Re: [Ace] Roman Danyliw's Discuss on draft-ietf-ace-dtls-authorize-16: (with DISCUSS and COMMENT)

Daniel Migault <daniel.migault@ericsson.com> Thu, 13 May 2021 01:55 UTC

Return-Path: <daniel.migault@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B15CA3A132E; Wed, 12 May 2021 18:55:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.798
X-Spam-Level:
X-Spam-Status: No, score=-2.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.698, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mQt990uVS15B; Wed, 12 May 2021 18:55:24 -0700 (PDT)
Received: from NAM11-DM6-obe.outbound.protection.outlook.com (mail-dm6nam11on2079.outbound.protection.outlook.com [40.107.223.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 142C83A132A; Wed, 12 May 2021 18:55:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=NBtf8HZh9ZTmT7xGAU6MsJr5V3P9NfTckmvx75PGsXy/B5ea+e1Jrb6vp1uKoqiP4uTXWpIFg1LFfA2wQFH4LlF4x9bpsn2Kcov5CxtGc0/kdw4ZmyBRc3LxNqA1y7gMJaks4lgP+R/020OQ9XeHn2yjTvJkNrCUVy+4THqz3WccLXTysPCZCPicK5OVWOEkqHgL7+6nrIs9CV7j3mHLDi8uuyfIRi0hkFZ1VO/a4qQ4XiLnU78Tydv94nUx42TmGNZChZ9l3IKTFuag2S5ui++nWRJ0n0l9d56XAxesKxBsTSg/eWWmtt2ciFntByDxVKK1tqwHCxw7uWshH+nP4A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Df6p1W7UvHqHFzhcrJUQpVkh8msy6c+73vS2I4VcMuE=; b=Dhy5r5bVhKOoUVheU5Q1X67aQqxa3qKPM/+NuYVWnvo9zJCP/PAKyq/ZR82kwwXBvpsjfpiSwvOFT0jNQ+f5YnqmGUkT7HiVcRzOSP9v2JaXNjce5YsZj+82d7FHa7X/XrVs9Iiwsrxpapy87eHLez0AldK7kuUEeW2UuG9VAqdt1525GfNvfMiKryB27SykZLFgc2LUjzSIf+oD9FR2Vf9ngH9LQp9Q2f2aVOaHBDDp7sZtGR6PBhdoAqBo7yLhgbrtzIOcZs7MGVzbUGQ0cL7W6dEQZI3512rSMHOFZTIIETt0zpgmrZ/syKWdfukd3eMgSMTLeJTHcO+JeODkSA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Df6p1W7UvHqHFzhcrJUQpVkh8msy6c+73vS2I4VcMuE=; b=T/F3JrQJgdY1QI4Trngsw7QSe0RDA0aJvph4RG+bJfSqR8b9AqDJco0GodkiHdVAu4BXdLiTDp6dusu1BUWZjzezuFmHOF/EHonC+WP6f7NPtbD0Mmc/R0YzUM0RMzQdU0916ciS9E1G3CXGDUsSrvebZpoEQbgjX2z1uH5exSs=
Received: from DM6PR15MB2379.namprd15.prod.outlook.com (2603:10b6:5:8a::16) by DM5PR1501MB1973.namprd15.prod.outlook.com (2603:10b6:4:a3::28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4108.27; Thu, 13 May 2021 01:55:19 +0000
Received: from DM6PR15MB2379.namprd15.prod.outlook.com ([fe80::39b3:cab5:d394:8adc]) by DM6PR15MB2379.namprd15.prod.outlook.com ([fe80::39b3:cab5:d394:8adc%5]) with mapi id 15.20.4108.031; Thu, 13 May 2021 01:55:19 +0000
From: Daniel Migault <daniel.migault@ericsson.com>
To: Roman Danyliw <rdd@cert.org>, Stefanie Gerdes <gerdes@tzi.de>, The IESG <iesg@ietf.org>
CC: "ace-chairs@ietf.org" <ace-chairs@ietf.org>, "draft-ietf-ace-dtls-authorize@ietf.org" <draft-ietf-ace-dtls-authorize@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-ace-dtls-authorize-16: (with DISCUSS and COMMENT)
Thread-Index: AQHXH5UeH77Rc5X0KUu0O38Qi+nJ6qrehuUAgAGg9ACAAM72Ew==
Date: Thu, 13 May 2021 01:55:19 +0000
Message-ID: <DM6PR15MB23792BBA10E4F2DF68F50065E3519@DM6PR15MB2379.namprd15.prod.outlook.com>
References: <161647032007.11307.14702169079766002256@ietfa.amsl.com> <ec91a0c7-cf80-3d29-145d-feb91862b7f9@tzi.de>, <cdcbfaa1892a46b28927a2a57fb62634@cert.org>
In-Reply-To: <cdcbfaa1892a46b28927a2a57fb62634@cert.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: cert.org; dkim=none (message not signed) header.d=none;cert.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [96.22.11.129]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 80e5322b-8840-4233-e7b7-08d915b22983
x-ms-traffictypediagnostic: DM5PR1501MB1973:
x-microsoft-antispam-prvs: <DM5PR1501MB197300605C3E0CAB652AA57BE3519@DM5PR1501MB1973.namprd15.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6108;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: LHxBy4dSsjbMETfJsckPUVAkjgrujX/clyUikBdsj4IlCv53/4Opr28Un9R+hdIhtjIESjrjixrSgddLz0g/6vwV5tneFM+L2E1suL5RqdU+ecaAqJEFiHDYntuMfLduBWHDSUtCAMGn37I4pJ8Zpb+WsTB2aeDJaSoenVkdw/biI5HdB5hw3S715ucbBf5Re9pzv7NLfc3NEz9Xv072nmTLhhAXSZ6NACyMBcvVBu/qUJ90nTPznosbJDm4Ppw/9h4/ui/4eAXqbPR4bjr4QY2kRKuXW+Qm12YTk0+JSQz309mmhIJKSc5BtWBBTyXYmb2EL1EV8ZtHtHCIDKsfynteMR/yOCKxNjynB2Fa+zQ47ji6qV0zwOjrABAX9xHkvaas+ez5C20bF+MQXVMWMVnIeS0mfr0TW3G4KyyrGwflCihI3YWQtI9MgmDtAPFrt+BxZxhJbGULXOpP91eGCX8PGVUqpAcQGhPznyFWz9tXD0gn06yMhNii07CHd8X5GCbrOfvCwcgUXxJkuL8pPmjpycHEvQ14dBhxHH8TmPUvYL9k4ruBjNCnA7cwWFxVS8NuduBYkXatESFeDb0U1Ra64nzB+Ez4gws9hPuP5L+G1ZVjUKK4cpSWHNLsySDjVkbSXtLBMfWGsN+/pUTH4U9ZeqMWlskmceQjauQVLXM8Y3HAhj73HXJaT9w1Pbur
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR15MB2379.namprd15.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(396003)(346002)(136003)(39860400002)(376002)(366004)(38100700002)(33656002)(478600001)(54906003)(5660300002)(122000001)(316002)(110136005)(4326008)(83380400001)(44832011)(71200400001)(52536014)(8936002)(9686003)(966005)(76116006)(86362001)(8676002)(166002)(66476007)(64756008)(66446008)(66556008)(186003)(53546011)(6506007)(2906002)(55016002)(66946007)(26005)(7696005)(91956017)(19627405001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: IFD1q+FlwNk9r7B8S/StPdhgdb0JjwzNfIlqZJmQqtlFShGW7xzbPC+IpxW0WVgek4/yLW/pGoCqxi0QqPvt9L8bY01zojekqbAoocJLyUjjIhDYb9yWwNBoLhVDIrld0t7XI4dDh+kgWIHzeGKCZoALsv0sqryAcdZ2iWXWQMZ5a1dni3aEN7jaI6+NhYnPI04SyeWYmSg6yHLVETIms/8EfR0h2wt66hfM2h9Oyh9A9xGK0D2VbdFoD5wYW6Eo8UDDFM86BkR2Wm6yTE5WfvxWmblkVb1HygM1sKsApZ1DmQwMpJkpH/SP76PvwscV3IZOMk61iJXQRV1KMNxoEmLAnkvY2OrbJyLfMWGK9EfztpoDWkTDMumc135vi5c12PA+mKeC5JVpH8nk6Vdq1/ABwM0ICt38c+Na07gZeRxaR+xGnRGI6/OSd72ae7d9YsfCpzrV2XiM6QmX89gE3cGMRtjto3ACHk6cg6bNTJBIlNcNzv/OkxfwY4maqvfnClwpbJazsbhaUXFOwRg+wR5gC3ZKl+0bYEQwt77fD6CgpjbWtlXXZZ8zWwN6RRBdqB3fasW22+EseeZ8OO5mAqiDLZJ8808ThdniS7v21QIHepfFbJ6xjdu7khjukbmTKqlfTJZm+HoZmGQ0OnBr/QX6Gc0I5A66q7cflb34OOXsR3rxKDSxEKc2r4pxsAC8cJEgS1ypxRyTaWfhV+OA+OsUQiYt1R+S6Aecl+b/Q+2rJ6Y8kLOR2mL/1JF/sRYLGF0BJvJwVGUxoOuN+/6YAEdCvY15EqlWhHcXhL4tNnc1FnW+vsA1owkYxogLyEG2uaMhDuEWCv4RH2MY4NyBTYKbfOQ4VT/HSdVaUfiZbYxp6m9yI8Ymx7T4fBtL0INfcbCdWCn2ZFRTBRJe2Vsr6mROwW1WG6thXapmWvCNXMCHFcrmgoWbjQXql/dz6VJnycE9ACnocRwaKm/0/ikwDDsjmvufj9nkyvhINXCLt6PKRD7aJGV6dcjALKCdUP+osDi8r83JFNkYBZLCYhlNn+zmP+vTo+eWPO43qZlgFspfaovmE7yDmTlrrPDZSP74nOkxmMoJjnc5yP/Ph87r6kJSpSFvEM9gohgiPyDRCagkU7JJJy1UgcXP1HWfSPxe2p/d/MQkZz1FWP8AqUHzwjiThoMsMrCXmsW4Od2HbnP6iRFFI8YlwbZp0jNPh9JTuwDOwtRw41OpkOmp+MwdcruM7TRugrGJcLEkDKutDM4dlSn5rV/gLZK4mnWAzoO89fwGswWLke2m5se34wQwTDnaRlaLoie8O2G73wIE/yA=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DM6PR15MB23792BBA10E4F2DF68F50065E3519DM6PR15MB2379namp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR15MB2379.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 80e5322b-8840-4233-e7b7-08d915b22983
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 May 2021 01:55:19.1419 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Uq0FLsn8wR1yRL1/DX+XTpRnzx89wuOPOpBQsacUcusjdZLplQ6dZgHj32jt/g1mT3eq6LYnZJZkaPZ9P6V46tvulhc70DodNERdb7/Xc6k=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR1501MB1973
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/uNATrWxGzwLD0iCl-01TEZMIjqI>
Subject: Re: [Ace] Roman Danyliw's Discuss on draft-ietf-ace-dtls-authorize-16: (with DISCUSS and COMMENT)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 May 2021 01:55:30 -0000

Thank you all for the follow-up.

Yours,
Daniel
________________________________
From: Roman Danyliw <rdd@cert.org>
Sent: Wednesday, May 12, 2021 9:34 AM
To: Stefanie Gerdes <gerdes@tzi.de>; The IESG <iesg@ietf.org>
Cc: ace-chairs@ietf.org <ace-chairs@ietf.org>; draft-ietf-ace-dtls-authorize@ietf.org <draft-ietf-ace-dtls-authorize@ietf.org>; ace@ietf.org <ace@ietf.org>
Subject: RE: Roman Danyliw's Discuss on draft-ietf-ace-dtls-authorize-16: (with DISCUSS and COMMENT)

Hi Steffi!

Thank you for the explanations below and edits made in -17 in response to my review.  All of my feedback is addressed and I've cleared my ballot.

Thanks,
Roman

> -----Original Message-----
> From: iesg <iesg-bounces@ietf.org> On Behalf Of Stefanie Gerdes
> Sent: Tuesday, May 11, 2021 8:42 AM
> To: Roman Danyliw <rdd@cert.org>; The IESG <iesg@ietf.org>
> Cc: ace-chairs@ietf.org; draft-ietf-ace-dtls-authorize@ietf.org; ace@ietf.org
> Subject: Re: Roman Danyliw's Discuss on draft-ietf-ace-dtls-authorize-16: (with
> DISCUSS and COMMENT)
>
> Hi Roman,
>
> Thank you for your detailed comments. We addressed most of your comments
> in the latest version. Please find my comments inline.
>
> On 3/23/21 4:32 AM, Roman Danyliw via Datatracker wrote:
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > (A simple editorial fix) Per Section 5.8.2 of
> > [I-D.ietf-ace-oauth-authz], the name of the parameter in the C-to-AS
> > communication is “ace_profile” (not “profile”).  The “ace_profile” parameter
> is mistakenly referenced as “profile”
> > in the following places:
> >
> > -- Section 3.2.1:
> >    The response MAY contain a "profile" parameter with the value
> >    "coap_dtls" to indicate that this profile MUST be used for
> >    communication between the client and the resource server.
> >
> > -- Section 3.3.1:
> >    If the
> >    profile parameter is present, it is set to "coap_dtls".
>
> Yes, you are correct. The name of the parameter changed in
> ace-oauth-authz-25 and this occurrence must have slipped through.
>
> >
> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > Thank you to Russ Mundy for the SECDIR review, and thank you to the
> > authors for responding to it.
> >
> > ** Does this profile only cover part of the oauth-authz framework?
> > Section 3.3 explicitly says “the use of introspection is out of scope
> > for this specification.”  It might be helpful to note in the
> > introduction that this profile only covers C-to-AS and C-to-RS communication.
>
> We added to the introduction that introspection is out of scope for this
> specification.
>
> >
> > ** Section 3.2.1 Figure 3, uses the “req_aud” parameter, but this was
> > renamed to “audience” in -20 of draft-ietf-ace-oauth-authz
>
> Yes, fixed.
>
> >
> > ** Section 3.2.1.  Per ‘The response MAY contain a "profile" parameter
> > with the value "coap_dtls" to indicate that this profile MUST be used
> > for communication between the client and the resource server’, this is
> > true (see the DISCUSS above though).  However, it might be worthwhile
> > to point out that per Section
> > 5.8.2 of draft-ietf-ace-oauth-authz-38, this “MAY” is actually a MUST
> > if the request has an empty “ace_profile” parameter.
>
> Okay, fixed.
>
> >
> > ** Section 3.2.2.  Per “This specification therefore mandates
> > implementation support for curve25519 ...”, perhaps RFC2119 language
> > should be used here
>
> Okay, changed to MUST.
>
> >
> > ** Section 3.3.1.  Per all of the text after “The method for how the
> > resource server determines the symmetric key from an access token
> > containing only a key identifier is application-specific; the
> > remainder of this section provides one example”, consider removing all
> > of the RFC2119 language is this text as its an example.
>
> The Gen-ART review from Paul Kyzivat of 19 Jul 2020 suggested to include the
> normative language to avoid ending up with unclear specifications.
> (The normative language has been added in
> https://protect2.fireeye.com/v1/url?k=6154f2cc-3ecfca1e-6154b257-866132fe445e-003c0148b9c30169&q=1&e=2e35afc9-ad97-4505-ac7e-3c595783ec1b&u=https%3A%2F%2Fgithub.com%2Face-wg%2Face-dtls-
> profile/commit/9ab383c0e08f8d4bff5335cbfadb1c6b48289472)
>
> >
> > ** Section 3.3.2.  Per “When the resource server receives an access
> > token, it MUST check if the access token is still valid ...”, a
> > reference to Section
> > 5.10.1.1 of [I-D.ietf-ace-oauth-authz] for additional verification
> > procedures might be helpful
>
> Okay, done.
>
> >
> > ** Section 3.2.2. and 7:
> >
> > (a) Section 3.2.2.
> >    To be consistent with [RFC7252] which allows for shortened MAC tags
> >    in constrained environments, an implementation that supports the RPK
> >    mode of this profile MUST at least support the ciphersuite
> >    TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 [RFC7251].
> >
> > (b) As this specification aims at constrained devices and
> >    uses CoAP [RFC7252] as transfer protocol, at least the ciphersuite
> >    TLS_PSK_WITH_AES_128_CCM_8 [RFC6655] should be supported
> >
> > The text in (b) is weaker on the mandatory required of the
> > ciphersuite.  In (b), likely s/should be supported/must be supported/.
>
> Okay, changed b to MUST support.
>
> >
> > ** Section 7.  Per “For longer-lived access tokens, DHE ciphersuites
> > should be used”, perhaps add a parenthetical at the end of this
> > sentence of “(i.e., ciphersuites of the form TLS_DHE_PSK_*)”.
>
> Fixed as suggested.
>
> >
> > ** Section 7.1.  Session resumption is noted to be NOT RECOMMENDED.
> > Is there a reason this can’t be stronger (MUST NOT)?
>
> Session resumption can be very useful for very constrained clients. We
> therefore changed it as follows:
>
> OLD:
>
>    Therefore, the use of session resumption is NOT RECOMMENDED for
>    resource servers.
>
> NEW:
>
>    Therefore, session resumption should be used only in combination with
>    reasonably short-lived PoP keys.
>
> >
> > ** Section 7.2.  No issues with the guidance here.  Is there anything
> > DTLS specific that suggests that developers "SHOULD" avoid multiple
> > access tokens per client?  That guidance isn’t in the core framework.
> > I made the comment on the core framework that perhaps this text should be
> there (too?).
>
> We moved the respective paragraph to the framework document.
>
> >
> > ** Please reviews all of the reference numbers to
> > [I-D.ietf-ace-oauth-authz] as a number of them seem to be incorrect (likely
> due to renumbering).  For example:
>
> Okay, checked and fixed.
>
> >
> > -- Section 2.  Per “the client MUST upload the access token to the
> > authz-info resource, i.e. the authz-info endpoint, on the resource server
> before starting
> > the DTLS handshake, as described in Section 5.8.1 of
> > [I-D.ietf-ace-oauth-authz]”, Section 5.8.1 is not the right reference.
> > It’s likely 5.10.1.
> >
> > -- Section 3.4.  Per “The authorization server may, e.g., specify a "cti"
> > claim for the access token (see Section 5.8.3 of
> > [I-D.ietf-ace-oauth-authz]) to employ a strict order”, Section 5.8.3
> > is the wrong section in [I-D.ietf-ace-oauth-authz].
> >
> > -- Section 3.4.  Per “The response SHOULD include AS Request Creation
> > Hints as described in Section 5.1.1 of [I-D.ietf-ace-oauth-authz].”,
> > there is no Section 5.1.1. The appropriate section is either 5.2 to
> > reference this behavior or 5.3 for the details of the hints.
> >
> > -- Section 3.4. Per “Incoming CoAP requests received on a secure DTLS
> > channel that are not thus authorized MUST be rejected according to
> > Section 5.8.2 of [I-D.ietf-ace-oauth-authz]”, Section 5.8.2 is not the right
> reference here.
> >
> > ** idnits returned the following:
> >
> >   == Unused Reference: 'RFC8152' is defined on line 1148, but no explicit
> >      reference was found in the text
>
> Fixed (added reference in the draft)
>
> >
> >   == Unused Reference: 'RFC8613' is defined on line 1212, but no explicit
> >      reference was found in the text
>
> Fixed (removed)
>
> >
> > ** Nits
> > -- Section 7.1.  Typo. s/renogiation/renegotiation/
>
> Fixed.
>
> Thank you for your time,
> Steffi