[Ace] Review of ietf-ace-key-groupcomm-08

christian@amsuess.com Fri, 31 July 2020 09:28 UTC

Return-Path: <christian@amsuess.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id F17CA3A1168; Fri, 31 Jul 2020 02:28:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id yBtDLgFx47Ud; Fri, 31 Jul 2020 02:28:28 -0700 (PDT)
Received: from prometheus.amsuess.com (prometheus.amsuess.com []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 286A03A1165; Fri, 31 Jul 2020 02:28:26 -0700 (PDT)
Received: from poseidon-mailhub.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:a800:ff:fede:b1bd]) by prometheus.amsuess.com (Postfix) with ESMTPS id CFE6940752; Fri, 31 Jul 2020 11:28:24 +0200 (CEST)
Received: from poseidon-mailbox.amsuess.com (hermes.amsuess.com []) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id 88F58AB; Fri, 31 Jul 2020 11:28:23 +0200 (CEST)
Received: from hephaistos.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:4ccb:b950:f051:b4e2]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id 38EC0180; Fri, 31 Jul 2020 11:28:23 +0200 (CEST)
Received: (nullmailer pid 2762114 invoked by uid 1000); Fri, 31 Jul 2020 09:28:22 -0000
Date: Fri, 31 Jul 2020 11:28:22 +0200
From: christian@amsuess.com
To: ace@ietf.org, draft-ietf-ace-key-groupcomm@ietf.org
Message-ID: <20200731092822.GA2614928@hephaistos.amsuess.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="45Z9DzgjV8m4Oswq"
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/q03pyqFHFT4CpdsckLLlifPB3w0>
Subject: [Ace] Review of ietf-ace-key-groupcomm-08
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2020 09:28:32 -0000

Hello Francesca, Marco and ACE,

I've had a bit of a hard time working through ace-key-groupcomm (and the
associated OSCORE adaption); here's what I think makes it difficult:

(It may be worth pointing out that my perspective in reading was joining
a group as a monitor device, which may explain my points of attention or
lack thereof)

* Some example exchange ... somewhere would make it easier to digest.
  I'm not saying that every step needs one here (and am aware that I
  have a tendency to overdo it myself), but skimming through examples
  often allows getting a rough idea much more quickly than having it
  develop while going through the text.

* The way groupcomm-specific data is exchanged in the token phase
  violates the layering of ACE as I see it.

  The whole section 3 (Authorization to Join a Group) should be
  expressible a few paragraphs. Figure 2 already indicates that
  ("Defined in the ACE framework"), yet it spans 7 pages.

  The part where outlines how scope is expressed w/rt groups is good,
  that needs to be there.

  Then there are sign_info and kdcchallenge, which are for the next

  Apart from that, it largely reads like a repetition of general ACE.
  That may be justified by the intention to make it usable for readers
  who didn't go through the rest of ACE before, but then please mark it
  as such. (To illustrate: In 3.2 around rs_cnf I started wondering
  whether that might apply when asymmetric keys are used in the group
  because I never had to deal with rs_cnf, just to realize that it's
  some ACE transport profiles that use it. I've only used ACE-OSCORE so
  far, and sure there's several generic ACE mechanisms I haven't used,
  but why is this piece of information occupying my time here?).

* Join components in the Token phase

  I understand sign_info and kdcchallenge to be process optimizations
  that allow joining the group with fewer round-trips.

  The point they are introduced at does not make this obvious, though --
  the reader is right in the middle of going through the ACE part and
  possibly trying to figure out what they already have implemented and
  what's changed here.

  Frankly, if there were a better way to bundle compressed requests
  ("and by the way, of the things I'm now authorized to see, give me the
  sign_info") or unsolicited responses ("and by the way, if you tried to
  register with a public key, you'd fail because you don't have a
  kdcchallenge, so here's one to get started"), I'd suggest it here, but
  I don't have anything written I could refer you to.

  But from a teaching and understanding point of view, I think that it'd
  be better structured about like this:

  * In the very short ACE section, add an item that "Parts of the
    following group joining process can be rolled into the token
    exchange. They manifest in a sign_info entry in the token request,
    and a kdcchallenge in the token response (which is then an
    application/ace+cbor representation rather than empty). These can be
    added by the parties to save round-trips and are described in detail
    in appendix X. While it is RECOMMENDED that they are used when
    adaequate, parties MAY ignore them (but MUST NOT fail the process
    just because they find them in a message)."

  * Then explain the process from a client not having a kdcchallenge (or
    having a stale one, or not even having sign_info) with the clear
    separation of ACE tasks and interactions with the protected resource
    (the join resource). Here may be a place for a note about the option
    to optimize away the step by using appendix X.

  * Then, in the appendix, use the established knowledge of what
    sign_info and the challenge do to concisely map the data items
    piggy-backed on the token exchange into information populating the
    client's cache of the groups.

* On the AIF: The first parameter of the AIF is said to be "the
  identifier of the specific group or topic".

  I suppose the identifier cleanup will make this clearer. As it's
  described as a default, how is that overridden, and how does the
  client know whether it can just construct a scope or has to try first
  and wait for the KDC to give it a good value in a 4.01?

* GET handler of /ace-group/GROUPNAME: Why MUST requests from
  authorized (as per third paragraph) but non-member (as per fourth)
  clients turned down with 4.00? 

  The only reason I can think of to deny that would be running an audit
  trail of which authorized clients actually joined (to see when to
  rekey after a compromise), but as that sounds like it's within range
  of the permissive side effects a GET could have just as well (as per
  RFC7231 Section 4.2.1), so rather than refusing, the GET could just be
  served and the audit entry created.

  (Otherwise, my gut feeling says this should be a 4.01 response as
  well, but maybe we don't need to have that discussion in the first

* If, of course, the client's scope is only to get public keys of the
  group but not the cryptographic material (as might be for scenarios
  where there is a verifier), then that client would not be allowed to
  GET that data, and should be 4.01'd no matter whether it has actually
  joined the group nor not.

  That case seems not to be covered well in the GET handler
  description: Neither check ("group is in scope", "is a current
  member") really accounts for that. (The 'signature verifier' role of
  -oscore says "does not join [...] as an *actual* member", but I
  wouldn't count on everyone reading that as "not a member at all" for
  the purpose of the above paragraph).

* and (/ace-group/GROUPNAME/pub-key FETCH): 

  The "The handler verifies that" and "Note that this resource handler"
  appear to contradict each other (or the latter overrides the former);
  it would be easier to understand if they were rolled in one.

  The former reads like boilerplate text; I'd rather see that avoided
  ("For all resources, X and Y apply") or referenced if the reader can't
  be trusted to read the whole document ("General authentication
  requirements per Section X apply."). Defined terminology may help
  there as well ("is Authenticated As a group member", "is Authenticated
  As the group member identified by NODENAME" in other places).

* and (/ace-group/GROUPNAME/pub-key GET and FETCH): 

  The GET text reads like a duplicate of the FETCH text. Can't this be a
  simple "GET requests are served just like FETCH requests but without
  any filtering"?

* GROUPNAME/num: Is there a particular reason this is a dedicated
  resource and not just accessed through GROUPNAME?

* request latest keying material "To this end, the Client sends a CoAP
  GET request to the /ace-group/GROUPNAME/nodes/NODENAME endpoint at the
  KDC, formatted as specified in Section"

  What's the purpose of the node observing its own resource rather than
  the the whole group? After all, its own keys won't change out of the
  blue, just the group's material.

* I'm a bit uncertain about the change of keys mid-blockwise, but can't
  put a finger on it yet. Do you have any use case examples that'd help
  me figure out what such an operation would look like in the first

* IANA File Extension: Why?

* I've only skimmed section 8.

Kind regards

To use raw power is to make yourself infinitely vulnerable to greater powers.
  -- Bene Gesserit axiom