Re: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2

Peter van der Stok <stokcons@bbhmail.nl> Wed, 04 September 2019 07:02 UTC

Return-Path: <stokcons@bbhmail.nl>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A38471200C3; Wed, 4 Sep 2019 00:02:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bbhmail.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oyhbSSB-27Rn; Wed, 4 Sep 2019 00:02:10 -0700 (PDT)
Received: from smtprelay.hostedemail.com (smtprelay0187.hostedemail.com [216.40.44.187]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E126D1200B9; Wed, 4 Sep 2019 00:02:09 -0700 (PDT)
Received: from filter.hostedemail.com (clb03-v110.bra.tucows.net [216.40.38.60]) by smtprelay08.hostedemail.com (Postfix) with ESMTP id 213F5182CED34; Wed, 4 Sep 2019 07:02:08 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bbhmail.nl; h= mime-version:content-type:date:from:to:cc:subject:reply-to :in-reply-to:references:message-id; s=key; bh=nceckJ+R3nWrLlVmSP B5z7nO2hY3kKO8Xi235iu1+xY=; b=YckObQ8HEwoBhjLXCjj5g5+7Go3j3eqN6k ZXLKvSJpUKSpSZv7fFWQVy1IWSA5duMSkLu3pPkK8x4pEGYYbTrlOdvrxOrqslCv LziXeL5gazOvfVZqxkQ5AuH5HOBOEKcs7B8oSrzaKUlSmfMbowrZUqO9UD8flvap /e8zsIgdU=
X-Session-Marker: 73746F6B636F6E73406262686D61696C2E6E6C
X-Spam-Summary: 2, 0, 0, , d41d8cd98f00b204, stokcons@bbhmail.nl, :::::::::, RULES_HIT:41:152:327:355:379:582:599:800:960:962:967:973:988:989:1042:1152:1189:1221:1256:1260:1313:1314:1345:1359:1436:1437:1461:1516:1517:1518:1575:1588:1589:1592:1594:1605:1616:1712:1730:1776:1792:2198:2199:2527:2528:2551:2553:2559:2562:2692:2693:2892:2899:2906:2911:3138:3139:3140:3141:3142:3586:3865:3866:3867:3868:3870:3871:3872:3873:3874:4250:4321:4425:4605:4860:5007:6117:6119:6261:6298:6657:6659:6678:7576:7875:7903:7974:8583:8603:8957:9080:9121:9545:10004:10848:10954:11232:11233:11658:11914:12043:12050:12109:12114:12219:12291:12295:12438:12555:12663:12683:12740:12895:12986:13139:13436:13439:13846:13851:13869:13972:14149:14799:21060:21080:21324:21365:21433:21451:21611:21625:21740:21772:21790:21795:21796:21809:21939:30005:30034:30036:30037:30051:30054:30074:30075:30076:30090:30091, 0, RBL:216.40.42.5:@bbhmail.nl:.lbl8.mailshell.net-62.8.55.100 66.201.201.201, CacheIP:none, Bayesian:0.5, 0.5, 0.5, Netcheck:none, DomainC
X-HE-Tag: fowl42_4cc09361a4f25
X-Filterd-Recvd-Size: 31380
Received: from mail.bbhmail.nl (imap-ext [216.40.42.5]) (Authenticated sender: webmail@stokcons@bbhmail.nl) by omf19.hostedemail.com (Postfix) with ESMTPA; Wed, 4 Sep 2019 07:02:07 +0000 (UTC)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_233a7b04bc61a60ee4ec531b4c4d9933"
Date: Wed, 04 Sep 2019 09:02:06 +0200
From: Peter van der Stok <stokcons@bbhmail.nl>
To: Jim Schaad <ietf@augustcellars.com>
Cc: consultancy@vanderstok.org, 'Benjamin Kaduk' <kaduk@mit.edu>, draft-ietf-ace-coap-est.all@ietf.org, ace@ietf.org
Organization: vanderstok consultancy
Reply-To: consultancy@vanderstok.org
Mail-Reply-To: consultancy@vanderstok.org
In-Reply-To: <038301d56288$3d13a6b0$b73af410$@augustcellars.com>
References: <20190828233639.GI84368@kduck.mit.edu> <027701d55ebf$994184b0$cbc48e10$@augustcellars.com> <edcbc2a243cc7118e35aec77b2e1599c@bbhmail.nl> <20190901204340.GG27269@kduck.mit.edu> <6b482aaed0ce510c503984dfbac7286c@bbhmail.nl> <7cd78133c263214be535ec36734f7ec1@bbhmail.nl> <038301d56288$3d13a6b0$b73af410$@augustcellars.com>
Message-ID: <408feb436aa5c9d1143d8135ad2dbf28@bbhmail.nl>
X-Sender: stokcons@bbhmail.nl
User-Agent: Roundcube Webmail/1.2.7
X-Originating-IP: [5.206.216.229]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/sNpXlhP8RAgZHD72ttaipJ7rxAg>
Subject: Re: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Sep 2019 07:02:14 -0000

I concluded on the pruned .

Peter
Jim Schaad schreef op 2019-09-03 20:48:

> I have pruned and tossed in  a few [JLS] comments. 
> 
> Jim 
> 
> FROM: Peter van der Stok <stokcons@bbhmail.nl>; 
> SENT: Tuesday, September 3, 2019 5:18 AM
> TO: Benjamin Kaduk <kaduk@mit.edu>;
> CC: Jim Schaad <ietf@augustcellars.com>;; draft-ietf-ace-coap-est.all@ietf.org; consultancy@vanderstok.org; ace@ietf.org
> SUBJECT: Re: [Ace] AD review of draft-ietf-ace-coap-est-12 part 2 
> 
> Hi Ben,
> 
> the last part of the responses to your thorough review.
> Apart from nits you found some "nice" mistakes.
> 
> the openssl example make me worry a bit.
> 
> See below.
> 
> Peter
> _______________________________________________________________________ 
> 
> SignedData is signed by the party that generated the private key,
> which may be the EST server or the EST CA.  The SignedData is further
> protected by placing it inside of a CMS EnvelopedData as explained in
> Section 4.4.2 of [RFC7030].  In summary, the symmetrically encrypted
> 
> .... if the SignedData is not the outermost container, then we don't care
> what the relevant Content-Format for it is; we only care about the
> Content-Format for the EnvelopedData. 
> 
> <pvds> 
> 
> s/ SignedData is signed/SignedData, placed in the outermost container, is signed/ 
> 
> s/ The SignedData is further protected by placing it inside of a CMS EnvelopedData/ 
> 
> SignedData placed within the Enveloped Data does not need additional signing/ 
> 
> </pvds>
> 
> Also, did we explicitly consider and reject AuthEnvelopedData? 
> 
> <pvds> 
> 
> Not sure about this 
> 
> [JLS] As a CMS person, I would consider the use of EnvelopedData and AuthEnvelopedData to be equivalent.  Which of these is used is totally dependent on what algorithm is used for encryption.  If one requires the use of AES-GCM or AES-CCM then one has no choice but to use AuthEnvelopedData.  If one wants to use AES-CCM ten one has no choice but to use EnvelopedData.  Everybody is slowly moving from EnvelopedData to AuthEnvelopedData just because everybody is changing algorithms.  I do not remember any discussions about this, but AuthEnvelopeData is generally going to be the more correct value here.   I will also note that there is a space between Enveloped and Data which is not CMS.
> 
> <pvds2>
> I don't do anything here
> </pvds2> 
> 
> </pvds>
> 
> encryptedKey attribute in a KeyTransRecipientInfo structure.
> Finally, if the asymmetric encryption key is suitable for key
> agreement, the generated private key is encrypted with a symmetric
> key which is encrypted by the client defined (in the CSR) asymmetric
> 
> In the key-agreement case, the symmetric key-encryption key is the
> result of the key-agreement operation, no?  In which case it is not
> itself encrypted, but rather the server's ephemeral public value is
> sent. 
> 
> <pvds> 
> 
> In RFC7030 the text says: the EnvelopedData content is encrypted using a randomly 
> 
> generated symmetric encryption key (that means ephemeral I assume). The cryptographic strength of 
> 
> the symmetric encryption key SHOULD be equivalent to the clientspecified 
> 
> asymmetric key. 
> 
> However, I see no explicit relation with the ephemeral public value. 
> 
> I don't know what to do here; probably insert the 7030 text. 
> 
> [JLS] Ben, you do not have the correct view of the key-agreement case.  It does a key agreement -> KDF -> KeyWrap -> Content.  There is always a key wrap step between the key agreement and the content encryption key.
> <pvds2>
> Also here I see no room for improvement then.
> <pvds2> 
> 
> </pvds>
> 
> public key and is carried in an recipientEncryptedKeys attribute in a
> KeyAgreeRecipientInfo.
> 
> [RFC7030] recommends the use of additional encryption of the returned
> private key.  For the context of this specification, clients and
> servers that choose to support server-side key generation MUST
> support unprotected (PKCS#8) private keys (Content-Format 284).
> Symmetric or asymmetric encryption of the private key (CMS
> EnvelopedData, Content-Format 280) SHOULD be supported for
> deployments where end-to-end encryption needs to be provided between
> the client and a server.  Such cases could include architectures
> where an entity between the client and the CA terminates the DTLS
> connection (Registrar in Figure 4).
> 
> This carefully says nothing about recommendations for use, only for
> software support.  Are we letting 7030's recommendation for use of
> encryption stand?  It's probably worth being explicit, either way. 
> 
> <pvds> I did not find any recommendation for use in RFC7030 apart the responsibility of the server for generating random numbers. The recommendations at the top of section 5.8 of the draft seem adequate in my opinion. The alternative is classifying the applications; unless you see a better way to do this. 
> 
> </pvds>
> 
> Why OPTIONAL?  (Also, nit: OPTIONALLY isn't a 2119 keyword; only OPTIONAL.)
> 
> client.  For example, it could be configured to accept POP linking
> information that does not match the current TLS session because the
> authenticated EST client Registrar has verified this information when
> acting as an EST server.
> 
> This is close enough to a literal quote that we might think about
> actually quoting and using quotation marks.
> nit: s/POP/PoP/ if we don't do the literal quote. 
> 
> <pvds> 
> 
> Hope my co-authors will react to this 
> 
> [JLS] I would disagree with the nit. 
> 
> [JLS] I would agree with the nit on OPTIONALLY being wrong, but I think  that it ought to be at least a SHOULD if not a MUST for the use of COAPS as it is terminating the connection.  The only exception would be in there is internal authentication for the EST request.
> <pvds2>
> Suggest to use SHOULD and not distinguish between terminating or not.
> <pvds2> 
> 
> </pvds>
> 
> Section 9.1
> 
> I think we probably need this document as a reference for all the
> allocations; as the document effectuating the registration, we are still
> of interest even if most details of content encoding lie elsewhere. 
> 
> [JLS] No response from Peter?
> <pvds2>
> Sorry, misunderstood. Will add <thisdocument>
> </pvds2> 
> 
> Appendix A.3
> 
> I'm having trouble validating the private key in the PKCS#8 component:
> asn1parse says: 
> 
> <pvds> 
> 
> As input I used recently a hex dump of Wt1234.key.der: 
> 
> 308187020100301306072a8648ce3d020106082a8648ce3d030107046d30
> 6b020101042061336a86ac6e7af4a96f632830ad4e6aa0837679206094d7
> 679a01ca8c6f0c37a14403420004c8b421f11c25e47e3ac57123bf2d9fdc
> 494f028bc351cc80c03f150bf50cff958d75419d81a6a245dffae790be95
> cf75f602f9152618f816a2b23b5638e59fd9 
> 
> I used openssl pkey -in Wt1234.key.der -text -noout -inform der\ 
> 
> -passin pass:watnietweet 
> 
> [JLS] I would lose the password on the key if possible.
> 
> <pvds2>
> Right, It means changing the whole chain of certificates. and redoing the examples.
> But I understand the reason, being confronted with the disassembly failure.
> </pvds2> 
> 
> The password is may be prohibitive? 
> 
> Resulting in:
> Private-Key: (256 bit)
> priv:
> 61:33:6a:86:ac:6e:7a:f4:a9:6f:63:28:30:ad:4e:
> 6a:a0:83:76:79:20:60:94:d7:67:9a:01:ca:8c:6f:
> 0c:37
> pub: 
> 04:c8:b4:21:f1:1c:25:e4:7e:3a:c5:71:23:bf:2d:
> 9f:dc:49:4f:02:8b:c3:51:cc:80:c0:3f:15:0b:f5:
> 0c:ff:95:8d:75:41:9d:81:a6:a2:45:df:fa:e7:90:
> be:95:cf:75:f6:02:f9:15:26:18:f8:16:a2:b2:3b:
> 56:38:e5:9f:d9
> ASN1 OID: prime256v1
> NIST CURVE: P-256
> 
> $ unhex|openssl asn1parse -inform der
> 308187020100301306072a8648ce3d020106082a8648ce3d030107046d30
> 6b02010104200b9a67785b65e07360b6d28cfc1d3f3925c0755799deeca7
> 45372b01697bd8a6a144034200041bb8c1117896f98e4506c03d70efbe82
> 0d8e38ea97e9d65d52c8460c5852c51dd89a61370a2843760fc859799d78
> cd33f3c1846e304f1717f8123f1a284cc99f
> 0:d=0  hl=3 l= 135 cons: SEQUENCE          
> 3:d=1  hl=2 l=   1 prim: INTEGER           :00
> 6:d=1  hl=2 l=  19 cons: SEQUENCE          
> 8:d=2  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
> 17:d=2  hl=2 l=   8 prim: OBJECT            :prime256v1
> 27:d=1  hl=2 l= 109 prim: OCTET STRING      [HEX DUMP]:306B02010104200B9A67785B65E07360B6D28CFC1D3F3925C0755799DEECA745372B01697BD8A6A144034200041BB8C1117896F98E4506C03D70EFBE820D8E38EA97E9D65D52C8460C5852C51DD89A61370A2843760FC859799D78CD33F3C1846E304F1717F8123F1A284CC99F
> 
> which doesn't look like an RFC5208 PrivateKeyInfo:
> 
> PrivateKeyInfo ::= SEQUENCE {
> version                   Version,
> privateKeyAlgorithm       PrivateKeyAlgorithmIdentifier,
> privateKey                PrivateKey,
> attributes           [0]  IMPLICIT Attributes OPTIONAL }
> 
> Version ::= INTEGER
> 
> PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier
> 
> PrivateKey ::= OCTET STRING
> 
> Attributes ::= SET OF Attribute
> 
> due to the lack of OID for privateKeyAlgorithm, etc.
> (`openssl pkcs8` also chokes on it, but I don't have a working example and
> can't rule out user error there.)
> 
> Even that giant OCTET STRING 27 bytes in doesn't seem to match a
> PrivateKeyInfo:
> 
> $ unhex|openssl asn1parse -inform der -strparse 27
> 308187020100301306072a8648ce3d020106082a8648ce3d030107046d30
> 6b02010104200b9a67785b65e07360b6d28cfc1d3f3925c0755799deeca7
> 45372b01697bd8a6a144034200041bb8c1117896f98e4506c03d70efbe82
> 0d8e38ea97e9d65d52c8460c5852c51dd89a61370a2843760fc859799d78
> cd33f3c1846e304f1717f8123f1a284cc99f
> 0:d=0  hl=2 l= 107 cons: SEQUENCE          
> 2:d=1  hl=2 l=   1 prim: INTEGER           :01
> 5:d=1  hl=2 l=  32 prim: OCTET STRING      [HEX DUMP]:0B9A67785B65E07360B6D28CFC1D3F3925C0755799DEECA745372B01697BD8A6
> 39:d=1  hl=2 l=  68 cons: cont [ 1 ]        
> 41:d=2  hl=2 l=  66 prim: BIT STRING        
> 
> though the OCTET STRING does have the private key and the BIT STRING has
> the public key's contents as depicted in C.3 (details of that too boring
> to show).
> 
> So I have to wonder if I'm messing something up, somewhere.
> 
> Appendix B.1
> 
> Should we be using the same Token value in two different exchanges in
> this document? 
> 
> <pvds> 
> 
> No opinion 
> 
> [JLS] As long as the Token values are not in the same exchange, this makes no difference.  Tokens are reused after an amount of time in CoAP.
> 
> <pvds2>
> No extra text, I gather
> </pvds2> 
> 
> </pvds>