Re: [core] Comments on draft-tiloca-core-oscore-discovery

Marco Tiloca <marco.tiloca@ri.se> Wed, 20 February 2019 22:01 UTC

Return-Path: <marco.tiloca@ri.se>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7B4F129AA0; Wed, 20 Feb 2019 14:01:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=risecloud.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IoxLF-AD0ax3; Wed, 20 Feb 2019 14:01:26 -0800 (PST)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50085.outbound.protection.outlook.com [40.107.5.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2C16129C6A; Wed, 20 Feb 2019 14:01:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=RISEcloud.onmicrosoft.com; s=selector1-ri-se; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MSVr+3Tgsxmypt28g5Or3LLWS/7hQKo/yqB5z4+CU70=; b=KRUqsqpipiTp/+RuschqNGsN8Q9YssznmS5x2uWYxmtll4V0jWmD5XIhCGn4LF6dTOlEb3tBo+vz/IHsMesH+vmQcBMbkhsw1cLPiZV2B0eWmDEv6ySa1ZFz8JglA4nNdI09jiZb+t/PjlkjFURaHyxTDw86tmfuy36sRVBhCCg=
Received: from HE1P189CA0001.EURP189.PROD.OUTLOOK.COM (2603:10a6:7:53::14) by HE1P189MB0329.EURP189.PROD.OUTLOOK.COM (2603:10a6:7:58::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1622.19; Wed, 20 Feb 2019 22:01:19 +0000
Received: from HE1EUR02FT038.eop-EUR02.prod.protection.outlook.com (2a01:111:f400:7e05::200) by HE1P189CA0001.outlook.office365.com (2603:10a6:7:53::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1643.14 via Frontend Transport; Wed, 20 Feb 2019 22:01:19 +0000
Authentication-Results: spf=pass (sender IP is 194.218.146.197) smtp.mailfrom=ri.se; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=ri.se;
Received-SPF: Pass (protection.outlook.com: domain of ri.se designates 194.218.146.197 as permitted sender) receiver=protection.outlook.com; client-ip=194.218.146.197; helo=mail.ri.se;
Received: from mail.ri.se (194.218.146.197) by HE1EUR02FT038.mail.protection.outlook.com (10.152.11.30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.20.1580.10 via Frontend Transport; Wed, 20 Feb 2019 22:01:19 +0000
Received: from [10.8.1.84] (10.116.0.226) by sp-mail-2.sp.se (10.100.0.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1531.3; Wed, 20 Feb 2019 23:01:18 +0100
To: Jim Schaad <ietf@augustcellars.com>
CC: draft-ietf-ace-key-groupcomm-oscore@ietf.org, core@ietf.org, draft-tiloca-core-oscore-discovery@ietf.org
References: <08a001d4b37f$c55111b0$4ff33510$@augustcellars.com>
From: Marco Tiloca <marco.tiloca@ri.se>
Openpgp: preference=signencrypt
Autocrypt: addr=marco.tiloca@ri.se; prefer-encrypt=mutual; keydata= mQENBFSNeRUBCAC44iazWzj/PE3TiAlBsaWna0JbdIAJFHB8PLrqthI0ZG7GnCLNR8ZhDz6Z aRDPC4FR3UcMhPgZpJIqa6Zi8yWYCqF7A7QhT7E1WdQR1G0+6xUEd0ZD+QBdf29pQadrVZAt 0G4CkUnq5H+Sm05aw2Cpv3JfsATVaemWmujnMTvZ3dFudCGNdsY6kPSVzMRyedX7ArLXyF+0 Kh1T4WUW6NHfEWltnzkcqRhn2NcZtADsxWrMBgZXkLE/dP67SnyFjWYpz7aNpxxA+mb5WBT+ NrSetJlljT0QOXrXMGh98GLfNnLAl6gJryE6MZazN5oxkJgkAep8SevFXzglj7CAsh4PABEB AAG0Nk1hcmNvIFRpbG9jYSAobWFyY28udGlsb2NhQHJpLnNlKSA8bWFyY28udGlsb2NhQHJp LnNlPokBNwQTAQgAIQUCWkAnkAIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRDuJmS0 DljaQwEvCACJKPJIPGH0oGnLJY4G1I2DgNiyVKt1H4kkc/eT8Bz9OSbAxgZo3Jky382e4Dba ayWrQRFen0aLSFuzbU4BX4O/YRSaIqUO3KwUNO1iTC65OHz0XirGohPUOsc0SEMtpm+4zfYG 7G8p35MK0h9gpwgGMG0j0mZX4RDjuywC88i1VxCwMWGaZRlUrPXkC3nqDDRcPtuEGpncWhAV Qt2ZqeyITv9KCUmDntmXLPe6vEXtOfI9Z3HeqeI8OkGwXpotVobgLa/mVmFj6EALDzj7HC2u tfgxECBJddmcDInrvGgTkZtXEVbyLQuiK20lJmYnmPWN8DXaVVaQ4XP/lXUrzoEzuQENBFSN eRUBCACWmp+k6LkY4/ey7eA7umYVc22iyVqAEXmywDYzEjewYwRcjTrH/Nx1EqwjIDuW+BBE oMLRZOHCgmjo6HRmWIutcYVCt9ieokultkor9BBoQVPiI+Tp51Op02ifkGcrEQNZi7q3fmOt hFZwZ6NJnUbA2bycaKZ8oClvDCQj6AjEydBPnS73UaEoDsqsGVjZwChfOMg5OyFm90QjpIw8 m0uDVcCzKKfxq3T/z7tyRgucIUe84EzBuuJBESEjK/hF0nR2LDh1ShD29FWrFZSNVVCVu1UY ZLAayf8oKKHHpM+whfjEYO4XsDpV4zQ15A+D15HRiHR6Adf4PDtPM1DCwggjABEBAAGJAR8E GAECAAkFAlSNeRUCGwwACgkQ7iZktA5Y2kPGEwf/WNjTy3z74vLmHycVsFXXoQ8W1+858mRy Ad0a8JYzY3xB7CVtqI3Hy894Qcw4H6G799A1OL9B1EeA8Yj3aOz0NbUyf5GW+iotr3h8+KIC OYZ34/BQaOLzdvDNmRoGHn+NeTzhF7eSeiPKi2jex+NVodhjOVGXw8EhYGkeZLvynHEboiLM 4TbyPbVR9HsdVqKGVTDxKSE3namo3kvtY6syRFIiUz5WzJfYAuqbt6m3TxDEb8sA9pzaLuhm fnJRc12H5NVZEZmE/EkJFTlkP4wnZyOSf/r2/Vd0iHauBwv57cpY6HFFMe7rvK4s7ME5zctO Ely5C6NCu1ZaNtdUuqDSPA==
Message-ID: <026314bb-caba-1568-c61b-14dc16183902@ri.se>
Date: Wed, 20 Feb 2019 23:01:11 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <08a001d4b37f$c55111b0$4ff33510$@augustcellars.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="SU2SLK1l7f7zi9a2OfvoBJHfW7XfSDqYp"
X-Originating-IP: [10.116.0.226]
X-ClientProxiedBy: sp-mail-2.sp.se (10.100.0.162) To sp-mail-2.sp.se (10.100.0.162)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:194.218.146.197; IPV:NLI; CTRY:SE; EFV:NLI; SFV:NSPM; SFS:(10009020)(136003)(376002)(346002)(39860400002)(396003)(2980300002)(189003)(199004)(6916009)(3846002)(6116002)(336012)(316002)(106466001)(64126003)(305945005)(65826007)(7736002)(2616005)(11346002)(126002)(86362001)(486006)(478600001)(22746008)(74482002)(58126008)(65806001)(476003)(66574012)(6306002)(5660300002)(16576012)(31686004)(4326008)(31696002)(106002)(53936002)(446003)(65956001)(26005)(8936002)(77096007)(81156014)(71190400001)(8676002)(2906002)(54906003)(16526019)(68736007)(16586007)(186003)(33896004)(22756006)(44832011)(104016004)(40036005)(76176011)(33964004)(966005)(84326002)(81166006)(235185007)(6246003)(21480400003)(69596002)(36756003)(229853002)(568964002)(356004)(6666004)(5024004)(53546011)(97736004)(386003)(14444005); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1P189MB0329; H:mail.ri.se; FPR:; SPF:Pass; LANG:en; PTR:InfoDomainNonexistent; MX:1; A:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 64ae1872-b8b8-4364-9627-08d6977ef1a0
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600110)(711020)(4605104)(4608103)(4709054)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:HE1P189MB0329;
X-MS-TrafficTypeDiagnostic: HE1P189MB0329:
X-Microsoft-Exchange-Diagnostics: 1; HE1P189MB0329; 20:vMIMUUmh0MGiTN0mKxalUODf3Z2u//NV+BezOtHQbpz+rdK/aqFqth4mQLJrMGgd1dVFNSDrsQr0ahuxBVhfUQIE62GT5s/VQc+vYodtG75ke1/ABqJ2JDoVMtwk0KNovXLO3UtSg8rMOVE4N3w2GmiUth9RrFhamhCYy4W4T3DCpjd7Nem5OYWTKsFzz+aGR7E8FXkcXdubsYRJpk4aTinIMXhC9l+9yTQcBk4SHDylTBoiIQk/RsfSCaqZJtZV
X-Microsoft-Antispam-PRVS: <HE1P189MB032925BD44DE2FB9C996C482997D0@HE1P189MB0329.EURP189.PROD.OUTLOOK.COM>
X-Forefront-PRVS: 0954EE4910
X-Microsoft-Exchange-Diagnostics: 1; HE1P189MB0329; 23:ohQuqD7MrqZcIywUs7aXhYeZCgaPiwEEB5x7y1erotqL2vmnbhboC2UWi0yATcAN/a50kTzzWnWD7oyYt/bdoWqlDzX7fjhbMdXcaYM4PHUAv5PmtWC7gcfNDkRwagpnIqujDqrHgDApfwumasVsxIckf4F/r0nfvkRGVEawnIWyob3+UCXwqnFWepnXveBYNLegW4nwYfmnVerb6hWH2zXS2TDEifpx9z3Vkv+sn91af49HKTTBqUbpZqfjyWgoNtcossnm6XovCWHK0Mauq4Y0Gf/afRN4KWD/UiVJB7BrE9/AGhEPfPTED5H8BR2IF7d0S/YhuzkfwCdxMHGzRhuMZ9NE3qGemVjscDpRlRofQDlvZX3qSNYk00ADQykYKPoju+Ya4hw5g0pgHivvOsipxK1TF+Hw2iJJxwpIckW6RybOy55yhVOVIx1K+sSwwifVAPiC9yNljSkBQM1BKKKeAcu5Z6z59Vrn0MiGVPxeSf2IrnLW00NcCi5t0SlUJgr0Tene4kLv5fn3SzR1+r8oPUGIpIe22988Rg+jz7Xv0PWGYpgvLuJg9H5Egod/NAlKD11xyr+vkSTzrigBGYUGXM4Funtn9vrB4IkPveqV1pupTMjpwxzBYIcdXfgPaIPw+ZXY9S6+GfIXTxaRAVZWeXhrT96qLrrOhQBWJ+hkDxUUALyVeYCas4q1ZWVdGt0rXPJUR7wQi9C+O8TbkOMA6U0K+uLzA7drEGowNMkKB1rgr9kSZ8+PKhDILTQXQKpllPYsrbDoktByPRAkomYezQy0+1PgYLq1zzg+7Wn0NWSiFR5jtwS1j7+mIHAcFAUKiyJKElBG2RIdCp8nKAxh0zh2Wh+vl6sjM1QP+x3WO37l4BKu4PlZVAXjpgsuvfwU39S6LOdAm2vfQdq/fPZqdMkZiXpDcv0zKG6cgEiP0vk4uWtpzoC8NBWKjbRl6WqmiUgnWREcB5JfiuXyR7HcvnlNvE3sMaemJbQd6r+OKM49mHJt0QLnwSmyelko0LCzL6jA82EClvIIuKDu4hhFO4Ly4kJ5+L6edNXv6BUuReiTGsmhCvHe/y3DBjGt7dytrNJNIPiv4vrame98NQpbUHCZ4x9pS/bR5oX6L+mlVrcuSFwA5HUiUiiOKzUSH2KFwv4yn9VAJ4HpoMD2TwAD65+c+p1T1hJZMRu8choP6XFr6Pw2LgACTMawX0bwpqMjd0pNauwnrcy3bF0TQ2w8TF/WrqJeVwJu8URytWHT3PDVZ3YbFbxWZyH45YRTBu3yI1dkPB7OfI4NPqU/R7dKZxZSAbZwFvBCbHkjTsHOhja4M5z8hJScspLBf5Vl5OZFGGIbsn6DD8s6enF0jF3Yx1rrgqG8Iegz7tt0wTsZWiVQ7qNLaCHdOHerdzrUlorwa6wRF8nSIZywbzIwJHazE8X482oPA3i1vHvNdZam7oGefIgAEi5CgTYXwTpf9QQ38hZf+MTIPVmk/J/qSedH5AR6/ukzDwJX+CwR9HZoje0rKIh63yypT9oxdPicSMcwZsb1i2aM0Lgb3SnhwHNQI4GoELxWfWnu3MxB+DsPsWjXStG888UPJthm0o8qBuE7GG41fC0QDjyccPHJpFprJCQxdu83o9BJ5LlRdmoqtdseet6PlPvbKRFfKRW9
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: S4IKfsayZYgNDT2N7AqBt2TnE+rqKCVo93nl+K9IJg8BJ9LmOmsHerPjqx/58UYoFNeohVEQigkv9NjFUDfm1a2gZaIs2p3EY3SEcP/Xj/HHmgGpt6kXneBwfy+SROZHeGtTiKatVO039gTJ26ZCsKzwnw5IwibLDhp4qNOtqzppj7YC1Ryx1BdvedS+TmrG0Vl6nOf9akfTmbBO9nKEzApiLzgKOk4IXhMOCxOJS2JStbqfrVPGLn2Y9iR9QoQqJCngY2abCHf0s5wPPzGa4qYKqTnie4rFaT2SjaZha7y0907Svl5nrZ+wHP2wK3yhr4bZuKo1tXBtki+C92G2R6xIeuyZTi44ZL/2TpzF75rGjfjtH8nyG1OPuYbZAbuj0bTLCZuCEecz9YFZeT+PLm7fATbcO+Pn4Stw5tSXgBw=
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Feb 2019 22:01:19.2918 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 64ae1872-b8b8-4364-9627-08d6977ef1a0
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5a9809cf-0bcb-413a-838a-09ecc40cc9e8; Ip=[194.218.146.197]; Helo=[mail.ri.se]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1P189MB0329
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/Bm2fQbeimLw5WutQZL2CXthI9fs>
Subject: Re: [core] Comments on draft-tiloca-core-oscore-discovery
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 22:01:31 -0000

(updated the subject)

Hello Jim,

Thanks a lot for your comments and sorry for the late reply.

Please, find our answers inline below.

We have been updating our draft based on your input.

Best,
/Marco

On 1/24/19 1:57 AM, Jim Schaad wrote:
> I am having a huge problem understanding this document because I am
> completely confused by the model that is being propagated here.  
>
> This document has a model that every group is going to be on a different
> resource.  It is not clear that this is the same model as is being used in
> the ACE group communication document.   Probably one of these two documents
> should provide a more explicit module of how things work if this is what is
> going to be desired.  I was under the impression that a single join point
> would be used for multiple groups at the same time.  This may be acceptable
> with this document but if so then it is really not clear.

<MT>

Sorry for the confusion. This document and the ACE document [1] are
aligned and in fact follow the same model. We can especially clarify
that this document uses two types of groups, namely "application group"
and "security group".

The concept of "application group" is already defined and used in the
Resource Directory draft, and we recall it in Section 1.1 of this document.

Then, we can also explicitly include the definition of "security group",
as a set of CoAP endpoints sharing common keying material for securing
communications in a group setting. With particular reference to Group
OSCORE, "security groups" are used in the same way both in the ACE
document [1] as well as in this document.

That said, the same and common model is such that:

- Each "application group" uses only one OSCORE group as "security group".
- A single join resource, i.e. join point, is associated to one
"security group".
- A "security group" and its join resource can be used by multiple
"application groups".

Also, to avoid further confusion, we have thought it's better to rename
the parameter "oscore-gp" as "app-gp". This is in fact used as name of
the "application group", and thus it is not strictly related to Group
OSCORE.

[1] https://tools.ietf.org/html/draft-ietf-ace-key-groupcomm-oscore

</MT>


> This document appears to be pointed at dealing with multicast groups, but
> there does not seem to be any tie between multicast resources and join
> request points.  The document should also deal with the same issue for
> pub-sub servers as that is of interest as well.

<MT>

The multicast resources are shared by all the members of a same
"application group", registered in the RD and with its own IP multicast
address. Instead, a join resource (i.e. join request point) is related
to an OSCORE group used as "security group" by the "application group".

The link between the two is the attribute currently named "oscore-gp",
that can be used as search criterion. As mentioned above, we plan to
rename it as "app-gp", to align it with its intended meaning defined in
Section 5, i.e. name of an "application group".

We didn't think of pub-sub servers, since Group OSCORE does not cover
that communication model. However, we believe it may possible to
generalize this document to cover also a pub-sub setting, building on
[2]. At the same time, it is probably better to first see how security
activities related to pub-sub develop.

[2] https://tools.ietf.org/html/draft-ietf-core-coap-pubsub-06#section-5

</MT>

> This document appears to be missing the registration of the oscore-gp and
> oscore-gid attributes.  I don't know but assume that there is (or should be)
> a registry for these types of things.  Specifically do these items allow for
> multiple values or are they single valued?  (I will assume that if they are
> multiple valued they should appear as multiple items just to make life
> easier.)

<MT>

We are also considering where to possibly register those attributes, and
there seems to be no easy answer.

Since there is no registry for link target attributes, we thought of the
"RD Parameter" registry [3], but it's probably not the best thing to do.

In fact, other applications may still use those parameters in link
registrations, that could tell RDs to act differently on them in some
places [4]. However, that won't keep others from using those parameters
for their purposes in general to-be-registered link-format data.

More specifically on their values:

- "oscore-gid" does not allow for multiple values, since an OSCORE Group
has a single Group ID.

- "oscore-gp" (to be renamed as "app-gp") allows for multiple values.
When this happens, it in fact appears as multiple items, as we show in
the example at the end of Section 5.2.

We can make these points explicit in Section 5, in the bullet points
about these parameters.


[3]
https://tools.ietf.org/html/draft-ietf-core-resource-directory-19#section-9.3

[4] For instance, not accept them as endpoint attributes, or treat them
differently on lookup. All considering that, users must be prepared for
RDs not implementing the special behavior.

</MT>

> Jim
>
>

-- 
Marco Tiloca
Ph.D., Senior Researcher

RISE Research Institutes of Sweden
Division ICT
Isafjordsgatan 22 / Kistagången 16
SE-164 40 Kista (Sweden)

Phone: +46 (0)70 60 46 501
https://www.ri.se