Re: [Lake] 1 week 2nd WGLC on requirements and scoping text

Göran Selander <> Tue, 02 June 2020 13:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3B1A63A0971 for <>; Tue, 2 Jun 2020 06:49:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id AmitBCNec-02 for <>; Tue, 2 Jun 2020 06:49:00 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 224DF3A0963 for <>; Tue, 2 Jun 2020 06:48:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=ZbSklM340/npP9YuSgJPN2Nw13psB4ir64AaVxUF3lSP1jE+Q1rIhl0RYrimjOK+cEiO85AWYX7XPwdW/VIqc7ebj5O5E411uf2fFcGsz4n+xEAt1bufOquYdZc4tnMn2rdwqImCTXJ/ymBvKY2qA8OkV546yBOlpA/mqpX9GINzpCiCecKHC3twlzxkPiJfYQpVpMq3eXogrpGXlufu/FaD7466ZICzt8Oa8P1m1NG2LZjjM/IC4JAJZyIPxyYK/+UMr80zorjwZ+QaMFZYt6InpDrwt6WrKIbKBh5zLUeUQ9vXd0lT+Zlw50SEy6KdNHwyPqFvKpbinMn8qppDzQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jqSiW55bZaD5Is1zfv5nSNOXnjpsOUjEZfs+S03yImo=; b=DwyXvYBAHroWwrfMu+ZoVm1V+ZlQJU3wx1qwEgY2Xa1jDlzFdp/cRJuwvUab2CqWvEeXaMolpktgW0xW89hbZsfGuyI1NUFE8jOZiiJnJwWYO9wPvvSUo6aaV0ayh6GKQ5FEFwd1gpe29skk4ma1WSt9wPCRY6u7Csto6a0JY00Uf8wogwZZ5lW7KLJgczGeRmq3IQbpE6hJIJhAziup5CNB4gm5ypCUtJjsvEZ2q9kkRSTk3bakRYLDPEWdFutzBSJhzK/rnmwGoQexYUP+zUrSYyWykrvwOhDx38mpOHSCbeBrhpxxYH8aYcOwue0DM7W4knADQUOPUVKMfqMm0w==
ARC-Authentication-Results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jqSiW55bZaD5Is1zfv5nSNOXnjpsOUjEZfs+S03yImo=; b=t4oznAfKaFzVfRx5qsEuZ6Ukytw419ncv1+bL2Sr97Jrc1of8pebMPS4XnhnPptx9b1A8lZJaa+toLFWnjRIGPdA0gQdh3jQc/sHaMrz1OqBorb0b4XjtJVMu8KY4bvTC04SKctFc9vOBsXFmiEykoXyD0i4i7SyYEcw+9MZfIc=
Received: from (2603:10a6:20b:1bf::11) by (2603:10a6:20b:1b1::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3066.7; Tue, 2 Jun 2020 13:48:57 +0000
Received: from ([fe80::55ba:3006:67fc:f931]) by ([fe80::55ba:3006:67fc:f931%7]) with mapi id 15.20.3066.017; Tue, 2 Jun 2020 13:48:57 +0000
From: =?utf-8?B?R8O2cmFuIFNlbGFuZGVy?= <>
To: Eric Rescorla <>
CC: Stephen Farrell <>, "" <>
Thread-Topic: [Lake] 1 week 2nd WGLC on requirements and scoping text
Thread-Index: AQHWOOSQ85smp24+gkmc2pYPqy7Lbg==
Date: Tue, 2 Jun 2020 13:48:57 +0000
Message-ID: <>
Accept-Language: en-US
Content-Language: en-GB
user-agent: Microsoft-MacOutlook/16.37.20051002
authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 37823fd1-1537-4e61-4c55-08d806fbb2b7
x-ms-traffictypediagnostic: AM7PR07MB6931:
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0422860ED4
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Z+15gDSTZciRkU1Nc5TF1zrPuOLBHO2hCER7mPu/hvZYMt9J+PjfJ4OD+RsEUovsxJrfUNFPqOasFR8+4g75Jx+rm5dm9/mklyrV5uBmZAqndJyaMrfpsG5oMlJb7zn5XvmoDXilz9S9/NjOLM6woW4DpPL0+wumwtGpstp/1lP00SuF+q25c1XYPYLcaX2Q0S1RRo4T+yb63uzoCEcKPz5wgQbEA0r7R2vrZxW0XRGA0gauW/XSUKrjxrDsSl65pcoKu/9UUzVLnite9PxYHs37M6VVcM9etaw9w1f3JHlD05JvNkmCwXuGOATS50o81sMPt9pOY9Pqtv7a8Pk0N1DNElUfJ8cRbnPNtnfNUgGyrOlzGdwNgreyexyl/BGJabG+V1K1FE3vxaIZD7iPfQ==
x-forefront-antispam-report: CIP:; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM;; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(376002)(39860400002)(396003)(346002)(366004)(136003)(71200400001)(2906002)(186003)(6506007)(26005)(2616005)(8936002)(8676002)(54906003)(86362001)(966005)(478600001)(316002)(36756003)(85202003)(166002)(6512007)(6486002)(66574014)(83380400001)(4326008)(66556008)(64756008)(66476007)(66946007)(6916009)(66446008)(85182001)(91956017)(76116006)(33656002)(5660300002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: fC7/p9qA7F1ZDIAcZY7zZ9lkTfW3jmawkM4S2MsJ9jqicywPZ5yeancab6U5b8k6kDqfwRLzBk2nmWiB8d0ROYh7V3CsmIz2EKfunugxAm65OdKxmn8z35P41CvF5k2gb0P/YPrxxnHL58LmM47HVAMvoAVF6GweoVmJ6bUTnLe/fLwX79/O0q7XLQaMm0SdSFni1GR59AQ1PvSNYD15ye9eufG4CJN5cR6ax14SUDyoys/m26fYvaDH5BY08/xu/PGJX3kBVO9bvxR8oul3XwzLcgvR7yhu2mxb1sYfCDILhVPnzEFYZYQCnWDnHQJ2fPPr4b/RuTgb+8a9rCD5XX+6X43N8mVxR/B+r+eJn86evoawkG3+DZk8g4f1GduZGkAshZz2e2WM9I66GAGBhOlnPZ13GF2Pe035fkJFOrKFxWTdTpGpzEQHTf8VNxARd9QYFAiqZoYzPfLSVUPi5sUzkQPwkqc+OM/t3HFy710=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_10CCD34810E6400A81E3253475C97250ericssoncom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 37823fd1-1537-4e61-4c55-08d806fbb2b7
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jun 2020 13:48:57.6924 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: OoJF7BpKj+V+294DsCLn16QypoE0isO22VyiMd0Kt8GqpJOFqI7xHr73DU5dUkGjNzor/qkDWGIHLC5SQn42ZWoJIm+YyZIfnBe3C5iraUE=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR07MB6931
Archived-At: <>
Subject: Re: [Lake] 1 week 2nd WGLC on requirements and scoping text
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Jun 2020 13:49:02 -0000

From: Eric Rescorla <>

The scoping text added was:

   As illustrated above, the setting is much more diverse
   in terms of credentials and trust anchors than that of
   the unconstrained web.  In order to deliver a timely
   result, there is a need to initially focus on what is
   considered most important at the time of writing: RPK
   (by reference and value) and certificate by reference.
   Information about validity of a certificate may be
   omitted from the AKE if available over unconstrained
   links.  The case of transporting certificate validation
   information over the AKE may be specified in the initial
   phase if there is a lightweight solution that matches
   existing standards and tools.

   A subsequent extension beyond the initial focus may be
   inevitable to maintain a homogenous deployment without
   having to implement a mix of AKE protocols, for example,
   to support the migration path described above.  The AKE
   needs to make clear the scope of cases analysed in the
   initial phase, and that a new analysis is required for
   additional cases.


It's not clear how to read this in the context of other parts of
the document, for instance:
which says:

   In order to allow for these different schemes, the AKE must support

   PSK- (shared between two nodes), RPK- and certificate-based

   authentication.  These are also the schemes for which CoAP is

   designed (see Section 9 of [RFC7252]<>)9>).

How is one supposed to interpret this text?

[GS] Since OSCORE is an extension to CoAP it is expected to support the schemes for which CoAP is designed. But in the discussion following the virtual IETF 107 LAKE WG meeting we restricted the initial focus, leading to the addition of section 2.2.1 and the following text in the paragraph after the one you quoted:

”In order to provide a clear initial effort, Section 2.2.1<> lists a set of credential types of immediate relevance; the mechanism for selecting credential scheme is presumed to enable future extensibility if needed.”

The ability to extend beyond the initial focus is also repeated in the text from Section 2.2.1 which Stephen quoted in his mail:

”A subsequent extension beyond the initial focus may be inevitable to maintain a homogenous deployment without having to implement a mix of AKE protocols, for example, to support the migration path described above.”

Yes, my point is that these three paragraphs together contradict each other. One says the AKE MUST support PSK and the other says it's not part of the initial focus. Does that mean that the AKE as published will or will not support PSK?

[GS] The AKE which we will start work on will not include the PSK ECHDE variant. The process for how to include that variant is as far as I know not defined, but it must be possible to extend to that variant at a later stage given that the appropriate analysis etc. is made.