IETF Logo Mail Archive

Re: [Lake] spt review of echoc-12

Sean Turner <sean@sn3rd.com> Tue, 01 February 2022 04:02 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D6A13A1122 for <lake@ietfa.amsl.com>; Mon, 31 Jan 2022 20:02:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GQ2Xmhp_q6Zl for <lake@ietfa.amsl.com>; Mon, 31 Jan 2022 20:02:53 -0800 (PST)
Received: from mail-qk1-x72b.google.com (mail-qk1-x72b.google.com [IPv6:2607:f8b0:4864:20::72b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 944953A1120 for <lake@ietf.org>; Mon, 31 Jan 2022 20:02:53 -0800 (PST)
Received: by mail-qk1-x72b.google.com with SMTP id o12so14077071qke.5 for <lake@ietf.org>; Mon, 31 Jan 2022 20:02:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=FrGgX+SaPCd7XOCkf/CkcH8AuBzxEGJ+1v3b3A4Epho=; b=ienIPEGw0Ca++z+ICJlrnGQLJlZx1Dxz3Uzm/lM74M0XAiuTuIezyswRYWB6MrmJ0V 5hcdZCG50Dzgnu7EiMUIf+CSnngkJiLAqZV8spIAbeK0gdQb+3aaJqScKBDYHnnKxoWL XdeT1GCNkcrX5RP+yqzibcNOO4jZDB7fLeiv0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=FrGgX+SaPCd7XOCkf/CkcH8AuBzxEGJ+1v3b3A4Epho=; b=FJaKe6XQHQ71LnsBW9cOxuCfYXqhJR4boc4DGc2pvwJVy3SWQWTumWAE2x5VxWVwVb nJF1vRIIGnpQKfQ2YoS+tvM9tQfsjyvgbGdwHROXLCC96Kogk1gqMTlhl/4mpHx1Pte9 hGDGrnA68k8i/4geHMeKdw9zFZZn9p8GFWjHbcMExisLRFuOn67cMwdiwQ4txqzPENhZ mCYCJqYhxscF8Z4f27xiw7ocp3ZBF5o1eIlKTfMbvHhtTg/hjkr5hXy09I63EG6NOpC8 QzgUvkVvjOCnGMuv2Kv9eaigIsMu2blAzQG+7SUlAkjifCWnkldJeIay014pV1P1OA9c 7MhQ==
X-Gm-Message-State: AOAM532HkcidvnwdROYrnv/aSuEdSPe/4lqwxXjUfazQ+KlBdz2oFhNn 2B61eqlsyW4sHqEsWUla/C9V0Q==
X-Google-Smtp-Source: ABdhPJxDUlAvRZebf7bJrqVn7FEF2vZxpaFsKKXAyroqAAgnPpUf53W29/UHcf39JFen3VTuXE4Qjw==
X-Received: by 2002:a05:620a:cf2:: with SMTP id c18mr15423917qkj.679.1643688171546; Mon, 31 Jan 2022 20:02:51 -0800 (PST)
Received: from smtpclient.apple (pool-71-178-177-131.washdc.fios.verizon.net. [71.178.177.131]) by smtp.gmail.com with ESMTPSA id 13sm9649572qtz.87.2022.01.31.20.02.50 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 31 Jan 2022 20:02:50 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <AM4PR0701MB21957F2B4E38F11C2D5519DCF4779@AM4PR0701MB2195.eurprd07.prod.outlook.com>
Date: Mon, 31 Jan 2022 23:02:49 -0500
Cc: LAKE List <lake@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <AE56D52D-9883-4137-B813-A5DEB500204A@sn3rd.com>
References: <1B6DD418-03D8-4B78-9C26-3C821DF2DB9E@sn3rd.com> <AM4PR0701MB21957F2B4E38F11C2D5519DCF4779@AM4PR0701MB2195.eurprd07.prod.outlook.com>
To: Göran Selander <goran.selander@ericsson.com>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/rC3OwLdD0fO6EEx8Lnh3k1zXUV8>
Subject: Re: [Lake] spt review of echoc-12
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Feb 2022 04:02:59 -0000

Hi I pruned out the “done” ones and removed them from this response. I wanted to close the loop on some of the others, which frankly mostly appeared to be my misunderstanding.

> On Jan 11, 2022, at 03:55, Göran Selander <goran.selander@ericsson.com> wrote:
> 
> s3.2/s3.5.2 (question): Smarter people than I have devised plans to allow mixing of different METHODs. How does this impact the key usage extension present in certificates? In other words, are METHODS 1 and 2 suggesting that a DS and DH key be used together and does that violate any kind of restrictions on the key usage settings for certificates?
>  
> [GS: Note that the METHODs are not mixed, and that a given METHOD has fixed authentication method for each endpoint (i.e. Initiator authenticate in one way, R in another). Since there is a fixed authentication method in each direction I don't think this causes any problem: Key usage remains well-defined for each peer. Or perhaps I misunderstood the comment?
> ] 

Nope that explains it.

> [GS: firsta a preliminary note on 3.5; Stephen's review included a proposal to shorten this section and issue #223 also comments on this section, so there will be subsequent changes besides what is proposed here]

Okay I can re-review when it’s shortened up.

> s3.5.1, 1st bullet (question): This seems like the “mixing” discussed in s3.2, relies on the identity provide in the certificate?
> 
>     The certification path provides proof that the
>     subject of the certificate owns the public key in the certificate.
> 
> [GS: I didn't understand this comment. As mentioned in the response to the comment on s3.2, mixing is not with respect to a single endpoint. With that in mind, does the comment still apply?
> ]

I think you can safely ignore this one ;)

> s3.5.3 (question): EDHOC seems to assume you only provide the reference for the initiator's/responder’s. Was there any thought it to providing references for the rest of the certification path up to but not including the Root CA’s certificate? I mean technically they can also be in there certificate provided so not necessarily needed.
> 
> [GS: I'm not sure I understand the comment. I assume the question is aboutinitiator's/responder’s *end-entity certificate* (since you speak of "the rest of the certification path" in the next sentence). Note that references can be to the entire certificate chain, see x5u in:
> https://cose-wg.github.io/X509/draft-ietf-cose-x509.html#name-x509-cose-header-parameters
>  
> (Incidently, this third option is missing from the latest submitted version of that draft!)
> ]

I was thinking about how CMS has a bag of certs and how S/MIME says send up to but not including the root. The x5u, as you noted, serves the same purpose. You can safely ignore this comment.

> s3.8 (comment): Wow .. so you can send in the CSR in EAD, if it works then you can use the cert in the later messages (e.g., kind of like EAP)? Sure hope there’s no kind of CSR-related error. And, you know that the CA gets to decide the name right. Sorry just trying to digest it all.
> 
> [GS: We discussed this in the LAKE interim where you participated, but just for the record: Yes, the intent is to be able to send CSR in EAD. This is expected to be detailed in an accompanying specification. One example would be the enrolment of an "operational" certificate as an add-on to initial authentication, the authentication of which could be performed using a manufacturer certificate included in the device from factory.
> ]

Yeah I remember I was there. As long as your consider what to do when you get an enrollment error this will be fine to do.

> 
> s5.2.1, s.5.3.1, s5.4.1, s5.5.1 (nit): is the “,” before the closing bracket right? e.g.,
> 
> OLD:
> 
>     ? EAD_1 : ead,
> }
> 
> NEW:
> 
>     ? EAD_1 : ead
> }
> 
> [GS: This is accepted by CDDL syntax so we kept it for simplicity. Previously I used to trim off these last commas, but when we changed order of parameters or added parameters we always forgot some comma. Less so if all lines end with one. I propose to keep this unless someone has a strong opinion not to.
> ]

I’d leave it if it works. No strong objection on my part.
> s6.2 (nit): It’s really more “Freeform” than unspecified right? I mean the string is required so it’s definitely not unspecified per se.
> 
> [GS: Hmm. The error format is specified but the actual error is not specified. I changed to "Unspecified Error", is that better?
> ]

Yes I think that’s a better way to describe it.
> s6.3.2/s5.2.1 (nit): Might be worth noting earlier that SUITES_R is not important.
>  
> [GS: I guess you mean that *the order of suites* in SUITES_R is not important, right? :-) This is noted at the end of section 6.3.0 (i.e. before 6.3.1) which is the paragraph where SUITES_R is introduced, so couldn't really be noted earlier unless we also move the description of SUITES_R. But I made that statement into a standalone paragraph to highlight that it applies to all cases when SUITES_R is used: "In contrast to SUITES_I, the order of the cipher suites in SUITES_R has no significance."
> ]

And there I missed it ;)

>  s8 (question): Isn’t some kind of consideration needed to address the use of PSKs shared by more than two? See RFC 8773 for some considerations wrt to group key sharing and that sharing impact on authentication.
> 
> [GS: I didn't understand this comment. PSK is explicitly out of scope of EDHOC (only mentioned when that is stated). Were you thinking of group communication protected with OSCORE? In that case, EDHOC is not used but there is the body of work in ACE including draft-ietf-ace-key-groupcomm-oscore.
> ]

You’re confused. I think it was me. You can safely ignore this one.

Cheers,
spt

v2.23.0 | Report a Bug | By Email