[Dtls-iot] AD review of draft-ietf-dice-profile-13
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 06 July 2015 16:17 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dtls-iot@ietfa.amsl.com
Delivered-To: dtls-iot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AB2B1B2F87 for <dtls-iot@ietfa.amsl.com>; Mon, 6 Jul 2015 09:17:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.81
X-Spam-Level:
X-Spam-Status: No, score=-2.81 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oYhRRhp6Pv6f for <dtls-iot@ietfa.amsl.com>; Mon, 6 Jul 2015 09:17:07 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A45141B2F6F for <dtls-iot@ietf.org>; Mon, 6 Jul 2015 09:17:04 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 17BD8BDCF for <dtls-iot@ietf.org>; Mon, 6 Jul 2015 17:17:01 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lth_t6zqPaO4 for <dtls-iot@ietf.org>; Mon, 6 Jul 2015 17:17:00 +0100 (IST)
Received: from [134.226.36.180] (stephen-think.dsg.cs.tcd.ie [134.226.36.180]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 18F09BE3E for <dtls-iot@ietf.org>; Mon, 6 Jul 2015 17:16:57 +0100 (IST)
Message-ID: <559AA9F8.6080005@cs.tcd.ie>
Date: Mon, 06 Jul 2015 17:16:56 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: "dtls-iot@ietf.org" <dtls-iot@ietf.org>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dtls-iot/-QbyM_BXHnRt1JZB7BWNsdF2cEM>
Subject: [Dtls-iot] AD review of draft-ietf-dice-profile-13
X-BeenThere: dtls-iot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DTLS for IoT discussion list <dtls-iot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtls-iot/>
List-Post: <mailto:dtls-iot@ietf.org>
List-Help: <mailto:dtls-iot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2015 16:17:12 -0000
Hiya, I've done my AD review of draft-ietf-dice-profile-13. It's a fine piece of work that's nearly but not quite ready. I have quite a few (13!) comments that I'd like to chat about before starting IETF LC and at least the last of those definitely needs a revised I-D. So I'll be marking this as needing that shortly. If it helps to get out an I-D before the Prague meeting starts just let me know and I can ok that. Most but not all of the things I'd like to chat about before starting IETF LC are easy, but need checking I think. And since you chose to make this a 55 page document, I've of course also got a bunch of nitty nits:-) Those can be handled before or after IETF LC from my POV, whatever's easier for the WG/authors. Anyway, I don't think it ought take us too long to resolve these issues and move this on to IETF LC and I bet people will think this is a really fine RFC when it does pop out from the RFC editor. Cheers, S. Things I'd like to chat about before I start IETF LC: ----------------------------------------------------- (1) 6.1: Is TLS_PSK_WITH_AES_128_CCM_8 still ok for CoAP? We're discussing taking all the _8 ones out for SRTP, i.e., from [draft-ietf-avtcore-srtp-aes-gcm] because of the 8 octet tag being too short. I'd need to go check if the same issues apply here, but maybe they don't. What do we think? If this applies to any of the ciphersuites here, it presumably applies to all so I wanted to check just in case. (Kevin Igoe and Magnus Westerlund are involved in that SRTP discussion in case it helps.) (2) 6.2: Saying that the client key pair "may, for example, be configured during the manufacturing process of the device" is not ok really. There have been too many cases where the same key pair has been used in whole production runs or worse. You need to add a 2119 instruction here that doing the quoted thing "REQUIRES a different key pair for each device that SHOULD be generated and installed in as-secure a manner as possible." Or similar text. I don't care where that text is added (6.2 might not be right) so long as it's not hidden away on page 54:-) (3) 6.3: How can you have a MUST for s/w update when there is no well-defined interoperable way to do that. I think s/MUST/need to/ would be right here. (I'd love to see us define the IETF bits of a s/w update mechanism that could be referenced via such a MUST but we don't have that today so it's a bogus MUST as written.) (4) 6.3: The Ed25519 reference should be removed or the text modified. CFRG are not selecting Ed25519 it seems so that would be misleading as-written. (5) 6.3: Forgetting CoAP for the moment, surely this profile will be used with devices that only have (possibly bogon) IP addresses and that want to have those in certs. I do get that how to handle that well is not very clear, esp. for certs for e.g. 192.168.0.1, but shouldn't it really be covered by this profile? (6) 13: sorry I don't get why a 1 second initial timer is an issue because messages "need longer" (we're not in a DTN, right:-) I don't think you've justified the 10s initial value and that might be bad in fact e.g. for sleepy nodes one might want a much shorter initial timeout so the node can go back to snoozing. (It could be that this 10s value was justified on the list, but I'm not getting it from the text. Or is it appendix A you're thinking of? If so, that seems overly specialised for a generic 10s recommendation.) (7) 14: Doesn't [Heninger] really cause many devices to use one RSA prime factor? That's not the same as "same keys again and again" and in any case you're not recommending RSA keys on challenged nodes here. Shouldn't you do the analysis of the impact of a dodgy PRNG on populations of devices that follow these profiles and not something else? (8) 14: You are RECOMMENDING to follow mathewson-no-gmtunixtime which is fine. That however means that that's a normative reference on which you need to wait. I'm fine with that, but the WG may or may not be. (9) 14: And also - if you RECOMMEND to sometimes use ServerHello.Random for "secure time" then don't you have to say that that's only to be used after one has verified the server cert/knowledge-of-PSK or something? Otherwise any old fake server could send me a time value then bail on the handshake, and I might set my clock to that. (The bad effect there is not related to certificate revocation btw, but more e.g. DoS for sleepy nodes or application layer nastiness.) (10) 14: I want to check that the WG are really ok with the "MUST" for h/w "quality" RNGs. I really like the idea, but it's very odd for the IETF to have such a MUST touching on the style of implementation. (Say if my entire implementation of TLS is in some kind of VM? Then I couldn't meet this ever.) I think we have to s/MUST/weasel-words/ there tbh, sadly - it's just not our job to mandate implementation styles. The following para though does the job nicely, so maybe s/MUST/ought to/ is enough of a change. (11) 21: Why not make RFC7539 a SHOULD or MUST right now? Doesn't it seem like doing so now in a profile would be the right kind of timing? And that might be our best bet for healing the CCM/GCM rift so I'd like to check if the WG agree with that idea or not before we go to IETF LC. (That might justify a separate thread.) (12) 24: You need to mention that simply emitting a packet can be privacy sensitive and that (D)TLS doesn't help if so. For example, if lights turn on when I enter the room and those packets can be detected then seeing any packet says someone has entered the room. Or if a thing I carry about sends out nicely encrypted stuff then seeing the destination IP for that might have the privacy issue. Or if a sensor has a threshold and only fires above/below that then seeing any packet means we've crossed the threshold. Text that explains that and that that's a system and/or application layer issue is needed I think. (13) Appendix C has an editor note that says that it's not finished. That's gotta be wrong, no? Minor/nitty comments: --------------------- - Title: You are actually defining >1 profile but the title is in the singular. Worth fixing? - 55 pages! Sigh;-) - So it seems like everything up to section 6 is just introductory and not normative text (or at least pages 4-19 or so). IMO that is too much and if we were earlier in the process I'd argue it'd be better reduced a lot or put into another document. As-is, I think you need to add text in the intro that says "If you're familiar with (D)TLS, then skip ahead to section 6" and then at the start of section 6 you need to say that the normative text really starts here. 6.1 is the first place I saw any 2119 keywords - "required" (lowercase in the draft) and a SHOULD NOT. - section 2 (or somewhere): it might be worth saying that TLS1.3 is being developed but that it is not expected that this profile will "just work" for that due to the significant changes being done to TLS for 1.3. That'd imply there may be a need for another profile later for TLS1.3 but that's ok, I'm not asking we start that work now, just that we explicitly say that 1.3 is underway and we're not expecting this profile to work for that just as-is. You do sort of say that in section 8, but that's a bit obscure I think. - section 3: Is RC4 really the only stream cipher defined for TLS1.2? That surprised me but I've not checked. - 4.1.1.1 has quite a bit of text - I'd have said it wasn't all needed and just saying EAP-TLS is relevant and some RFC pointers would have been enough. - Figure 4 spans 3 pages. That's too much. Can't you split that into two figures each on one page? - 4.1.1.2, last para before Figure 4: Are you implying that DTLS-server-initiated resumption needs to be supported? I don't know if that's reasonable or not. Is it? This is triggered by the combination of "After some time" and "the already established" which could be read to imply DTLS session resumption initiated by the resource directory. Maybe this is addressed later in the document though? - 4.2, para just after figure 5: Is "have to be solved" correct? There are really no other ways? I think s/have to/can/ is probably better. - 4.2: Something seems broken here "as described in Section 2 of [RFC7452] these different communication patterns. " - Figure 6 spans >1 page too and needn't. - Section 5 duplicates RFC5246. I'd say delete the lot would be better. I'll live if you don't:-) - 6.1: "While the server is not required to initiate a cookie exchange with every handshake, the client is required to implement and to react on it when challenged." Is that a piece of normative specification or just a description of what's already documented elsewhere? I think you should be clear about that. (As this'd be the 1st bit of normative spec in the draft I think.) - 6.1: "into the firmware" I think you should warn against doing this, even in a passing reference like this. Firmware is usally published and putting sensitive values inside that is a really bad idea. - 6.1, near end of p20: "bit-by-bit comparison" please say to make that constant time, just in case it got into a tight enough loop to expose information about what ought be secret. (I assume guessing the PSK identities that a device has configured in might be sensitive if it can be done remotely. I forget how mismatches in those are handled.) - 6.3: "is omitted from the chain" - I think a recent DANE draft required that the root keys be included in the chain. Just notin the potential mismatch in case someone cares about these kinds of device and DANE. (I'd say "ask Viktor" is the way to check that out.) - 6.3.3, last para: that's not a good argument - trust anchors do not get revoked anywhere near as often as end entity (TLS client or server) certs - so for constrained devices, I'd expect a higher revocation rate in theory. (Though I agree, not in practice.) - table 1: this has too much stuff that is syntactically required and where there is no real choice. Shorten the table by getting rid of all those where you've nothing more to say. The table spans 3 pages too, so please break it into two. - table 1, serialNumber: for what length serial do you require support? There was a time when longer serials were an issue for some implementations and I could see that happening again here maybe. If that is an issue, then probably so would subject and issuer where you might also want to add a bit more text. - 6.3.6: typo: "during the DTLS exchange provides" - section 8: Simplification is good but I wondered if these restrictions were going to simplify very much. I'd not be surprised if implementations had to be able to handle lots of the errors you say aren't needed in any case. So maybe doing this as non-normative guidance would be better (and hence moving it before section 6). - section 9 typo: s/server constrained/server is constrained/ - 10: CRIME needs a reference. You could use the UTA draft. - 12: typo s/my expire/may expire/ - 12: I think you ought refer to heartbleed in some way - some implementers might think that was a protocol design flaw and not follow this section if you don't. - 23: If false start is RECOMMENDED then it needs to be a normative ref. Do you want to wait for that too? - 25: I really like para 2, thanks. I'm not sure that the OMA thing is the answer. (It might be, I don't know.) - Appendix A: I'm getting WAP-flashbacks :-( Are you really recommending that A.3 be implemented? I assume not, but it nearly says that so I thought I'd just check.
- [Dtls-iot] AD review of draft-ietf-dice-profile-13 Stephen Farrell
- Re: [Dtls-iot] AD review of draft-ietf-dice-profi… FOSSATI, Thomas (Thomas)
- Re: [Dtls-iot] AD review of draft-ietf-dice-profi… Stephen Farrell