[Lake] Call for adoption for draft-selander-lake-edhoc - decision

[Mališa Vučinić <malisa.vucinic@inria.fr>]

Dear all,

Thank you for expressing your views on the topic of adoption of the EDHOC draft (draft-selander-lake-edhoc) by the LAKE working group. We have noted valid arguments both in favor and in objection to the call for adoption.

We noted the support of quite a number of participants who work with OSCORE implementations and/or plan on implementing EDHOC, or have their implementations under way. We also noted a significant amount of work, 14 documents referencing OSCORE (RFC8613) normatively and 18 documents referencing it informatively, that has a dependency on the outcome of the discussion we are having. We noted the ongoing work and interest on performing the security analysis of the EDHOC draft by two independent teams specialized in formal verification.

So we do see rough consensus to adopt this, but there were a number of valid issues raised that needed to be considered, and that we conclude have been considered to the extent now possible.

One main concern is with the fragmentation that a new AKE may cause in the IoT ecosystem and subsequent effects on interoperability. This is a valid concern, but one where the boat either has sailed already, or else never will, (in terms of significant deployment). In the former case working on EDHOC would fill a niche that needs filling. In the latter case working on EDHOC will be a waste of time for the participants involved and a distraction for implementers who may be expected to support EDHOC. As chairs, we can't evaluate that last case, other than via the informed opinions of participants, who while split, do include a substantial number supporting adoption. 

Several voices have been raised that the setting is too similar to that of TLS and that the only difference is message size. While an important argument has been made in favor of EDHOC in terms of message size, as well, this working group is chartered to work on a LAKE for OSCORE, usable in all the environments where CoAP/OSCORE is, including application-layer intermediaries. We have not seen evidence of cTLS being adapted as an AKE for OSCORE whereas participants have stated plans to use EDHOC in that setting.

We also noted complaints on the process in that cTLS has not been evaluated for suitability. Adopting the EDHOC draft at this point does not prevent such an evaluation in future, when both documents are in a more stable shape, for instance during working group last call or IETF last call. It is the chairs’ opinion that both cTLS and EDHOC either do, or can be made to, match the requirements, so that any comparison exercise carried out now between those drafts and the requirements will result in no new information.

This is a case where consensus is quite rough - there are, and have been for an extended duration, differing opinions on EDHOC without those opinions being affected by WG discussion (at least as visible to us as chairs). It may well be that, as chairs, we have erred in reaching this conclusion, in which case some participants may choose to take the path of appealing our decision. Such appeals are a part of the normal IETF process and are welcome, when needed. If any WG participant wishes to appeal, the first step can be to contact the chairs setting out where you think we may have erred and we'll be happy to discuss that. That can be done on or off-list. There are various steps in the appeal process beyond that, if someone remains dissatisfied, starting with informally contacting our area director.

Given all the above, we consider there is rough consensus to adopt the EDHOC draft as a working group item of LAKE. Authors, please submit the current version of the draft as draft-ietf-lake-edhoc.

Your LAKE chairs.