[core] Re: Deb Cooley's No Objection on draft-ietf-core-oscore-groupcomm-27: (with COMMENT)

Marco Tiloca <marco.tiloca@ri.se> Fri, 12 December 2025 18:53 UTC

From: Marco Tiloca <marco.tiloca@ri.se>
To: The IESG <iesg@ietf.org>, Deb Cooley <debcooley1@gmail.com>
Thread-Topic: Deb Cooley's No Objection on draft-ietf-core-oscore-groupcomm-27: (with COMMENT)
Thread-Index: AQHcNukbYBu5jGnt0Eq66gXtyvlE97UewBu0
Date: Fri, 12 Dec 2025 18:53:11 +0000
Message-ID: <GV3P280MB0450A9676E348C5F4A7DC4D699AEA@GV3P280MB0450.SWEP280.PROD.OUTLOOK.COM>
References: <175977276793.3868362.14869862667669274421@dt-datatracker-6c6cdf7f94-h6rnn>
In-Reply-To: <175977276793.3868362.14869862667669274421@dt-datatracker-6c6cdf7f94-h6rnn>
Accept-Language: en-US
Content-Language: en-US
msip_labels: MSIP_Label_680afd86-dcf7-4483-b9eb-5af1dcd104e1_Enabled=True;MSIP_Label_680afd86-dcf7-4483-b9eb-5af1dcd104e1_SiteId=5a9809cf-0bcb-413a-838a-09ecc40cc9e8;MSIP_Label_680afd86-dcf7-4483-b9eb-5af1dcd104e1_SetDate=2025-12-12T18:53:10.610Z;MSIP_Label_680afd86-dcf7-4483-b9eb-5af1dcd104e1_Name=K2 Intern;MSIP_Label_680afd86-dcf7-4483-b9eb-5af1dcd104e1_ContentBits=1;MSIP_Label_680afd86-dcf7-4483-b9eb-5af1dcd104e1_Method=Standard;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ri.se;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GV3P280MB0450:EE_|GVZP280MB0057:EE_
x-ms-office365-filtering-correlation-id: 539347d6-e865-428d-03a4-08de39afb292
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|1800799024|376014|19092799006|366016|7053199007|8096899003|38070700021|13003099007;
x-microsoft-antispam-message-info: AQgyqfjaecN3i/Z19DwCYr+IJtddbSA64NZeHWH+8+IaIDJcmSPDEx61X2c0qz17mw7iUqu6MMbtSW58Tsg7d5ua+oXAczflrvidaMBTJci/cFV3mLqJLyFXmRslg1VyeBIU16RrAUkCvn+0LtkS+c+Mrv5cZyjud4A9iwAP9d2hLosTfLWB6LPebwY9kUh04jI8J9PqvOsseN4EY3ZlsDWqd5n8QRB/czdnHLPjJNh6YQfdzm++z0QoFIk7GirZRR+0L+D9BjM0y8numSHxGdrpeCc0JjQP4aNftitZh0RNsCErqekOpuaIWeQLa+8ZyzBY6akLrgBaP0jDL7r6KKI8rprxM2mhNPHGwZLaxh958FM91WmYZwwus+gOyna8+kk6/nhS14wDLQ4FoQPm3YilOAkR3TTEvPSMb6x50HAT/ZYWbdCbopaM598a0RYYOaWnakfJohDkSPhByWPyLaowSMUKWv3QZwHaJkPTWTh4TjOYN54SUTH6qkBHkqTFy4nVpHrrNOWiR6pfKm5ZuUjzhwY70sRkQAP9MXRDnh/NcqeRwTVXhXRxMQsX2UFFUu3QXhyfrH4Z9uc9NupTNu/Ancqza2kWicVtjgFbUaRkVuxlF2cz6oVqpjSYrJLPzTEFDOxts5qyVplaBJC9oCZdYSGlNsw4+Ldxd5znLtWTiISLTKtexNNcaktr0mFmmis2M4ivRt0EbmK7q64zxbbmGxAoqSSrYYnSmf/dVrxyAhSpHPXBI54U2eAhUVD+rlPDa6fxMfGmtC6KEB8WJY/hThyukmLgNXGYhT9ngPKnEwgKrhLOX54GvYCZOdj27Xq+tMDNQdrQVHmNZU7xK/tem8ZK5ZXymJFhCmjH9TYXH9nMn8eGyXwiXuYP0EqhoCAUdD2JVoWeh8DJqSg5NyxripU+kPHxR2SdSQcHpv7mFjmkxjRfOb0cGyLxegxxKhMxlFR6fxnW2wfQJyb92wUcTKL5altQ78381lzAoitC53kQqF5mVsufagvlgXo41+Sb08jgsj1PMZhLmLBbxcrlAMZgTAnh5IinJ1C/07fqCrheUjK2vWO305eg7dZR2vy5LfwsSfmivuC6/CY1kLU4hBRWoA8AMob5W2wPgrl7g2XydmeUVWiQ+D9orGr/94FIUqvAYhRsqRRszEyV1Qxs2wo9lLIicYJVCGSurIU0idTtela5mUvtaODQLQojjDJym654Sms9u5tzDGu13Pj5PMHf7gKwt5mMKTe0yU4EkLj2kFkYylM43ZxPxTWWcIVNkMfGBg2lw+AIdmVsGE9UszonE+RMBvmd5/Nn5Z3dCWebkQ6PNHY7mZjFQPkaqGWDMhODjFrmWvDUuC6pePVPK8jEjKkoIkc8HSzKVXcpj5q7Hn18CqunyejS4bcxMoHgitRrSVjKqTH7W3ku25elUw4AVvcHbvh9VlsDqwFqGOl6cf1UimpjxZOBY6YIuTp/vUQjsSgUnc8T91OPDojd2luGHvw79AGpU1z3ENSE13chUMBXoa654PoHnHhV
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:GV3P280MB0450.SWEP280.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(376014)(19092799006)(366016)(7053199007)(8096899003)(38070700021)(13003099007);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: B29+6yJ3Y1HX51jlEIpljqMTqdk4neJyxogzu6Qw5WZ1J8OQ8zu83v0TAjwUzzkiK9nC6FyrAmwnD74yT/iKE/1mdsmMdVlHplCzQCjAy6OA9V4KClXn0WChhL3gYUBirIT0ptzoSl9luQV4Xe0Z9Q6SE8wP/Rya30tskUR0BNlxwIBXofn27gP9324AE0QGzMA5EjCAoZ/GbudaK8bJJrBCuNySHs9/R96WhEu4AptAhC8C4qKLCS4R7ohVMo2LCvSnckvwxurqq2luO3QiWA3CjnUsa6vvuvhFIqGAlyhNpKgHrYwJ6WMrRNTPTQbdEMfkNtlCdo3TTJKeSvCnT8xj0SHeQECvL0qUgQHs7qWjSdi9bs7Lvuq8ohvY1oVTizU43JiH20TuuzZ7wYEGlxotwfxOODUQ3+5GMg+ygLFpITV9o7ptMJbOWJvQVXPe17nrr8IPDQgvbhzfiiJ8fXjUBg4xhxN5UbjO9MeIwsEHVbjBucQHXPSOO0Legr3fxHnSENUTtLXWplxzH0wTqnr4uOUxTpWNZ5M5vYOMCSBTDdj02+X+eJ0g7fuCkl5L6uKshIagSwhVEivKNvlIIlhzxg9g+ddM+p1uRLqzE1EulxcJKQvClwAJ65ysmzGXHCHiz5mljPD99GR7IIWze05JaC9yxtPiy4osAg35XKnevVNm8Hr66sQOIcD9+evnZPh18b2gBAm8+PQcCuPPNjA3FHkIYfDP46Tp5YiYU3OHXtvrvOkmAdMypE4FX0AD1zXDP4n64JnQlmjhsDpbmuvslpcFQbi/1RHeP2k2++mcX8Tt3nFlvn3auYIzY1C4byB4+qoq2rndHJj/30SKKwDjoFx2KXBJs6aQYet/MIlz9XkXIdyyGdCUTA6W3imjrJ3ErZirryPSrSgbYsZ/7wO9sSZ82J9ef9CYN+IWVYUOvE+Rblc1LzSpGuzICclz6DIxlONZx7H8PmcLjAmZEZqqvt6BTbGbHAjOf9eYl08pwq1wmrdPsUbYbGoqP2pAiOPfxTkFhHMizhxlFyLk1LdVuAdKlcRocGOrTurZaZv4vPKe8fya3B/BneoPwWWIveIaYCJnWcan/doxcBOVCCoRl+E+PYcj6tNYxaCG+ahwqMVF3bwZ8kb1GpuQpmfmtovmpcqaETt1oqsHCsjBceTNAqJ3s0sP5F/p6XQHKJO84ekawXTUSAWFj/tkwPnC5MAiaFBgO+6Hhy9EvtSiCh7emqF0nfPjU/DtWzZgE/oCEkfm8FQw44lWAMOQ89PXtDBKm9bKsQumF6+Yq9rH38Kk3NJ4mICPMl34HeAeYoogRBb9Um6yojJ9N7VRfk/OxrivbqBTpEM/ZL0BKyyCEBIGA8NH/+uOTrIUJ+8wkms5TodsuEu/Cz4HxdKeFYTMhrZ6pwGB1D4CCk3ZM86uThh9GAxA63yICBy9eG8SVsSqoo52Q0ImOABDmzJLWF4VqPYBgCG/Ztbhs4ZDMCq1aWFwYazFgbPDbatU7ygVn9MeauF7PBOFfO0TJy6h3j2pX3q8WXPipg4YBAzLM9xTJGj2OPeRHyLRJehSvezbaDk=
Content-Type: multipart/alternative; boundary="_000_GV3P280MB0450A9676E348C5F4A7DC4D699AEAGV3P280MB0450SWEP_"
MIME-Version: 1.0
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GV3P280MB0450.SWEP280.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 539347d6-e865-428d-03a4-08de39afb292
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Dec 2025 18:53:11.0736 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: zp1n0R0d/qhYO8zWGnaIrkjsO0pHisSXAZulaDCQ8lRXIYVi3gQ5/tkQvlFwh4KGW1U5wU2sYGTpItcOmKAaHA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: GVZP280MB0057
Message-ID-Hash: A74YUGDCHRXARWKGDKHJRH67UWH7PJTC
X-Message-ID-Hash: A74YUGDCHRXARWKGDKHJRH67UWH7PJTC
X-MailFrom: marco.tiloca@ri.se
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-core.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "draft-ietf-core-oscore-groupcomm@ietf.org" <draft-ietf-core-oscore-groupcomm@ietf.org>, "core-chairs@ietf.org" <core-chairs@ietf.org>, "core@ietf.org" <core@ietf.org>, "christian@amsuess.com" <christian@amsuess.com>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [core] Re: Deb Cooley's No Objection on draft-ietf-core-oscore-groupcomm-27: (with COMMENT)
List-Id: "Constrained RESTful Environments (CoRE) Working Group list" <core.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/vKRlDKLR4ByQVtvj7E-wvUatAWs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Owner: <mailto:core-owner@ietf.org>
List-Post: <mailto:core@ietf.org>
List-Subscribe: <mailto:core-join@ietf.org>
List-Unsubscribe: <mailto:core-leave@ietf.org>

Hello Deb,

Thanks a lot for your review! Please find in line below our detailed replies to your comments.

A GitHub PR where we have addressed your comments is available at [PR].

Unless any concern is raised, we plan to soon merge this PR (and the other ones related to other received reviews) and to submit the result as version -28 of the document.

Thanks,
/Marco

[PR] https://github.com/core-wg/oscore-groupcomm/pull/124

________________________________
From: Deb Cooley via Datatracker <noreply@ietf.org>
Sent: Monday, October 6, 2025 7:46 PM
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-core-oscore-groupcomm@ietf.org <draft-ietf-core-oscore-groupcomm@ietf.org>; core-chairs@ietf.org <core-chairs@ietf.org>; core@ietf.org <core@ietf.org>; christian@amsuess.com <christian@amsuess.com>; christian@amsuess.com <christian@amsuess.com>
Subject: Deb Cooley's No Objection on draft-ietf-core-oscore-groupcomm-27: (with COMMENT)

Deb Cooley has entered the following ballot position for
draft-ietf-core-oscore-groupcomm-27: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fabout%2Fgroups%2Fiesg%2Fstatements%2Fhandling-ballot-positions%2F&data=05%7C02%7Cmarco.tiloca%40ri.se%7Cb97e891e8e974cbf953308de05003bc8%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638953695736730514%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=pFxz8ALu3n%2F76bs%2FGu1vogYPZ3gNDkgRy10S1O2eprk%3D&reserved=0<https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/>
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-core-oscore-groupcomm%2F&data=05%7C02%7Cmarco.tiloca%40ri.se%7Cb97e891e8e974cbf953308de05003bc8%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638953695736752306%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=EWH3EL07J3ULFlPZ1vxNkiYdM9hPcYwsdiBhJuYAgSY%3D&reserved=0<https://datatracker.ietf.org/doc/draft-ietf-core-oscore-groupcomm/>



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------


While I'm balloting No Obj on this draft, I'd like a response to the comments
I've listed below.

This draft is appears to be quite complicated (and require knowledge of no less
than 9-10 specifications).  A quick review shows that there are plenty of
places where signat encryption, and key agreement are confused. Crisper use of
terminology here would be best. I've given an example below, and I'd be happy
to help work on this.

Thanks to Mališa Vučinić for their secdir review.

==>MT

Thanks for pointing out the inexplicable confusion of encryption and ECDH.

Later in this response, we have listed a few other instances in the same example. Please let us know if there is still confusion.

<==


Section 1.1:  Use of the phrase 'Master Secret' is being replaced (TLS has
already removed it).  Will it be replaced here, maybe with a note to the pre
existing specifications? [Note:  this applies to 'Master xxxx']

==>MT

The term 'Master Secret' as used in this context was coined in RFC 8613, and in another age.

As you noted, there are already a number of related publications in this area and this term is used in several ones, including RFC 9031, RFC 9203, RFC 9528, RFC 9668, 3GPP AKMA (TS 33.535), and OMA Specworks L2wM2M (core specification).

Changing the terminology in this document will most likely not cause any change in the use of this established term and only create confusion. The change of this particular term has been discussed before, for example in the review of what became RFC 9528, and the agreement at the time was to not make any change.

With this in mind, we propose to stay with the terminology currently used.

<==


Section 2, Authentication Credential Format:  This section references Section
2.1.5, which then references Section 2.4 without much clarifying information.
Recommend skipping the double ref and just reference Section 2.4 here.

==>MT

With reference to the inner bullet point in Section 2.0:

> The new parameter Authentication Credential Format, specifying the format of authentication credentials used in the group (see Section 2.1.5).

The final part of the sentence can indeed better refer to Section 2.4.

The first part of the sentence can still refer to Section 2.1.5, where the parameter Authentication Credential Format is introduced. The intent of Section 2.1 is to have a section 2.1.x for each parameter of the Common Context.

With that in mind, we have made the following rephrasing:

OLD
> The new parameter Authentication Credential Format, specifying the format of authentication credentials used in the group (see Section 2.1.5).

NEW
> The new parameter Authentication Credential Format (see Section 2.1.5), specifying the format of authentication credentials used in the group (see Section 2.4).

<==


Section 2, Signature Encryption Key:  Not entirely sure what this means.  Is
this a symmetric key? (it is apparently an AEAD or something like that.

==>MT

In Section 2.0, "Signature Encryption Key" is just referring to a parameter.

Its content is defined in the referred Section 2.1.9, which says that the parameter specifies the encryption key named Signature Encryption Key.

The Signature Encryption Key is an encryption key that is derived by means of the same HKDF-based construct used to derive AEAD encryption keys (see Section 3.2.1 of RFC 8613).

However, the Signature Encryption Key is not used to perform an AEAD encryption. Rather, it is used for deriving a keystream to encrypt/decrypt a countersignature (see Sections 4.1, 4.2, 7.2, and 7.4)..

To clarify, we have made the following consistent rephrasing in Section 2.0:

OLD
> Group Encryption Algorithm, used for ...

NEW
> Group Encryption Algorithm, specifying the algorithm used for ...

OLD
> Signature Algorithm, used for ...

NEW
> Signature Algorithm, specifying the algorithm used for ...

OLD
> Signature Encryption Key, used for ...

NEW
> Signature Encryption Key, specifying the encryption key used for deriving a keystream, which is in turn used for ...

<==


Section 2, pairwise mode:  static-static DH to derived a shared secret, etc.
isn't common...  for a reason.  Please explain why it is ok in this
specification.

==>MT

Given two endpoints, their static key pairs are used only to derive a Diffie-Hellman shared secret (see Section 2.5.1).

In turn, the shared secret is only one input to the derivation of the pairwise keys that are effectively used to protect messages with the pairwise mode of Group OSCORE.

Other inputs are the Sender Key and Recipient Key of the two endpoints, which are in turn derived from the group keying material of the latest established Security Context and from the latest enpoint identifiers.

Effectively, the Sender Key and Recipient Key are used to "salt" the derivation of the Pairwise Sender/Recipient keys.

In fact, as explained in the second from last paragraph of Section 2.5.1, the pairwise keys are discarded after "establishing a partially or completely new Security Context (see Section 2.6 and Section 12.2)". Consequently, newly computed ones will build on the same Diffie-Hellman shared secret (due to the static Diffie-Hellman keys), but on different Sender/Recipient keys used as salt.

A related point was raised in another review during IESG evaluation, for which we are also updating the document as below.

* In Section 2.1.10, we have added a new paragraph after the currently first one:

> When two endpoints compute their Diffie-Hellman shared secret, the Pairwise Key Agreement Algorithm takes as input the static-static Diffie-Hellman keys of the two endpoints. The lifetime of those keys is the same as the lifetime of the authentication credentials that the two endpoints use in the group. As detailed in Section 2.5.1, the derivation of the pairwise keys takes as input not only the Diffie-Hellman shared secret, but also group keying material from the latest established Security Context.

* In Section 2.5.1, we have swapped and updated the last two paragraphs as below:

OLD
> After establishing a partially or completely new Security Context (see Section 2.6 and Section 12.2), the old pairwise keys MUST be deleted. Since new Sender/Recipient Keys are derived from the new group keying material (see Section 2.2), every group member MUST use the new Sender/Recipient Keys when deriving new pairwise keys.
>
> As long as any two group members preserve the same asymmetric keys, their Diffie-Hellman shared secret does not change across updates of the group keying material.

NEW
> As long as any two group members preserve the same asymmetric keys, their Diffie-Hellman shared secret does not change across updates of the group keying material. **The lifetime of those keys is the same as the lifetime of the authentication credentials Sender Auth Cred and Recipient Auth Cred.**
>
> After establishing a partially or completely new Security Context (see Section 2.6 and Section 12.2), the old pairwise keys MUST be deleted. Since new Sender/Recipient Keys are derived from the new group keying material (see Section 2.2), every group member MUST use the new Sender/Recipient Keys when deriving new pairwise keys.

<==


Section 2.1.7, para 2:  It is odd that AES CBC mode is being suggested, give
the issues with the CBC mode.  What makes CBC mode more appropriate than CTR
mode?

==>MT

Thanks for this comment.

After more discussion and considerations, we believe that it is actually better to avoid AES-CBC (also due its padding and related vulnerabilities) and instead consider AES-CTR as a possible non-authenticated Group Encryption Algorithm to use.

To this end, we have also defined in detail how to compose the 128-bit counter block for encryption, building on the Group OSCORE nonce computed as defined in Section 3.3 of the present document.

In particular, we have updated the draft as follows:

**2.1.4 "Common IV"**

We have added the following text at the end of the section:

NEW
> If the Group Encryption Algorithm is A128CTR, A192CTR, or A256CTR (see Section 4 of [RFC9459]), then the length of the nonce used by that algorithm is 12 bytes (see Section 2.1.7).

**2.1.7 "Group Encryption Algorithm"**

We have replaced the last paragraph as below.

OLD
> A non-authenticated algorithm MUST NOT be used as Group Encryption Algorithm if it is not possible to ensure uniqueness of the (key, nonce) pairs. This is the case, for instance, for A128CTR, A192CTR, and A256CTR [RFC9459]. Instead, examples of non-authenticated algorithms that can be used as Group Encryption Algorithm are A128CBC, A192CBC, and A256CBC [RFC9459].

NEW
> In order to be eligible to use as Group Encryption Algorithm, a non-authenticated algorithm MUST ensure that the same key is not reused with the same IV or intermediate values used in the algorithm, e.g., for algorithms that increment the IV internally. If a non-authenticated algorithm does not fulfill the requirement above, that algorithm MUST NOT be used as Group Encryption Algorithm.
>
> Examples of non-authenticated algorithms that can be used as Group Encryption Algorithm are A128CTR, A192CTR, and A256CTR (see Section 4 of [RFC9459]). When either of those three algorithms is used, the following applies:
>
> * A 12-byte nonce MUST be computed as defined in Section 3.3 of this document.
>
> * The Initialization Vector (IV) used in Section 4 of [RFC9459] is equivalent to the nonce above (12 bytes) concatenated with 0x00000000 (4 bytes), in this order.
>
> * The algorithm MUST NOT be used to encrypt a plaintext or decrypt a ciphertext whose length is larger than 64 GB (i.e., 2^36 bytes).
>
> The non-authenticated algorithms A128CBC, A192CBC, and A256CBC (see Section 5 of [RFC9459]) MUST NOT be used as Group Encryption Algorithm.
>
> Future specifications can admit alternative non-authenticated algorithms that can be used as Group Encryption Algorithm. When doing so, it MUST be defined how to securely compose the IV and possible intermediate values used in the algorithm, building on the nonce computed as defined in Section 3.3 of this document. Absent such a specification, alternative non-authenticated algorithms MUST NOT be used as Group Encryption Algorithm.

**Section 10 Implementation Compliance**

We have update the text as below:

OLD
> For endpoints that use non-authenticated encryption, the algorithm A128CBC defined in Section 5 of [RFC9459] is mandatory to implement as Group Encryption Algorithm (see Section 2.1.7).

NEW
> For endpoints that use non-authenticated encryption, the algorithm A128CTR defined in Section 4 of [RFC9459] is mandatory to implement as Group Encryption Algorithm (see Section 2.1.7).

OLD
> Section 6 of [RFC9459] mandates that COSE libraries supporting either the AES-CTR or AES-CBC algorithm and accepting Additional Authenticated Data (AAD) as input must return an error if one of these non-AEAD content encryption algorithms is selected.

NEW
> Section 6 of [RFC9459] mandates that COSE libraries supporting the AES-CTR algorithm and accepting Additional Authenticated Data (AAD) as input must return an error if AAD is provided when such a non-AEAD content encryption algorithm is selected.

**13.1 Implementation \#1**

We have update the text as below:

OLD
> ... ChaCha20/Poly1305, A128CBC, A192CBC, A256CBC.

NEW
> ... ChaCha20/Poly1305, A128CTR, A192CTR, A256CTR.

**13.2 Implementation \#2**

We have update the text as below:

OLD
> The following COSE encryption algorithms: 1-3, 10-13, 24, 30-33, -65531

NEW
> The following COSE encryption algorithms: 1-3, 10-13, 24, 30-33.

**13.3 Interoperability**

We have update the text as below:

OLD
> - (ChaCha20/Poly1305, AES-CCM-16-64-128).
>
> - (A128CBC, AES-CCM-16-64-128).

NEW
> - (ChaCha20/Poly1305, AES-CCM-16-64-128).

<==


Section 2.5:  EdDSA and ECDSA are mentioned in the section, I assume one would
use ECDH for key agreement (vice encryption).  While this section doesn't need
every detail to be perfect, it needs to be closer than this.  Perhaps something
like:  'Elliptic Curve Cryptographic public/private key pairs can be used for
both signature and key agreement'.

==>MT

We have identified and fixed the following confusing text.

**Section 2.5 (first paragraph)**

OLD
> Certain signature schemes, such as EdDSA and ECDSA, support a secure combined signature and encryption scheme.

NEW
> In certain Elliptic Curve Cryptographic schemes, it is possible to use public/private key pairs with both signature operations (ECDSA or EdDSA) and key agreement operations (ECDH).

**Section 2.5 (second paragraph)**

OLD
> Group OSCORE keys used for both signature and encryption MUST be used only for purposes related to Group OSCORE.

NEW
> Group OSCORE keys used for both signature operations and key agreement operations MUST be used only for purposes related to Group OSCORE.

**Section 8**

OLD
> ... , the signature scheme of the group mode MUST support a combined signature and encryption scheme.

NEW
> ... , the public/private key pairs used for signature operations of the group mode MUST be possible to also use for key agreement operations.

<==


Section 5.1, para 3:  'remain active indefinitely',  seems like a bad idea,
especially if the group is rekeyed.  Maybe put a cap on how long?  Especially
from a cryptography point of view.

==>MT

We agree that "indefinitely" might give a wrong impression and is not accurate.

As a start, we have removed "indefinitely" from the quoted sentence in Section 5.1, i.e.:

OLD
> Group OSCORE allows a long exchange to remain active indefinitely, even if the group is rekeyed (thus changing the ID Context) or the client obtains a new Sender ID.

NEW
> Group OSCORE allows a long exchange to remain active, even if the group is rekeyed (thus changing the ID Context) or the client obtains a new Sender ID.


Per Section 3.4, a long exchange can remain active precisely throughout instances of group rekeying, thanks to the 'request_kid_context' element within the aad_array used for processing a message. That element "enables endpoints to safely keep a long exchange active beyond a possible change of Gid (i.e., of ID Context), following a group rekeying".

In fact, there is a cap for the duration of a long exchange. This is summarized by the last paragraph of Section 5.1:

> Upon leaving the group or before re-joining the group, a group member MUST terminate all the ongoing long exchanges that it has started in the group as a client. This frees up the CoAP Token associated with the corresponding request.

In addition to that, a group member might be evicted from the group precisely to prevent by construction that any long exchanges can remain active unsafely.

This concerns a particular, delicate situation that can arise during the lifetime of a group and throughout instances of group rekeying, if the Group Manager is configured to reassign Gid values as defined in Section 12.2.1.1.1.

In such a case, in the interest of safely preserving long exchanges, the Group Manager has to additionally store the "Birth Gid" of each group member, i.e., the Gid that was provided to that member at its latest group (re-)joining.

When rekeying the group and thereby establishing a new Gid value, the Group Manager must determine whether there are "elder" group members whose associated "Birth Gid" is equal to the new Gid to establish. If that is the case, then the group rekeying has to effectively evict from the group also such group members.

Consequently, as stated at the end of Section 12.2.1.1.1:

* Excluded elder members could eventually re-join the group, thus terminating any of their ongoing long exchanges.

* It is ensured by construction that there cannot be long exchanges that are active unsafely. That is, it is ensured that no client can have with the same server two ongoing long exchanges, such that the two respective requests were protected using the same Partial IV, Gid, and Sender ID.

<==


Section 14.11:  Is secure distribution of these keys discussed in any of the
many of specifications referenced?  It does not appear to be addressed in this
draft.  (nor is it listed as out of scope).

==>MT

We believe that this comment builds on the sentence:

> This includes the case where the Group Manager rekeys the group by generating and distributing a new Master Secret.

Both points raised in the comment are covered in Section 12.2, which says:

> The specific group key management scheme used to distribute new keying material is out of the scope of this document. A simple group key management scheme is defined in [I-D.ietf-ace-key-groupcomm-oscore].

The referred document specifies a possible realization of Group Manager, which provides all the functionality expected for a Group Manager and compiled in Appendix D of the present document.

<==

[core] Deb Cooley's No Objection on draft-ietf-co… Deb Cooley via Datatracker
[core] Re: Deb Cooley's No Objection on draft-iet… Marco Tiloca
[core] Re: Deb Cooley's No Objection on draft-iet… Deb Cooley
[core] Re: Deb Cooley's No Objection on draft-iet… Marco Tiloca
[core] Re: Deb Cooley's No Objection on draft-iet… Deb Cooley