IETF Logo Mail Archive

Re: [Ace] [Emu] New Version Notification for draft-ietf-ace-wg-coap-eap-04.txt

Dan Garcia Carrillo <garciadan@uniovi.es> Fri, 26 November 2021 09:03 UTC

Return-Path: <garciadan@uniovi.es>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C51323A0C45; Fri, 26 Nov 2021 01:03:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.75
X-Spam-Level:
X-Spam-Status: No, score=-3.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-1.852, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=unioviedo.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mxioql-V3VFM; Fri, 26 Nov 2021 01:03:44 -0800 (PST)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-am5eur02on060d.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe07::60d]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B498A3A0C3E; Fri, 26 Nov 2021 01:03:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Zcc4pThM6Wz/xAFNr6ZCb3P984g3beZXv850jCfRJu7qK14kn2aBPB+BiUJcc1LNTFD9H4y1gllFeWDtzMlaFTl8aRxxnhDzLDHnRI4Yx1HQd7BdfMXucHDqzvKScJPuIChQeeu/BEwgn6gQsI8WbvLI/qz5NwLDOszDE2dmGyLORJcQXnf8Rh564BfX4oX1pxWEoEcguSuYlVLSuThh6mc/C00sQzaSj5oTd7cYZWHJsBg+ArK64pyDMINjVVwd4nCpNKsaTvLP8O+SEUn0QIA1kdUKRYjq7O8BLd0PtEVzogiVV9cmM+y8zidEy4Pg50MIrOAq2MpoL7hENmgRXw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=C6Ipy40rpAh/ZrawwQ9KkqLWcuBLdYv6Frqxytd5xcU=; b=Hw1q0rL08BVD23vuYs+/FDVZOwYdbll8xIjhRmDpSUkOLEBPU2v2ioZygMVqjC6J7DlJpPwtlZdcJ846xao4/LVZlS9o46Ybn+MtJmsR8gN9M/Ev7UlmDy3LxF4NFuxLSKD47UokUOlXvmCuLHAhqD7D01eo8l8FBE1jTuWkdA76Giapm7P9bOQ97ovB7/sk+jh4bsN2SH0aqMC7yaBnQ4uSOQlpLMvKFVnami7bRC18GClWjZtjVUn+KWr3Y3WSWoXlbXGmBr3SvT7VRXeFI0Z8J8BDW3bYhIqdoZZedzu9xcoXS0yJXifGLYHU64o4S561D4FAKOPsxv61+JdPAA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=uniovi.es; dmarc=pass action=none header.from=uniovi.es; dkim=pass header.d=uniovi.es; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=unioviedo.onmicrosoft.com; s=selector2-unioviedo-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=C6Ipy40rpAh/ZrawwQ9KkqLWcuBLdYv6Frqxytd5xcU=; b=GjJKjei05UEh2VW8sjKuk0oX9rmkkHSTgaiTYIFG8eNi5N5cwrY+LIB7Z7emj5h3IUL+xPiv6VPLwatrWzWLvalgs6HJ+2w4IuWtXfywzTOtgCUtpTWTWD0pdvyei0sLlyXGjxYdt0NIQ9dRMYKGhNd/7UYkJqB+K1/kwmTpKlU=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=uniovi.es;
Received: from DBBPR08MB6202.eurprd08.prod.outlook.com (2603:10a6:10:209::9) by DB8PR08MB5484.eurprd08.prod.outlook.com (2603:10a6:10:111::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4713.22; Fri, 26 Nov 2021 09:03:36 +0000
Received: from DBBPR08MB6202.eurprd08.prod.outlook.com ([fe80::1434:d823:a6b5:6f50]) by DBBPR08MB6202.eurprd08.prod.outlook.com ([fe80::1434:d823:a6b5:6f50%7]) with mapi id 15.20.4713.027; Fri, 26 Nov 2021 09:03:36 +0000
Content-Type: multipart/alternative; boundary="------------J9YtB0OR431pnqno3Eq6onuJ"
Message-ID: <e643e377-409f-cd2e-0b68-d70a857820f5@uniovi.es>
Date: Fri, 26 Nov 2021 10:03:33 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.3.2
Cc: garciadan@uniovi.es, "ace@ietf.org" <ace@ietf.org>, EMU WG <emu@ietf.org>
To: Daniel Migault <mglt.ietf@gmail.com>, Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org>
References: <163516103436.11405.13911066633297545379@ietfa.amsl.com> <bc792146-39c4-73a3-63e2-7db7acf7aa2f@uniovi.es> <HE1PR0701MB3050A49DC2D32180B2831D6889839@HE1PR0701MB3050.eurprd07.prod.outlook.com> <AM4PR0701MB219545F3A90E17FD18844F13F4629@AM4PR0701MB2195.eurprd07.prod.outlook.com> <CADZyTk=Q4u8S8zxjrO=MVYZXxEPXEHdMENfoNiRrB2X0yOPm-w@mail.gmail.com>
From: Dan Garcia Carrillo <garciadan@uniovi.es>
In-Reply-To: <CADZyTk=Q4u8S8zxjrO=MVYZXxEPXEHdMENfoNiRrB2X0yOPm-w@mail.gmail.com>
X-ClientProxiedBy: LO2P265CA0167.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:9::35) To DBBPR08MB6202.eurprd08.prod.outlook.com (2603:10a6:10:209::9)
MIME-Version: 1.0
Received: from [IPV6:2a0c:5a80:3c13:f000:589f:2891:1b30:6314] (2a0c:5a80:3c13:f000:589f:2891:1b30:6314) by LO2P265CA0167.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:9::35) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4734.20 via Frontend Transport; Fri, 26 Nov 2021 09:03:34 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 302f9a4b-a5c8-4bb3-0a40-08d9b0bba0d8
X-MS-TrafficTypeDiagnostic: DB8PR08MB5484:
X-Microsoft-Antispam-PRVS: <DB8PR08MB54844EA6264C17C746B02197B4639@DB8PR08MB5484.eurprd08.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 8XcPsINVCrIbQ8VGwQmYpmn8U0DS4HcSI59uSDVZdcjXv0hEAtOiFhZZaXrdAqC/nVDeMewZ0CMaBpfvBQ5SbbZncminDD/83z9JlT265FayhAbaZAUcqtAkIB12MzEEoG2kRc2zJAGV6/ewXWZNDlPb7Ep5DTmcI6L5emqxfgsLvDt4Qo7yc1ohcJIntarwieq9vz5By4wkreowI+l2REKWCzcYPED7qlYezxvUFUiOKbdYDxV0JpRKIkt1Kp070qp4EOnuR8m4uZ0EI9GgbedT3toz6747aJavGwhfeS45LEUUtTgDc0v7pcvjBY8MokKx/epDOpleW9icQ1IGOGuWeH9Pxe/fr1PmGEb28wRFhghoNiban66IpGtta4iJUDyaPd8MTZT4MTMCMXdNAgBSw6EQCsBZrNRckcIamg0Z2WdDZFKALVQ/gVdQsjjRX+lans16Is/AQDOq3O1sq4x12+vLEPwnGkgTmwOoklbt0WvvqfXTG6HcBPfpl4X6QIqO3wrt+U7UZeqm1EjmceDTt0iTdW+hMTUu7POXs932CAsZn+HWeOY2nnZHn+VNBevdrxE/3W6pcVkbCDnEVAOmMdBto6Lar9xdQqd3GcAoezRfoCzzxJdN1KG5GHSwBlxHvDBfLc5rXhKuMfVTo8cSSsChX9B92+/RE2nu8VlcE/hIpG4UhC86ccZb2mhrcsySyZtUtNfuWgW9LVO/kJAOKUz1pUkgtkzI7jqvmD/p22lYeJtGJiuy2odH01W/A8PQN9Nxi7Gv1G2hjh8El7bzGm16riq168BLtnC00dIuF3idmdpdO5H2KP8jCjT3
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DBBPR08MB6202.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(4326008)(8936002)(966005)(86362001)(15650500001)(30864003)(6486002)(36756003)(5660300002)(110136005)(8676002)(186003)(31686004)(54906003)(508600001)(53546011)(2616005)(786003)(316002)(83380400001)(2906002)(31696002)(66556008)(33964004)(166002)(66476007)(4001150100001)(66946007)(38100700002)(66574015)(52116002)(45980500001)(43740500002)(559001)(579004); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: JjhSl/3qCHwvsTwPZdX3MxNVOxhzaZL8M4m/daoghA/7Whb1jc/Tz3q3/xDqBGda6kKQFlthktbErj1pqpDLT6Dfxhw1UGftw46glrL/X0yzFP49RW2XnRFuGwwZgpvlvMV4rT+XR+6nYtsPAvyS7Rjk4E29CDh3AmVvWaei0NIpXPwWwtlut67n5hk/wi67jPRqyvxABJd3oUMLM39igNG+cEUqRWayNRmFOTV0g6upuwX+E7dWAlmwA35gjvMya2kWimGClmI2G67wCReRkESULnVqjhKj0IbLHoQgDWVfJeRidl+bpEdywA9dVQTMdfTuNi91V7iYnA2Arz0IqGxpyWCzL9vR+mb6+lXqOB8e7FqUf0JM5cR3BWCsvdkRh8fBjuZQN9te+GxbNNFrA17cEHXNtDK2iKdguhwcSSY0gmAZv2/DV9owSDvFpJZyQwLSC3iWhbWowYfSiePzhXyJCuuZd0Hm9WI0z7zmSX76/y3CEHo4/svg01ku7zs1jKFitnvTxhHmKvFZXkdyCPvrcTHj5u35gKTkiAesMEupWDfVLzdkge0AIxV/mSVI/o7SECwxIThXkw/A+tqwBi5bD/ySTYy5KAg4A1CJx6uP8AjfGJbYa72y0UZm/0MlS6piCc6kNDdgyATQdL/5e47AMkMxMEb/7StgnsJMoP5QQCi57EskuOr6sZlRFOr9I4MdREdR/gsix1xrnYzCTpj8h61uyjmAjO1iAFQeh2r+hHgtgZOfSM9jzfvrO/nGdlnlnmS5kfCDAwzUHx5BmR18pTH4ZssAuHmfE174Td38/r2gdoA4nKJfErRBsci7OtKGsvB7mIRYbqznfHbnV5WldxLkmo9MXBXNqw3IlGhJfkRO+xzvUVWOCtNO1yJ1wTCCrgO91Ww8DKuw3hiH6r4dJHhyPu+hibCF+uwzSyG6Q6gj6sJ9ahezga9YTXrDo07D/eIzagjPjr6Dvsr7dFHapZFyO4hF9lrDwOsBJQrmEVH6mE1NfNn8QNZMmcaxigWXxynwKQqedc2s/8dZu4kW7Oe+l58I04yYYq/uFJWVxx94h9hAdaqGq7VzH19aiPf3s9rkGBA4AHr9oWBVbTYgqX/hWLWtdKK+THI8Qug/uz7cm6O5N395DBaHQqprpEgQqqXQIUnZv4NJISrLzbwqzYGN+R7NpUCQMc9hovDTFPeZDKqQv0V0ZfT1zCjE34tuDWyYbadXSXra1P/Q2PwvBSsrROAhAIoDlNP8KLRuJBWZho0zHiLCabkCzH98v8DSvq9ABBkuuZyLxGQm+05G4n2ljKotaQ5ZZTCtByaHUoaVMA4isl4993h8UehQO0Y0KmVolN3pGR1iZVp/MKYyWhqs0i1bCPfzRxou3sAbzTmFgkAKojEWHdTdmwvLodORWbGjn132Vhv2WsDkJM5C/Ei1De9MksKNTh5fp+hUJoyTQmrWoqacdIfmfykScyS6z7Qy1uKDRwipyO25ytSymEO0lwQ1kI0HeRUUxpGzoggFc/kaE8OdImf9cyeR5IRFg5EJ7s+Y3GXQ1Xlp2vUidPrxYSjYP3BOzpSRAMMNJRyU8K+v4fVzKjaNSVbgNZJh/gDL27R/nJs+JuBx1vLxSSuyd/9+y2++BRBpYWPGiCFiTe/4YR3YghJtq/HcJQzzUHzehJHRmoH6CP5LldOex5EKYE5tWBOfyWVF678=
X-OriginatorOrg: uniovi.es
X-MS-Exchange-CrossTenant-Network-Message-Id: 302f9a4b-a5c8-4bb3-0a40-08d9b0bba0d8
X-MS-Exchange-CrossTenant-AuthSource: DBBPR08MB6202.eurprd08.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 26 Nov 2021 09:03:35.9017 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 05ea74a3-92c5-4c31-978a-925c3c799cd0
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: yvpZG/lShgYu/KvIlvVDKJCYSNp9Ma9RZTEqQfaWB/C8Smf5J/jvJAvH1QerHCCkp96I0w9vQzhqh9optsy1Wg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB8PR08MB5484
X-MS-Exchange-CrossPremises-AuthSource: DBBPR08MB6202.eurprd08.prod.outlook.com
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 06
X-MS-Exchange-CrossPremises-Mapi-Admin-Submission:
X-MS-Exchange-CrossPremises-MessageSource: StoreDriver
X-MS-Exchange-CrossPremises-BCC:
X-MS-Exchange-CrossPremises-OriginalClientIPAddress: 2a0c:5a80:3c13:f000:589f:2891:1b30:6314
X-MS-Exchange-CrossPremises-TransportTrafficType: Email
X-MS-Exchange-CrossPremises-Antispam-ScanContext: DIR:Originating; SFV:NSPM; SKIP:0;
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-Processed-By-Journaling: Journal Agent
X-OrganizationHeadersPreserved: DB8PR08MB5484.eurprd08.prod.outlook.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/vXwJgLKyXSQ7v51pGjZ9bD9YtL4>
Subject: Re: [Ace] [Emu] New Version Notification for draft-ietf-ace-wg-coap-eap-04.txt
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Nov 2021 09:03:50 -0000

Dear Daniel,

We are going to go through the reviews and do our best have the document 
ready by next week.

Thank you.

Best Regards,

Dan.

On 25/11/21 15:04, Daniel Migault wrote:
> Thanks Goran for the review, that is well appreciated. I am wondering 
> if these concerns could be addressed by next week (by the co-authors) 
> for example ?
>
> For all, please provide your comments or feedback as soon as possible, 
> but we do expect to ship that document to the IESG very soon - for 
> what very soon means.
>
> Yours,
> Daniel
>
> On Thu, Nov 25, 2021 at 4:10 AM Göran Selander 
> <goran.selander=40ericsson.com@dmarc.ietf.org> wrote:
>
>     Hello authors of draft-ietf-ace-wg-coap-eap,
>
>     Thanks for working with this draft. Here is a mix of
>     nits/editorials and more substantial comments in the order as they
>     appear in the draft.
>
>     Abstract
>
>     OLD
>
>     One of the primer goals is to
>
>     NEW
>
>     One of the main goals is to
>
>     Section 1.
>
>     "EAP methods transported in CoAP MUST generate cryptographic material
>
>        [RFC5247] for this specification. "
>
>     The term “cryptographic material” is used multiple times in this
>     document but is not defined. RFC 5247 uses “keying material”, does
>     that match the intended meaning?
>
>     Section2.
>
>     Figure 1 is perhaps too informative containing endpoints, stacks,
>     what is CoAP, and scope of this document. There is no line/arrow
>     between IoT Device and Controller, presumably because there is too
>     much other information. Section 2 don’t talk about the stack at all.
>
>     * Proposal: Make two figures: one with nodes and lines/arrows
>     (“architecture”); another with the stack, which is essentially the
>     same in the two nodes in scope of this document.
>
>     *  It is confusing that CoAP role allocation is shown in the
>     figure since those only apply to one step of the operation in
>     section 3.2. In all other steps the roles are reversed. Proposal:
>     omit the CoAP roles in the figure, and/or provide an explanation
>     in section text or caption.  The section text talking about CoAP
>     client also needs to be modified accordingly.
>
>     * Nit: RFC8323 calls the layer between request/response and
>     reliable transport “message framing”. Perhaps you want to have a
>     common layer renaming the "Messages" layer with “Message /framing/”.
>
>     Section 3.
>
>     "It is RECOMMENDED a light EAP method for the case of constrained
>     link and constrained IoT devices."
>
>     If this will remain a normative recommendation, then there needs
>     to be a definition (reference) of "light EAP method". Perhaps
>     consider just explain the intention of "light" ("lightweight"?)
>     and remove the normative recommendation?
>
>     ---
>
>     OLD
>
>     The article [eap-framework], highlights the benefits of the EAP
>
>        framework.
>
>     NEW
>
>     The benefits of the EAP framework are highlighted in [eap-framework].
>
>     3.1
>
>     "resource directory"
>
>     Provide a reference or at least as an example, like
>     draft-ietf-core-resource-directory,
>
>     ---
>
>     OLD
>
>     Example of this protocols
>
>     NEW
>
>     Example of such protocols
>
>     3.2
>
>     Step 0
>
>     "The message also includes an URI in the payload of the message to
>     indicate to what resource (e.g. '/a/x') the Controller MUST send
>     the first message with the EAP authentication"
>
>     The DoS issues with requiring the Controller to send a message to
>     an unknown URI need to be considered.
>
>     Step 1
>
>     "the Sender ID for OSCORE selected by the Controller"
>
>     Is this the Sender ID *of the IoT device* selected by the
>     Controller? In other words, is it the Recipient ID of the
>     Controller selected by the Controller? That would correspond to
>     how OSCORE identifiers are chosen in EDHOC:
>
>     https://datatracker.ietf.org/doc/html/draft-ietf-lake-edhoc-12#section-3.3.2
>
>     Best not to use the terms "SID" or "RID" unqualified in message
>     fields since they are reversed on the IoT device and Controller.
>     Better use terminology like e.g. RID-I and RID-C for RID of IoT
>     device and Controller, respectively.
>
>     Step 2
>
>     "the EAP response, the Recipient ID and the selected ciphersuite
>     for OSCORE are in the payload."
>
>     Is this the Recipient ID *of the IoT device*? See comment above.
>
>     ---
>
>     OLD
>
>     In this step, the IoT device MAY create a OSCORE security context
>     with the Sender ID and Recipient ID.
>
>     NEW
>
>     In this step, the IoT device MAY create a OSCORE security context
>     with its Sender ID and Recipient ID.
>
>     Step 7
>
>     OLD
>
>     The reception of the POST message protected with OSCORE using the
>     Sender ID sent in Step 1 is considered by the IoT device as an
>     alternate indication of success ([RFC3748]).
>
>     The unqualified "Sender ID" is confusing here. Why does the ID
>     sent in step 1 indicate success to the IoT device? I would expect
>     the ID selected by the IoT device itself and sent in step 2, if
>     used by the Controller to derive the OSCORE security context to
>     protect the message in step 7 would be a stronger indication of
>     success. Proposal (check if this is correct):
>
>     NEW
>
>     The reception of the POST message protected with an OSCORE
>     security context derived using the Recipient ID of the IoT device
>     sent in Step 2 is considered by the IoT device as an alternate
>     indication of success ([RFC3748]).
>
>     ---
>
>     "The communication with the last resource (e.g. '/a/w') from this
>     point MUST be protected with OSCORE except during a new
>     (re)authentication (see Section 3.3)."
>
>     I don't understand why there is an exception. OSCORE seems to be
>     applied to communication with the last resource in all cases:
>
>     * In the case of new authentication the procedure explained in
>     Section 3.2 applies protection with OSCORE in communication with
>     the last resource.
>
>     * In the case of re-authentication, the procedure is explained in
>     Section 3.3 to be "exactly the same" as in Section 3.2.
>
>     Also I find the expression "new (re)authentication" confusing -
>     what is the the difference between "re-authentication" and "new
>     re-authentication"?
>
>     Section 4.
>
>     "  1.  SID: It contains the Identifier for the Sender ID to be used in
>
>            the OSCORE security context.
>
>        2.  RID: It contains the Identifier for the Recipient to be used in
>
>            the OSCORE security context."
>
>     Same comment as above to qualify SID and RID: is SID the Sender ID
>     of the IoT device or of the Controller?
>
>     Section 5.1
>
>     "If the Controller sends a restricted list
>
>        of ciphersuites that is willing to accept, and the ones
>     supported by
>
>        the IoT device are not in that list, the IoT device will
>     respond with
>
>        a '4.00 Bad Request', expressing in the payload the ciphersuites
>
>        supported. "
>
>     Make clear (here or in a security consideration) that in case of
>     an error message containing a cipher suite, the exchange of cipher
>     suites between EAP authenticator and EAP peer cannot be verified.
>     For example, a man-in-the-middle could replace cipher suites in
>     either message which would not be noticed if the protocol is ended
>     after step 2.
>
>     Best regards
>
>     Göran
>
>     *From: *Ace <ace-bounces@ietf.org> on behalf of John Mattsson
>     <john.mattsson=40ericsson.com@dmarc.ietf.org>
>     *Date: *Monday, 25 October 2021 at 17:03
>     *To: *Dan Garcia Carrillo <garciadan@uniovi.es>, ace@ietf.org
>     <ace@ietf.org>, EMU WG <emu@ietf.org>
>     *Subject: *Re: [Ace] [Emu] New Version Notification for
>     draft-ietf-ace-wg-coap-eap-04.txt
>
>     Thanks,
>
>     I think this is a very useful mechanism and a well written draft.
>     Some quick comments.
>
>     - "ciphersuite"
>
>     Note that both TLS and EDHOC spells this with space "cipher suite"
>
>     - Section 2. I don't understand what "SM" in Figure 1 is an
>     abbrevation for.
>
>     - Section 2. "UDP/TCP/Websockets" Why is the Websocket protocol in
>     plural?
>
>     - Section 3. "EAP method that exports cryptographic material"
>
>       This can probably be reformulated in terms of MSK, EMSK or "Key
>     derivation" which
>
>       is the property that RFC 3748 uses.
>
>     - "EAP-MD5 cannot be used since it does not export key material"
>
>        MD5 should really not be used at all for security resons.
>     Highlighting it like this might
>
>        be the idea that it would be ok if EAP-MD5 had the "Key
>     derivation" property.
>
>     - "The required key, the Master Session Key (MSK), will be
>     available once the
>
>        EAP authentication is successful."
>
>        Does this belong in step 2?
>
>     - In Figure 2. I do not think you have to wait until EAP-SUCCES to
>     make MSK available.
>
>       The authentication can be successful before EAP-SUCCES.
>
>     - In section 3.3. it might be good to state that
>     "Reauthentication" might be needed to rekey MSK/EMSK and to
>     increase protection against key leakage.
>
>     (An important mitigation of pervasive monitoring is to force
>     attackers to do dynamic key exfiltration instead of static key
>     exfiltration. Dynamic key exfiltration increases the risk of
>     discovery for the attacker [RFC7624]. While OSCORE will soon be
>     augmented with a rekeying mechanism with forward secrecy,
>     attackers can still get away with doing static key exfiltration.
>     This is similar to TLS 1.3 with KeyUpdate, after leakage of
>     application_traffic_secret_N, a passive attacker can passively
>     eavesdrop on all future application data sent on the connection
>     including application data encrypted with
>     application_traffic_secret_N+1, application_traffic_secret_N+2, etc.)
>
>     - "4.  The values from 65000 to 65535 are reserved for
>     experimentation"
>
>        what does "The values" refer to? Lifetime? In that case it
>     would fit better under 3.
>
>     - In addition to AES-CCM-16-64-128, only ciphersuites only cipher
>     suites with AES-GCM is included. My feeling was that most IoT
>     people are more interested in ChaCha20-Poly1305 than AES-GCM. I
>     don't have a strong personal opinion.
>
>     - "which is considered fresh key material"
>
>     “considered fresh”? Maybe "uniformally random"?
>
>     - With normal use of DTLS, Appendix A violates “The CoAP-EAP
>     operation is intended to be compatible with the use of
>     intermediary entities between the IoT device and the Controller”.
>     This limitation should be clearly stated.
>
>     - Probably good if the labels have “CoAP-EAP” in all the labels to
>     guarantee that they do not collide with anything else.
>
>     Cheers,
>
>     John
>
>     *From: *Emu <emu-bounces@ietf.org> on behalf of Dan Garcia
>     Carrillo <garciadan@uniovi.es>
>     *Date: *Monday, 25 October 2021 at 13:27
>     *To: *ace@ietf.org <ace@ietf.org>, EMU WG <emu@ietf.org>
>     *Subject: *Re: [Emu] New Version Notification for
>     draft-ietf-ace-wg-coap-eap-04.txt
>
>     Dear ACE and EMU WG,
>
>     We have submitted a new version of the draft
>     (draft-ietf-ace-wg-coap-eap)
>
>     This version provides information on the different comments, from the
>     reviews and interim meetings.
>
>     Best Regards.
>
>
>     El 10/25/2021 a las 1:23 PM, internet-drafts@ietf.org escribió:
>     > A new version of I-D, draft-ietf-ace-wg-coap-eap-04.txt
>     > has been successfully submitted by Dan Garcia-Carrillo and
>     posted to the
>     > IETF repository.
>     >
>     > Name:         draft-ietf-ace-wg-coap-eap
>     > Revision:     04
>     > Title:                EAP-based Authentication Service for CoAP
>     > Document date:        2021-10-25
>     > Group:                ace
>     > Pages:                29
>     > URL:
>     https://www.ietf.org/archive/id/draft-ietf-ace-wg-coap-eap-04.txt
>     > Status: https://datatracker.ietf.org/doc/draft-ietf-ace-wg-coap-eap/
>     > Htmlized:
>     https://datatracker.ietf.org/doc/html/draft-ietf-ace-wg-coap-eap
>     > Diff:
>     https://www.ietf.org/rfcdiff?url2=draft-ietf-ace-wg-coap-eap-04
>     >
>     > Abstract:
>     >     This document specifies an authentication service that uses the
>     >     Extensible Authentication Protocol (EAP) transported employing
>     >     Constrained Application Protocol (CoAP) messages.  As such, it
>     >     defines an EAP lower layer based on CoAP called CoAP-EAP. 
>     One of the
>     >     primer goals is to authenticate a CoAP-enabled IoT device
>     (EAP peer)
>     >     that intends to join a security domain managed by a
>     Controller (EAP
>     >     authenticator).  Secondly, it allows deriving key material
>     to protect
>     >     CoAP messages exchanged between them based on Object
>     Security for
>     >     Constrained RESTful Environments (OSCORE), enabling the
>     establishment
>     >     of a security association between them.
>     >
>     >
>     >
>     >
>     > The IETF Secretariat
>     >
>     >
>
>     _______________________________________________
>     Emu mailing list
>     Emu@ietf.org
>     https://www.ietf.org/mailman/listinfo/emu
>
>     _______________________________________________
>     Emu mailing list
>     Emu@ietf.org
>     https://www.ietf.org/mailman/listinfo/emu
>
>
>
> -- 
> Daniel Migault
> Ericsson

v2.23.0 | Report a Bug | By Email