[core] Review of draft-hartke-core-e2e-security-reqs-01
Jim Schaad <ietf@augustcellars.com> Tue, 02 August 2016 22:00 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A9F012D8D9 for <core@ietfa.amsl.com>; Tue, 2 Aug 2016 15:00:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level:
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LZbxZNQYbV_B for <core@ietfa.amsl.com>; Tue, 2 Aug 2016 15:00:52 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1F0D12D663 for <core@ietf.org>; Tue, 2 Aug 2016 15:00:51 -0700 (PDT)
Received: from hebrews (24.21.96.37) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Tue, 2 Aug 2016 15:12:16 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: draft-hartke-core-e2e-security-reqs@tools.ietf.org, core@ietf.org
Date: Tue, 02 Aug 2016 15:00:40 -0700
Message-ID: <036801d1ed09$507ef080$f17cd180$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0369_01D1ECCE.A424D370"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdHsNDP6Rd+0VoZ9RbOcD9Mip82KVw==
Content-Language: en-us
X-Originating-IP: [24.21.96.37]
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/j1yoWn9gptGIIznba1FQEYRHzAI>
Subject: [core] Review of draft-hartke-core-e2e-security-reqs-01
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2016 22:00:54 -0000
Before anything else, let me re-iterate what I said at the F2F meeting. This document is so much clearer and easier to read than was the -00 version that it does not even appear to be the same document. I want to really thank you for the work you did in re-writing it. That being said, I still do have some comments on draft that I would like to you consider. Jim 1. Note that the title of the COSE document has changed you should pick that up. 2. Section 2.1.1 - Should "client receives a response" include * (Threat ?) The proxy returns a stale or outdated response based on data it previously obtained from the origin server or some fourth party. I'm thinking of both out of date caches and poisoned caches. Note that these are valid from a security point of view, but not 'fresh' 3. Section 2.1.1.3 - based on a brief look at mattsson-core-coap-actuators, it appears to have some solutions to the Withholding attack as well as the Delaying attack. This should probably be noted. 4. Section 2.1.1.5 - It is not clear to me that there is a requirement that all messages be protected from eavesdropping. It might just be the way things are stated here, but there is a difference between the fact that the solution must provide a method to deal with this and the fact that integrity protection might be sufficient in some cases. This would also influence the analysis below in some cases. 5. Section 2.1.1.5 - You need to have a better statement of what it means to provide forward secrecy. This requirement would appear to potentially rule out the use of the same session content encryption key for multiple messages. I do not believe that is true, but given that we are looking a message based security some people might think this is the case. I would expand this statement to define the conditions under which PFS must be provided. 6. Section 2.1.2 - Do you consider a proxy re-ordering requests to be a threat? 7. Section 2.1.2.1 - Next to last para. I am not sure that 'involve' is the correct word in this sentence. Perhaps you meant 'include' 8. Section 3 - when I look at figure 10, I keep feeling that it is not a complete picture of what you need to be looking at Security Assn Security Assn +-----------------+ +---------------+ | | | | ____________ __________ ___________ | | | | | | | |----->| |<------| | | Subscriber | | Broker | | Publisher | | |<-----| |------>| | |____________| |__________| |___________| : : '--------------------------------------' Security Association There needs to be a discussion of all of the different potential security associations in this diagram. Some of these can be reduced to simple client-server associations, but some of the implications of this diagram are potentially used for the entirety of the picture. Examples of things that can be looked at: a) The broker is the one that will do enforcement of access control. If this is not true then all subscription requests would really need to be passed onto the publisher to ensure that the subscriber is to have access. And we now have new thread of the broker granting access to a subscription stream when it should not. b) The broker may validate that messages from the publisher are in fact from the publisher, but be unable to look at the content of the message. c) The broker may need to have some details of the SA between the subscriber and the publisher. For example, what happens if the key used to encrypt/protect the message gets updated or if the publisher is generating the same stream but using two different group keys. In the first, is this an issue for the client or for the broker. In the second case there are effectively two different streams with the same name that need to be identified by the broker and the correct responses sent to the client. These are examples of what I meant in the F2F when I said that you have a semi-trusted broker. It is trusted with information about the subscription stream and allowed to enforce it. But it is not allowed to have access to the actual content of the stream. 9. Threats in section 3 also include * out of order delivery of items. * Issues about a broker either granting or denying access to a stream. * Subscriber does not receive a response because the broker pre-maturely unsubscribes the subscriber
- Re: [core] Review of draft-hartke-core-e2e-securi… Jim Schaad
- Re: [core] Review of draft-hartke-core-e2e-securi… Klaus Hartke
- [core] Review of draft-hartke-core-e2e-security-r… Jim Schaad
- Re: [core] Review of draft-hartke-core-e2e-securi… weigengyu
- Re: [core] Review of draft-hartke-core-e2e-securi… Jim Schaad