Re: [Lake] [EXT] Re: EDHOC Implementation Considerations for parameters
"Sipos, Brian J." <Brian.Sipos@jhuapl.edu> Wed, 21 February 2024 22:47 UTC
Return-Path: <Brian.Sipos@jhuapl.edu>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21C94C14F698 for <lake@ietfa.amsl.com>; Wed, 21 Feb 2024 14:47:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jhuapl.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r7yMbQCNkEVY for <lake@ietfa.amsl.com>; Wed, 21 Feb 2024 14:47:15 -0800 (PST)
Received: from aplegw02.jhuapl.edu (aplegw02.jhuapl.edu [128.244.251.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B66DAC14F616 for <lake@ietf.org>; Wed, 21 Feb 2024 14:47:15 -0800 (PST)
Received: from pps.filterd (aplegw02.jhuapl.edu [127.0.0.1]) by aplegw02.jhuapl.edu (8.17.1.19/8.17.1.19) with ESMTP id 41LMg1IK032649; Wed, 21 Feb 2024 17:47:14 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jhuapl.edu; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=JHUAPLDec2018; bh=TnyrWXbF1jv5W4n511Theq/FqyrTK+h5K714dT9ybXw=; b=JCzJ/qHfXHArrZ5P/FbR1+0DI7SFXnpkVASdWqi0Cp0TBakYQFK/6fJrZXf3zWTKXeBb qX/7g/H0lpTfMlAAI5ZZ6+L15hfpN863WNJTpgJg4uFrojkca2SfzPTYGvdUQINbARIl jPVO7cG6uqBBOzFr56TN1eV3rNV3jX+We1Ov8q0p/kH2Rl8qko4JbiOAnWTFr392tRAP 9j+4A1eZQYVeuxt+T/9aIRxfXI22xPTxUZSZ+ICcWAy7stHk1eghVPriyjSwojfbEa9L xOx/LnEPQRcg9mCBkD3xqeAe6FjLioOc3FcnG24nbsTjLmAHxYNHmCxMnA3scVFtT7Xu Pg==
Received: from aplex27.dom1.jhuapl.edu (aplex27.dom1.jhuapl.edu [10.114.162.12]) by aplegw02.jhuapl.edu (PPS) with ESMTPS id 3wasw5qum3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 21 Feb 2024 17:47:14 -0500
Received: from APLEX21.dom1.jhuapl.edu (10.114.162.6) by APLEX27.dom1.jhuapl.edu (10.114.162.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.40; Wed, 21 Feb 2024 17:47:13 -0500
Received: from APLEX21.dom1.jhuapl.edu ([fe80::20d7:9545:f01e:9b2]) by APLEX21.dom1.jhuapl.edu ([fe80::20d7:9545:f01e:9b2%5]) with mapi id 15.02.1118.040; Wed, 21 Feb 2024 17:47:13 -0500
From: "Sipos, Brian J." <Brian.Sipos@jhuapl.edu>
To: Marco Tiloca <marco.tiloca@ri.se>, "lake@ietf.org" <lake@ietf.org>
Thread-Topic: [EXT] Re: [Lake] EDHOC Implementation Considerations for parameters
Thread-Index: AdpkDuF5BM9PGlM7SfqYzHv1imJnuQAz0mqAAAYVTMA=
Date: Wed, 21 Feb 2024 22:47:13 +0000
Message-ID: <46e5bf37414f422580d9b474d4913b66@jhuapl.edu>
References: <2815c672c19842738631571bca6bbae7@jhuapl.edu> <52dee43a-e77c-4049-baaa-10d0dedbfcea@ri.se>
In-Reply-To: <52dee43a-e77c-4049-baaa-10d0dedbfcea@ri.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.162.19]
Content-Type: multipart/signed; micalg="SHA1"; protocol="application/x-pkcs7-signature"; boundary="----=_NextPart_000_000E_01DA64ED.FD30EE00"
MIME-Version: 1.0
X-CrossPremisesHeadersFilteredBySendConnector: APLEX27.dom1.jhuapl.edu
X-OrganizationHeadersPreserved: APLEX27.dom1.jhuapl.edu
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-02-21_09,2024-02-21_02,2023-05-22_02
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/GQmnLrn1R29o5u3Xy8CVEQT7KYo>
Subject: Re: [Lake] [EXT] Re: EDHOC Implementation Considerations for parameters
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2024 22:47:20 -0000
Marco, Yes, that draft [5] is actually just what I was looking for. No need to reinvent an encoding for all of those EDHOC options or selection logic. Thanks for this pointer! From: Marco Tiloca <marco.tiloca@ri.se> Sent: Wednesday, February 21, 2024 5:54 AM To: Sipos, Brian J. <Brian.Sipos@jhuapl.edu>; lake@ietf.org Subject: [EXT] Re: [Lake] EDHOC Implementation Considerations for parameters Hello Brian, On 2024-02-20 16:10, Sipos, Brian J. wrote: All, I’ve been looking through the EDHOC Implementation Considerations draft [1] and there is a lot of very valuable information in there, especially around the notion of side processing. ==>MT Thanks a lot for your interest and support! <== (As a secondary question, was there a source for this term “side processing” or was it created for this document?) ==>MT I've just made the term up and started using it. It seems to have worked well :-) <== One thing in EDHOC that I am trying to reconcile with an integration in a new environment is how to express/agree/negotiate precondition parameters (like Method [2]) to being able to actually invoke EDHOC procedures and expect them to succeed with a should-be-interoperable but external peer. I see in the OSCORE integration document there is a specific listing of available EDHOC parameters [3] that an endpoint can express to help a peer choose what to offer in the first EDHOC message that will have a good chance to succeed. Does it make sense to cover the same needed parameters in a less integration- or transport-specific way in the Implementation Considerations doc? Even just having a list of “these are the things that must or can be expressed before starting an EDHOC procedure to ensure it will complete successfully …” would, I think, be helpful to implementors. ==>MT Yes, it does make sense that two peers can early coordinate on a set of parameters that sets the ground for a successful EDHOC execution. In practice, this is about the two peers coordinating on the EDHOC application profile to use (see Section 3.9 of [2]), based on their mutual support and preference. As you notice, a first step in that direction was taken in [3]. As you also notice, that approach specifically considers link target attributes. Those are used to convey "individual parameters" in weblinks, and thus the corresponding support on the side of a CoAP server acting as EDHOC peer. A different, but still setup-specific approach is used in another document at [4], which defines the EDHOC and OSCORE transport profile of the ACE framework for access control. In this case, an Authorization Server (AS) issues an Access Token to a Client for accessing protected resources at a Resource Server (RS). The Client and the RS will act as EDHOC Initiator and Responder, respectively, and the AS also provides the Client with information that describes what the RS supports as an EDHOC peer. This builds on a dedicated EDHOC_Information object (see Section 3.4 of [4]). Since you are rightly asking about a possible setup-independent approach, we have actually started to work in that direction, and you may be interested to check the document at [5]. In fact, the document introduces more general means for coordinating on the supported EDHOC application profiles, and it especially defines two coordination means: * The registration of pre-defined EDHOC application profiles, identified by an integer number. * A canonical CBOR data item that can be used to describe an EDHOC application profile. As to the actual distribution of this information, so far it has looked better to leave freedom about how it can exactly happen. For example, if what an EDHOC peer supports is described in one such CBOR data item or just referenced by an integer pointing to a registered application profile, this information can be: retrieved as a result of a more general discovery process; or retrieved/provided during the retrieval/provisioning of that peer's public authentication credential; or obtained during the execution of a device on-boarding/registration workflow. We plan to submit a revised version -01 of [5] before the next cut-off deadline, and we certainly welcome more feedback and input! Thanks, /Marco [4] https://datatracker.ietf.org/doc/draft-ietf-ace-edhoc-oscore-profile/ [5] https://datatracker.ietf.org/doc/draft-tiloca-lake-app-profiles/ <== Thanks for your feedback, Brian S. [1] https://www.ietf.org/archive/id/draft-tiloca-lake-edhoc-implem-cons-01.html [2] https://www.ietf.org/archive/id/draft-ietf-lake-edhoc-23.html#section-3.2 [3] https://www.ietf.org/archive/id/draft-ietf-core-oscore-edhoc-10.html#section-6 -- Marco Tiloca Ph.D., Senior Researcher Phone: +46 (0)70 60 46 501 RISE Research Institutes of Sweden AB Box 1263 164 29 Kista (Sweden) Division: Digital Systems Department: Computer Science Unit: Cybersecurity https://www.ri.se
- [Lake] EDHOC Implementation Considerations for pa… Sipos, Brian J.
- Re: [Lake] EDHOC Implementation Considerations fo… Marco Tiloca
- Re: [Lake] [EXT] Re: EDHOC Implementation Conside… Sipos, Brian J.