option of Broker certificate thumbprint in the 'rs_cnf' sent to the Client.
2) Clarified the use of a random nonce from the TLS Exporter for PoP; added to the IANA requirements that the label should be registered.
3) Added a client nonce, when Challenge/Response Authentication is used between Client and Broker.
4) Clarified the use of the "authz-info" topic and the error response if token validation fails.
5) Added clarification on wildcard use in scopes for publish/subscribe permissions.
6) Reorganised sections so that token authorisation for publish/subscribe messages is better placed.
7) Clarified protection of Application Message payload as out of scope, and cited draft-palombini-ace-coap-pubsub-profile for a potential solution.

Could you provide input regarding the following:

1) Based on Jim's suggestion I added a statement that says:

   The AS MAY include the thumbprint of the RS's X.509 certificate in the 'rs_cnf' (thumbprint as defined in <xref target="I-D.ietf-cose-x509"></xref>), then the client MUST validate the RS certificate against this thumbprint.

   Is this implemented by rs_cnf = x5t and then the client computes the hash and checks against x5t?

   Regarding other questions raised by Jim on OASIS certificate guidelines and the mqtt/mqtt(s), I have not managed to get more information than:

   1. There is no official URI scheme, but there is a community wiki entry which proposes something: https://github.com/mqtt/mqtt.github.io/wiki/URI-Scheme. The MQTT 5 server redirection feature uses a very simple way of indicating a server reference, see https://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html#_Server_redirection
   2. There's currently no certificate validation document. The recommendations linked in the spec can be found here: https://docs.oasis-open.org/mqtt/mqtt/v5.0/os/mqtt-v5.0-os.html#_Toc3901280

2) I temporarily added the exporter label to our draft but will wait on the final decision on that. So, if it is defined and registered in another document, I can refer to it.

I will push changes as 03 once there is an agreement on how to resolve these issues.

Kind regards,
--Cigdem
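The thumbprint check asked about in point 1) above, worked through as an added example; this is not code from the draft, the mailing-list thread or the ace-wg repository. It assumes that 'rs_cnf' carries the thumbprint as the COSE_CertHash structure [hashAlg, hashValue] from the COSE x509 draft, that hashAlg is a COSE Algorithms registry identifier (-16 for SHA-256, -43 for SHA-384, -44 for SHA-512), and that the client has the Broker's end-entity certificate as DER bytes, which is what a TLS stack hands back after the handshake. The certificate bytes used below are a constructed stand-in, not a real certificate; the function names are my own.

```python
import hashlib
import hmac

# COSE hash algorithm identifiers (IANA COSE Algorithms registry).
# SHA-1 (-14) is deliberately absent: a thumbprint pins the peer's
# identity, so a collision-weak hash is rejected rather than accepted.
COSE_HASH_ALGS = {
    -16: "sha256",
    -43: "sha384",
    -44: "sha512",
}


def make_x5t(cert_der: bytes, hash_alg: int = -16) -> list:
    """AS side: build COSE_CertHash [hashAlg, hashValue] over the DER
    certificate, i.e. the value an AS would place in rs_cnf['x5t']
    (assumption: the profile reuses the COSE x509 structure as-is)."""
    digest = hashlib.new(COSE_HASH_ALGS[hash_alg], cert_der).digest()
    return [hash_alg, digest]


def verify_rs_cert_thumbprint(cert_der: bytes, rs_cnf: dict) -> bool:
    """Client side: the certificate the Broker presented in the TLS
    handshake must hash to the thumbprint the AS bound into rs_cnf.
    Returns False on a mismatch; raises ValueError when x5t is malformed
    or names a hash the client refuses, so a bad token is distinguishable
    from a substituted certificate."""
    x5t = rs_cnf.get("x5t")
    if not isinstance(x5t, (list, tuple)) or len(x5t) != 2:
        raise ValueError("rs_cnf.x5t is not a COSE_CertHash [hashAlg, hashValue]")
    hash_alg, expected = x5t
    name = COSE_HASH_ALGS.get(hash_alg)
    if name is None:
        raise ValueError(f"unsupported or rejected hash algorithm {hash_alg}")
    if not isinstance(expected, (bytes, bytearray)):
        raise ValueError("hashValue must be a byte string")
    actual = hashlib.new(name, cert_der).digest()
    # A wrong-length hashValue is a malformed token, not merely a mismatch.
    if len(expected) != len(actual):
        raise ValueError("hashValue length does not match the hash algorithm")
    # Constant-time comparison: the thumbprint is an authentication value.
    return hmac.compare_digest(actual, bytes(expected))


# Constructed stand-in for a DER-encoded Broker certificate (not real DER).
SAMPLE_BROKER_CERT_DER = b"\x30\x82\x01\xf0" + b"constructed broker certificate bytes"


def demo() -> dict:
    """Genuine Broker certificate versus a substituted one under the same rs_cnf."""
    rs_cnf = {"x5t": make_x5t(SAMPLE_BROKER_CERT_DER)}
    substituted_cert = b"\x30\x82\x01\xf0" + b"some other certificate bytes"
    return {
        "genuine": verify_rs_cert_thumbprint(SAMPLE_BROKER_CERT_DER, rs_cnf),
        "substituted": verify_rs_cert_thumbprint(substituted_cert, rs_cnf),
    }


if __name__ == "__main__":
    print(demo())
```

In a real client the DER bytes come from the TLS layer after the handshake (in Python's ssl module, getpeercert(binary_form=True)), and the check runs before the MQTT CONNECT carrying the token is sent; if it fails, the connection is closed rather than the token being handed to an unverified Broker. The thumbprint pins the leaf certificate the AS intended, so it complements rather than replaces whatever chain validation the client already performs.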