Re: [core] AD review of draft-ietf-core-oscore-edhoc-08
Marco Tiloca <marco.tiloca@ri.se> Thu, 12 October 2023 20:51 UTC
Return-Path: <marco.tiloca@ri.se>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E789C151533 for <core@ietfa.amsl.com>; Thu, 12 Oct 2023 13:51:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ri.se
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TF8JHxIFyBBX for <core@ietfa.amsl.com>; Thu, 12 Oct 2023 13:51:30 -0700 (PDT)
Received: from GV3P280CU006.outbound.protection.outlook.com (mail-swedencentralazon11010010.outbound.protection.outlook.com [52.101.75.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C83EC151530 for <core@ietf.org>; Thu, 12 Oct 2023 13:51:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SMMfD1Lr3axcE2GOjSO1qYbnVYqCxtyEaNcvH4yElymv2/65C92tmHgqhfwizPHEjYwfPCKjnjGMfRcDKGodF22rnGzhPEDeNsw1nJEy3mlMN3xRy+ymyc70uRfzlfocsI8De0oy+hXtvMgLwX7GDGv5ckNMIYtjNqxz19kN/dDPwcqD0uodOF6TSYirmyJAaeV7pD8FGMV9ioDbsvog/SJBoCQgmndZRx3UdEDm3yO9NyaGYUDIxjiddh0Icf/9A8J0JiDyCyFDjzv6dhxJ6jiA4bxcJFiPR2ZHBLZ1eAx5BDoxRB0or/l427n8H6y0Yg7DQIDCOi805lCjjvyg3w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=xF6jOMlj9Z3hPlW2vUTL02cBX2HJsjLz3zx8sa9oWoo=; b=fWcao5/vIaWgarCjgnoMX2XwGx/Es4qIMKcaZ1NBf0pgK0QxZ3oXMFlnIO0tXfCWKg3gsRorCShVx2hvTnUXiDFw8qWEyUJyzF89gIz4ldjbMCFGdFaFgR7BeL0rvPUojsoNmV1QAcMvlpkH14XZNWkLE9M7WMhmmQaw1M4hWB1ivAvDOGgaqY9wew4/5VaUvrRxVEUU54MlMQsxdYzvPwSBaaUYo3NdQYFSNs92/fZM04T0nwJ9CKbuk9NsD0TzDls09eTMrGdNJaoKP+YTyL69t7tXARQA6cuQiFLtsePu6qDBG+4HamwvUaxW4Y+p36L4H8Q+hJ9zflihQvi23g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ri.se; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xF6jOMlj9Z3hPlW2vUTL02cBX2HJsjLz3zx8sa9oWoo=; b=D30yqhQVlKdvUsJhxUupaY/9MGGPsYoKYZxPKL/7tF5/HVxlMaggx7c5xVDlXxgmUWDUufccMtgKEQixCaraMrOeNW07NSMNZzCYatr+IFxGpGjNEwUfLZfnctjf8mcQevA7c8q8fBQPxWwvMXlTt7N1A3jBGB6odYFun/3p5SU=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ri.se;
Received: from GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:37::17) by GVYP280MB1104.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:ee::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6886.17; Thu, 12 Oct 2023 20:51:25 +0000
Received: from GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM ([fe80::2ba1:6422:7beb:635e]) by GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM ([fe80::2ba1:6422:7beb:635e%6]) with mapi id 15.20.6886.031; Thu, 12 Oct 2023 20:51:25 +0000
Message-ID: <ac116eb5-97ee-4cd0-9ea8-2bcb2d3d5602@ri.se>
Date: Thu, 12 Oct 2023 22:51:23 +0200
User-Agent: Mozilla Thunderbird
To: Paul Wouters <paul.wouters@aiven.io>, stefan.hristozov@eriptic.com, rikard.hoglund@ri.se, Göran Selander <goran.selander@ericsson.com>, Francesca Palombini <francesca.palombini@ericsson.com>
Cc: core@ietf.org
References: <CAGL5yWZ2PW9ajUmdA5NDq7g2UR7DBRZruMBND-p-3wRnSH_hWg@mail.gmail.com>
Content-Language: en-US
From: Marco Tiloca <marco.tiloca@ri.se>
Autocrypt: addr=marco.tiloca@ri.se; keydata= xsBNBFSNeRUBCAC44iazWzj/PE3TiAlBsaWna0JbdIAJFHB8PLrqthI0ZG7GnCLNR8ZhDz6Z aRDPC4FR3UcMhPgZpJIqa6Zi8yWYCqF7A7QhT7E1WdQR1G0+6xUEd0ZD+QBdf29pQadrVZAt 0G4CkUnq5H+Sm05aw2Cpv3JfsATVaemWmujnMTvZ3dFudCGNdsY6kPSVzMRyedX7ArLXyF+0 Kh1T4WUW6NHfEWltnzkcqRhn2NcZtADsxWrMBgZXkLE/dP67SnyFjWYpz7aNpxxA+mb5WBT+ NrSetJlljT0QOXrXMGh98GLfNnLAl6gJryE6MZazN5oxkJgkAep8SevFXzglj7CAsh4PABEB AAHNNk1hcmNvIFRpbG9jYSAobWFyY28udGlsb2NhQHJpLnNlKSA8bWFyY28udGlsb2NhQHJp LnNlPsLAdwQTAQgAIQUCWkAnkAIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRDuJmS0 DljaQwEvCACJKPJIPGH0oGnLJY4G1I2DgNiyVKt1H4kkc/eT8Bz9OSbAxgZo3Jky382e4Dba ayWrQRFen0aLSFuzbU4BX4O/YRSaIqUO3KwUNO1iTC65OHz0XirGohPUOsc0SEMtpm+4zfYG 7G8p35MK0h9gpwgGMG0j0mZX4RDjuywC88i1VxCwMWGaZRlUrPXkC3nqDDRcPtuEGpncWhAV Qt2ZqeyITv9KCUmDntmXLPe6vEXtOfI9Z3HeqeI8OkGwXpotVobgLa/mVmFj6EALDzj7HC2u tfgxECBJddmcDInrvGgTkZtXEVbyLQuiK20lJmYnmPWN8DXaVVaQ4XP/lXUrzoEzzsBNBFSN eRUBCACWmp+k6LkY4/ey7eA7umYVc22iyVqAEXmywDYzEjewYwRcjTrH/Nx1EqwjIDuW+BBE oMLRZOHCgmjo6HRmWIutcYVCt9ieokultkor9BBoQVPiI+Tp51Op02ifkGcrEQNZi7q3fmOt hFZwZ6NJnUbA2bycaKZ8oClvDCQj6AjEydBPnS73UaEoDsqsGVjZwChfOMg5OyFm90QjpIw8 m0uDVcCzKKfxq3T/z7tyRgucIUe84EzBuuJBESEjK/hF0nR2LDh1ShD29FWrFZSNVVCVu1UY ZLAayf8oKKHHpM+whfjEYO4XsDpV4zQ15A+D15HRiHR6Adf4PDtPM1DCwggjABEBAAHCwF8E GAECAAkFAlSNeRUCGwwACgkQ7iZktA5Y2kPGEwf/WNjTy3z74vLmHycVsFXXoQ8W1+858mRy Ad0a8JYzY3xB7CVtqI3Hy894Qcw4H6G799A1OL9B1EeA8Yj3aOz0NbUyf5GW+iotr3h8+KIC OYZ34/BQaOLzdvDNmRoGHn+NeTzhF7eSeiPKi2jex+NVodhjOVGXw8EhYGkeZLvynHEboiLM 4TbyPbVR9HsdVqKGVTDxKSE3namo3kvtY6syRFIiUz5WzJfYAuqbt6m3TxDEb8sA9pzaLuhm fnJRc12H5NVZEZmE/EkJFTlkP4wnZyOSf/r2/Vd0iHauBwv57cpY6HFFMe7rvK4s7ME5zctO Ely5C6NCu1ZaNtdUuqDSPA==
In-Reply-To: <CAGL5yWZ2PW9ajUmdA5NDq7g2UR7DBRZruMBND-p-3wRnSH_hWg@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------kmyxzTHweuVopvVPU7DDRXoH"
X-ClientProxiedBy: GV3P280CA0056.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:9::10) To GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:37::17)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: GVYP280MB0464:EE_|GVYP280MB1104:EE_
X-MS-Office365-Filtering-Correlation-Id: 7028cd60-97f9-4371-4f70-08dbcb64ffb6
X-LD-Processed: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8,ExtAddr
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: VbIUaKuA706L0yVEccgKnz5Xp6RcLveZv8ieQsgWRTH13bVxk61KGgdoUSLpxzIZME45tKthTyteDTyvKkmBu942mYjbl7vVW3RA21h085iTlMVN2M4oQ/BvI3bFgdCQKUASlalwKBZCJ8Tk8q1A6/HAdMJyiAZ2qMHFvb7umhMytK5u1Xok/X5uCt840ErpjtcZ+kmoV4aIoEXXonURBlBwMRmwWio2cl7RDa7nCPiHcfJR0Mx9zNqnus6wnfR1rnd+RVM2daaIbDiwSY7d7cn7xLPa4WiPOAQC9BY73evPAtmDe38J52jE4rn5+qtSfa9+DWh8n08Y6Iii+CzPeXQXZIg8kMHUohZpGwt5JbfRsB/ADPQBhWm5TsYLo7Y1/g2jOevlbsjqf/RWIarlAedAIeh7Ar0Y/kAFAVER+4OUdMfahuG2W82Mnz6stxXqMnRXD+42/7nu8PQQtxd5EkUKo7v5UnivlpVfp2LNc3UHl56rrN0ArD0umu6gjkQBSxueOLLKVrxBH1Nwng/ZcOAKpRUb5oPUZhHw6CHYU2z99DHVwNOPtHda/nVYGR4KbVMm3yOBsuzhAvDscFX49OXWWv2zhSaekDQwkEz9KfDhBJWbo3xFjqsw8gh8+pwkWEfsQMul7MPvhZbjBArKPg==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(396003)(136003)(346002)(376002)(39860400002)(366004)(230922051799003)(1800799009)(64100799003)(186009)(451199024)(6512007)(21480400003)(26005)(33964004)(6506007)(55236004)(53546011)(83380400001)(2616005)(31686004)(38100700002)(8936002)(966005)(6486002)(478600001)(166002)(36756003)(8676002)(41300700001)(4326008)(5660300002)(30864003)(235185007)(31696002)(2906002)(86362001)(44832011)(66476007)(66556008)(66946007)(110136005)(316002)(43740500002)(45980500001)(579004); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: SiO6vtKjjZLTgHFUVQjT/tStyALCO6GS4KjtOk1m3NF9o3Gy7IvtnpXxzmCfodB0vhmdL0Zy3viD8w8TW/do0sCktz1O/wEsezbKGjnISavTkPnztEM5pZxIuby5Ovf3qGh+R66VYcM0mZFLzYDWkVGr9kcF9tWdW5eCQFDDczmUxsa4EJKp3+z1RSG4y79OultKSQq1xS0mkYQtQPf5yMD2b1cG+oHdoRBi6zLoK6uwZaH0UwwoNy9+sPXSUr/rjjOWhlk9kMzKlasmKgmZu+08msfwhYWuQD/5GavD9R9/pXTSAothUm7aAWBxnzvkvdONSfrrrzskohN4VAabE+sJeP63Yer5pTGa1xY1pd5uqHs3mRI8EbUddwcBk3JFtZ1BqMnvUzOBYk1kdOx8hiQ+VYtBTq667QTPt9pFP4P82dMC5CgeNpdnd+tiL58m3BFpH9NF+fbTU+Dnuc7in5P8ddsCOoJI8GgDRpmqW+ZM8nbUc9shxkZ7tiNu+G+ty0zumTSJei2Z8H6TdPv3rMcHODzSnFKkP0fWvfGdbgu9vNikQMm77RpLP0qUpAw9pIew/2zATL4eS52JjYopzS+ujIAQyb0Ii/A8Iet5/ucj9sUUKdU8z0X28Zfarj6GeeWtmzspw52RBYQ2lzhfTPNR7UWT/8Pb5nxjX8DJUPV9iJJho8p0cgaszyH1wvLVbSV16aOeXNyLnszfzZXgvedtK+w4k3/ppF89LUNWbJST/ydw5qJ3ta4T7lhrO+HDr/eBOEAH0oVFyUkBVcwLzwalNgjPoqTPEd7VnATRMkn4Rc97xZ62hx11hmO/VKfRq6+bfERne5DBL3i+3BZVsuJ9ZGgx8KahZ5+Sxdh2sdT2WY4P3300J9xGTO3BKfzQ/1CyHfTbX9R0/55wJL6SkqS0tenge7l/b4VU0uc25mGrh+rEMhFW5AdJNi4p72/rtHY+WOB/9uUwfl/g85+6mSrr9JAh7+x0OEJaFFcoBTYAxFhWzZr1Tivk/RYt1dFjeO2Rz3CkGVFIqfFBXAxvo5GGmNLX5tcuHNJrcsAlLOYpZlQoM8tgNzE71hw9ncd9uoI0PIHrkcjhrsRYg9DBqNgwGtWTkA1r5NyK0Ylq0ToJfCbE+BCxh1mG5Q7pvxSfmlk/wRzm9HlVuJmqdH4q1+1eRxxzMEB/Xzd4Qk282KtpmlLP9SkAIeoQBhbahPQF10TiMV45FPVeBkhdXlhm71KqvVArMnOiTJQ9huX5ipsNrGhriR8WnXlCWrPP8GgfHLQYY7X0NB6ksRu6dA/YXvDV5ra0WP5dP2eJUMmd5VQDc1D+uFAeVcXVpV2T7RulRBWq3M7OLKTu3VkP0GbubvewpxsjCUHPXYtLg3/fYkSDQPOILMYWK01PUo54sbWfztAY1/O/fY4Q/EXGC3YT+8PaRaoID/0ZPfp0Gq/QzRP9HZPr4oDDrgOulOsdbdzfoYHv6l52ihv1I6Vm6GKCdSeaIvdZdeqtmnBFPibcku9TW2w+fURT1B4HWtljB9Vgq44viIv0qMdm5PDsR0m1NXnzOuFQMSmcx3Lf88Kmx8GVTMQBnQnOGNIHE+TMA6w3
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: 7028cd60-97f9-4371-4f70-08dbcb64ffb6
X-MS-Exchange-CrossTenant-AuthSource: GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Oct 2023 20:51:25.1590 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 1L8gz8QMnaeJyWN251CpJqOqr0qWcZgGc4P8P6t7raETSgAP+PezuzfSQSjd0kY0yS2qjd3QG5PPWOGoYcCZGg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: GVYP280MB1104
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/O7QKg1SKcr2hRkpMpOoiptFDz20>
Subject: Re: [core] AD review of draft-ietf-core-oscore-edhoc-08
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Oct 2023 20:51:34 -0000
Hi Paul, Thanks a lot for your review! Please see in line below our detailed reply. Based on your comments, we have prepared the PR #14 at [1]. If there is no objection, we plan to merge the PR and submit the result as version -09 soon. Best, /Marco [1] https://github.com/core-wg/oscore-edhoc/pull/14 On 2023-09-28 22:08, Paul Wouters wrote: > Hi, > > Overall the document looks good. I have a few comments/nits below and > one issue. > > Issue: > > The request payload consists of the EDHOC connection identifier > C_R encoded as per Section 3.3 of [I-D.ietf-lake-edhoc], > concatenated with EDHOC message_3. > > A last minute change in EDHOC was to encrypt C_R. It is unfortunate that > this now seems to send C_R in the clear again. Can this be avoided? ==>MT TL;DR: per the EDHOC specification, the encrypted C_R is the one in EDHOC message_2. Instead, the plain C_R mentioned in the text is the one prepended to EDHOC message_3, both of which are conveyed in the CoAP payload. The latter C_R is not and cannot be encrypted by EDHOC. The quoted text is part of the overview of EDHOC "as-is" and is aligned with draft-ietf-lake-edhoc, with no difference as to the prepending of C_R in EDHOC message_3 when transported in CoAP. In fact, it is consistent with what is shown in Figure 18 at https://datatracker.ietf.org/doc/html/draft-ietf-lake-edhoc-22#name-the-forward-message-flow when considering the forward message flow of EDHOC transported over CoAP. In that Figure 18, the payload of the second request includes EDHOC message_3 prepended by C_R. Please note that the mentioned C_R in the CoAP request message is not encrypted by EDHOC, since: * C_R is not part of EDHOC message_3 in itself; and * C_R has to be prepended to EDHOC message_3, due to the message correlation properties of CoAP The recently introduced encryption of C_R is for the C_R included in EDHOC message_2, in which case C_R is indeed part of the PLAINTEXT_2 processed when composing EDHOC message_2. Also, please note that, irrespective of using the vanilla or the optimized workflow of EDHOC, C_R is later going to be repeatedly exposed in plain anyway when using OSCORE. That's because C_R is the OSCORE Sender ID of the CoAP Client (i.e., the EDHOC Initiator). Therefore, it is going to be included in the 'kid' field of the OSCORE Option in each OSCORE-protected CoAP request sent by the Client to the Server. When discussing about encrypting C_R in the LAKE WG, the points above were also highlighted on the LAKE WG mailing list. In particular, please see: https://mailarchive.ietf.org/arch/msg/lake/zTdTw7elW_al7D54DQWdKSVTIcg/ As an attempt to clarify that Section 2 and its Figure 1 of the present document overview EDHOC as-is, we have made the following updates in Section 2: OLD > Appendix A.2 of [I-D.ietf-lake-edhoc] specifies how to transfer EDHOC over CoAP. That is, the EDHOC data (i.e., the EDHOC message possibly with a prepended connection identifier) are transported in the payload of CoAP requests and responses. The default, forward message flow of EDHOC consists in the CoAP client acting as Initiator and the CoAP server acting as Responder. Alternatively, the two roles can be reversed, as per the reverse message flow of EDHOC. In the rest of this document, EDHOC messages are considered to be transferred over CoAP. NEW > Appendix A.2 of [I-D.ietf-lake-edhoc] specifies how to transfer EDHOC over CoAP. That is, the EDHOC data (i.e., the EDHOC message possibly with a prepended connection identifier) are transported in the payload of CoAP requests and responses. The default, forward message flow of EDHOC consists in the CoAP client acting as Initiator and the CoAP server acting as Responder (see Appendix A.2.1 of [I-D.ietf-lake-edhoc]). Alternatively, the two roles can be reversed, as per the reverse message flow of EDHOC (see Appendix A.2.2 of [I-D.ietf-lake-edhoc]). In the rest of this document, EDHOC messages are considered to be transferred over CoAP. OLD > Figure 1 shows a CoAP client and a CoAP server running EDHOC as Initiator and Responder, respectively. That is, the client ... NEW > Figure 1 shows a CoAP client and a CoAP server running EDHOC as Initiator and Responder, respectively. In particular, it extends Figure 18 from Appendix A.2.1 of [I-D.ietf-lake-edhoc], by highlighting when the two peers perform EDHOC verification and establish the OSCORE Security Context, and by adding an exchange of OSCORE-protected CoAP messages after completing the EDHOC execution. > > That is, the client ... <== > > Comments: > > This optimization is desirable, since the number of protocol > round trips influences the minimum number of flights, > > I don't fully understand this sentence. I think it is trying to say that > doing two protocols fully sequencially one after the other causes more > roundtrips and thus more latency? Perhaps that can be formulated without > the use if "number of flights" ? (which to me is confusing, also because > actual flights talk about legs :) ==>MT Trying to avoid "flights" altogether, we have instead focused on "messages exchanges" and "round trips", and have updated the text as follows. OLD > This optimization is desirable, since the number of protocol round trips influences the minimum number of flights, which in turn can have a substantial impact on the latency of conveying the first OSCORE request, when using certain radio technologies. > > Without this optimization, it is not possible, not even in theory, to achieve the minimum number of flights. This optimization makes it possible also in practice, since the last message of the EDHOC protocol can be made relatively small (see Section 1.2 of [I-D.ietf-lake-edhoc]), thus allowing additional OSCORE-protected CoAP data within target MTU sizes. NEW > This optimization is desirable, since the number of message exchanges can have a substantial impact on the latency of conveying the first OSCORE request, when using certain radio technologies. > > Without this optimization, it is not possible, not even in theory, to achieve the minimum number of round trips. This optimization makes it possible also in practice, since the message_3 of the EDHOC protocol can be made relatively small (see Section 1.2 of [I-D.ietf-lake-edhoc]), thus allowing additional OSCORE-protected CoAP data within target MTU sizes. <== > > That is, the EDHOC data (referred to as "EDHOC messages") > > Why not also just call it "EDHOC messages" in this document? ==>MT They are two different things. We consistently use "EDHOC data" to indicate the combination of the prepended connection identifier (if any) and the actual EDHOC message. We have updated the sentence as follows: OLD > That is, the EDHOC data (referred to as "EDHOC messages") ... NEW > That is, the EDHOC data (i.e., the EDHOC message possibly with a prepended connection identifier) ... <== > > Finally, the client sends a POST request to the same EDHOC > resource used earlier to send EDHOC message_1. > > This really is confusing to read. I initially read it as "send EDHOC > message_1". > How about: > > Finally, the client sends a POST request to the same EDHOC > resource used earlier when it sent EDHOC message_1. ==>MT Thanks, we have fixed it as suggested. <== > > Section 3.2: Perhaps change the sentence in "Step 1" to: > > Compose EDHOC message_3 into EDHOC_MSG_3 as per Section 5.4.2 > of [I-D.ietf-lake-edhoc]. > > so it properly introduces EDHOC_MSG_3 before its first use? ==>MT Yes, good point. We have fixed it as suggested. <== > > the server discontinues the protocol [...] > > the Initiator MUST discontinue the protocol [...] > > We changed "discontinues the protocol" to "aborts the session" in the > EDHOC document. > You don't mean discontinue to use the protocol defined in this RFC :) ==>MT Indeed. We have changed the text to say "the server aborts the session" (in Section 3.3) and "the Initiator MUST abort the session" (in Section 4.1.3). <== > > The server MUST NOT establish a new OSCORE Security Context from > the present EDHOC session with the client, hence the CoAP response > conveying the EDHOC error message is not protected with OSCORE. > > I don't understand this sentence? Did you mean "as" instead of "hence" ? ==>MT We really mean "hence". The order of event and their causal relation is: - An OSCORE Security Context is not derived; hence - The response transporting the EDHOC error message is not protected with OSCORE (as it cannot be). In order to avoid confusion altogether, we simplified the sentence as follows: NEW > The server MUST NOT establish a new OSCORE Security Context from the present EDHOC session with the client. The CoAP response conveying the EDHOC error message is not protected with OSCORE. <== > > The CoAP response conveying the EDHOC error message MUST have > Content-Format set to application/edhoc+cbor-seq defined in > Section 9.9 of [I-D.ietf-lake-edhoc]. > > There is no section 9.9. I think you mean Section 10.9 (just as > Appendix A.2.3 > does that reference) ==>MT We have fixed the numbers of the referred sections from draft-ietf-lake-edhoc. <== > > As per Section 3.3.2 of [I-D.ietf-lake-edhoc], when using the > purely-sequential flow shown in Figure 1, the same C_R with > value 0x01 would be encoded on the wire as the CBOR integer 1 > (0x01 in CBOR encoding), and prepended to EDHOC message_3 in > the payload of the second EDHOC request. > > I'm a bit confused by "on the wire" of C_R because EDHOC message_3 > contains: AEAD( ID_CRED_I, Signature_or_MAC_3, EAD_3 ) > Do you mean as part of CoAP? ==>MT In short: yes, as part of CoAP. Indeed EDHOC message_3 includes only AEAD( ID_CRED_I, Signature_or_MAC_3, EAD_3 ), but this does not contradict the quoted text. In the vanilla workflow, C_R is prepended to EDHOC message_3, and indeed it is not part of EDHOC message_3 in itself. Yet, due to the message correlation properties of CoAP, C_R has to be prepended to the EDHOC message_3 in the payload of the CoAP request of the forward message flow (see also Appendix A.2.1 of draft-ietf-lake-edhoc). Therefore, C_R is on the wire, since it is part of the payload of the sent CoAP message. <== > > The EDHOC Connection Identifier C_I is equal to the EDHOC > Connection Identifier C_R specified in EDHOC message_2 (i.e., > after its decoding as per Section 3.3 of [I-D.ietf-lake-edhoc]). > > Since C_R is now encrypted in EDHOC message_2, I guess "decoding" is > no longer > the right word. After decrypting ? ==>MT As a clarification, CIPHERTEXT_2 has to be decrypted first. After that, one retrieves from PLAINTEXT_2 the wire-encoding of C_R, which has to be decoded into its native, binary form. In order to avoid confusion altogether, we have simplified the quoted paragraph in Section 4.1.3 and an analogous paragraph in Section 4.1.2 as follows: OLD (Section 4.1.3) > The EDHOC Connection Identifier C_I is equal to the EDHOC Connection Identifier C_R specified in EDHOC message_2 (i.e., after its decoding as per Section 3.3 of [I-D.ietf-lake-edhoc]). NEW (Section 4.1.3) > The EDHOC Connection Identifier C_I is equal to the EDHOC Connection Identifier C_R received in EDHOC message_2. OLD (Section 4.1.2) > The Responder MUST choose a C_R that is neither used in any current EDHOC session as this peer's EDHOC Connection Identifier, nor is equal to the EDHOC Connection Identifier C_I specified in the EDHOC message_1 of the present EDHOC session (i.e., after its decoding as per Section 3.3 of [I-D.ietf-lake-edhoc]), nor is ... NEW (Section 4.1.2) > The Responder MUST choose a C_R that is neither used in any current EDHOC session as this peer's EDHOC Connection Identifier, nor is equal to the EDHOC Connection Identifier C_I received in the EDHOC message_1 of the present EDHOC session, nor is ... <== > > Section 9.10 of [I-D.ietf-lake-edhoc] registers the resource type > "core.edhoc" > > This should be Section 10.10. ==>MT We have fixed the numbers of the referred sections from draft-ietf-lake-edhoc. <== > > which is taken from the 'Label' column of the "EDHOC External > Authorization Data" registry defined in Section 9.5 of > [I-D.ietf-lake-edhoc]. > > Should be section 10.5. (Please check all section 9 references in the > doc for update) ==>MT We have fixed the numbers of the referred sections from draft-ietf-lake-edhoc. <== > > by expanding their semantics and specifying admitted values. > > What does "admitted" here mean? Maybe "specifying additional values" ? ==>MT We have rephrased as follows: > (Future documents may update the definition of the parameters 'ed-i', 'ed-r', and 'ed-comb-req', by expanding their semantics and specifying what they can take as value.) <== > > > the Change Controller is IESG, > > I believe the IESG preference is to list IETF as change controller ? ==>MT We have changed it to "IETF". <== > > > > > nits: > > Personal pet peeve: I dislike using > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > and prefer +-------+---------+---+-------------+-----+ style :) > I have also never seen the usage of open ended boxes, so I would change: > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > |Ver| T | TKL | Code | Message ID | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > | Token (if any, TKL bytes) ... > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > | Observe Option| OSCORE Option ... > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > | EDHOC Option | Other Options (if any) ... > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > |1 1 1 1 1 1 1 1| Payload ... > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > to: > > +---+---+-------+---------------+-------------------------------+ > |Ver| T | TKL | Code | Message ID | > +---+---+-------+---------------+-------------------------------+ > | Token (if any, TKL bytes) ~ > ~ ~ > +---------------+-----------------------------------------------+ > | Observe Option| OSCORE Option ~ > +---------------+ ~ > ~ ~ > +---------------+-----------------------------------------------+ > | EDHOC Option | Other Options (if any) ~ > +---------------+ ~ > ~ ~ > +---------------+-----------------------------------------------+ > |1 1 1 1 1 1 1 1| Payload ~ > +---------------+ > ~ ~ > +---------------------------------------------------------------+ > > ==>MT As also raised in https://mailarchive.ietf.org/arch/msg/core/LBLmCFK_lY86iwlRGfAMWwQNNOw/ we have preferred to preserve the same style used since RFC 7252. <== > Paul > -- Marco Tiloca Ph.D., Senior Researcher Phone: +46 (0)70 60 46 501 RISE Research Institutes of Sweden AB Box 1263 164 29 Kista (Sweden) Division: Digital Systems Department: Computer Science Unit: Cybersecurity https://www.ri.se
- Re: [core] AD review of draft-ietf-core-oscore-ed… Carsten Bormann
- Re: [core] AD review of draft-ietf-core-oscore-ed… Paul Wouters
- [core] AD review of draft-ietf-core-oscore-edhoc-… Paul Wouters
- Re: [core] AD review of draft-ietf-core-oscore-ed… Marco Tiloca
- Re: [core] AD review of draft-ietf-core-oscore-ed… Paul Wouters