IETF Logo Mail Archive

Re: [core] 🔔 WG Last Call of draft-ietf-core-oscore-groupcomm

Marco Tiloca <marco.tiloca@ri.se> Sat, 05 March 2022 10:59 UTC

Return-Path: <marco.tiloca@ri.se>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BEEB3A167B for <core@ietfa.amsl.com>; Sat, 5 Mar 2022 02:59:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level:
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ri.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SYRwDirQfhuT for <core@ietfa.amsl.com>; Sat, 5 Mar 2022 02:59:29 -0800 (PST)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0621.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe1e::621]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32AB43A167A for <core@ietf.org>; Sat, 5 Mar 2022 02:59:28 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BxeNAg08zVPlTFCV6B+szn/UoRmFJpa6GFuh+kQscM9WmFepmNcN5MfpwIpy5jBR+dPOPEeNGKcJDT0wORUfBESzS9CgYOTsLWrh+wSGh8swG3XWfEmUjajne8mXr5soAFEZq61MkG2vHZ3kuwzdNuXhga0i0D6oGKKUpo2BasXgR8qHJ+Dgf1wTkdIBKaa/5Z759V1sxn4Cm/6o0gMkYUfSIdCkMDnr7vpq4wo+gO1nSq2cDkkVcFKfiRz1nKkB+b0soXffG+Z23i+P24iji2wasDKYV0MTqe3hfKhNCduPJl9zqRTvpQvv+8c8C9q6Y6nUpBqCpvyrYPRIPITE4w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=CUIYQ+C616dWZVSPGbxb2lsrWoWI66hhu6EXlIegv8A=; b=ZvJrJZx+jQipX1pUjKjaWr1sb3NB7FcAg9Hc1/xnRrKt8SSk+ix/CazUMexN7VLY2fTMmBGYzJ9YMY2pA/+4A/y9gEBjPnek3Vx9IXWGnKXgLWmxs7cu/BHnThY7CpQTpL+pgU/K9+VdNfpSk9/z4dDkNs4W15wZ3bfDLwlL0GiwbiUIN1aPnYSzx1eogWTJVMeYzmkpL8xS1exQ0P74WRzEWGmlQebzBRkctNnuFE1eT5h632uRSf+nyhHpcZs/mxn5aj48qlWKqepxqi+B0Tyk8F8+LyhmBt8tvn/XhAb7zB8DJ18f3FG0Ocwb0eO0T4XU6XlPFyfUtgvXiT8wLw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ri.se; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CUIYQ+C616dWZVSPGbxb2lsrWoWI66hhu6EXlIegv8A=; b=eBevZKISc0TsZRRFA/MOtp5zfLjaopyGLvQZdR2kTRJI6tKbxluD5tVHXAnFCRGj7Q2dVOsICg7yVP6BbEvClXwtSqOPFIXiekKa0hT9ESmW5Fmiq6o7VgV7SzgfB8m7ICvEq5KZnwLRrJGVMna/hy6hsstAjMsKtxnCCvJcgyI=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ri.se;
Received: from DB8P189MB1032.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:16e::14) by PR3P189MB0924.EURP189.PROD.OUTLOOK.COM (2603:10a6:102:4a::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5038.14; Sat, 5 Mar 2022 10:59:22 +0000
Received: from DB8P189MB1032.EURP189.PROD.OUTLOOK.COM ([fe80::b0ea:12ff:4a7e:a24c]) by DB8P189MB1032.EURP189.PROD.OUTLOOK.COM ([fe80::b0ea:12ff:4a7e:a24c%6]) with mapi id 15.20.5038.017; Sat, 5 Mar 2022 10:59:21 +0000
Message-ID: <929cf114-2df5-aeb1-9e32-a2f9a9688b9a@ri.se>
Date: Sat, 05 Mar 2022 11:59:18 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
Content-Language: en-US
To: Rikard Höglund <rikard.hoglund=40ri.se@dmarc.ietf.org>, Jaime Jiménez <jaime@iki.fi>, "core@ietf.org" <core@ietf.org>
References: <e1c0ac8b-cfa8-4a26-9d19-eee6d9f697b0@www.fastmail.com> <fd96f760-dd06-4a1e-b128-0ddebf280d6b@www.fastmail.com> <AM9P189MB1571DDC7EBCD95D358077C2783519@AM9P189MB1571.EURP189.PROD.OUTLOOK.COM> <PAXP189MB15821EE1D41BC355AEAB97D483049@PAXP189MB1582.EURP189.PROD.OUTLOOK.COM>
From: Marco Tiloca <marco.tiloca@ri.se>
In-Reply-To: <PAXP189MB15821EE1D41BC355AEAB97D483049@PAXP189MB1582.EURP189.PROD.OUTLOOK.COM>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------AxsIlcUZOyf4ttw0cjqxWPao"
X-ClientProxiedBy: GV3P280CA0094.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:8::7) To DB8P189MB1032.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:16e::14)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: f1154787-11fd-4c53-fad1-08d9fe9733d3
X-MS-TrafficTypeDiagnostic: PR3P189MB0924:EE_
X-Microsoft-Antispam-PRVS: <PR3P189MB092493AD331E412498082EFD99069@PR3P189MB0924.EURP189.PROD.OUTLOOK.COM>
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: POPUYbYgMH4N2v7NeRA/UySsZG3oNlEO4tV6XuYXU2iRuxa4Tgr9J8J3Dv+VtdMwXGB2VNuhnPuUeOqCV6GDI14M0E10BMRYzzmvDGmvxpRKSlS7pDPIVHZ6g/+CGISftNf5MKfaUHYeFYKtyVX/S6CVjQYnaY1K/TPYoLNBbLY9rr18Do3NKAghhtBUbcTO2AXYZrQKX2bsBcEbsEFJoZAHTPfHoDZh1ZE/cNQV/+9cngY4r0Eou8qFBbdotrFOeFotAznRMTnFuyszcc1hnSJZOdwPlXya+5V3ggtARUVpxZlSkbM8C3NSnEMafpMTKB6kpeoCv91zCFQ1hKgRHNX0uY/Cis2VgvsnlPxwO8sESrxd+sXU+IjBygm9MGx424alALcCXHZSQE7Y+fhHDr13klFyaAy99otAik9TFFukoshoBQ6uKpTOsqsYqbD+i6pkT8kFQPulqQv498/IKSLULtDzzHDTjntsM1PS2AVVg2+juZRZXmpkAwkSVxSXpE9QlzpfPdGvZcvw70rsd1PaI42APxFzkCwo1y+1678bQQt+pWEt3dJJJiQ0IZBTD4SRVl4H3Vr+2zEbPQfVIxIcs2JHh77UeN4H3/MFQ094T/RVdNUfed5AuAbSn4PeQd67HQvN8Q5SDqws7q+ZHQXB7Auiaw4tImZfnlOGd2b7TdD9/fpjFpTdiPPLmwybt8siRH0j+K0LTrH0O60JNJZ7viVfncvzphJOOTLdVof0pa6YhWZVkeVER5PF8qiOjrsG55JSPkyWDJTRUPCbs45pdQMIND2xLMWCmXVkjMLy5CHoldu4vJ1bfsij6DMRzP1TDnkEeKxerAY2d3g4DQ==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB8P189MB1032.EURP189.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(6486002)(966005)(45080400002)(44832011)(66574015)(66556008)(21480400003)(19627405001)(5660300002)(235185007)(508600001)(36756003)(30864003)(8936002)(31686004)(2906002)(83380400001)(2616005)(66476007)(31696002)(66946007)(86362001)(316002)(186003)(26005)(6506007)(33964004)(53546011)(110136005)(38100700002)(166002)(6666004)(6512007)(45980500001)(43740500002)(579004)(559001)(10090945010); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 40Bpq3BvBlWRYkC2MDwjAxu3uyc+laVSnha1hApHJupgzLiI0e7o4uup7hZI6TrXT0b+VG7Clw/kUhQE78nrSXZ2mxYR2NAGNpJAuaRVx0KCdqLBpkNJ3HiMZYuvYrxpErVDi0wYfkATMGZPdyBSgCrFh2L34Qw3dm9VDqoxr8mxZTzmv6gqd/Fr7O5VyjsQlCMTIynINk+/8QrriEJZLM/q7WBdTLw/pszps7wxnXVzcQfK35WBtaYLdJYh/pSQwMV5+csfy6kujgr/CEfaE6JRsTBQsArD5XSiZH2Uo7+GEjFy0JUKUi0NfAqQEpZXCtAt3MLuxFlDu8ItzthzykI4tW4bBQU86WokoZNh3zWfn/9eWVeo0nWnW49UMCTM+eYFak+pRRWrNL6ruQONz8PbGQa765kSCV90ZcF8MQrVg+/71P/RtpE/HKOdJnoK6M9tvF1t8VF6qosNfVKsfI0SfH8eYT24UyS1mRTLkgYPrFrqLN2xZxgVwgPcr1Pvm9ALCA132tOpi8GjqPeJBf/BEyOZGfgZ+UDQfA2ytdr0dAimLLbqLM2UEG1hoDet5mNDfRjIKunqIyyrSGKx+OV6wewzUUxd/rWKWiGrOJ+pXfsL8MIsUaNxlEAoobMDGFyHU9cQaD0l5MHdjFJyXHBhNGdyKlVCzUAASrUdbidzPpOJZnheXnSK1x+SnS4scxL28KfL7Z3tcBycN7TdOBweV3CjxsZa9AWeUa6rxm2ssr26bglPTwfunKXf++GSdksd7ndguTuXhm4YsB7H58YcNRRnxgBpJ4E08Nos8NZhaWF1B0a1nsl378r7ReWTrYidXL8Et4jx82P4zvQ9IlB2ozOw4XIpiDOvlYVqgQi8w7yRuYhNImHDOc6SZW8j0aRSjcp8oZyu8MzkWLX115901W1+Pwuofn/5Z6p8OIwhPmPqDnf8/Vn3myZID5JypJw0wVDi6q708Td1n/HlUcn9GDrw96EWPqreg+ZZ8Fnm+Z0ct2umPdSFkYDsUsGHiXbc3zJiXR6wzAKrwS5DaPxG7LZqJTONtZlHXjE2gIXHqI+ZATQm/sL53swi2OrfDsFGv+bzOEMb+Gv3rMhP+YE3V8tmoctfmIHO7h9ZwfQlhT5HpnuwikVE2p/jO3QVlH8KtRyLt5x8sDHLN934uTDvWqwq307rpgeZqXmSsabBXpQ/y3lNlqx+ao7CJormGMmLgqUWAciBkMb8TH418Icyaqq41+QQmz8ukqEtGNji92m3ckA2YAnIddTfg1aboskjJzBLy41u+kh8MTMHmYjID5bJKyQunL2AQ2uYiykZvy8+peVtb3GpvS74KBUyvTF3EbXaD+vozezSaTHC5c4cNcCglFvh8/yRuMdhtZgA//B6oDtuZbZ34MR8A4QvSljCT1KkGVEGaQGYUcETFlpWXBdjvQRcSHvjsSl7KdpxWrt5E8BVjahV5OB+wADPQhaRY4yfOnQ9QEqncsIVB2ZIsN6XGT0FOOhWTpROdDgsw7kQ4efxS95UlKZ46csP9UUOHTcVUF7PBmAwfMj/3XhqdgdoHaV1iOjlC9A+TTLkhjS9IeprmpfoOBIb9Cs3sFcJuqG3paJDEGFgyei5ZU7L/QtuMFxSfIn3xjv6qn8=
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: f1154787-11fd-4c53-fad1-08d9fe9733d3
X-MS-Exchange-CrossTenant-AuthSource: DB8P189MB1032.EURP189.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Mar 2022 10:59:21.5651 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: UDPegBXXlxYOKgvbg8lp4j40P7la6f4Yk/OFUJRD3gbPfRtHx7v8bLZvvKroPUKED2Qhb+aO4T8sgInBMkKZNw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR3P189MB0924
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/7SYKlVbIqw26ZaeBXPkM_pNj-ik>
Subject: Re: [core] 🔔 WG Last Call of draft-ietf-core-oscore-groupcomm
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Mar 2022 10:59:35 -0000

Hi Rikard,

Thanks a lot for your review! (and for having considered the latest 
Editor's copy)

Updates based on your comments are captured in the commit at [1].

Please, find also my answers in line.

Best,
/Marco

[1] 
https://github.com/core-wg/oscore-groupcomm/commit/532534ebd3240215b2b6a5e9ac0bdd73ac90d0f9


On 2022-03-03 13:18, Rikard Höglund wrote:
>
> 	
> Vissa som fått det här meddelandet får inte ofta e-post från 
> rikard.hoglund=40ri.se@dmarc.ietf.org. Se varför det är viktigt 
> <http://aka.ms/LearnAboutSenderIdentification>
> 	
>
> Hello.
>
> My apologies for sending this out so late. I have synced with Marco 
> offline so at least he is aware it is coming.
>
> Best wishes
> Rikard
>
> *Section 2:*
> /Regardless of what it actually supports,
> /
> /   each endpoint of a group is aware of whether the group uses the group/
> /   mode, or the pairwise mode, or both./
>
> Is the first part of the sentence redundant?

==>MT
Rephrased as follows.

"Each endpoint of a group is aware of whether the group uses the group 
mode, or the pairwise mode, or both. Then, an endpoint can use any mode 
it supports if also used in the group."
<==

>
> *Section 2:*
> /Signature Encryption Algorithm/
>
> I wonder if this name could be confused for an algorithm used to 
> encrypt the signature.

==>MT
To avoid confusion, I've now added the following sentence.

"This algorithm is not used to encrypt the countersignature in messages 
protected using the group mode, for which the method defined in Section 
4.1 is used."
<==

>
> *Section 2.2:*
> /A newly installed Recipient Context that has required to delete 
> another Recipient Context is initialized with an invalid Replay Window/
>
> Is it the case that any Recipient Context created after some have been 
> deleted is to have its Replay Window be invalid?

==>MT
Yes. Now rephrased as below.

"If the new Recipient Context has been installed after the endpoint has 
experienced the overflow above, then the Recipient Context is 
initialized with an invalid Replay Window ..."
<==

>
> *Section "Authentication Credentials":*
> /The used format MUST provide the public key as well as the full set 
> of information related to the public key algorithm/
>
> Could it be ambiguous what the "full set" is?

==>MT
Changed to "comprehensive set".
<==

>
> *Section "Authentication Credentials":*
> /Storing whole authentication credentials rather than only a subset of 
> those may result in a non-negligible storage overhead./
>
> May be confusing as the previous paragraph is about only storing a 
> subset of a chain or a bag. It could be clearer that this is an 
> explanation and justification of a design choice.

==>MT
The chain/bag is not a credential. The previous paragraph says that the 
actual credential is only the end-entity certificate provided within the 
chain/bag, and as such it is stored and used later on.
<==

>
> *Section 2.4:*
> /Group OSCORE keys used for both signature and encryption MUST NOT be 
> used for any other purposes than Group OSCORE./
>
> The keys are also used towards the Group Manager, which arguably isn't 
> exactly Group OSCORE, but rather the joining procedure.

==>MT
Rephrased as follows.

"Group OSCORE keys used for both signature and encryption MUST be used 
only for purposes related to Group OSCORE. These include the processing 
of messages with Group OSCORE, as well as performing proof-of-possession 
of private keys, e.g., upon joining a group through the Group Manager 
(see Section 3)."
<==

>
> *Section 2.4.3:*
> /On the other hand, when combining group and pairwise communication 
> modes, this may result in the Partial IV values moving forward more 
> often. This can happen when a client engages in frequent or long 
> sequences of one-to-one exchanges with servers in the group, by 
> sending requests over unicast.
> /
>
> True, but is it important to mention? What to do with this information?

==>MT
Added a sentence to clarify practical implications.

"In turn, this contributes to a sooner exhaustion of the Sender Sequence 
Number space of the client, which would then require to take actions for 
deriving a new Sender Context before resuming communications in the 
group (see Section 2.5.2)."
<==

>
> *Section "Loss of Mutable Security Context":*
> /An adversary may leverage the above to perform a Denial of Service 
> attack and prevent some group members from communicating altogether. 
> That is, the adversary can first block the communication path between 
> the Group Manager and some individual group members. This can be 
> achieved, for instance, by injecting fake responses to DNS queries for 
> the Group Manager hostname, or by removing a network link used for 
> routing traffic towards the Group Manager. Then, the adversary can 
> trigger a short power outage, which can result in a mass power-cycle 
> and reboot for some endpoints in the group. After that, such endpoints 
> that have lost their Sender Context and/or Recipient Contexts 
> following the reboot would not be able to obtain new Security Context 
> parameters from the Group Manager as specified above. Thus, they would 
> not be able to further communicate in the group until connectivity 
> with the Group Manager is restored./
>
> Is this big section relevant to mention? If an adversary can induce 
> power outages it can do a lot more damage, and in different ways. 
> Perhaps it can be in the security considerations if kept.

==>MT
This input came from another review and it conveniently fits here, since 
it builds on the exact context from the previous paragraphs in Section 
2.5.1.1 (which would be quite hard to build again later on in the 
security considerations).

I have however made some minor rephrasing as below.

OLD:
"Then, the adversary can trigger a short power outage, which can result 
in a mass power-cycle and reboot for some endpoints in the group."

NEW:
"Then, the adversary can induce a reboot for some endpoints in the 
group, e.g., by triggering a short power outage."
<==

>
> *Section "Exhaustion of Sender Sequence Number":*
> /Exhaustion of Sender Sequence Number/
>
> May be enough with just a reference to the equivalent OSCORE section? 
> And saying to retrieve new Security Context parameters from the GM

==>MT
Kept as is as the result of discussions/reviews on previous versions of 
the document.
<==

>
> *Section 2.5.3:*
> /The Recipient ID ('kid') SHOULD NOT be considered as a persistent and 
> reliable indicator of a group member./
>
> Identifier rather than indicator? Not 100% clear what an indicator is 
> in this context.

==>MT
Changed to "identifier".
<==

>
> *Section 9.6:*
> /Also, upon the establishment of a new Security Context, the client 
> re-initializes its Replay Windows in its Recipient Contexts (see 
> {{sec-group-key-management}})./
>
> Isn't this just like in OSCORE? In the sense that a new context gets a 
> reset fresh replay window.

==>MT
Yes, with the difference that, in general, there are multiple Recipient 
Contexts within the same Security Context.

However, I took the opportunity to fix a section reference, now 
correctly pointing to Section 2.2.
<==

>
> *Section 9.6:*
> /However, since the notification is protected in pairwise mode, the 
> public key is not used for verifying a countersignature as in 
> {{ssec-verify-response}}. Instead, the expected server's 
> authentication credential - namely Recipient Auth Cred and including 
> the server's public key - was taken as input to derive the Pairwise 
> Recipient Key used to decrypt and verify the notification (see 
> {{key-derivation-pairwise}})./
>
> Just restating what is said shortly above?

==>MT
Replaced the quoted text with the following sentence.

"As to the expected server's authentication credential, the same holds 
as specified above for non-notification responses."
<==

>
> *Section 11.6:*
> /The entity assigning an IP multicast address may help limiting the 
> chances to experience such collisions of Group Identifiers./
>
> Good to say that it is recommended to assign groups to different 
> multicast IPs when possible?

==>MT
The possible mapping between security groups and CoAP groups is actually 
discussed in the groupcomm-bis document.

This paragraph was meant to suggest a different kind of help. I've now 
rephrased as below, to provide more context.

"In case multiple groups use the same IP multicast address, the entity 
assigning that address may help limiting the chances to experience such 
collisions of Group Identifiers. In particular, it may allow the Group 
Managers of those groups using the same IP multicast address to share 
their respective list of assigned Group Identifiers currently in use."
<==

>
> *Section 11.7.1:*
> /Upon receiving M2, there is a probability equal to 2^-64 that Y 
> successfully verifies the same unchanged MAC by using the Pairwise 
> Recipient Key associated with X in G2./
>
> I wonder why the probability is 2^-64, why is this attack better than 
> simply forging a message to a group member (and hoping the MAC verifies)?

==>MT
(Following some more section restructuring, this is now Section 12.7.1)

If one forges a message from scratch, one has indeed the same 
probability to build something that yields a successful decryption, 
i.e., such that the MAC verifies.

On top of that, here the result would still be the message originally 
sent to G1, created as valid by its sender X.
<==

>
> ------------------------------------------------------------------------
> *From:* core <core-bounces@ietf.org> on behalf of Rikard Höglund 
> <rikard.hoglund=40ri.se@dmarc.ietf.org>
> *Sent:* Tuesday, January 11, 2022 23:20
> *To:* Jaime Jiménez <jaime@iki.fi>; core@ietf.org <core@ietf.org>
> *Subject:* Re: [core] 🔔 WG Last Call of draft-ietf-core-oscore-groupcomm
>
> 	
> rikard.hoglund=40ri.se@dmarc.ietf.org liknar någon som tidigare har 
> skickat e-post till dig, men kanske inte är den personen. Se varför 
> det här kan vara en risk <http://aka.ms/LearnAboutSenderIdentification>
> 	
>
> Hello.
>
> I am working on a review that I unfortunately have not been able to 
> finish yet. However I will be sending it out before the end of the week.
>
> Best wishes
> Rikard Höglund
> ------------------------------------------------------------------------
> *From:* core <core-bounces@ietf.org> on behalf of Jaime Jiménez 
> <jaime@iki.fi>
> *Sent:* Wednesday, December 1, 2021 16:59
> *To:* core@ietf.org <core@ietf.org>
> *Subject:* Re: [core] 🔔 WG Last Call of draft-ietf-core-oscore-groupcomm
> Dear all,
>
> the deadline for this WGLC is today. Given that we have not received 
> enough reviews and that the Christmas period is arriving soon, we will 
> have to extend the deadline for this.
>
> Marco and I propose 6 more weeks of extension until 2022-01-11 
> Tuesday, to give more ample time for thorough reviews.
>
> Ciao!
> -- 
> Jaime Jiménez
>
> On Tue, Nov 9, 2021, at 8:59 PM, Jaime Jiménez wrote:
> > Dear CoRE,
> >
> > as we discussed yesterday, the authors of
> > draft-ietf-core-oscore-groupcomm think their draft is ready for a 2nd
> > WGLC. The current version of the draft (v13) is not expecting any
> > updates so you can start your planned reviews.
> >
> > 
> https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-core-oscore-groupcomm-13&amp;data=04%7C01%7Crikard.hoglund%40ri.se%7Cc5146db032204faf125d08d9b4e3a676%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637739712988375219%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=6B7dEbJ8l4%2Bvc%2BxrMBiFxN6GRf7lAoi5FUZBI68cdNQ%3D&amp;reserved=0 
> <https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-ietf-core-oscore-groupcomm-13&data=04%7C01%7Cmarco.tiloca%40ri.se%7C0883879e9f3342c1031d08d9fd0fff88%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637819068004013517%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=5sS%2Fu%2B58zddw5LPOVraLom6TVHjVE0rbczCR0ZevvF4%3D&reserved=0>
> >
> > In addition to the email list discussion reviewers could consider
> > opening new issues on the Github repo of the draft as courtesy to the
> > authors.
> >
> > 
> https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcore-wg%2Foscore-groupcomm&amp;data=04%7C01%7Crikard.hoglund%40ri.se%7Cc5146db032204faf125d08d9b4e3a676%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637739712988375219%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=WFXtDpiQ1RRiW1hP1JeUx0%2F4%2F5i1UKOia9ZNT5NdIns%3D&amp;reserved=0 
> <https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcore-wg%2Foscore-groupcomm&data=04%7C01%7Cmarco.tiloca%40ri.se%7C0883879e9f3342c1031d08d9fd0fff88%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637819068004013517%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=5BtKKTLA9ZjZaVJkemzoHOhCYc%2Ba85bKYqWub3j2i2U%3D&reserved=0>
> >
> > As we have the IETF ongoing and the document needs time to be digested,
> > we place the end of the call on the 1st of December with a possibility
> > of extension depending on the number of reviews.
> >
> >>From the minutes I take that CA, RH, ED and TF would give it 
> thorough look. Thank you already for that, much appreciated!!
> >
> > Ciao!
> > --
> > Jaime Jiménez
> >
> > _______________________________________________
> > core mailing list
> > core@ietf.org
> > 
> https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fcore&amp;data=04%7C01%7Crikard.hoglund%40ri.se%7Cc5146db032204faf125d08d9b4e3a676%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637739712988375219%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=O4bk%2Fdhhl6idWhXDkqxWNUyGOUgUp4fqVkeU0hYkCDE%3D&amp;reserved=0 
> <https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fcore&data=04%7C01%7Cmarco.tiloca%40ri.se%7C0883879e9f3342c1031d08d9fd0fff88%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637819068004013517%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ag4Y%2BR1j7LSF4Vaua0XVGI7WP%2FYSXIzoXAd0rlAl5uA%3D&reserved=0>
>
> _______________________________________________
> core mailing list
> core@ietf.org
> https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fcore&amp;data=04%7C01%7Crikard.hoglund%40ri.se%7Cc5146db032204faf125d08d9b4e3a676%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637739712988375219%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&amp;sdata=O4bk%2Fdhhl6idWhXDkqxWNUyGOUgUp4fqVkeU0hYkCDE%3D&amp;reserved=0 
> <https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fcore&data=04%7C01%7Cmarco.tiloca%40ri.se%7C0883879e9f3342c1031d08d9fd0fff88%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C637819068004013517%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=ag4Y%2BR1j7LSF4Vaua0XVGI7WP%2FYSXIzoXAd0rlAl5uA%3D&reserved=0>
>
> _______________________________________________
> core mailing list
> core@ietf.org
> https://www.ietf.org/mailman/listinfo/core

-- 
Marco Tiloca
Ph.D., Senior Researcher

Division: Digital Systems
Department: Computer Science
Unit: Cybersecurity

RISE Research Institutes of Sweden
https://www.ri.se

Phone: +46 (0)70 60 46 501
Isafjordsgatan 22 / Kistagången 16
SE-164 40 Kista (Sweden)

v2.23.0 | Report a Bug | By Email