Re: [Lake] EDHOC Implementation Considerations for parameters

Marco Tiloca <marco.tiloca@ri.se> Wed, 21 February 2024 10:54 UTC

Message-ID: <52dee43a-e77c-4049-baaa-10d0dedbfcea@ri.se>
Date: Wed, 21 Feb 2024 11:53:53 +0100
To: "Sipos, Brian J." <Brian.Sipos@jhuapl.edu>, "lake@ietf.org" <lake@ietf.org>
References: <2815c672c19842738631571bca6bbae7@jhuapl.edu>
From: Marco Tiloca <marco.tiloca@ri.se>
In-Reply-To: <2815c672c19842738631571bca6bbae7@jhuapl.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/aU7Zxxe1tJUYMCzkC9zGQfsl1mQ>
Subject: Re: [Lake] EDHOC Implementation Considerations for parameters
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>

Hello Brian,

On 2024-02-20 16:10, Sipos, Brian J. wrote:

> All,
>
> I’ve been looking through the EDHOC Implementation Considerations 
> draft [1] and there is a lot of very valuable information in there, 
> especially around the notion of side processing.
>

==>MT

Thanks a lot for your interest and support!

<==

> (As a secondary question, was there a source for this term “side 
> processing” or was it created for this document?)
>

==>MT

I've just made the term up and started using it. It seems to have worked 
well :-)

<==

> One thing in EDHOC that I am trying to reconcile with an integration 
> in a new environment is how to express/agree/negotiate precondition 
> parameters (like Method [2]) to be able to actually invoke EDHOC 
> procedures and expect them to succeed with a should-be-interoperable 
> but external peer.
>
> I see in the OSCORE integration document there is a specific listing 
> of available EDHOC parameters [3] that an endpoint can express to help 
> a peer choose what to offer in the first EDHOC message that will have 
> a good chance to succeed. Does it make sense to cover the same needed 
> parameters in a less integration- or transport-specific way in the 
> Implementation Considerations doc? Even just having a list of “these 
> are the things that must or can be expressed before starting an EDHOC 
> procedure to ensure it will complete successfully …” would, I think, 
> be helpful to implementors.
>

==>MT

Yes, it does make sense that two peers can coordinate early on a set of 
parameters that sets the ground for a successful EDHOC execution.

In practice, this is about the two peers coordinating on the EDHOC 
application profile to use (see Section 3.9 of [2]), based on their 
mutual support and preference.

As you notice, a first step in that direction was taken in [3]. As you 
also notice, that approach specifically considers link target 
attributes. Those are used to convey "individual parameters" in 
weblinks, and thus the corresponding support on the side of a CoAP 
server acting as EDHOC peer.

A different, but still setup-specific approach is used in another 
document at [4], which defines the EDHOC and OSCORE transport profile of 
the ACE framework for access control. In this case, an Authorization 
Server (AS) issues an Access Token to a Client for accessing protected 
resources at a Resource Server (RS). The Client and the RS will act as 
EDHOC Initiator and Responder, respectively, and the AS also provides 
the Client with information that describes what the RS supports as an 
EDHOC peer. This builds on a dedicated EDHOC_Information object (see 
Section 3.4 of [4]).


Since you are rightly asking about a possible setup-independent 
approach, we have actually started to work in that direction, and you 
may be interested to check the document at [5].

In fact, the document introduces more general means for coordinating on 
the supported EDHOC application profiles, and it especially defines two 
coordination means:

* The registration of pre-defined EDHOC application profiles, identified 
by an integer number.

* A canonical CBOR data item that can be used to describe an EDHOC 
application profile.

As to the actual distribution of this information, so far it has looked 
better to leave freedom about exactly how it can happen.

For example, if what an EDHOC peer supports is described in one such 
CBOR data item or just referenced by an integer pointing to a registered 
application profile, this information can be: retrieved as a result of a 
more general discovery process; or retrieved/provided during the 
retrieval/provisioning of that peer's public authentication credential; 
or obtained during the execution of a device on-boarding/registration 
workflow.

We plan to submit a revised version -01 of [5] before the next cut-off 
deadline, and we certainly welcome more feedback and input!

Thanks,
/Marco


[4] https://datatracker.ietf.org/doc/draft-ietf-ace-edhoc-oscore-profile/

[5] https://datatracker.ietf.org/doc/draft-tiloca-lake-app-profiles/

<==

> Thanks for your feedback,
>
> Brian S.
>
> [1] https://www.ietf.org/archive/id/draft-tiloca-lake-edhoc-implem-cons-01.html
>
> [2] https://www.ietf.org/archive/id/draft-ietf-lake-edhoc-23.html#section-3.2
>
> [3] https://www.ietf.org/archive/id/draft-ietf-core-oscore-edhoc-10.html#section-6
>

-- 
Marco Tiloca
Ph.D., Senior Researcher

Phone: +46 (0)70 60 46 501

RISE Research Institutes of Sweden AB
Box 1263
164 29 Kista (Sweden)

Division: Digital Systems
Department: Computer Science
Unit: Cybersecurity

https://www.ri.se
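
Added example, not part of the e-mail above nor of any of the cited drafts. It shows, in Python, the kind of pre-flight check the thread is about: the Initiator takes the peer's advertised EDHOC application profile, given either as an integer naming a registered profile or as a small self-describing CBOR map (the two coordination means Marco lists), and derives the Method, SUITES_I and credential type it should use in message_1, refusing to start when there is no overlap. The registry integers, the map keys 1/2/3 and the field names are invented for this example; the Method values and cipher suite numbers are those registered by RFC 9528, and the SUITES_I rule (preference list truncated after the selected suite) is from RFC 9528 Section 5.2.2. The CBOR codec is a deliberately small subset of RFC 8949 written for this example, not a substitute for a real library.

```python
"""Added example (not from the e-mail above or from any cited draft).

An EDHOC Initiator uses a peer's advertised application profile, given
as an integer naming a registered profile or as an inline CBOR map, to
pick Method, SUITES_I and credential type before sending message_1.
The registry numbers, the map keys 1/2/3 and the field names are
hypothetical; Method values 0..3 and cipher suite numbers 0..3 are the
ones defined in RFC 9528.
"""

# ---- minimal CBOR (RFC 8949) subset: unsigned ints, tstr, arrays, maps,
# ---- with values and lengths below 256. Enough for a small profile map.
def _head(major, n):
    assert n < 256, "subset: values and lengths below 256 only"
    return bytes([(major << 5) | n]) if n < 24 else bytes([(major << 5) | 24, n])

def cbor_encode(v):
    if isinstance(v, int) and v >= 0:
        return _head(0, v)
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(
            cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError("subset encoder: unsupported value %r" % (v,))

def _decode_at(d, i):
    major, ai = d[i] >> 5, d[i] & 0x1F
    i += 1
    if ai < 24:
        n = ai
    elif ai == 24:
        n, i = d[i], i + 1
    else:
        raise ValueError("subset decoder: additional info %d" % ai)
    if major == 0:
        return n, i
    if major == 3:
        return d[i:i + n].decode("utf-8"), i + n
    if major == 4:
        out = []
        for _ in range(n):
            x, i = _decode_at(d, i)
            out.append(x)
        return out, i
    if major == 5:
        out = {}
        for _ in range(n):
            k, i = _decode_at(d, i)
            out[k], i = _decode_at(d, i)
        return out, i
    raise ValueError("subset decoder: major type %d" % major)

def cbor_decode(data):
    v, end = _decode_at(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return v

# ---- HYPOTHETICAL registry of pre-defined profiles (integers and field
# ---- set invented here). "cred_types" = credential types the peer can
# ---- process from the other side; the strings are mere labels here.
REGISTERED_PROFILES = {
    1: {"methods": [3], "suites": [2], "cred_types": ["x5chain"]},
    2: {"methods": [0, 3], "suites": [0, 2, 3], "cred_types": ["x5t", "x5chain"]},
}
# HYPOTHETICAL map keys for the inline CBOR description.
K_METHODS, K_SUITES, K_CRED_TYPES = 1, 2, 3

def profile_to_cbor(p):
    return cbor_encode({K_METHODS: p["methods"], K_SUITES: p["suites"],
                        K_CRED_TYPES: p["cred_types"]})

def profile_from_advert(advert):
    """advert: int (registered profile) or bytes (inline CBOR map)."""
    if isinstance(advert, int):
        return REGISTERED_PROFILES.get(advert)  # None if unknown to us
    m = cbor_decode(advert)
    return {"methods": m[K_METHODS], "suites": m[K_SUITES],
            "cred_types": m[K_CRED_TYPES]}

def plan_message_1(caps, advert):
    """Pick Method, SUITES_I and credential type from the Initiator's own
    capabilities (each list in decreasing preference) and the peer's
    advertised profile. Returns {"error": ...} if message_1 is pointless."""
    peer = profile_from_advert(advert)
    if peer is None:
        return {"error": "unknown registered profile"}
    method = next((m for m in caps["methods"] if m in peer["methods"]), None)
    if method is None:
        # EDHOC has no in-protocol Method negotiation: a hard stop.
        return {"error": "no common method"}
    idx = next((i for i, s in enumerate(caps["suites"]) if s in peer["suites"]), None)
    if idx is None:
        return {"error": "no common cipher suite"}
    cred = next((c for c in caps["cred_types"] if c in peer["cred_types"]), None)
    if cred is None:
        return {"error": "no common credential type"}
    # SUITES_I: the Initiator's preference list truncated after the selected
    # suite, which is therefore its last element (RFC 9528, Section 5.2.2).
    return {"method": method, "suites_i": caps["suites"][:idx + 1], "cred_type": cred}

if __name__ == "__main__":
    caps = {"methods": [3, 0], "suites": [2, 0, 3], "cred_types": ["x5t", "x5chain"]}
    inline = profile_to_cbor({"methods": [0], "suites": [0, 3], "cred_types": ["x5chain"]})
    print(inline.hex())
    print(plan_message_1(caps, 1))       # registered profile reference
    print(plan_message_1(caps, inline))  # inline CBOR description
    print(plan_message_1(caps, 7))       # unknown registry entry
```

The Method check is the one that matters most: a Responder can reject a cipher suite in-protocol (EDHOC error code 2 carries SUITES_R, at the cost of an extra round trip), but there is no in-protocol recovery from an unsupported Method or an unusable credential type. Those are precisely the parameters worth learning up front, whether through link target attributes, an EDHOC_Information object, or a profile reference as in this example.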