Re: [Lake] [core] 🔔 Working Group Last Call (WGLC) of draft-ietf-core-oscore-edhoc-06

John Mattsson <john.mattsson@ericsson.com> Tue, 28 February 2023 11:54 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Christian Amsüss <christian@amsuess.com>, Carsten Bormann <cabo@tzi.org>
CC: "core@ietf.org" <core@ietf.org>, "lake@ietf.org" <lake@ietf.org>
Thread-Topic: [core] [Lake] 🔔 Working Group Last Call (WGLC) of draft-ietf-core-oscore-edhoc-06
Thread-Index: AQHZQY5YRsBTvteTik+FyC2pDZdakq7f9z/wgADqfQCAAABEuA==
Date: Tue, 28 Feb 2023 11:54:02 +0000
Message-ID: <HE1PR0701MB3050C697D14B8B87B002092C89AE9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
References: <F02C5E48-A196-45EC-8576-6BC67EC26AD3@tzi.org> <Y+1b4qX6Ya7BCbvk@hephaistos.amsuess.com> <7A07B432-3DD7-4517-B22D-C5C58E9910E6@tzi.org> <HE1PR0701MB3050C70FC1FE5487A9F4D8A489A99@HE1PR0701MB3050.eurprd07.prod.outlook.com> <DD9413CD-9613-4991-9402-B6F385B979A3@amsuess.com>
In-Reply-To: <DD9413CD-9613-4991-9402-B6F385B979A3@amsuess.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/cEae0RYsgBAsT0xmNe-6R5BX9Bc>

> describing factual impossibilities. (If EDHOC errs, no OSCORE context gets created

I don’t think this is a factual impossibility. This is exactly what TLS 1.3 does, and my understanding was that this could be done with EDHOC as well. There are two different types of things that can go wrong in EDHOC. One is parsing errors, so you cannot derive keys, and then there are authentication errors (X.509 identity not authorized, X.509 cert expired, X.509 issuer not trusted, certificate revoked, database offline, OCSP server offline, etc.).

My view was that you could derive OSCORE keys in EDHOC even if authentication fails but I don’t have a strong opinion.
What is possible in EDHOC and in draft-ietf-core-oscore-edhoc are different things. EDHOC could allow this and draft-ietf-core-oscore-edhoc could forbid it. But whatever the answer is, it needs to be clear. If EDHOC would forbid this, draft-ietf-core-oscore-edhoc does not need to state the same thing. Currently I don’t think it is clear in either document.

John

From: Christian Amsüss <christian@amsuess.com>
Date: Sunday, 26 February 2023 at 08:18
To: John Mattsson <john.mattsson@ericsson.com>, Carsten Bormann <cabo@tzi.org>
Cc: core@ietf.org <core@ietf.org>, lake@ietf.org <lake@ietf.org>
Subject: Re: [core] [Lake] 🔔 Working Group Last Call (WGLC) of draft-ietf-core-oscore-edhoc-06
On 25 February 2023 18:21:59 CET, John Mattsson <john.mattsson@ericsson.com> wrote:
>- The document is not clear on if you can send back an EDHOC error over OSCORE or not. It should be.
No objection to being explicit, just please make sure not to use normative language when describing factual impossibilities. (If EDHOC errs, no OSCORE context gets created -- but a MUST NOT would be yet another statement oscore-proxies would need to revise to enable nested operation).

BR
c
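The distinction John draws above, between errors that occur before any key material exists (parsing failures) and errors that occur after it (authentication failures), decides whether an error message could even be protected. The following is an added illustration of that distinction and is not code from the thread, from the EDHOC specification or from draft-ietf-core-oscore-edhoc. The message layout, the `process_message` pipeline and the `derive_key_material` stand-in (an HMAC-SHA256 construction, not EDHOC_KDF) are hypothetical; the inputs are constructed. Whether a protocol or profile should permit sending an error over a context derived this way is the policy question the thread leaves open; the model only shows where the capability differs.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ErrorStage(Enum):
    PARSE = "parse"   # message could not be decoded; no keys can be derived
    AUTH = "auth"     # message decoded and keys derived, but peer not authenticated


@dataclass
class Outcome:
    ok: bool
    stage: Optional[ErrorStage]
    key_material: Optional[bytes]   # None if the failure happened before derivation
    reason: str


def derive_key_material(shared_secret: bytes, transcript_hash: bytes) -> bytes:
    """Stand-in key derivation (hypothetical; NOT EDHOC_KDF).

    Binds the output to the ephemeral shared secret and the transcript so far,
    which is the point at which a real exchange would have key material
    regardless of whether authentication later succeeds."""
    return hmac.new(shared_secret, b"toy-master-secret|" + transcript_hash,
                    hashlib.sha256).digest()


def process_message(msg: dict, trusted_issuers: set, shared_secret: bytes) -> Outcome:
    """Hypothetical responder-side pipeline: parse -> derive keys -> authenticate."""
    # Stage 1: parsing. A malformed message stops here, before any key exists.
    transcript = msg.get("transcript_hash")
    cert = msg.get("cert")
    if not isinstance(transcript, bytes) or not isinstance(cert, dict):
        return Outcome(False, ErrorStage.PARSE, None, "malformed message")

    # Stage 2: key derivation. Depends only on the ephemeral exchange and the
    # transcript, so it can be done before the peer's identity is checked.
    km = derive_key_material(shared_secret, transcript)

    # Stage 3: authentication. Each of these failures leaves km in hand.
    if cert.get("issuer") not in trusted_issuers:
        return Outcome(False, ErrorStage.AUTH, km, "issuer not trusted")
    if cert.get("expired", False):
        return Outcome(False, ErrorStage.AUTH, km, "certificate expired")
    if cert.get("revoked", False):
        return Outcome(False, ErrorStage.AUTH, km, "certificate revoked")
    return Outcome(True, None, km, "authenticated")


def can_protect_error(outcome: Outcome) -> bool:
    """True when an error exists AND key material exists to protect it with.
    Whether a profile *allows* doing so is a separate policy decision."""
    return (not outcome.ok) and outcome.key_material is not None


# Constructed sample inputs (not captured traffic).
SHARED_SECRET = hashlib.sha256(b"constructed ephemeral DH output").digest()
TRUSTED = {"Example Root CA"}
TRANSCRIPT = hashlib.sha256(b"constructed transcript of earlier messages").digest()

MALFORMED = {"transcript_hash": "not bytes"}                     # parse error
UNTRUSTED = {"transcript_hash": TRANSCRIPT,
             "cert": {"issuer": "Unknown CA", "expired": False}}  # auth error
EXPIRED = {"transcript_hash": TRANSCRIPT,
           "cert": {"issuer": "Example Root CA", "expired": True}}
GOOD = {"transcript_hash": TRANSCRIPT,
        "cert": {"issuer": "Example Root CA", "expired": False}}


def classify_all() -> dict:
    """Run every constructed message and report stage and protectability."""
    result = {}
    for name, msg in (("malformed", MALFORMED), ("untrusted", UNTRUSTED),
                      ("expired", EXPIRED), ("good", GOOD)):
        o = process_message(msg, TRUSTED, SHARED_SECRET)
        result[name] = (o.stage, can_protect_error(o))
    return result


if __name__ == "__main__":
    for name, (stage, protectable) in classify_all().items():
        print(f"{name:10s} stage={stage} error_protectable={protectable}")
```

Run as a script it prints one line per constructed message; the malformed one is the only case with no key material, while both authentication failures have keys available even though the peer was rejected.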