IETF Logo Mail Archive

Re: [Ace] WGLC draft-ietf-ace-oscore-profile-13.txt

Marco Tiloca <marco.tiloca@ri.se> Thu, 19 November 2020 16:03 UTC

Return-Path: <marco.tiloca@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B9783A00C4; Thu, 19 Nov 2020 08:03:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ri.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A9yo_E4KM108; Thu, 19 Nov 2020 08:03:49 -0800 (PST)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40087.outbound.protection.outlook.com [40.107.4.87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC6503A0DCC; Thu, 19 Nov 2020 08:03:18 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jtsLBzpljvC/kwIyhtf/2PD+Arpp60KTo696u8WzmHRaEE7BoM0k5Fb/NKL5GVw0NUZ3Fr1Gf3bpB8d9vE+rXM9gonSxexG78Gj+1RpuHh08PmakiqHktcPLCjy0r1TLVaFjlAzlGkRCdZlO6bjZ9zEJHvSDzVdXEm7GW35oMIfCtz5jlw6uauC07X/u4QLdTmmUZkdNN7AQn+H/xEMx2Q8n7MDKAPo3MYbqot90NDCON4tpLpqOBh3O4N6qkzVR0gUOkGQA4DmuCMKMJRIVKyKwFmk3n6GdywpYa6u61sMF7dd3ye+wjSFgqArw+DyUFsoXqhcd4wUQUJrIVIKhxQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CCo1w1G3QZoNN3vpI1WL4HHHHyfah+9Q2X7EcBRPD98=; b=WDNxDoEynZfAZgSr8oFSDRv5o+NSr1gdM+ZHULsHB89SBqAyNfKrFsjZ+d8I8wI7cC7mQppEw9teDykg/0u9wYQGfvXyyzEXisa9PogRPrnAowh43iMmbQGuD/R3eVyypZPKbEFs8Vkt1MlbiQWNsQlYbkH/vtplSb5APhc5iGXg0Fxd/cBWhoTSNxF3hwwBqWvC10+UivbORGLjSbCwah2dQxfM26V9760iCYENOGucT2+96c5uHikT8beGutGxT8PfHCKUMpM6Nkl1T+pNNl7PN/95cBWFGGyCF22muFzZMUbz711L3ZKzpmtLVFVtx3HnDxcFfkDpXVbaKbFwFg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ri.se; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CCo1w1G3QZoNN3vpI1WL4HHHHyfah+9Q2X7EcBRPD98=; b=i91f5jRWcoztCcy3hDDCW6qPzb4sB6L5S+xOxqjtXW3+KdLdH1L8oXtbgiZU/qkfTohfBDklygi7667sEpnzOajb8NED9hbWyS/mW95yzBJ963Mi/SIMRUHRLZ3hRIppRms8zXSO9Z6Zvxlv5N686wwG78EPe/lW8LFxLPZ5Mvs=
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ri.se;
Received: from DB8P189MB1032.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:16e::14) by DB8P189MB0999.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:160::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.20; Thu, 19 Nov 2020 16:03:16 +0000
Received: from DB8P189MB1032.EURP189.PROD.OUTLOOK.COM ([fe80::c906:d500:5041:56fd]) by DB8P189MB1032.EURP189.PROD.OUTLOOK.COM ([fe80::c906:d500:5041:56fd%9]) with mapi id 15.20.3589.021; Thu, 19 Nov 2020 16:03:16 +0000
To: draft-ietf-ace-oscore-profile@ietf.org, Ace Wg <ace@ietf.org>
References: <160381525062.27226.4156909974711721360@ietfa.amsl.com> <CADZyTknMd1c0jH-O73HymDCABdTQ4JvOu9zfZQf4Q4aaAo3Wtg@mail.gmail.com>
From: Marco Tiloca <marco.tiloca@ri.se>
Autocrypt: addr=marco.tiloca@ri.se; prefer-encrypt=mutual; keydata= mQENBFSNeRUBCAC44iazWzj/PE3TiAlBsaWna0JbdIAJFHB8PLrqthI0ZG7GnCLNR8ZhDz6Z aRDPC4FR3UcMhPgZpJIqa6Zi8yWYCqF7A7QhT7E1WdQR1G0+6xUEd0ZD+QBdf29pQadrVZAt 0G4CkUnq5H+Sm05aw2Cpv3JfsATVaemWmujnMTvZ3dFudCGNdsY6kPSVzMRyedX7ArLXyF+0 Kh1T4WUW6NHfEWltnzkcqRhn2NcZtADsxWrMBgZXkLE/dP67SnyFjWYpz7aNpxxA+mb5WBT+ NrSetJlljT0QOXrXMGh98GLfNnLAl6gJryE6MZazN5oxkJgkAep8SevFXzglj7CAsh4PABEB AAG0Nk1hcmNvIFRpbG9jYSAobWFyY28udGlsb2NhQHJpLnNlKSA8bWFyY28udGlsb2NhQHJp LnNlPokBNwQTAQgAIQUCWkAnkAIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRDuJmS0 DljaQwEvCACJKPJIPGH0oGnLJY4G1I2DgNiyVKt1H4kkc/eT8Bz9OSbAxgZo3Jky382e4Dba ayWrQRFen0aLSFuzbU4BX4O/YRSaIqUO3KwUNO1iTC65OHz0XirGohPUOsc0SEMtpm+4zfYG 7G8p35MK0h9gpwgGMG0j0mZX4RDjuywC88i1VxCwMWGaZRlUrPXkC3nqDDRcPtuEGpncWhAV Qt2ZqeyITv9KCUmDntmXLPe6vEXtOfI9Z3HeqeI8OkGwXpotVobgLa/mVmFj6EALDzj7HC2u tfgxECBJddmcDInrvGgTkZtXEVbyLQuiK20lJmYnmPWN8DXaVVaQ4XP/lXUrzoEzuQENBFSN eRUBCACWmp+k6LkY4/ey7eA7umYVc22iyVqAEXmywDYzEjewYwRcjTrH/Nx1EqwjIDuW+BBE oMLRZOHCgmjo6HRmWIutcYVCt9ieokultkor9BBoQVPiI+Tp51Op02ifkGcrEQNZi7q3fmOt hFZwZ6NJnUbA2bycaKZ8oClvDCQj6AjEydBPnS73UaEoDsqsGVjZwChfOMg5OyFm90QjpIw8 m0uDVcCzKKfxq3T/z7tyRgucIUe84EzBuuJBESEjK/hF0nR2LDh1ShD29FWrFZSNVVCVu1UY ZLAayf8oKKHHpM+whfjEYO4XsDpV4zQ15A+D15HRiHR6Adf4PDtPM1DCwggjABEBAAGJAR8E GAECAAkFAlSNeRUCGwwACgkQ7iZktA5Y2kPGEwf/WNjTy3z74vLmHycVsFXXoQ8W1+858mRy Ad0a8JYzY3xB7CVtqI3Hy894Qcw4H6G799A1OL9B1EeA8Yj3aOz0NbUyf5GW+iotr3h8+KIC OYZ34/BQaOLzdvDNmRoGHn+NeTzhF7eSeiPKi2jex+NVodhjOVGXw8EhYGkeZLvynHEboiLM 4TbyPbVR9HsdVqKGVTDxKSE3namo3kvtY6syRFIiUz5WzJfYAuqbt6m3TxDEb8sA9pzaLuhm fnJRc12H5NVZEZmE/EkJFTlkP4wnZyOSf/r2/Vd0iHauBwv57cpY6HFFMe7rvK4s7ME5zctO Ely5C6NCu1ZaNtdUuqDSPA==
Message-ID: <02a1d3ce-071b-e35a-104f-333e54458d4a@ri.se>
Date: Thu, 19 Nov 2020 17:03:05 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
In-Reply-To: <CADZyTknMd1c0jH-O73HymDCABdTQ4JvOu9zfZQf4Q4aaAo3Wtg@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="MhHuhUl8VjV2K6vajIV7eDNoZ1Q3V1G82"
X-Originating-IP: [92.34.27.84]
X-ClientProxiedBy: MN2PR07CA0016.namprd07.prod.outlook.com (2603:10b6:208:1a0::26) To DB8P189MB1032.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:16e::14)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [192.168.0.68] (92.34.27.84) by MN2PR07CA0016.namprd07.prod.outlook.com (2603:10b6:208:1a0::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.20 via Frontend Transport; Thu, 19 Nov 2020 16:03:15 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 906f45bd-20fa-4703-c61e-08d88ca4a009
X-MS-TrafficTypeDiagnostic: DB8P189MB0999:
X-Microsoft-Antispam-PRVS: <DB8P189MB09992877C0E49C883CD433B499E00@DB8P189MB0999.EURP189.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:7219;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: k3JoGCpQniMydmNlzP0PLJN0LFeM4P4wUAIbPKXfK579jtu8YlxEed6LHxytCxhkEgiVuqEvNHoNlgHzfCdwAuOd7y5YVfk7/s/Y5urtDpvIFIv8Nst7fURUSF8IIlCaxbixkQ4FmxrAK7RmhPBMsppgxbhjDx1MWqIZBedcXPF5a6xELeDoQ+IasWvzOfj5hAuRpylRIByQRCgUiTxtEXYsTdP9hjImX8wzwzwvPTIOYzR1asmMwUZdlRX2rImYeXcEWv6TJyGEVqVO9oCfHaDfOF8MPTtAqU+9iXqA8wqAx7SyvmA40SGAXp1lEZdaymXWcTMO8HHRtnKoKaznQBFnLMl/wl0612LcXsLAISOCxSUdMoDixbzkToCHhdFk5mGV91DIeIpjfZMneg8PIhZyfB4s9m7VUiNi6KvPt6fRXvrxTQX1efTpBuJu5OUnL2NkaCbJImZp7QBEGxHaNQ==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB8P189MB1032.EURP189.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(136003)(346002)(396003)(39840400004)(376002)(366004)(6486002)(2906002)(966005)(86362001)(4001150100001)(8676002)(31696002)(166002)(83380400001)(21480400003)(66574015)(2616005)(316002)(36756003)(16576012)(26005)(5660300002)(6666004)(53546011)(956004)(186003)(16526019)(52116002)(33964004)(45080400002)(478600001)(6916009)(8936002)(450100002)(235185007)(66556008)(66946007)(44832011)(31686004)(30864003)(66476007)(43740500002); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: 7Ou2JM+dkcpqK1Iy+TYxU12pRB+bxCGsllvbyND4nF+y30vJnlt410jk9TXHTtAaGvKJBggvolF0sERJUvDVmzLAxMyUgFEikAexO2xbVKhnmYw6rqe6XEAc83Boilah8PSCHImMvytnSUtcCdRf0eRRZJX5u6qyT75j+eppqRubs/A4g4mEVEZUO30+t3I9Dio+4t7GRlfv/Slfpb0HTVRHQdsNAwpR11KEJnYESLChmUaHOM2Twxz95igb5Mz+FrWyycnYhyzeDDhdpeWs8R9/CAVSya4pI3B5nD6NZ3YNcihez6kB6GBTgsLw9/hynL0eE7MFPvtRRDVf3oQeW8paz1Fm57KqMDk02YbPpgjVBYZLs+XAXMSBKL7aZc7WhaoZn0dXnE6sj4AwMNvfb1/j01aygIdtMMQr4a6dbV5zxJyIT3hEl8UY/dxCgFLMyXqL22kNhBM6Vbxsiom8QGzltOK2mvqD1yAWVvyfOF+lSAA1mjcV4IqskIaPT5T2mbnC1YbTVVD9W+pNj2z+RYAlXrhFxwy0Q90xe8p4ApEcxgZDlHXRnz5fz1sxEb0NaDt07a6DsGMEjV6X6sM7RVKnMEI7A73AMtDFuFOqeymOfacmlbBrNJmUW7d2AZz/KDvoFUYfOHfbHFR9SvIULa5NkUli6waMds0mDvUcT9178ofrDZdPoge+cEeneo+NBLqyiqX573Kr5cHz3IKCE+US1O2hRGa3nbXmcUt71j8hguiycPWVhgaxBiZpzEUPmf8T3xUGmHaPvH8Josm6l/fMpLKsAdWwEhAyd2nB2dRZZSlw8JJQJqQgxox4MTcGeXlY/1IQBGWYTjSMXz4nHcne5L9KEOrhXq+lHOVusbRooOXHbTeBwDL6vlTXLYQR
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: 906f45bd-20fa-4703-c61e-08d88ca4a009
X-MS-Exchange-CrossTenant-AuthSource: DB8P189MB1032.EURP189.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Nov 2020 16:03:16.4278 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: JynfuPKWq66XjEcyyYpjkWXfToJvnhB2NM3tHVY9CcJ3yTHN2ekDAj7o72nYtMi/06TNAJCcZpeNjhoRkAsSsw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8P189MB0999
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/rmyXwLOl61pOx1p84nkG7Bp8dBY>
Subject: Re: [Ace] WGLC draft-ietf-ace-oscore-profile-13.txt
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2020 16:03:54 -0000

Hello OSCORE profile authors and ACE,

Please, find below some WGLC comments. Hope it helps!

Best,
/Marco



Section 1

* s/is not done by a/is not achieved through a

* s/after the first OSCORE exchange/after the first message exchange
using OSCORE


Section 2

* "This specific identifier, encoded as a byte string, is assigned by
the AS to be unique in the sets of its OSCORE Security Contexts ..."

   To avoid confusion, it's probably better to say "unique among the
issued sets of OSCORE input material", since the AS can have actual
OSCORE Security Contexts it uses to communicate with Clients or Resource
Servers.

* Referring to 'id' as specific identifier, the text says: "and is not
used as input material to derive the full OSCORE Security Context."

   That's correct, but then the identifier is later included in Table 1
"OSCORE_Input_Material Parameters" :-)
  
   Perhaps it's fine to just revert to OSCORE_Security_Context_Object,
both for the name of Table 1 and in different spots of the text? They
would still consider 'id' as OSCORE Input Material Identifier, while
aligned with the registry name from Section 9.4.

* s/If the request verifies/If the request is successfully verified

* s/until token expiration/until token deletion, due to e.g. expiration
or revocation

* s/the same or different/the same or a different one

* Figure 1 can also show the achievement of mutual authentication,
following the OSCORE exchange at the end


Section 3.1

* s/object. kid field carrying/object, with the kid field carrying


Section 3.2

* "... profile negotiation can be omitted" - I think "profile signaling"
better reflects what may happen here, see also the beginning of the
paragraph.

* s/in the the/in the

* s/in the 'cnf' parameter of the token/in the 'cnf' claim of the token


Section 3.2.1

* In the text entries following Table 1, the CBOR integer labels need to
be aligned with the CDDL summary at the end of the section.

* s/This parameter identifies the OSCORE_Input_Material/This parameter
identifies the OSCORE_Input_Material object

* s/the "id" type is byte string/the "id" type is bstr

* This version -13 has removed 'clientId' and 'serverId' from Table 1
and thus as code points from the "OSCORE Security Context Parameters"
registry.

  No strong need to include them back, but even if this profile does not
use them and does not send them on the wire, I think they still belong
to the same namespace, since they are descriptive of a security context
and are in fact also used as input material to derive it :-)
 

Section 4

* s/the RS and client authenticates themselves/the RS and client
authenticate each other
 
* s/successfully verified the response from the RS/successfully verified
a response from the RS as protected with the established OSCORE context

   (similar occurrences are also later in the text)


Section 4.1

* In the first paragraph, I suggest to rephrase as "and the posted
access token is still retained".

  That doesn't require to explicitly mention "valid", since asserting
especially validity can be non-trivial for the client, e.g. in case of
Token revocation.
 
  (similar occurrences are also later in the text)
 
* In the second paragraph, I suggest to extend the ending as:

  "... makes sure that it does not collide with any of its Recipient IDs
currently used. These include also Recipient IDs used as ID1 value for
ongoing executions of this profile."
 
* s/the client MUST wrap the token and N1 in a CBOR map/the client MUST
wrap the token, N1 and ID1 in a CBOR map
 
* s/using the "access_token" parameter/using the 'access_token' parameter

* In the sixth paragraph, the last sentence says "... as different
nonces will be used." Doesn't the client and the RS also negotiate new
IDs like they did in the first posting of the same original token?

* In the last paragraph: "The client MUST only send the access token in
the payload, no nonce or identifier are sent."

   Just to be sure, can you expand on this request format? I suppose the
client still uses Content-Format "application/ace+cbor", just including
only the 'access_token' entry in the map. Correct?

* In the last paragraph: "... the RS will replace the old token with the
new one, maintaining the same Security Context."

   This replacement step can be expanded for clarity. A simple 1-to-1
replacement would overwrite also the stored 'cnf' claim from the
original token, among other things. So it should be more about
selectively replacing some information originally coming the first
token, while keeping some other from it. What to actually replace should
include, for instance, information related to access rights (e.g.
scope), and to the new token's lifetime (exp, exi).
 
* While reading this, I was wondering if one could repost the same first
token to rekey the OSCORE context. This is mentioned at the end of
Section 4.3, but anticipating the possibility here and adding a forward
pointer to Section 4.3 would help.


Section 4.1.1 and Section 4.1.2

* The first sentence captures the case where the first token is posted
or re-posted. It can be rephrased to cover also the posting of a token
for updating access rights, where these parameters are not included.


Section 4.2

* "any of the mandatory    parameters from the AS or the identifier) ..."

   It's worth making it explicit that the mentioned identifier is 'id'.

* s/in the 'osc'/in the 'osc' field
  
* "... the RS must respond" --- Should this not be a MUST ?
 
* s/is different from the ace_client_recipientid/is different from the
value specified in the received 'ace_client_recipientid' parameter

* Second paragraph after Figure 11

   - s/MUST discard/MUST ignore
  
   - s/the "cnf" parameter of/the 'cnf' claim of

   - s/matches the OSCORE Input/matches with the identifier of the
OSCORE Input

   - Related to a previous comment about token replacement, some
information has to be retained from the first token, as not present in
the new one.
  
   -s/in the "cnf" parameter/in the 'cnf' claim
  
* It can happen that all is fine for the RS, it installs the OSCORE
Security Context, it responds to the client, and the response gets lost.
In this case:

   - After a timeout expiration, can the client simply repost the same
token as mentioned at the end of Section 4.3? This can be another reason
for reposting the original token, to mention in the sixth paragraph of
Section 4.1.
  
   - Should the server delete the token and the OSCORE Security Context,
if not receiving an OSCORE protected request from the client before a
timeout expires? After all, it's reasonable to assume that a client
sends a request right away or not long after the token post is
completed. If this is included, it would be one more point in the bullet
list for the RS in Section 6.
  
  
Section 4.2.1 and 4.2.2

* The first sentence captures the case where the first token is posted
or re-posted. It can be rephrased to cover also the posting of a token
for updating access rights, where these parameters are not included.
  

Section 4.3

* s/Secret from the parameter, received/Secret from the parameter received

* If the client stops the exchange, it should also unlock the ID1 value
previously offered.

* s/to RS/to the RS

* The end of the last paragraph mentions possibly reposting the same
first token to rekey the OSCORE context. Consistently with the fourth
paragraph of Section 4, I suggest to mention here again that this
request is not protected, since not related to updating access rights.


Section 5

* s/profile, other/profile, but other


Section 6

* s/context expires/context expires or is revoked   (2 instances)

* In the fourth bullet point, isn't this actually fine if the reposted
token is exactly the original first token? In that case, new nonces (and
I guess also IDs) are exchanged.

* I think there should be one more bullet point in the client list, for
when the client receives back ID2 == ID1 from the RS, after having
reposted the original first access token.

(This relates to a previous comment for Section 4.1; I thought a
reposting of the first original token involves an exchange of new nonces
as well as of new IDs)


Section 7

* s/usecase/use case

* s/for a client/for a same client   (2 instances)

* I think it's better to expand C and Cs to "client" and "clients"


On 2020-11-08 23:51, Daniel Migault wrote:
> Hi, 
>
> This email starts a WGLC for the draft draft-ietf-ace-oscore-profile
> until Monday November 23. We would like to send the document back to
> the IESG with sufficient confidence, so please take the time to review
> it carefully provide comments and feed backs.
> Note that also that the document (13) is being reviewed by the
> security directorate.
>
> Yours, 
> Daniel   
>
> [1] https://datatracker.ietf.org/doc/draft-ietf-ace-oscore-profile/
> <https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-ace-oscore-profile%2F&data=04%7C01%7Cmarco.tiloca%40ri.se%7C330189d7d82b48dd1e8e08d88438f043%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637404727980974848%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=DCzcOuQ7MnBLs0hxiHbIAi%2B1VjBHLBJRzi4N8P9VDV4%3D&reserved=0>
>
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>>
> Date: Tue, Oct 27, 2020 at 12:14 PM
> Subject: [Ace] I-D Action: draft-ietf-ace-oscore-profile-13.txt
> To: <i-d-announce@ietf.org <mailto:i-d-announce@ietf.org>>
> Cc: <ace@ietf.org <mailto:ace@ietf.org>>
>
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Authentication and Authorization for
> Constrained Environments WG of the IETF.
>
>         Title           : OSCORE Profile of the Authentication and
> Authorization for Constrained Environments Framework
>         Authors         : Francesca Palombini
>                           Ludwig Seitz
>                           Göran Selander
>                           Martin Gunnarsson
>         Filename        : draft-ietf-ace-oscore-profile-13.txt
>         Pages           : 32
>         Date            : 2020-10-27
>
> Abstract:
>    This memo specifies a profile for the Authentication and
>    Authorization for Constrained Environments (ACE) framework.  It
>    utilizes Object Security for Constrained RESTful Environments
>    (OSCORE) to provide communication security and proof-of-possession
>    for a key owned by the client and bound to an OAuth 2.0 access token.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-ace-oscore-profile/
> <https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-ace-oscore-profile%2F&data=04%7C01%7Cmarco.tiloca%40ri.se%7C330189d7d82b48dd1e8e08d88438f043%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637404727980974848%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=DCzcOuQ7MnBLs0hxiHbIAi%2B1VjBHLBJRzi4N8P9VDV4%3D&reserved=0>
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-ace-oscore-profile-13
> <https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-ace-oscore-profile-13&data=04%7C01%7Cmarco.tiloca%40ri.se%7C330189d7d82b48dd1e8e08d88438f043%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637404727980984842%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=OaxJICL6Bp%2Fzt5DMwUWcv04yU07JkvEILCNy17Moqro%3D&reserved=0>
> https://datatracker.ietf.org/doc/html/draft-ietf-ace-oscore-profile-13
> <https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-ace-oscore-profile-13&data=04%7C01%7Cmarco.tiloca%40ri.se%7C330189d7d82b48dd1e8e08d88438f043%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637404727980984842%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=7Ac6UdrbH6IBIcm2%2BYWd4iwufwIblv76Nq4VretJZuw%3D&reserved=0>
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-ace-oscore-profile-13
> <https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Frfcdiff%3Furl2%3Ddraft-ietf-ace-oscore-profile-13&data=04%7C01%7Cmarco.tiloca%40ri.se%7C330189d7d82b48dd1e8e08d88438f043%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637404727980994840%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=R%2Bj8cmPnyb8DUEcygCzhOpCJBqQbS8gDalwSsVZtdkw%3D&reserved=0>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org
> <https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftools.ietf.org%2F&data=04%7C01%7Cmarco.tiloca%40ri.se%7C330189d7d82b48dd1e8e08d88438f043%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637404727980994840%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=pec0ClOMPHj%2BsHa%2ByDBFOvDj90aPwlcEURCcQI6igxI%3D&reserved=0>.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> <https://eur02.safelinks.protection.outlook.com/?url=ftp%3A%2F%2Fftp.ietf.org%2Finternet-drafts%2F&data=04%7C01%7Cmarco.tiloca%40ri.se%7C330189d7d82b48dd1e8e08d88438f043%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637404727981004834%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=AJhNeMUrwuGWnKk7Oazo4jFxm0gX1t7hMcI9IvRIQCk%3D&reserved=0>
>
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org <mailto:Ace@ietf.org>
> https://www.ietf.org/mailman/listinfo/ace
> <https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Face&data=04%7C01%7Cmarco.tiloca%40ri.se%7C330189d7d82b48dd1e8e08d88438f043%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637404727981004834%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=wMdtJRfiWur2dXXZw8z84usAX7P9vHcvhGy%2BPNHeDVg%3D&reserved=0>
>
>
> -- 
> Daniel Migault
> Ericsson
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Face&amp;data=04%7C01%7Cmarco.tiloca%40ri.se%7C330189d7d82b48dd1e8e08d88438f043%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637404727981024818%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=SlpecuiDXwgoE5ogL8jSqtUO7zVut7dr1q6VXX8y9Z8%3D&amp;reserved=0

-- 
Marco Tiloca
Ph.D., Senior Researcher

RISE Research Institutes of Sweden
Division ICT
Isafjordsgatan 22 / Kistagången 16
SE-164 40 Kista (Sweden)

Phone: +46 (0)70 60 46 501
https://www.ri.se

v2.23.0 | Report a Bug | By Email