[Ace] Roman Danyliw's Discuss on draft-ietf-ace-oscore-profile-17: (with DISCUSS and COMMENT)

Roman Danyliw via Datatracker <noreply@ietf.org> Tue, 23 March 2021 03:28 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/qtlXsjI5KvnAnWdnPZSwg4gGOZ4>

Roman Danyliw has entered the following ballot position for
draft-ietf-ace-oscore-profile-17: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


(A simple editorial fix) Per Section 5.8.2 of [I-D.ietf-ace-oauth-authz], the
name of the parameter in the C-to-AS communication is “ace_profile” (not
“profile”).  The “ace_profile” parameter is mistakenly referenced as “profile”
in the following place:

(a) Section 3.2.
   The AS can signal that the use of OSCORE is REQUIRED for a specific
   access token by including the "profile" parameter with the value
   "coap_oscore" in the access token response


Thank you to Kathleen Moriarty for the SECDIR review.

** In addition to the normative text noted in the DISCUSS, the examples in
Figure 4 and Figure 7 also have the same typo (but that doesn’t rise to a

** Section 7.  Per “Developers should avoid using multiple access tokens for a
same client”, is there a reason not to use a normative SHOULD here?  The DTLS
profile has nearly identical words and uses a normative SHOULD.

Likewise should “This profile recommends that the that RS maintains a single
access token for each client” be “This profile RECOMMENDS”?

** Editorial nits
Section 3.2.  Typo. s/The applications needs/The application needs/

Section 3.2.  Typo. s/parameeter/parameter/

Section 4.  Typo. s/Note that the RS and client authenticates/Note that the RS
and client authenticate/

Section 4.1.  Typo. s/The client may also chose/The client may also choose/