Re: [Ace] FW: WGLC comments on draft-ietf-ace-dtls-authorize
Benjamin Kaduk <kaduk@mit.edu> Sun, 10 March 2019 17:19 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id B812912796C;
Sun, 10 Mar 2019 10:19:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=mit.edu
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id oyVRlQ-xh5Lt; Sun, 10 Mar 2019 10:19:22 -0700 (PDT)
Received: from NAM05-BY2-obe.outbound.protection.outlook.com
(mail-eopbgr710112.outbound.protection.outlook.com [40.107.71.112])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 2D25F1240D3;
Sun, 10 Mar 2019 10:19:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=3MB8WAKTQIIzW3CRKOHlnmE7kmiDckAs4/Q+DzeWfJM=;
b=BJihQKDb2cBBiyhfOyqb8OsqKzYPT34Qo4pePfDG9+bDPQ9+V+S11XAgujxZI/znGs+mbbgggi5sUL4v753XR599hPZJ+kIm35VBMDyfhFuy+WYZsnJLG1b4HmdPyEHihTS6ESYPxgXzee1LvkmqboOr+EJUypFr0XcELDN0V88=
Received: from SN2PR01CA0047.prod.exchangelabs.com (2603:10b6:800::15) by
DM5PR01MB2476.prod.exchangelabs.com (2603:10b6:3:3c::10) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.1686.18; Sun, 10 Mar 2019 17:19:20 +0000
Received: from DM3NAM03FT005.eop-NAM03.prod.protection.outlook.com
(2a01:111:f400:7e49::209) by SN2PR01CA0047.outlook.office365.com
(2603:10b6:800::15) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1686.16 via Frontend
Transport; Sun, 10 Mar 2019 17:19:20 +0000
Authentication-Results: spf=pass (sender IP is 18.9.28.11)
smtp.mailfrom=mit.edu; ietf.org; dkim=none (message not signed)
header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=mit.edu;
Received-SPF: Pass (protection.outlook.com: domain of mit.edu designates
18.9.28.11 as permitted sender) receiver=protection.outlook.com;
client-ip=18.9.28.11; helo=outgoing.mit.edu;
Received: from outgoing.mit.edu (18.9.28.11) by
DM3NAM03FT005.mail.protection.outlook.com (10.152.82.143) with Microsoft SMTP
Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.1686.19 via Frontend Transport; Sun, 10 Mar 2019 17:19:19 +0000
Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com
[24.107.191.124]) (authenticated bits=56)
(User authenticated as kaduk@ATHENA.MIT.EDU)
by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x2AHJG8g014025
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
Sun, 10 Mar 2019 13:19:17 -0400
Date: Sun, 10 Mar 2019 12:19:15 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Jim Schaad <ietf@augustcellars.com>
CC: =?iso-8859-1?Q?'G=F6ran?= Selander' <goran.selander@ericsson.com>,
<draft-ietf-ace-dtls-authorize@ietf.org>, <ace@ietf.org>
Message-ID: <20190310171915.GD8182@kduck.mit.edu>
References: <029e01d46a3e$72bad330$58307990$@augustcellars.com>
<87a7mnv7ls.fsf@tzi.org>
<990DB036-3144-4729-8FB1-8E25E704E2DA@ericsson.com>
<005401d4d162$9f0c9870$dd25c950$@augustcellars.com>
<250DA6EB-8B59-42D1-877E-ABA1149100EB@ericsson.com>
<20190310170952.GB8182@kduck.mit.edu>
<037701d4d765$2912e580$7b38b080$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <037701d4d765$2912e580$7b38b080$@augustcellars.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:18.9.28.11; IPV:CAL; SCL:-1; CTRY:US; EFV:NLI;
SFV:NSPM;
SFS:(10019020)(346002)(396003)(376002)(39860400002)(136003)(2980300002)(13464003)(189003)(199004)(8676002)(104016004)(246002)(6246003)(8936002)(4326008)(26826003)(55016002)(478600001)(316002)(229853002)(93886005)(36906005)(75432002)(33656002)(54906003)(58126008)(50466002)(786003)(47776003)(426003)(336012)(106466001)(26005)(106002)(2486003)(23676004)(186003)(7696005)(53546011)(356004)(76176011)(11346002)(446003)(956004)(1076003)(126002)(476003)(66574012)(486006)(88552002)(2870700001)(305945005)(53416004)(5660300002)(2906002)(6916009)(86362001);
DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR01MB2476; H:outgoing.mit.edu; FPR:;
SPF:Pass; LANG:en; PTR:outgoing-auth-1.mit.edu; MX:1; A:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: fd788076-ed29-46ff-b7ad-08d6a57c8825
X-Microsoft-Antispam: BCL:0; PCL:0;
RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4608103)(4709054)(2017052603328)(7153060);
SRVR:DM5PR01MB2476;
X-MS-TrafficTypeDiagnostic: DM5PR01MB2476:
X-Microsoft-Exchange-Diagnostics: 1; DM5PR01MB2476;
20:9Mx6OrCrkAc8V29X+1Lm60BhQj/Bgn9R0EWLjhmY+m0ZdLXHUX84crg7NwFCH61qvFQDsru8REGbMT7tshQOrU1Zk5IN1DmkS33RCkH3l4Z+3TE2Iyob3Ft56lOiSUkS7iwuBXx0rxNPqetgSWBDRj6ItdAiOOj4K6GXteLDyp43xvdFRPp8kZHaC/KQdsjeFcnj530j2kg+tUC08y9wEuXotEIq20EsE/+TNLBCvPTtPMEgTZbzMqjScS/9ht16zFhTdB04bHC5lY38Mlq+ycb7shUX7xAK/7/OYTfyuP8ZuhjIci3JXXgd6kFALMGomxPW8LCGmragVp9iwg+gWozvcCAuAs5vxvaSWQkfJAoiw9BhKo1nBvvr5W4Mh2Uld2Q8pBrS76wutYu3ExmGXF1+MXSpBbvcQwy7ZAw/S7u/9/g8tz08BmbHDR9hcHodKHhiMOOakvBBnsVo/9iPaj3iOhdGl7p93htFUbqDJvR48udp47GlzRmjcbltO0gwuDrSTcT56Blm7sB3kNUYK/jSuWv11tTpdbQc/8aocf6XSQR6WTj6pVC9xX0vZDZVy6M3M0UzdLGPii5X8Y2GGlzFsHnpofFFYW8fnuJD3vY=
X-Microsoft-Antispam-PRVS: <DM5PR01MB24763F8181FD4EE14698B9A4A04F0@DM5PR01MB2476.prod.exchangelabs.com>
X-Forefront-PRVS: 0972DEC1D9
X-Microsoft-Exchange-Diagnostics: =?utf-8?B?MTtETTVQUjAxTUIyNDc2OzIzOllxem4xb3pXbjhnUzdTZy9SelVEKzQrdHFz?=
=?utf-8?B?TmE0VG9acjVwVmxsOWVBRUpvaVlUdlgwbE1hMEZNT0wyeURTRzBCYWNWSSts?=
=?utf-8?B?dkhxOXBNUTJXNHlQamhCb1FianJZbnpFMGZ5UUVhN0VoeGZxWUFXN0FUSE0w?=
=?utf-8?B?OVNCQ25KYmN1TG9EQkJsbG9oc3BhYktKSEJJQTErYVJtMHFjdWlEU0xlYnNh?=
=?utf-8?B?OENaYkJkNWxuNVlBNGtJUURoeE9MejdWWk0vbEVIVEJkQUlERGRhemR6b2Q0?=
=?utf-8?B?SktNVGJUSEJpcElSelhRdkFMRnlXSXQ5WVIzbytXOVA5MUtHSldycmYzL0g1?=
=?utf-8?B?ZWZ0dk5zSHQyRmVGSm5OY3RjN3pobFU4NzZOTENHNEoyN2c2WG50akdVN2FB?=
=?utf-8?B?MG5aeVdMMkEwV3M0dGt2N0ZTMDZYVEVvNXdGQ1FrU3FCM3gvUzN5QXFQdXdW?=
=?utf-8?B?STBLd0lrREg4Yk54b243bkJKWEtCTFkxc05pTHVmWFFxbkJXQ1lxTnRhS05i?=
=?utf-8?B?MXpZc0hpMzdMVHZOdFE2cHFvTVAvM040eDZoU0NobVpRUjQ4OVlyeW9KanIy?=
=?utf-8?B?c1dIdmFoZER3MXFUWlF6bUpjcUVOZ25tZThXRkJnWkk3RmhONGREaVhyU0pR?=
=?utf-8?B?M1B3eWpoMEVkdVZ2aTlsSHY0WGtPYXBrYUswZWE0MG5zQVZUdEZBcHNwWDBr?=
=?utf-8?B?M0tGUkxjOVQ3ZFFKSWdGVXVOSGs5UjFaZVJkeFZ5SU9ZNkd4U2kzNmZRbk1O?=
=?utf-8?B?dEM0Z2pRSVZXb212bVV5ZDI2Z1Yzdzl5WC9UTklSN1U4SVBqWi9IVml2QXJn?=
=?utf-8?B?TjlSZXkzZmJsdXpyU0Nyb3F5YkppOGEyaytMMFhXNFhRRzJxNEpPdHlkcHEw?=
=?utf-8?B?NTNrV3JoWDQvZ1FLNEJxcmkybEtVYXErY1pHNWNPSmtyRURpTkl0b3Fsd1Zx?=
=?utf-8?B?cStralExck1kcGFiVzhPL2VTOXZ1anpkNkYrOFdabmdDT1o4cFdoR3ZTMEgy?=
=?utf-8?B?RXBLeGxSOGtQcjh4emU3TUprdjFETDNQMmJ0c1IvTDFwWW5tTU5VTXBqU21x?=
=?utf-8?B?YkxSV21jZkNmNkFub3VCN2RyY2wrQjEyRkNtUjA5Zk1RODNXMWdrK2lyaHh5?=
=?utf-8?B?bnhnSXZ0U0YvRkRPcitDaGtLZG1JV2ZiNDBVaVI2TkpuMnVmdTNMOVF1bjRE?=
=?utf-8?B?cUVJSk5rVkJlTmxTQ0tqUDBvSlNDRVo2aVgzWnBZODErcEM0a1lmUVNDSkZL?=
=?utf-8?B?dmFXL2NYMkJWczludC8vdDJIcFRXYTlmMGpoLzk5QUN2VUs3WStIeWJWT1RK?=
=?utf-8?B?cHEvaWx1S281bjZtY2ppUE1vY2lxbURRRHVYTnNnS1hmM0NsUWhxN1ptNDlE?=
=?utf-8?B?azh4MlM1R0ZIRTBvL1d4emUvQi9YdHYweDdadkxhMXo2cTZSMEdCMW1uT3pa?=
=?utf-8?B?OWxORTN4UjB1S04yc2RVc0pSRkRZdWh0bGN0b2xROElSaGNzME1nOXlURDFr?=
=?utf-8?B?QUhVM1Y2YmVFZUltUjRUQ1BDNzBNUitFcFVmc0dzZExRZVExMmxabHRadmVW?=
=?utf-8?B?ZlNQa2FHNCtDWFFiY0ZKWHdZMGxRMHZZbTAyNzc2ZkVIYjFFdlV1cmx4ak83?=
=?utf-8?B?aDJpWUlmdHlNcVo3QTdCVkcyQm9LSHJWZnk2UnpOVEY0cFRCMG5iS3dqTXhB?=
=?utf-8?Q?V3WTcJsdglAxXQc/JE=3D?=
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: /zTOHvXaj6EiSAg6HOdupvHG7n0cStxGd0wZgntZHYCsx4vUgSkH/1fou2GP2dmG7YoUSD5el1J4LVejmvKWKjP/EEI33H53DFqByNdy3QqqMXB+fXaF//ziWQ2AMOvJrMqIV9QAGQuQgGt7MUX1aabGq4bq6SgPQxfzXXCh52df59bjCdVVhHTubqQQuTqr2eEsHsSY8n854v0HqYCGjP9yL0dEG2OpmPnQQJcGu+jdY3DjWaEvV66meutgH9UFUv4DLuV3UBrGf8sS2w3z+6YIDPAtf2yaJZGGOXEPDgNhlbX//CzSotELpDvH0PooSBkbRrNoXEAU6qfgY1TqZ+gQ535qaMl+1kWxWxR2ONVbUBWi0eHkLmEv1VG9JWU5pFNYqwK4/mmQNSPDVFar6CG6dRbvW4MYQ2deHYvjI9E=
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Mar 2019 17:19:19.4486 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: fd788076-ed29-46ff-b7ad-08d6a57c8825
X-MS-Exchange-CrossTenant-Id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=64afd9ba-0ecf-4acf-bc36-935f6235ba8b; Ip=[18.9.28.11];
Helo=[outgoing.mit.edu]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR01MB2476
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/wsb94GD5cwp9HRIpUD-UcvSxiKQ>
Subject: Re: [Ace] FW: WGLC comments on draft-ietf-ace-dtls-authorize
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments
\(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>,
<mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>,
<mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Mar 2019 17:19:25 -0000
On Sun, Mar 10, 2019 at 10:17:35AM -0700, Jim Schaad wrote: > > > > -----Original Message----- > > From: Benjamin Kaduk <kaduk@mit.edu> > > Sent: Sunday, March 10, 2019 10:10 AM > > To: Göran Selander <goran.selander@ericsson.com> > > Cc: Jim Schaad <ietf@augustcellars.com>om>; draft-ietf-ace-dtls- > > authorize@ietf.org; ace@ietf.org > > Subject: Re: [Ace] FW: WGLC comments on draft-ietf-ace-dtls-authorize > > > > On Fri, Mar 08, 2019 at 04:01:26PM +0000, Göran Selander wrote: > > > > > > On 2019-03-03, 02:44, "Jim Schaad" <ietf@augustcellars.com> wrote: > > > > > > I am responding to the review below in regards to the most recent > > version -06. > > > > > > > -----Original Message----- > > > > > Section 3.3 - Figure 4 - Where is the 'alg' parameter defined at that > > level? > > > > > > > > See next comment. > > > > > > > > [GS] alg parameter included > > > > > > > > > Section 3.3 - I am always bothered by the fact that PSK should really > > be > > > > PSS > > > > > at this point. The secret value is no longer a key and thus does not > > > > > necessarily have a length. There is also a problem of trying to > > decide > > > > what > > > > > the length of this value would be based on the algorithm. If the > > client > > > > > offers TLS_PSK_WITH_AES_128_CCM_8 and > > > > TLS_PSK_WITH_AES_256_CCM_8 (I may > > > > > have gotten these wrong but the intent should be understandable) > > then > > > > what > > > > > length is the PSK supposed to be? > > > > > > > > I think what you are saying is that for the shared secret (k) in the > > > > COSE_Key structure in Fig. 4, the AS needs to tell C what to do with > > > > that shared secret? This was the intention of the alg parameter > > (which > > > > has a not-so-useful value in this example). > > > > > > Some of what is done here makes sense and some of it makes no sense > > at all. > > > > > > Happy with the removal of the "alg" parameter in the root map. > > > > > > Happy with the addition of the kid parameter in the COSE_Key object > > since this is required for doing DTLS w/o sending the token as the identifier. > > > > > > I have no idea what the algorithm is doing here? This is not currently a > > COSE algorithm, it is a TLS algorithm and thus would not make a great deal of > > sense. > > > > > > GS: I admit this does not make sense, neither here nor in Fig. 6. > > > > > > The terms of what the PSK length should be would be better covered by a > > statement along the lines of "When offering and/or accepting a TLS > > cryptographic suite, the length of the PSK should be at least as long as the > > symmetric encryption algorithms that are offered." This may already be > > pointed to in the TLS documents and thus can be referenced to rather than > > stated explicitly. > > > > What would you do with a PSK that is longer than the input needed by the > > symmetric algorithm in use? > > Ben, we are talking about TLS and this is the pre-shared secret. It is an input to the KDF function and is not a symmetric algorithm key. > Ah, I must have been looking at the wrong part of the doc. Sorry for the noise. -Ben
- [Ace] FW: WGLC comments on draft-ietf-ace-dtls-au… Jim Schaad
- Re: [Ace] FW: WGLC comments on draft-ietf-ace-dtl… Olaf Bergmann
- [Ace] FW: [core] FW: WGLC comments on draft-ietf-… Jim Schaad
- Re: [Ace] FW: WGLC comments on draft-ietf-ace-dtl… Göran Selander
- Re: [Ace] FW: WGLC comments on draft-ietf-ace-dtl… Benjamin Kaduk
- Re: [Ace] FW: WGLC comments on draft-ietf-ace-dtl… Jim Schaad
- Re: [Ace] FW: WGLC comments on draft-ietf-ace-dtl… Benjamin Kaduk