[core] Re: Paul Wouters' No Objection on draft-ietf-core-oscore-groupcomm-27: (with COMMENT)
Marco Tiloca <marco.tiloca@ri.se> Fri, 12 December 2025 18:37 UTC
Return-Path: <marco.tiloca@ri.se>
X-Original-To: core@mail2.ietf.org
Delivered-To: core@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 617DE99C8C91; Fri, 12 Dec 2025 10:37:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=ri.se
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XfZPYGy9mWmw; Fri, 12 Dec 2025 10:37:11 -0800 (PST)
Received: from MM0P280CU010.outbound.protection.outlook.com (mail-swedensouthazon11012057.outbound.protection.outlook.com [52.101.77.57]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 1C52F99C8C78; Fri, 12 Dec 2025 10:37:11 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=tzXRYQPQeOdyVbzT1K6wutQp4DtBgjfnNJb08QMYBMTdQerXPyxFMfUQ942SdHpxzXWu9IwSK9uwclqNSRZARoESzRBf5B9hUZZ6HKg0Vv9InCQ4mjjTif8exZyLO/lGyA8OF1jDsaQ9o6chbFEZjMJcRixL/SQ2Eo75vn9devl6AYcSPaY0WtAXnXN1z77o5HdVxzYWq83ODf5PbIMsoV+XUCpZX7nehT9ALw0iZuTXVyNyI9ouZbe2g7tDwHu1AoSOtIXRIA2MU1Rl1cxLGxowGXIrBm+22S5U/DPn3leflIjf3xaRkMdpuHewtS/shglF5YYBHnJno9SnGpLNYg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ELdFdoCX1GospbMLZLi7QJaOFHdZ8A1MyHTUu7ZkGP0=; b=Hhx8pw1UIeQyRX1SeJLddOIvgRwQrMddX1cdglkwTjThTGliwnn6vLE7aM5dQpn+yiR4ebpg2jwUjGxZdb9TPAz2xC0umAUbHUI7iemEVBGVAo2d00ROFH9cTdedPYHkc3RVf6el5zezQvni6qDLKBPUA1WUXBjrxMZClsxOd32QbqXGtkXN/JujhWvZXHJrijDQyzESYwe3xjtLPY+dtFOCWO26oBxFp/L2cx7IydaAhrnwzFoyxIOTtU7wrZrsTczDO/Cj6PVoyNbiGG4ZUkJx3fNja6KZzRj+siaKPfFRmF23vrV/dZLvfNmIjDfHwEnFG8Zx2WeWcPKgKXo0Uw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ri.se; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ELdFdoCX1GospbMLZLi7QJaOFHdZ8A1MyHTUu7ZkGP0=; b=KQ0/cjG5XiLp+mTmfWp0Uw1qOmatKeEd+oWaUyGF0R84aDCN9dDbRmwImKUk91qt/OuRNLCp0VtPwn5koVLEWrB33VvgOHGnL3snZ0UR/9pRg99p/bRH1dW1kUyrfods85FDjKsUDF6BYzSK+4yh3fQpL/cXTh+JaJQ+j5sqj3tgheqahHX+V12Fm43t+xGgJPZhbuJjRqYaS/hpyP4ib4OgmwgpB8aIqmyOB9MIyEKPQ3vcqnjZJ5k8HB2R+s//OMKRIUhrXP8V4V1pHfCHTqJGd0jBAE1IP2iZioebcbfXSEa+1OTcrs9CwTAT7EH3fztPUZWnloAaJNxamao69g==
Received: from GV3P280MB0450.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:11::7) by MM0P280MB0360.SWEP280.PROD.OUTLOOK.COM (2603:10a6:190:13::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9412.10; Fri, 12 Dec 2025 18:36:59 +0000
Received: from GV3P280MB0450.SWEP280.PROD.OUTLOOK.COM ([fe80::660a:b243:998d:77df]) by GV3P280MB0450.SWEP280.PROD.OUTLOOK.COM ([fe80::660a:b243:998d:77df%6]) with mapi id 15.20.9412.011; Fri, 12 Dec 2025 18:36:58 +0000
From: Marco Tiloca <marco.tiloca@ri.se>
To: The IESG <iesg@ietf.org>, Paul Wouters <paul.wouters@aiven.io>
Thread-Topic: Paul Wouters' No Objection on draft-ietf-core-oscore-groupcomm-27: (with COMMENT)
Thread-Index: AQHcRB63eQ1cCiUyOEuJFXljeqh0iLUeopg/
Date: Fri, 12 Dec 2025 18:36:58 +0000
Message-ID: <GV3P280MB0450124103183C74FC1BD0C899AEA@GV3P280MB0450.SWEP280.PROD.OUTLOOK.COM>
References: <176122512744.285639.13946756195871342757@dt-datatracker-675c8fd764-bsflw>
In-Reply-To: <176122512744.285639.13946756195871342757@dt-datatracker-675c8fd764-bsflw>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_680afd86-dcf7-4483-b9eb-5af1dcd104e1_Enabled=True;MSIP_Label_680afd86-dcf7-4483-b9eb-5af1dcd104e1_SiteId=5a9809cf-0bcb-413a-838a-09ecc40cc9e8;MSIP_Label_680afd86-dcf7-4483-b9eb-5af1dcd104e1_SetDate=2025-12-12T18:36:58.220Z;MSIP_Label_680afd86-dcf7-4483-b9eb-5af1dcd104e1_Name=K2 Intern;MSIP_Label_680afd86-dcf7-4483-b9eb-5af1dcd104e1_ContentBits=1;MSIP_Label_680afd86-dcf7-4483-b9eb-5af1dcd104e1_Method=Standard;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ri.se;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GV3P280MB0450:EE_|MM0P280MB0360:EE_
x-ms-office365-filtering-correlation-id: 5520c8a3-4683-4284-d8ae-08de39ad6ef1
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|366016|376014|1800799024|19092799006|8096899003|7053199007|13003099007|38070700021;
x-microsoft-antispam-message-info: YpiU0cpzDgkrb6ldSfad3dmhvco2eYpy+shMybTausqwiFP902b21K4uwFattgS26QHey/R7jXw0VtQaZ8q7WUW9sQF21VpHan5kxcLw6q5MVfm5vDmqUHxH9Ut12UgMKoY2H1DlBAlfDnH1z+L2ArKqul70v7K1w3c+s6q582T5WfX3INGc8Cc9JsjS9KLXkqRU84oKQQjs7RQDvYtnqE68SiLncWP50Mgw+K+fUTG9OuTpGwJDlWRTs9F7DQqFNjO1D+mt22NNXQW0zaJmAbq2O/QeLowMNYk9SJqgejpiqaX2PCC6NyPBq0HPz03AdeKC/AqFkz3ndf60nzHkFYguquEDDojwy5+TAZ7KtDgVj+So8Kr23NpKSPxIDFFIGZMyiu6RacrcqvPzJTZ7F8vyZbN/FB4dfFgQ0fMLyHGrj+aAfb3iW7xZTJKZDB6xffcgBpXMsCWyuOGL9grJVrOl49AYZSn5OK4qIeMDB1ONR7FogpzGvgoD/MbJ9mDUnnJp1DN83u0RG/hpRXLHglEbRM7E1Zo/Wr0MHHdqNPl2emZDykyub0fYZFfao+LqwLbXI6b59PEeEW7ondKbuyRQ8+ErHnEmFDSssIx4gnvdqjNsTspThapNq0NHXCOEGaIDOvpdhOrlho7mTCzdd3t94aVboONcJTM4RpeyuzdSQ19LN5lS0KXCAgg1FQx4xLZJiBkGOLF+6ME9Ra1eBgBPJJsldHo+/ek4Vc0t8JqG10ZIC8MYoMe5o1gV+otIUgAU1r4iQPdaGlhK/HlXdWFbvIQWmuyULJD3yjOdFsTrjwNQFhGmGcWeAdBGMPFEHO3O3Q+hTXajaf/dG8mMWe2xKwx9hlEJo/LAxfzywKW4/5p6X/wnxBiEhTnSVEbAfQ6n+Ky32ul22pAQhJS0CULNSuHiKlmFacBzKoS+JOo7lYSwVFyNMnWQoaXIlR+GX+WK8VfJkt3gYDodjhTzTu46GnJtDFbjWrmFhinZPKM9a0G3RZCozrZrMlQw/yB4JodghOxPYKI6yGjFcfgC0PK62jGtz7Njrgyt21bYysAkQPe4nHGpeGwgwn79gbv/eYL/32c5apceZ+lTk5VxBHtwXR6GY9k03tkJSqF4DCMmJMmCbEYSys4YmbqtE8vlLkQH6IPYNERT1xBte2NElge+vLiDdMk0th3/ykOK2HQkVhferihg2x603BGdI9/4Dv7vE1WAYr/k2lHbImKHsydYHKtTrG8LbtVes2diz/vGsjYpnikQ2cIMFom0YQ0BZMwHIGulihgtRXAt+tPs8fBuycOaxu5EJXNIamEEwDWt1qO2nlVXnjH0HeTgLEwYEokxsYOmNWwQtUQ/+hWBr2fkv9NR5j2Ub+sTOX7qQ4ioJUIlUeaBmgIQ5UCP9MjyFosRWiTx97B68UmirXE6URzV4U+Te+Smmq5VYK673gkX+1tPxcsZepDChW3GhPzR8WxWV+IuBqJqsmcc3nyzc2tqz3/DNaDbJIe3CxUlXBQcPPHgkIE7FQA4+nkDYCTn
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:GV3P280MB0450.SWEP280.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(366016)(376014)(1800799024)(19092799006)(8096899003)(7053199007)(13003099007)(38070700021);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: a7Nfpi2lxiDT4eKLeLw8O1MEvQE0hYnAt9C6VGrKSC2SRJyfG8SrveNMHyRyrzsvsznXB3e3wKvfWr4CGYZvWrjQ/qSybRTaauECIRBTVbWQ5VhfmH2fm5Cbp36e9ltRTQqSPjOhaRQEXOvO1hCLcGFvgdE3iRLdo6DdAmapVxq/Zh5Ok99EjvpmM2FfRznF+WGLPcwnP/XrKu9GoLtR0XT6RtryFvc1GC3YzegWG8Oj3Kf5D38PmKa/2jsdbligw2cB7DxG5ILOQHT+p6OBTOhFhoE1JiVYNfPXyr7I7lAbJytiVIZtgSmNUchB85YZDTIvNgFlt3s6UDGrailE++uUgZHd0kWy+gVdRqq2lHwdgzCDWqI+toY+rAqVSLXbQiXp4LaVwZm/YygvOUZdyHYVu8628CVGKGGjaxPW6yW2oWCnyoR6vPIpY66r93HS/J+GxYMaMYcU4sC+UizmPRBdAlRL+y3LJcH7onpg/70wOuhLSNWA/d5cD9+Tmtc8udoFTfStCFDWJvnjsw8ot+5AD3f2g5NxdPgxCYwu7XZqNLjS8sUZa1B0Q7t+12jX1RZQC5znv2gIuQpSn+5P8HbPJZMm+OWhRm4d5T7VNKNULOiHIclyee5cMfuSAd4EJxlNkNAnjVPELuLhRXF2N4D2GhOnMH4pm7ivio+Cy4CxmocRtvzOzO9H6/9ShF4+imkiCOrLvZaltJPKY5+A6IaPBMbNmOr0aG5vj/iNyRvBzYfIWn7WxSEb8sQfPYIsd98vFtZYJs++LrMmszpaWoKbZnvDxF9KPFy29GiHIZnrSa/tzWlRdWyPnvI4p7p4uTsY0lne3xu0eUNJy54smK0fuaT8ei7OFnre529Tx9DUSC5Dyma1GWCSPyc/QQh4+kqBmYk57Y7eOl/TkFM1TZGDG+7px/22AeZNWb1BJwOYhEvewNevEqbq0YxGuPuEQGEDOZLQjSu2cdxNba6/5dV4btX+pBSi2BDIMmed90tTrRUSQ5B66T+F/0jtgxcTNfD6oMo4nvgM/w5gkIT7RCPAcFEzxab6+bEpDLB/11c5ayKd6Nwrt/D0PoqLrXexq5Nxe31ARheGZR9eW7ai52w+SvYeQOzuoMt0s8KKS3+SOnAh3K+apmH8fTtHyYlQ3uKjasGzW5h6zfh3DYZWl2mRsMEsUzXXg3HCC7woZL1WL5WusjAdRyW5WmN48tXIQeNFhbMm+5Okne9BM6Nfqk42gsaKIqdiEhK8oqBp0w62UNbrxEdADCST4txETVm1A/PDvMATEkTeXR6Dn5/ztJf8Q7silNFU6ST0KjHVbYk9Z4K9FH3e5+QObnmpW+q4yQ9CFMS3z+/cXYUXcJ9QSR866sSJApCj46yAoES99U5Knz2IW8TJqPlcWHGCJOCQJ5JkvYj0Md40dB2ZPGQmp8UAE4qHbgUmB0keWShq2muBKuU3jLQN/aRbh6P0t1Wbl+WQAGQe8gOOMK4oxaPyB8xU6q58XsJ+2lPdCcQysCFRHRxuZl3fxBeikJbg2JqQURYz1CJGeIoe+ux5qbn478fxHNafAolL699ymhlaB44=
Content-Type: multipart/alternative; boundary="_000_GV3P280MB0450124103183C74FC1BD0C899AEAGV3P280MB0450SWEP_"
MIME-Version: 1.0
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GV3P280MB0450.SWEP280.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 5520c8a3-4683-4284-d8ae-08de39ad6ef1
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Dec 2025 18:36:58.6386 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: T26ZViC0x3FGfcmtdHCJzkkfEd7XDACiFF2SrABc6DavHpXOhaQaVdqa7YCfWz0jvCfBOf3Bni2ktfup02jGBg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MM0P280MB0360
Message-ID-Hash: EKA3C74GRNNXIHJNA2T57M5URHGPNJSN
X-Message-ID-Hash: EKA3C74GRNNXIHJNA2T57M5URHGPNJSN
X-MailFrom: marco.tiloca@ri.se
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-core.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "christian@amsuess.com" <christian@amsuess.com>, "core-chairs@ietf.org" <core-chairs@ietf.org>, "core@ietf.org" <core@ietf.org>, "draft-ietf-core-oscore-groupcomm@ietf.org" <draft-ietf-core-oscore-groupcomm@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [core] Re: Paul Wouters' No Objection on draft-ietf-core-oscore-groupcomm-27: (with COMMENT)
List-Id: "Constrained RESTful Environments (CoRE) Working Group list" <core.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/zW0_j46LOhgltGKQoUKbIbwjoW4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Owner: <mailto:core-owner@ietf.org>
List-Post: <mailto:core@ietf.org>
List-Subscribe: <mailto:core-join@ietf.org>
List-Unsubscribe: <mailto:core-leave@ietf.org>
Hello Paul, Thanks a lot for your review! Please find in line below our detailed replies to your comments. A GitHub PR where we have addressed your comments is available at [PR]. Unless any concern is raised, we plan to soon merge this PR (and the other ones related to other received reviews) and to submit the result as version -28 of the document. Thanks, /Marco [PR] https://github.com/core-wg/oscore-groupcomm/pull/123 ________________________________ From: Paul Wouters via Datatracker <noreply@ietf.org> Sent: Thursday, October 23, 2025 3:12 PM To: The IESG <iesg@ietf.org> Cc: christian@amsuess.com <christian@amsuess.com>; core-chairs@ietf.org <core-chairs@ietf.org>; core@ietf.org <core@ietf.org>; draft-ietf-core-oscore-groupcomm@ietf.org <draft-ietf-core-oscore-groupcomm@ietf.org> Subject: Paul Wouters' No Objection on draft-ietf-core-oscore-groupcomm-27: (with COMMENT) Paul Wouters has entered the following ballot position for draft-ietf-core-oscore-groupcomm-27: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fabout%2Fgroups%2Fiesg%2Fstatements%2Fhandling-ballot-positions%2F&data=05%7C02%7Cmarco.tiloca%40ri.se%7Cc570f71f45bf42b4f38708de1235d85d%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638968219629495316%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=cg6l950vXvkPVu6iAf6squ9S%2Fl7%2F%2BImMbfQvQSX6R%2F0%3D&reserved=0<https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/> for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-core-oscore-groupcomm%2F&data=05%7C02%7Cmarco.tiloca%40ri.se%7Cc570f71f45bf42b4f38708de1235d85d%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638968219629543274%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=8TpZjRou54BqIUCbEOzgqb%2BTXbsVQ2BVutCGkji51v8%3D&reserved=0<https://datatracker.ietf.org/doc/draft-ietf-core-oscore-groupcomm/> ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Note I am concerned about long term use of static-static DiffieHellman keys, and would appreciate an answer to my question below. The AEAD Algorithm (see Section 3.1 of [RFC8613]) SHALL identify I think this should just say "identifies" without a SHALL ? The HKDF Algorithm (see Section 3.1 of [RFC8613]) SHALL identify the same The ID Context parameter (see Sections 3.1 and 3.3 of [RFC8613]) SHALL contain same The Common IV parameter (see Section 3.1 of [RFC8613]) SHALL identify the same ==>MT We have applied the suggested changes. <== Section 2.1.7 Probably state that an AEAD is prefered over non-AEAD ? ==>MT The Group Encryption Algorithm covered by this section pertains to the group mode. When using the group mode, a countersignature is present and ensures integrity protection. So, from a security point-of-view, there is no particular benefit to prefer an AEAD algorithm over a non-AEAD algorithm. On the other hand, one may prefer a non-AEAD algorithm due to the smaller overhead that it results in. We have made the following rephrasing: OLD > This algorithm MAY provide integrity protection. NEW > This algorithm MAY provide integrity protection. If it does not, integrity protection is still provided by the countersignature added to the message due to the use of the group mode. <== Section 2.1.9 deriving a keystream to encrypt/decrypt Maybe call this a symmetric key instead of keystream ? Same for the use of KEYSTREAM? ==>MT We have added a forward reference to Section 4.2 that defines how the keystream is derived, i.e.: OLD > ... for deriving a keystream to encrypt/decrypt a countersignature, ... NEW > ... for deriving a keystream to encrypt/decrypt a countersignature (see Section 4.2), ... <== It could be better clarified what the lifetime is of static-static DH keys (eg that rejoining the group, a reboot, etc results in a new "long term" identifier with respect to the static-static DH keys. I could not figure out from this document whether there is any maximum keylife for these type of keys before a rekey/rejoin event must happen. ==>MT The lifetime of the static-static DH-keys is the same as the lifetime of the long-term authentication credentials of the peers. The lifetime of the Pairwise Sender/Recipient Key is shorter, because other group keying material from the Security Context is used during their derivation (specifically, the Sender Key and Recipient Key). Practically, the lifetime of the pairwise keys is the same as that of the group keying material or of the long-term authentication credentials (whichever is shortest). In order to clarify the above, we have revised the document as follows. In Section 2.1.10, we have added the following new paragraph after the currently first one: > When two endpoints compute their Diffie-Hellman shared secret, the Pairwise Key Agreement Algorithm takes as input the static-static Diffie-Hellman keys of the two endpoints. The lifetime of those keys is the same as the lifetime of the authentication credentials that the two endpoints use in the group. As detailed in Section 2.5.1, the derivation of the pairwise keys takes as input not only the Diffie-Hellman shared secret, but also group keying material from the latest established Security Context. In Section 2.5.1, we have swapped and updated the last two paragraphs as below: OLD > After establishing a partially or completely new Security Context (see Section 2.6 and Section 12.2), the old pairwise keys MUST be deleted. Since new Sender/Recipient Keys are derived from the new group keying material (see Section 2.2), every group member MUST use the new Sender/Recipient Keys when deriving new pairwise keys. > > As long as any two group members preserve the same asymmetric keys, their Diffie-Hellman shared secret does not change across updates of the group keying material. NEW (emphasis mine) > As long as any two group members preserve the same asymmetric keys, their Diffie-Hellman shared secret does not change across updates of the group keying material. **The lifetime of those keys is the same as the lifetime of the authentication credentials Sender Auth Cred and Recipient Auth Cred.** > > After establishing a partially or completely new Security Context (see Section 2.6 and Section 12.2), the old pairwise keys MUST be deleted. Since new Sender/Recipient Keys are derived from the new group keying material (see Section 2.2), every group member MUST use the new Sender/Recipient Keys when deriving new pairwise keys. <== Section 14 The key pair can, for example, be generated by the endpoint or provisioned during manufacturing. I assume this key is only used for authenticating to Group Manager(s) and not for the static-static DiffieHellman because that would be severely lacking in forward security. ==>MT The key pair supported by the authentication credential are used: * To authenticate with the Group Manager. * To authenticate with other group members when using the group mode (via a signature). * To authenticate with other group members when using the pairwise mode. On the latest point and building on the reply to the previous comment, the key pair is used only to derive a Diffie-Hellman shared secret. In turn, the shared secret is only one input to the derivation of the pairwise keys that are effectively used to protect messages in pairwise mode. Another input is group keying material from the latest established Security Context. Seen from another point of view and as clarified by the additional text in Section 2.5.1 (see the reply to the previous comment): * The lifetime of the shared secret is the same as the lifetime of the asymmetric key pairs, which is the same as the lifetime of the authentication credentials. * The lifetime of the pairwise keys is the shortest lifetime between that of: i) the long-term authentication credentials of the two endpoints deriving the pairwise keys; and ii) the latest established Sender Key on either of the two endpoints deriving the pairwise keys. <== A possible way to ameliorate Please find another word for "ameliorate". If I don't know this word, many more people won't know what it means. ==>MT We have rephrased as below. OLD > A possible way to ameliorate this issue ... NEW > A possible way to mitigate this issue ... <== Randomness requirements for security are described in [RFC4086]. I think 4086 is very oudated and bad, and wouldn't mind not using it and instead stating something about using proper cryptographic strength randomness provided by the OS/hardware instead. ==>MT We have simply removed that sentence and the reference to RFC 4086. In fact, earlier text in the same paragraph already says that the Master Secret must have a good amount of randomness. <==
- [core] Paul Wouters' No Objection on draft-ietf-c… Paul Wouters via Datatracker
- [core] Re: Paul Wouters' No Objection on draft-ie… Marco Tiloca