Re: [Gen-art] Genart last call review of draft-ietf-ace-oscore-profile-11

Francesca Palombini <francesca.palombini@ericsson.com> Mon, 24 August 2020 17:07 UTC

Return-Path: <francesca.palombini@ericsson.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE0B63A114A; Mon, 24 Aug 2020 10:07:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.202
X-Spam-Level:
X-Spam-Status: No, score=-0.202 tagged_above=-999 required=5 tests=[DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ddrrtJ1zcaK0; Mon, 24 Aug 2020 10:07:03 -0700 (PDT)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2089.outbound.protection.outlook.com [40.107.21.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 596933A1181; Mon, 24 Aug 2020 10:07:02 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RknEXXQC4/mOEDjP8t15SZFk1JNjWATC5dSMAH7QIBR94I/8WTxtWewpPA0zndY3mquQLqPw4RB/W7Aa7IGcCcCFykPvq+cXJEVltF9lVW11m5sbismiE/px8K4kedX4Ripy8MJXCwlgqGl/J3wc7CTim01tkma0qkUct1pEx1MuKAv/3f+PGXQyhKmzg3lWi1uK6fuA8Xhi6XEa82wDV1SR/t5jt4RNfjK3vejExyOtvcHzU4xTF+uyIcvRU+jUAE2NbsmHrgxbx0Lgb59L4WRxpctfISKXBbEODQDXpJa5UDnijvAJjhIAi95RX+2dF7do+e7czd1YGmXfZ3+r9w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lyiPaa6m41EepKqsR0my4qQWveHA44F7lRPi0Os7Vy4=; b=l9hGkLfCk7vMz90dL/ZzFuROxxIMxh2Ad/yC7LQADUaGJQ7UeCu+tQL49SKX5Q/bVl64ncjB22Pdrt3UCS/j34lPrBwN00lleJIOCXOlCQuXMQ2FuZ0pEvcZ6wUO9rFPUo8CATKydw/RK5RiMDjsv31WbTvgDmgKbtgbj9hI0aXebai+BOXRNauew70IdDcqVLhn2CeZFxNxbhmne9DGocQoDcaH2vm5dkTOPiKHZSP6UFfqCxWzZ78z54+H73Fgsk1vJNC3CEkyImdX7Ik+qzrU1g734NBWGov9Qmtux11iMRGRTabcSezEeVi8BBncmhvr0NIPaTxMRvFoWyDzUw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=lyiPaa6m41EepKqsR0my4qQWveHA44F7lRPi0Os7Vy4=; b=rznMp26XvJnOyZ3mo/411Pt+ATGwg1y1/PmOf8zHW1hmpq5Vkv8buvynV9v2hs+zeOzdFTi5/SYtXIylID17xD4WGXw3f2AOIW63YitD6fDa3mhi2VXwLZw3JMzuM3x0aYLBd0LOCW3Fi9eaAIM6nAil9TGGS2XPrGzaikpW9kI=
Received: from VI1PR07MB4477.eurprd07.prod.outlook.com (2603:10a6:803:74::33) by VI1PR07MB5536.eurprd07.prod.outlook.com (2603:10a6:803:b7::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3305.10; Mon, 24 Aug 2020 17:06:59 +0000
Received: from VI1PR07MB4477.eurprd07.prod.outlook.com ([fe80::cba:ac03:353c:2d1f]) by VI1PR07MB4477.eurprd07.prod.outlook.com ([fe80::cba:ac03:353c:2d1f%7]) with mapi id 15.20.3326.017; Mon, 24 Aug 2020 17:06:59 +0000
From: Francesca Palombini <francesca.palombini@ericsson.com>
To: Elwyn Davies <elwynd@dial.pipex.com>, "gen-art@ietf.org" <gen-art@ietf.org>
CC: "draft-ietf-ace-oscore-profile.all@ietf.org" <draft-ietf-ace-oscore-profile.all@ietf.org>, "ace@ietf.org" <ace@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Thread-Topic: Genart last call review of draft-ietf-ace-oscore-profile-11
Thread-Index: AQHWX7IkTd+c1UTuhkKyb48il2WBh6lH1BYA
Date: Mon, 24 Aug 2020 17:06:59 +0000
Message-ID: <B83CD827-D5E3-4616-9056-59258445D31F@ericsson.com>
References: <159537216772.11664.11256578694810978706@ietfa.amsl.com>
In-Reply-To: <159537216772.11664.11256578694810978706@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.40.20081000
authentication-results: dial.pipex.com; dkim=none (message not signed) header.d=none;dial.pipex.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [158.174.219.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 621c1366-f8b1-4b70-05e0-08d848501d54
x-ms-traffictypediagnostic: VI1PR07MB5536:
x-microsoft-antispam-prvs: <VI1PR07MB553605482537744AD38E4B1B98560@VI1PR07MB5536.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: /R6BWlo6X92Yt6wMP3/7vODhYQVHB+6ZcNGCPsTjAOeRuu3GbwbF3FpQhtV+ki1Pke/KUSAOhQTPbwOpdP9+KC1vi2hIpGuUohLfqAFsvdtM4uSmzZri6zhGJy5AkbrrXLPXNVK9duIa46tkCPTJMA3y7FSUYElSz0zWXlaZKFg5OzYoRTseuFH3N7ckpyQjHTsmaHnOPzIrvGLTGbpZZiHrvJmPHwkIIsDYq/aSAVN+5y7/o7Qq7V53Zbv5BkP9F9Z3sNNvu2GMt5a1OrEwC9HoUi7zmDOeBl4IytrWo1QqD6luz1oGbdW2NdUAeBPK84MK+qRaSAxKCbs/AwBb8yU5LGLoa2UMeVoPtqMWajMi/JK3xMD/lH97ZtTgiWI5C5nJsNIbjmIDS3em4G5Qhw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR07MB4477.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(396003)(136003)(366004)(346002)(39860400002)(26005)(6506007)(2906002)(86362001)(66476007)(36756003)(8676002)(66556008)(83380400001)(4326008)(316002)(54906003)(53546011)(66946007)(66446008)(64756008)(71200400001)(2616005)(110136005)(44832011)(8936002)(76116006)(91956017)(5660300002)(33656002)(6512007)(186003)(966005)(6486002)(478600001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: FpUV5lNLTGXdySXc4Q1efCx/XxMz3hVs9UdiFTrfK75zEpwyYkzrW+qqGTBIhOtL2H57syI0+3WsRCpwNCRvyoDE4jl7vhCX7pUZpN4IKJ3hkvw1rvf2xYNxOA7xkpl7HCpoN0tLMgzPpFpu7MomvizkibbMrdPwFcK4R3b+kFEiN7dZeIRcK79H8tm1dVAVbLnW67gZmkJgjtjIucg3L8+CAeQGERAzYHli+hIn10/ieRPSJaEGkdnSGeEwYFBeAtKP1uUElHUMqnm5YJZ5WzFjNPzYC/C+XOI3nj+8uhOp9P0pbeYm/AocKILIrGujK8Y+Fmmf9dTQV/Gxidoe4/kG3nGOu2v/QkPboFAVQ1e5a6vvBluNVB9Zw4pHnSivGbK7BE01MJOsTttS0e7Cn/nVuJpjJ6sDLZ4VrPf7SeAwiXyR0tQ92As0K9ZEiYMFxuJwlMLuF2ShTHRvhIVBgnkCczhviPSzfrYdS+Z2t0FyWgaN4B16VoDg8Z/D+3Qyr0rpn0UlwIvq2xFOyM/hMcS0LHdiqedLsa1DJhNW/L8NLWOGaLgWND49HRGyLriBq8TgQVKbsUmNDQbWXPBNiWnrXgHY0t4bjkPzjOkbnIaXQzD8jUZcHkeK1pZlmjE+6sGzPOlU0ShIVUs3NqQ3Dg==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <06F81365A8058749BE39B48AF5768889@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: VI1PR07MB4477.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 621c1366-f8b1-4b70-05e0-08d848501d54
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Aug 2020 17:06:59.8625 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: DDMbUwbldHoOS4yPWGu+F15HfzmJkNg+AvbMzjmI61KgFqC/ecKkF6ml79L//XvW7J+hwHKJxd021hz5vRKH6yt7LswBCAiBVcqTItoVMUPDvNcNl6jCDBpS3puDfRzU
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB5536
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/SzrdVGJn1Fl5Ja90bas50WQHCW0>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-ace-oscore-profile-11
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2020 17:07:05 -0000

Hi Elwyn,

Thank you so much for your review. We have now worked on all your comments in a pull request, and will soon submit an update to the document. All the nits are adressed in two commits: https://github.com/ace-wg/ace-oscore-profile/commit/a7f9483e96107a678b80217ba0b2d3dcfb488192  and https://github.com/ace-wg/ace-oscore-profile/commit/855c34865120a1f09c28ebe6dce93acedb1f3e04 . Detailed comments inline, prefaced with [FP].

Thanks again for the good comments,
Francesca

On 22/07/2020, 00:56, "Elwyn Davies via Datatracker" <noreply@ietf.org> wrote:

    Reviewer: Elwyn Davies
    Review result: Almost Ready

    I am the assigned Gen-ART reviewer for this draft. The General Area
    Review Team (Gen-ART) reviews all IETF documents being processed
    by the IESG for the IETF Chair.  Please treat these comments just
    like any other last call comments.

    For more information, please see the FAQ at

    <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.

    Document: draft-ietf-ace-oscore-profile-11
    Reviewer: Elwyn Davies
    Review Date: 2020-07-21
    IETF LC End Date: 2020-07-20
    IESG Telechat date: Not scheduled for a telechat

    Summary:  Almost ready.  There is one minor issue that needs sorting out and a
    fair number of nits.  Overall I have to say that I found it difficult to keep
    clear in my mind what messages were fully encrypted and which ones were sent en
    clair and which are in some intermediate class.  The authors might wish to go
    back over the document from the point of a naive reader to ensure that it is
    clear for implementers.

    Major issues:
    None

    Minor issues:
    s2, para 5:  Where does the 'input salt' come from?  The term is not used
    anywhere else in this document and  isn't defined or mentioned in either
    dreft-ace-oauth-authz or RFC 8613.

[FP]: Right, as Ben mentioned, this was the result of an update to the name of the term. The input salt is used as one of the inputs to the OSCORE Master Salt. I have now rephrased to clarify that "salt" contains in fact an input to the OSCORE Master Salt. (https://github.com/ace-wg/ace-oscore-profile/commit/07ced6a4f908491d7d70c8c2d6fca7596e3801d4 )

    Nits/editorial comments:
    s1:  Need to expand CoAP on first use.

[FP]: Ok.    

    s1: Need to expand CBOR on first use.

[FP]: Actually, because CBOR appears on first use as the first term of COSE, I have not expanded it in this location. I have added a normative reference to CBOR in the terminology and expanded it there.

    s1.2, CDDL:  It would useful to mention that the predefined type names from
    CDDL, especially bstr for byte strings and tstr for text strings,  are used
    extensively in the document.

[FP]: Thanks for the suggestion, now added.

    s2, para 1: s/overview on how/overview of how/

[FP]: Ok.

    s2, para 1: s/as well as OSCORE setup/as well as the OSCORE setup/

[FP]: Ok.

    s2, para 2: s/that's/that is/

[FP]: Ok.

    s2, para 8: Need to expand AEAD on first use.

[FP]: Ok.

    s2 and Figure 1:  It would be helpful to the reader if Figure 1 and its
    descriptive paragraph was placed closer to the beginning of s2.  Otherwise
    things like Client C' need more explanation to point the reader at the figure.

[FP]: I have kept Figure 1 at the end of the section, but I have now removed all instances of "Client C", since they don't make sense before seeing the picture, as you rightly noted.

    s2, para 3:

    This says:
    To determine the AS in charge of a resource hosted at the RS, the client C MAY
    send an initial Unauthorized Resource Request message to the RS. The RS then
    denies the request and sends the address of its AS back to the client C as
    specified in section 5.1 of [I-D.ietf-ace-oauth-authz]. The access token
    request and response MUST be confidentiality-protected and ensure authenticity

    I found the combination of the Unauthorized Requst and the
    confidentiality-protected etc confusing.  If the last sentence does apply to
    the Unuthorized Request it would be helpful to make it clear that this is not
    just a generic statement but does apply to the Unauthorized Request as well.

[FP]: Ok, thank you for pointing it out. I have now clarified in the beginning of the paragraph that the access token request is different from the Unauthorized Request.

    Figure1:  For consistency the first line should say Unauthorized Rsource
    Request.  I would also suggest explaining the mapping between what is said in
    the text and the terms 'Ceation Hints' and 'Access Information' used in the
    figure.

[FP]: Ok about the Unauthorized Resource Request. I have not explained further about the mapping between the overview text and the figure, as I do not want to go into too much detail there, but I have clarified that the names of messages come from the framework.

    s3.1, para after Figure 2:  The term 'audience' appears in this paragraph
    without any context indicating what it means .  Later in s3.2 it appears that
    audience is associated with CBOR web tokens (RFC 8392).  But it may also might
    also be realted to draft-oauth-token exchange.  The appropriate reference
    ahould be added and should be explained in s3.1.

[FP]: Ok, added a reference to the right section in the framework.

    Figure 3:  Should IdContext be ContextId?  ContextId is used evrywhere else.

[FP]: Good catch!

    s3.2: Expand HKDF on first use ( in second set of bullets).

[FP]: Ok.

    s3.2, para after 2nd set of bullets:  I think the four instances of 'may' 
    ought to be 'MAY'.

[FP]: These may were not normative on purpose, as the normative MAY is the one above the bullet list. I have now rephrased to remove "may" from this paragraph, to avoid confusion.

    s3.2.1:  It would be helpful to provide references to the online versions of
    the  IANA registries (3 places).

[FP]: Ok.

    s4.2, para 1:   A foward reference to s5 where the comunication mechanisms
    needed for introspection are described.

[FP]: I added a reference to the section of the framework where introspection is described.

    s4.1, para 2: s/from what described/from what is described/

[FP]: Ok.

    s4.2, para 5: s/that's/that is/

[FP]: Ok.

    s4.2, last para; s/This simplifies for the RS track/This simplies the process
    needed by the RS to keep track/

[FP]: Ok

    s8, para 6: s/tasked of/tasked with/

[FP]: Ok

    s9.3:  I don't think the Value Type for nonce is 'IESG'! lol

[FP]: Indeed! Thanks.