Re: [core] Opsdir last call review of draft-ietf-core-oscore-edhoc-09
Marco Tiloca <marco.tiloca@ri.se> Thu, 23 November 2023 15:39 UTC
Return-Path: <marco.tiloca@ri.se>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C14BC14F6EC; Thu, 23 Nov 2023 07:39:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ri.se
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rV0eEs9Tq-N2; Thu, 23 Nov 2023 07:39:27 -0800 (PST)
Received: from GVZP280CU001.outbound.protection.outlook.com (mail-swedencentralazon11011011.outbound.protection.outlook.com [52.101.81.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9FC2C14EB19; Thu, 23 Nov 2023 07:39:25 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BXF+r9aVPklXk0Q219gw55tXpuW4l6yn/5zRifagCvPVFB4pybfzLz4BJ77BS34rxQXCH7S20mDzcb2Pi6jNERT101jvljB6EjRKlxe27BbLoHMT8IakEIu1cB80ov+F1V8UTNj5/4IUIBiIMqmgdH2RHOysAbr1S24FiE7H/8xUEeo2rm8+ZVCslwy3Vc38Ap7diV7ud0ehVsgLpEjHUj7ylNrMgfvwTUe/kypEIpGLIJxQDR0DM5SG1QtlEuovufeJqP+pDXLUwFK3yMlMO2J8urh5QfqjWrDxoift0kOC92g/Kg0+kIuoSQln/E3GhDe4LDjvSuVCwEaeilRyEA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=lT5iV1sb+HF2hiLcteFg6vrzXyBfE+rKsgdX6Gdw2wk=; b=O9OuCHFmpwpUMfLDUh2jdvW7/XcNXHvXQ7R44o1k/cWVWUhxne+UABGyL/E232Hc1Ve7nR6cK1S2EKjpgyhbxxLk/hvErYrWwvulsytguzfrfEdBTQmSQe4ktpv7SMGx1tnqAmJpMOspSs445gG2ROt4L91ktvTzuGLSI1OlMsQ1DsvZW5qLfz2gEVmyIX7YHrgcD++3sRnrkI1ZghEOcwHqh7UNYkHEEfnpL1mB965etSGPGJ8ugLX62GagDu1ZY/V5iJzrVmV1DpQsb3B/+UU6apst8XDVBNpXKCJ57NFnk9zF5kuErQLMzYIk/dGGJji8v2HhXPmkMNfUcW6cSw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ri.se; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lT5iV1sb+HF2hiLcteFg6vrzXyBfE+rKsgdX6Gdw2wk=; b=Ccc4DSyBQJAQMySPnpjX6esBI13kYHOKfT9tknO1E1cbeQOjUK/6bKGOJTmc3cctmTC54oHYX9u5ANz4Dru/TOpmzYWYENZxfOV2HbI+SXFnnZR4RNsEWx9kxE+aqs0qDGtBqc0VZ7QG02mMPoFkmnlbQpKqyk8v9cYPnQfgzqE=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ri.se;
Received: from GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:37::17) by GVZP280MB0187.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:43::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7025.21; Thu, 23 Nov 2023 15:39:20 +0000
Received: from GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM ([fe80::49f4:9d27:4b68:cdab]) by GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM ([fe80::49f4:9d27:4b68:cdab%4]) with mapi id 15.20.7025.021; Thu, 23 Nov 2023 15:39:20 +0000
Message-ID: <9bd1da17-f0d5-4805-904f-cbd05cc62321@ri.se>
Date: Thu, 23 Nov 2023 16:39:19 +0100
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Jürgen Schönwälder <jschoenwaelder@constructor.university>, ops-dir@ietf.org
Cc: core@ietf.org, draft-ietf-core-oscore-edhoc.all@ietf.org, last-call@ietf.org
References: <169989987987.41741.1428440266953987317@ietfa.amsl.com>
From: Marco Tiloca <marco.tiloca@ri.se>
Autocrypt: addr=marco.tiloca@ri.se; keydata= xsBNBFSNeRUBCAC44iazWzj/PE3TiAlBsaWna0JbdIAJFHB8PLrqthI0ZG7GnCLNR8ZhDz6Z aRDPC4FR3UcMhPgZpJIqa6Zi8yWYCqF7A7QhT7E1WdQR1G0+6xUEd0ZD+QBdf29pQadrVZAt 0G4CkUnq5H+Sm05aw2Cpv3JfsATVaemWmujnMTvZ3dFudCGNdsY6kPSVzMRyedX7ArLXyF+0 Kh1T4WUW6NHfEWltnzkcqRhn2NcZtADsxWrMBgZXkLE/dP67SnyFjWYpz7aNpxxA+mb5WBT+ NrSetJlljT0QOXrXMGh98GLfNnLAl6gJryE6MZazN5oxkJgkAep8SevFXzglj7CAsh4PABEB AAHNNk1hcmNvIFRpbG9jYSAobWFyY28udGlsb2NhQHJpLnNlKSA8bWFyY28udGlsb2NhQHJp LnNlPsLAdwQTAQgAIQUCWkAnkAIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRDuJmS0 DljaQwEvCACJKPJIPGH0oGnLJY4G1I2DgNiyVKt1H4kkc/eT8Bz9OSbAxgZo3Jky382e4Dba ayWrQRFen0aLSFuzbU4BX4O/YRSaIqUO3KwUNO1iTC65OHz0XirGohPUOsc0SEMtpm+4zfYG 7G8p35MK0h9gpwgGMG0j0mZX4RDjuywC88i1VxCwMWGaZRlUrPXkC3nqDDRcPtuEGpncWhAV Qt2ZqeyITv9KCUmDntmXLPe6vEXtOfI9Z3HeqeI8OkGwXpotVobgLa/mVmFj6EALDzj7HC2u tfgxECBJddmcDInrvGgTkZtXEVbyLQuiK20lJmYnmPWN8DXaVVaQ4XP/lXUrzoEzzsBNBFSN eRUBCACWmp+k6LkY4/ey7eA7umYVc22iyVqAEXmywDYzEjewYwRcjTrH/Nx1EqwjIDuW+BBE oMLRZOHCgmjo6HRmWIutcYVCt9ieokultkor9BBoQVPiI+Tp51Op02ifkGcrEQNZi7q3fmOt hFZwZ6NJnUbA2bycaKZ8oClvDCQj6AjEydBPnS73UaEoDsqsGVjZwChfOMg5OyFm90QjpIw8 m0uDVcCzKKfxq3T/z7tyRgucIUe84EzBuuJBESEjK/hF0nR2LDh1ShD29FWrFZSNVVCVu1UY ZLAayf8oKKHHpM+whfjEYO4XsDpV4zQ15A+D15HRiHR6Adf4PDtPM1DCwggjABEBAAHCwF8E GAECAAkFAlSNeRUCGwwACgkQ7iZktA5Y2kPGEwf/WNjTy3z74vLmHycVsFXXoQ8W1+858mRy Ad0a8JYzY3xB7CVtqI3Hy894Qcw4H6G799A1OL9B1EeA8Yj3aOz0NbUyf5GW+iotr3h8+KIC OYZ34/BQaOLzdvDNmRoGHn+NeTzhF7eSeiPKi2jex+NVodhjOVGXw8EhYGkeZLvynHEboiLM 4TbyPbVR9HsdVqKGVTDxKSE3namo3kvtY6syRFIiUz5WzJfYAuqbt6m3TxDEb8sA9pzaLuhm fnJRc12H5NVZEZmE/EkJFTlkP4wnZyOSf/r2/Vd0iHauBwv57cpY6HFFMe7rvK4s7ME5zctO Ely5C6NCu1ZaNtdUuqDSPA==
In-Reply-To: <169989987987.41741.1428440266953987317@ietfa.amsl.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------FWsmO4WO0CxgCPAbKyUwaw4D"
X-ClientProxiedBy: GVX0EPF000013E8.SWEP280.PROD.OUTLOOK.COM (2603:10a6:144:1::1f) To GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:37::17)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: GVYP280MB0464:EE_|GVZP280MB0187:EE_
X-MS-Office365-Filtering-Correlation-Id: b8b6e5f5-527d-43b3-32f3-08dbec3a5c70
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 7WWL0jrh7uLREN645wOrNO3k2rA3Nq2TJPu5+PxeVNbZGx1YVTqWSNktQMjIRcZVc1a8NfsDDUilJKkm+IHeWscWwNDT/2E/CDPTLGiYBRLc1uE0pY2+IfV3vXeWlsRQ8BpdfBxc43z3VCZNVWqLgaOBL6VKk6Rmw6GymPYLMt4/6bRr6zTkG3GjIr+v9xUhDe5klUcWYsaUFy0wfg32eNBxWJ6Wv51TEUm4ZlQhuVpp9Xwleb6YovuEWJvYIa+4H5l21N36+KpbcblMMsqrLuehw+ITY3PBEaveM5al99RB1lEx0t9TkOwyj5Nxn2VaF/eOni4mHDWlWwk/HiHaV+GkmioFZrhEjBogTifUxupcI7EfqbJpQHv3CMnnyo1ONa9zJYf9PtBo+2l+hM4SZ8JkssDazxhm5aYFYXW+x0Q7qrRNpQKgj6butBdERuYM21nJt4dgxQtcw46U2c8GQCtedjU0J2+xm1JfduIXoPaK3xbsnFhUwNz3pfH9DE6RKk7Juig2wtHg7ur69LFipBK4sf0urOiKR8Stz/6lzvsXHWADaMNHkELiA9YEoIDqmNAB7bxK4h85vxZDFZPciBeRyAByXu89xMUQWelW2HlFcoZgEAHULZnPUx53cjt+MvHPdKuerr+9gFAxtPfiXmJjbOTjl6HUqWx5PIwkGi68fMxgb+fdwyPihuc7Kee3
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230031)(39860400002)(396003)(376002)(346002)(136003)(366004)(230173577357003)(230273577357003)(230922051799003)(64100799003)(451199024)(1800799012)(186009)(30864003)(2906002)(4001150100001)(31686004)(44832011)(66946007)(66476007)(66556008)(8936002)(33964004)(6506007)(6512007)(8676002)(4326008)(41300700001)(316002)(966005)(5660300002)(235185007)(478600001)(6486002)(53546011)(26005)(66574015)(21480400003)(2616005)(83380400001)(38100700002)(166002)(31696002)(86362001)(36756003)(45980500001)(43740500002); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: oJ3FQe9sLxM/e9JZxATE/YZWw9eUBEEFcit6toP//mGqI0jkk6/bQae/95kttg1bPBplJnieqh5p75CA8g2KBTdvIBrF2dJgiRs805ITZGgddwHEk83+ds1eUEw9vPxB+8BDuFrdJyQnK/dNCfLooLxRZjgbwqxcWoq7WrVEAFeRfg2lNuJ/xn4TBnbJWETO/ENFF3t47sJaCvUNgAW4fogVEWi7kzQpp6kP2ZrPfR5iOcJhFAb4coPAvSSVBwpjLbPKivckiKtZisFWLZm+GDJ2v23JIeQrpPcOhyRi1pDjQv8uTsJ0KFmhCPtlbYJqSpLRsmjH3Uiszxxz01FJ9t6D2lLxh8j6gYE+JPXnfd69aIC0gMn5dBxcPXDj9A331OlhPPIrAODrJAcFLJ+yvwhFwIZqGhi4l57qez5auc/If4lQX5GbhY4nKRZO3ogyt+klPAum4R/MDcEJwNQCHX4fYBOm9GQEu2wqFdryMETDGKP6JZSfbSqfdPjPliCqeZfom3Ylg8avkbCDLR3a92/CUD4mxhnaEddtAFU3zmh+PDs9wGhO5LFvG4IBr2z5up4LtioRR6fLXAP2XBO6mNW5dh8JVFJ23SC8EDDR9iB+EW2bV9tqhtps2ZtwOHHcBiXajgtz72KCt1gc5c7Mkw1ALclUAFuMUOW2J0GNA0V8OlvoXDA5WhbuVGwc+jRzYL/N5kCNU1XdicG4TbU7IGsU5aTA1niRJmT6s46xdXT+W4gH+ut+j1sNp0DWcg3xbE6ipUAKHKZFkHY5mzVpePbI77cAwRBIqRZ0O1gpb61bKs8BJlT0GaYz3vXapAy/GcgjzKnmQ4dGx/0JemUOxkQ0aYXk+/LkEsZHkCHixOd6DxiQprq4fY7LI8iMVdIC37avmwTK9iUfydQva/Koor68qaVFR36Gcuk24YnWcThY92v/g1mAuzJoXUWNZfyPZQDtD1pLH4aVawK4zxmP84R0kYS30GT05ZqQYDrIUbvuFrKLxI+xPkOoskGW04jZCG6gCEGz7z4PGudVJ+z2uwBQ0NKhG3XIYgBJw4sZAelyzyUBapOk7o4r+Rz4+2u+OxN6qscC03WwguuKkWnRF6eJ0l/0aC/X97HxH3Sz6OcVR9PBxjMS5WA19NqlfY9b7dEt9zaYcF2Zz62oYjTgELu0zy0aLEMoHobawhYoIm1BlWyVY18psMbfR6a0AjLxi2Y1hWtFiFpvWlUSwuSNRrKT/opghnaqgVMUT3DFT03wikNkCjiCfh1SZHY5giQREfY67uyv7T/3zjzihghvslCIuyxcQNMz0Cq/nF9vwnW3pj67pcIFqfyUYtlkh6GHjUIHfMKJFVZenvo+YKnJxqYpD2+LDBbRdQY5n5o2pV3rUZbXSSd4l8FRfnObiwXnRUvKcog2N/U0GkZBQqMXIDZDr6YF2WgHqazo1XNIoLXrOKXa4YtvLS9ENL2ao/sGgdda5LtIutPvgbHZcENUul78Z1Irf8hYUYRnZ4Wk6j3RtmCAdU+YawIPwunEQqne1Pfd/+s+GhFqAeVNwRsUg61DV1N1Q9hN2uUiAyzpqVQJMDPYDiYbYGx7KnTEMvA0
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: b8b6e5f5-527d-43b3-32f3-08dbec3a5c70
X-MS-Exchange-CrossTenant-AuthSource: GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 23 Nov 2023 15:39:20.7323 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: UFTfQ75WBtA2U4DqxrxWtvtyEhuRFZLwrjwtmMewJKptYcaIRs8VhWHYIcajzwFo4uAiF8jBM7s+hniTliEmhw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: GVZP280MB0187
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/ZUElzwogXyAfmR85Odzkg6bKj4E>
Subject: Re: [core] Opsdir last call review of draft-ietf-core-oscore-edhoc-09
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Nov 2023 15:39:31 -0000
Hello Jürgen, Thanks a lot for your review! Please find in line below our detailed replies to your comments. A Github PR where we have addressed your comments is available at [OPSDIR-PR]. Unless any concern is raised, we plan to soon merge this PR (and the other ones related to other received reviews), and to submit the result as version -10 of the document. Thanks, /Marco [OPSDIR-PR] https://github.com/core-wg/oscore-edhoc/pull/16 On 2023-11-13 19:24, Jürgen Schönwälder via Datatracker wrote: > Reviewer: Jürgen Schönwälder > Review result: Has Issues > > I have reviewed draft-ietf-core-oscore-edhoc-09 and while I have a > general understanding about CoAP, I am not familiar with EDHOC or the > details of OSCORE. Perhaps some of my questions have simple obvious > answers for those familiar with the technologies. > > - The document title consists of six token, three of them are > acronyms. This is crisp and short but unless you know the acronyms, > it is hard to tell what this document is about. Sure, expanding all > acronyms in the title makes it long but it might make the abstract, > which uses the acronyms as well, more accessible as well... > > Using Ephemeral Diffie-Hellman Over COSE (EDHOC) with the > Constrained Application Protocol (CoAP) and Object Security for > Constrained RESTful Environments (OSCORE) ==>MT We have changed the title and the abstract, by expanding the acronyms as suggested. <== > > - It is difficult to judge whether there are any possible side effects > of the proposed optimization, which essentially piggybacks the first > OSCORE exchange on the last EDHOC exchange. Optimizations of this > kind sometimes cause subtle side-effects. A security review should > be done to ensure that there is no impact on the security of EDHOC > and OSCORE. I am not able to judge this in a time efficient manner. ==>MT This document builds on the security properties and considerations of EDHOC and OSCORE. There have been security reviews, and no issues have been found. <== > > - It is not clear to me how this works in mixed deployments where some > responders implement this specification but others do not. How does > the initiator figure out whether sending a combined message makes > sense? It seems question is handled by the application profile. But > then section 5. starts with "can include the information below" > followed by some SHOULD text. So what does this combination of "can > include ... SHOULD ..." mean? ==>MT Regarding the first part of the comment: > - It is not clear to me how this works in mixed deployments where some > responders implement this specification but others do not. How does > the initiator figure out whether sending a combined message makes > sense? It seems question is handled by the application profile. Yes, the way for the CoAP Client (the EDHOC Initiator) to know for sure how to run EDHOC in advance is based on its knowledge of the EDHOC application profile to refer to, see https://datatracker.ietf.org/doc/html/draft-ietf-lake-edhoc-22#name-application-profile Note that the general requirement for such a knowledge is not something that this document is creating. Instead, it holds for several aspects of EDHOC, ranging from its authentication methods, to the possible types of authentication credential to use, to the supported External Authorization Data (EAD) items that can be used during the protocol execution. In turn, there are different ways for the Client to gain knowledge of the EDHOC application profile and the information elements included therein. * One way is actually specified in the present document, as relying on link target attributes applicable to the discovery of server resources where to run EDHOC. See Section 6, and in particular the target attribute "ed-comb-req" indicating support at the server for the EDHOC + OSCORE combined request defined in this document. * Another way is being defined in the EDHOC and OSCORE transport profile of the ACE framework for authentication and authorization, as relying on a descriptive EDHOC_Information object that an Authorization Server provides to the Client during the ACE authorization workflow, see https://datatracker.ietf.org/doc/draft-ietf-ace-edhoc-oscore-profile/ * Further ways are being defined in https://datatracker.ietf.org/doc/draft-tiloca-lake-app-profiles/ , as more general methods for coordinating the use of EDHOC application profiles. Such methods include registered numeric identifiers of EDHOC application profiles (in turn possible to express by means of a link target attribute or of a parameter in an EDHOC_Information object mentioned above), as well as a canonical representation of an EDHOC Application Profile as a CBOR data item that can be conveniently distributed and stored. Overall, like it is the case for the main EDHOC specification draft-ietf-lake-edhoc , the present document is not intended to discuss in detail how an EDHOC peer gains knowledge of the EDHOC Application Profile to consider. Yet, it does provide a means to gain knowledge of such related information, i.e., through target attributes in link to EDHOC resources. On the second part of the comment: > But > then section 5. starts with "can include the information below" > followed by some SHOULD text. So what does this combination of "can > include ... SHOULD ..." mean? We literally mean "can include", as "it is possible for it to include". We have rephrased as follows. > It is possible to include the information below in the application profile referred by the client and server, according to the specified consistency rules. Then, the second paragraph builds on the first one with a normative requirement. That is, given the fact that the EDHOC application profiles can include such information (first paragraph), then the application profile associated with an EDHOC resource where the EDHOC + OSCORE request is supported SHOULD say so. This provides early knowledge to a Client, sparing a possible use of the optimized workflow that fails due to lack of support on the Server side. <== > > - What does it mean for the client to 'bear [something] in mind'? > Should the text not spell out clearly what the client is expected to > do in this case (SHOULDS not send a combined EDHOC + OSCORE > request)? ==>MT The quoted paragraph tries to describe two concepts without going too much into details, but admittedly in way that ended up being too terse. We have replaced the paragraph with the following two paragraphs, each mentioning one concept. > In case the application profile indicates that the server supports the optional EDHOC message_4 (see Section 5.5 of [I-D.ietf-lake-edhoc]), it is still possible to use the optimized workflow based on the EDHOC + OSCORE request. However, this means the server is not going to send EDHOC message_4, since it is not applicable to the optimized workflow (see Section 3.3). > > Also, in case the application profile indicates that the server shall send EDHOC message_4, then the application profile MUST NOT specify support for the EDHOC + OSCORE request, and there is no point for the client to use the optimized workflow, which is bound to fail (see Section 3.3). <== > > - Is section 4 telling me that the OSCORE ID and EDHOC ID can be the > same (but they do not have to be the same) while with the proposed > optimization they must be the same? Or is there always an identity > mapping between the OSCORE ID and EDHOC ID? If so, why is section 4 > even necessary? ==>MT Section 4 covers several points, only one of which comes from draft-ietf-lake-edhoc. In Section 4.0, we provide the following information: * The first paragraph is a reminder of the identity mapping between EDHOC Connection Identifiers and OSCORE Sender/Recipient IDs. This is the only information already defined in draft-ietf-lake-edhoc and reminded here. * The second paragraph clarifies that, in the EDHOC + OSCORE request, the EDHOC Connection Identifier C_R is the value of the 'kid' field in the OSCORE Option. To make the text clearer and simpler, we have replaced both paragraphs in Section 4.0 as shown below. OLD > Section 3.3.3 of [I-D.ietf-lake-edhoc] defines the straightforward mapping from an EDHOC connection identifier to an OSCORE Sender/Recipient ID. That is, an EDHOC identifier and the corresponding OSCORE Sender/Recipient ID are both byte strings with the same value. > > Therefore, the conversion from an OSCORE Sender/Recipient ID to an EDHOC identifier is equally straightforward. In particular, at step 3 of Section 3.3, the value of ’kid’ in the OSCORE Option of the EDHOC + OSCORE request is both the server’s Recipient ID (i.e., the client’s Sender ID) and the EDHOC Connection Identifier C_R of the server. NEW > The OSCORE Sender/Recipient IDs are the EDHOC connection identifiers (see Section 3.3.3 of [I-D.ietf-lake-edhoc]). This applies also to the optimized workflow defined in Section 3 of this document. > > Note that, at step 3 of Section 3.3, the value of ’kid’ in the OSCORE Option of the EDHOC + OSCORE request is both the server’s Recipient ID (i.e., the client’s Sender ID) and the EDHOC Connection Identifier C_R of the server. As to Section 4.1, its content is definitely necessary. It defines additional processing required on EDHOC messages, with respect to their base-processing defined in draft-ietf-lake-edhoc, and specifically due to the fact that EDHOC is used to derive keying material for OSCORE. This especially includes normative requirements on the selection of the EDHOC Connection Identifiers C_I and C_R. <== > > I have ticked 'has issues' because there is no reviewer 'has > questions' option. It is most likely that my questions have very > simple answers - so take a look at my questions and it is absolutely > fine to move ahead if my questions have obvious answers or are just a > lack of understanding of the context. ==>MT Thanks again for your comments and questions! <== > > -- Marco Tiloca Ph.D., Senior Researcher Phone: +46 (0)70 60 46 501 RISE Research Institutes of Sweden AB Box 1263 164 29 Kista (Sweden) Division: Digital Systems Department: Computer Science Unit: Cybersecurity https://www.ri.se
- [core] Opsdir last call review of draft-ietf-core… Jürgen Schönwälder via Datatracker
- Re: [core] Opsdir last call review of draft-ietf-… Marco Tiloca