[Lake] pre-last-call comments on edhoc draft-18
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 05 December 2022 12:40 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22E8CC14F731 for <lake@ietfa.amsl.com>; Mon, 5 Dec 2022 04:40:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pwohGZ6kSpLS for <lake@ietfa.amsl.com>; Mon, 5 Dec 2022 04:40:48 -0800 (PST)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04on0711.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0e::711]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84732C1522C1 for <lake@ietf.org>; Mon, 5 Dec 2022 04:40:42 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aARqqkj79jaSc7J5/G4I5Sn4gTuJh70k2Q8wYZ6vDpJSxcQrx5hRhyIHcZkw56K+u3t6+e+9DQqhXl4MOieDr0pbb9V0UHHD/4HpLq6h8x0RbHWwONYQN4dqzTgU4c3kRYOvVDE9pkw9RTe6JEPXwP9rvpgUslPYQ8lhLnY9RLyzeRw832+CVcE+qiVZfPL9fMtPhPpRuUldDEa2AdCyGkyZm02sG7gSBu3kyCdyLm8+Q9kVZQRhEcUrUkI2pJZRI3aH5xj2XVjFrHcxcCWbYa2ZiI4P+WchLH5F4V++Q5IBJhGjM0MK0JD9OpozGUpLZcE5arL1BuLdB1tj6LvcFw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Kk2c6IRokc2sqXI/tn76alG4nDQ13sIFcoy2/5mBZ7I=; b=j4+Kblu/tUJcFaRYFq/oxrF9qYJrrHEbQgeF4tH+//cPjARVqDnTNUM36wSBMPErhKMd2j3OqLPqMtGP3AXv34CqG3486HUAzozKwgEeMpiUXkRq70avaG5u/tvP/495l4E7vRfrxmT6NPSVCLv8qaHqe+pgXsx1rttt581GA1AmIJpmaTGCCGOg66G1SvlZ+nOPYZCTZ14j8Ag45hM2gf9L0tZfZ203ZVjy1IERZzUDb7+yMPuw/0/UsOxjpBDMI/uFVOV7rJATcMKbmAPCDZ4XFffdXTCKMmOrP7bGdQ6U4yNUF9rPCc3BzEvJBbjpL5Q4y14XouhaOQrQNi4bwQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.tcd.ie; dmarc=pass action=none header.from=cs.tcd.ie; dkim=pass header.d=cs.tcd.ie; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.tcd.ie; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Kk2c6IRokc2sqXI/tn76alG4nDQ13sIFcoy2/5mBZ7I=; b=WkzphV/bNS8hHjT1hd8sRZZpKK4XMDm8a0AVkdEPuQPAjI/5e4n6u9/S2x+vtvzHqu12nrMKLukXAbSKWTU0G2xpHVO/I6eR1DgKM7+0KWLbWsHOL8mJd9pWYtDlPhbR0mS4K7IDXUJMIzReW6rX+yn2MP3NqQYnWqJy/LK3AItYlFpzbLn4TT5+wh2PibY/eG3v2qc39ngLnht/UKRsUvdc7otGzE/nPfq3hMHUTwaJJoZRiAak8wduAe6FZgfH5/sMuHBTC8qjlxgygkAuOqRn867zu86ojeqLGPmG605pXHLYqIICSb09Cjy7GGmwixs8j495xnBQ6iGzmrKGow==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cs.tcd.ie;
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15) by AS8PR02MB8592.eurprd02.prod.outlook.com (2603:10a6:20b:54d::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5880.13; Mon, 5 Dec 2022 12:40:36 +0000
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::c025:1133:f726:aa9a]) by DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::c025:1133:f726:aa9a%3]) with mapi id 15.20.5880.014; Mon, 5 Dec 2022 12:40:36 +0000
Message-ID: <a6088d06-7cac-5d1f-cf42-74ce2091b667@cs.tcd.ie>
Date: Mon, 05 Dec 2022 12:40:35 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2
Content-Language: en-US
To: "lake@ietf.org" <lake@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------Vi0n8aCeqXJ0oyOfhSW7kGre"
X-ClientProxiedBy: DB6PR0201CA0028.eurprd02.prod.outlook.com (2603:10a6:4:3f::38) To DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DB7PR02MB5113:EE_|AS8PR02MB8592:EE_
X-MS-Office365-Filtering-Correlation-Id: c238106a-6239-496b-995f-08dad6bde873
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: wezF2ZxzjCpLUyiZQM2TuyJAMfoGLYmyqAI19T3IkS5VmTQmSI5vj/ls7ZHlJbsHwPDjVAGeBdOFqVO0o9b4a3t0U82FKYlFEwPCW3CslhJLglmtFeoX8AaA/BJ/UtAg4V4ldWHKXZaWsG+RfRXVd2CkLPaLL+Om12XEkaddfSZaFnmehwiH3P5lSTMtH5W248uJgGy/tNhwL4HqISpZMF33LVpk/N3MXt9GBOVgrzuMIeD4NuugRNAqSL+3ntbZ6fzXgJdLf24/exMwXkzenMjt443WHf05OdDwGCevhnINd5vJQa7+dQXt5Fht0a2/NKtnUPVCOfaJWkjzrnE/KvYurcyyZsxxzrUVaHCW/y/r5TuSpVzjqd0kKDtgl0Ypr042OU4twC9WxJpoCSR0vMb86sh/kGW7Zn82IyQHypT9M9flgh3an/UYRpmYd+pAmz/Ra8KhWrfYiPGKXmCBtLyuhMFKpdi2SpwrXrMMrKtc/pYhHC8Hh/2EFg+GD2BO5YIPb3h3AHPnD3BD9ohsGT5P0jrTt4R7JHv/5Yegbm6AkJqTnRocgGJZhUBnr3deihWnLO50csMCFZW2KDQ0bYq+B7qVft1h9EqSDDpkq7Biy3bAuUV/yEZHSy8prskmCUXDi/MGtfBtPtIrxgyoYiuYikfN6qEfOoo00f++piRqcqQCT0B2bKEAgRhBJvc0FUZOK+WrcwG9yXEo5hEEPcAOOGITp7uRYOIa/1lYFN8=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB7PR02MB5113.eurprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230022)(4636009)(376002)(39860400002)(396003)(366004)(136003)(346002)(451199015)(66556008)(66476007)(2906002)(8676002)(31686004)(44832011)(66946007)(6486002)(786003)(41320700001)(36756003)(235185007)(316002)(5660300002)(6916009)(31696002)(86362001)(186003)(33964004)(6506007)(6512007)(8936002)(478600001)(38100700002)(83380400001)(21480400003)(41300700001)(2616005)(43740500002)(45980500001); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: I2N0ZcCNv4hYFnVwIrJjY9j+DNqiufNXPdxhyTvPiziRzk0x7GhPaOaISYA6m78a4KEIkapeykoqlEsuugMpR1Z0kJBNvseoFZ6hTMI4GGa50feNbb4vHie/Uj4ut/BCCZu4oy2UOWaY8FMhaNo787uMkgbU6WgcLIu36atEP5mVed2Q+8IbRrsJ+Phz0RXouhJqTRtclh85R1SAbIIC/NUz+jzFnFdMZSIL5gbGeMvZqrRILPt+TQW2Hqi6dOzTNKSJ+7hFLZzCv6y1SB9EtrJM7c0vMVmfl9D6+xKZINatuFhr53vjawrEtHyFa1CtNdw1uSpAhn7A5dH+mI/OeugKoV7RURe8E6D3h981DzMONKe64EDzRRWDyODtSOjjX9/t8G+2u7lcp0JHS44efxj+jDACvhadkY212rafis9BcZuqds7Ck0i1TFLBm+Ozfx6LrNUBK8BvGdfpGQTc084jheoXaZNGyS6yow18ubmAlmcjuaJCuITB623dUCJSmOi3xrfRkPYyVi1KIHRpk+o64FomQbi7q0tldL8zXiYvXyg+3t5p+ryJ41RhJ5AcNr8x4j3zO57DByksgAJrug6w8AniYPtn7Z4IM/8TsId3PL2yvAJmuycvOjU1LSBHiuRC+BK2UL94ESI6b8nxX0cJefiymquP+RWxEFIsYFRU0k4jFYyDscapjgEgo31R/jmCzedNkYVBvBExMKbR4GzQF/92fO0J5MQJIRUy0TQS5J7OPojdSEoj0GAgCpHVT0zVb2TA/cYGBW8+zMRBcRgui5PcZ8/XkkEiBLxSg6g+6zvFlPFGLcvA/TWyMKP7n8AYc0bO2ZcINduUsCIWxxLYIEOX5SA17rEUW/V8jFDuUSgOFL+56FBtiT2/2kh//oF8/lyxtTeyRp+X8V0Jrn/ZEy+6b4fwddrC0Ic6+4b08NkJlBhg2uCyHXYmtKqIJq5M7MJIHP2SbkFa3SDMkU6OrkD+Qo+vMC3z2kl8Odx6954bf8SYivIuqNWTj0aAeMxbZc245YdFu3drkPHb80qV1Yvid8FLndACRj40NXuF6NfPcUBboXe+R+wuw77lyJ+gN39xAYf9veO42nsGEdGxeJi8slGPcytxwgiKVNhZ4tnmGlghjT1RND7Fz8Md0Yf5Z5dPke18ZJNhgn8AK6wPR3fGkxZai6EhEiv6FIfAT2wijn+msXZzpXg2tw8SBNThGrZbsv6M6WLe0F/Ev6d65iS9UkJ3At2FSPzMAGgEXaf3uvnW6sqFph+52BkYUHU1PfrQrHGe9gIJhiDVbODgEn6pbKEe1l63YUl4kIMBv3b/B9lhA3695YuJu9FLxdOf3e/T6DAUZqS5hDHx0ZUAQs0v3534NON1JJW0HwcnD3AXeIZMKtpx1bDcpMdp+Ed77EawRxSdGBwdcM2SItyovph1r0CpiF2qe5Hf1N/e1q3vSjdi+A7wfL3tvb+A8Z4cInpGUpUfiHow6iKEz1IispmvhPID8tDWQ0g0jOB7vItm4CH9sQFeDEW5MGrumHPWfC2W2xJwVD0LthkPwzfwL7jzmWvKY05NvPlvIpXr393Xqm+5jh5r6+t4OmrI71xZxbOuwxf2vg84bDyiYcUaVLK2kePgIhAuR1wYSKlxmEy/Isp0GCC+XHOZKR+o
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: c238106a-6239-496b-995f-08dad6bde873
X-MS-Exchange-CrossTenant-AuthSource: DB7PR02MB5113.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 05 Dec 2022 12:40:36.4180 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: kFCRB3EcPXWVe8GAPNKfBVanjd2QzY/iIwlHKtmyZ1FT+JlbS9Hmix9NGmvUjD4I
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR02MB8592
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/_5eVv4p8epYbA1yls471jqETyTU>
Subject: [Lake] pre-last-call comments on edhoc draft-18
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Dec 2022 12:40:53 -0000
Hiya, While warming up to hit the pub-req button for edhoc I gave draft-18 a full read-through. I have a few non-nit comments (some just questions) and a bunch of nits, all of which are fine to process as part of IETF last call. (IOW, I don't see a need to hold up hitting the pub-req button to handle any of these.) To be clear; these are comments made whilst wearing no hat at all - I'll chat with my co-chair shortly about hitting that pub-req button:-) Lastly - for a 100 page document, this seems entirely credible for implementations that interoperate. That's really quite an achievement, so well done all! Cheers, S. non-nits: 1) 3.5.2, 2nd para: on what basis is rfc5280 a normative ref whilst [I-D.ietf-cose-cbor-encoded-cert] is informative? They seem to be equally required for implementation based on this text. Given [I-D.ietf-cose-x509] is normative, perhaps it wouldn't add delay if both were? 2) 3.5.2: I forget if use of the full DER-encoded X.509 cert was discussed on the list or not? If not, the alternative would have been to use the SPKI which has some slightly different properties that can sometimes be beneficial (potentially easier use of different CAs on each side). I'm not asking for a change here btw, just to check was this discussed on the list. (I see appendix D.2 talks a bit about this.) 3) 5.2.3: what happens if the decode of message_1 fails? (Say due to an unknown suite.) Does EAD_1 get provided to the application? I hope not! Maybe the text after the bullets needs to specify this explicitly? Same for other sections wrt providing EAD to the application (esp EAD_1 and EAD_2). 4) 9.4: As the method field is how we handle breaking changes, do we really want that registry to be specification required? The alternative might be standards action, if we prefer the IESG to be involved in such changes. nits: - section 1.3: this only mentions appendix A - is there a good reason for that or is it just text that's not changed in ages? Probably omitting or including mention of all appendices is better. - section 2, p8 bullet says "Verification of the selected cipher suite." - that puzzled me a bit as I'd have assumed that the transcript hashes provide/cover that validation? If that's the case maybe this bullet could be deleted, if not, be interested in what's meant. - reference to [I-D.ietf-lake-traces]: not really a comment on edhoc, but we should probably ask the WG if we want to hold publication of edhoc as an RFC until the traces work is also done (i.e. create a small cluster for those two in the RFC editor queue). - 3.4.1, 2nd last para: the "MUST" statements here seem a bit bogus in 2119 interop terms. If those are only for emphasis, then s/MUST/must/might be better to avoid other people commenting on this later. - 3.5.3: the two example definitions for ID_CRED_X seem to be introducing a notation "{ 4: kid_x }..." before that notation is defined/referenced. Maybe add at least a forward pointer to 1.3 about such notations? Or, if 1.4 is considered to cover this, then that's fine. (I didn't read all the referred things from 1.4:-) - 3.8: I bet a beer EAD item criticality won't work as planned:-) - 3.8: since zero is used for padding it's not true to say "non-negative" means non-critical. - 3.8: Am I getting this right? If I define a new EAD item "foo" with a codepoint of 17 then sending 17 means non-critical but sending -17 means "treat as critical"? The text isn't quite clear (here) as to whether +x and -x mean the same EAD type, just with different criticality, or, whether +x and -x correspond to independent EAD item types. - 3.8.1: This leaves the reader wondering what is an "appropriate length" of padding? I'm also left wondering what is the point of padding in EAD_1 which is not encrypted? (Is it only useful if there's also some lower layer confidentiality?) - 3.9: "incompliance" - that's a very uncommon word, maybe that'd be better rephrased e.g. s/incompliance/lack of compliance/? - 3.9: it correctly says here >1 transport may be used, but earlier (last para of 3.4 before 3.4.1) it said I and R "need to have agreed on a transport" (note the singular). I'd change or delete the text in 3.4 rather than that in 3.9 probably. - 4.1.1 refers to Figure 8 but that's a few pages ahead and the names of the keys (e.g. PRK_3e2m) aren't intuitive. It'd be good to somehow introduce those names earlier, maybe just by moving Figure 8 earlier, but at least by pointing out the naming scheme (that PRK_2 refers to message 2 and how etc.). In any case, it'd be good to do an editorial pass with the goal of making understanding the key derivation easier for a new reader. (Requiring readers to reverse engineer that seems sub-optimal:-) - 4.1.1/4.1.2 maybe "Extract()" and "Expand()" aren't the best function names? Those probably exist already in lots of libraries. Perhaps "EDHOC_Expand()" etc. would make it easier to map implementations to the spec? Or whatever names are used in current implementations. (I'd also s/EDHOC-KDF/EDHOC_KDF/g to get a name that works for compilers and same for EDHOC-Exporter.) - Figure 8 looks more like a table than a figure:-) - 4.1.3: TEE is used without expansion. - 4.2.1: just checking - there's a lowercase "must" there - is that intentional? (It could be correct as it says "must be unique" which is always tricky:-) - section 5: As a non-implementer, I didn't understand the "MAY contain parameters" sentence there. - 5.1: What's a "session"? I think that's a nit, but wonder a bit if someone's tested/analysed in case there's any odd state that can be reached if a node has forgotten state but receives a message assuming the state is known/stored. It's probably ok though. - 5.1: is "SHALL be processed" right? Maybe just "are processed" is ok? (Just trying to avoid others asking this again, I don't really care myself:-) - 5.3.2: "the length of the protocol" seems to mean "for that session" but neither is that well defined - could this be made more precise? - 5.3.2: The "<<...>>" notation wasn't described so far. (See earlier comment wrt 1.4) - 6.3.2, figure 11: Shouldn't G_X in the 2nd message_1 be G_X' or something to indicate a different DH public value? Is the same C_I meant to be sent in both message_1's or not? - Appendix A.2: This has an RFC2119 SHOULD. If the intent was that none of the appendices had such terms, that'd be wrong, but I'm not sure if that was the intent of the WG. (There are more examples of 2119 terms in appendices.) Might be good to say (e.g. in 1.4) whether or not such 2119 terms are important for implementers who might otherwise ignore 'em. - Appendix C.1 ends with a table (with no label/caption) that doesn't seem to have text describing it anywhere? - Appendix I: This seems to describe an optional to implement thing that has two internal options. I don't see that the text tells me which I ought implement, if I choose to try support long plaintexts. The problem is indicated by the paras beginning "A potential work-around..." and the following one starting "Another solution..." I read those as two different ways to handle long plaintexts.) - Appendix J: If you do s/EDHOC-KDF/EDHOC_KDF/ then I guess you'll also do s/EDHOC-KeyUpdate/EDHOC_KeyUpdate/ maybe. - Acks: Sad to say it, and I'm not sure which is best, but maybe consider s/Jim Schaad/the late Jim Schaad/? Hard to know how to phrase that well though:-(
- [Lake] pre-last-call comments on edhoc draft-18 Stephen Farrell
- Re: [Lake] pre-last-call comments on edhoc draft-… Göran Selander
- Re: [Lake] pre-last-call comments on edhoc draft-… Göran Selander
- Re: [Lake] pre-last-call comments on edhoc draft-… Göran Selander