IETF Logo Mail Archive

Re: [Lake] [core] 🔔 Working Group Last Call (WGLC) of draft-ietf-core-oscore-edhoc-06

John Mattsson <john.mattsson@ericsson.com> Thu, 09 March 2023 10:40 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F43BC14CE3F; Thu, 9 Mar 2023 02:40:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0M4GZxfOGnqG; Thu, 9 Mar 2023 02:40:38 -0800 (PST)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2061a.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e1b::61a]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1ADB0C14CE33; Thu, 9 Mar 2023 02:40:37 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QWdnx0UNLQ7ynCgkQ8hMbUHkPNkIHdHR45Tvk8BA0Y8xst0r5qKKON5nFb6UX/B/21HoGSfJvOQe31d/7jFfQo202YqX0xsAWDhGobr7MV2PFykw8qgB0Y7TOr2L5kBWCOIgmuKIxWec0LapaRzBYKBzvT/IH6gEaYSLK6nkCnIH+w6bVcVa1O8XYMTWa5V/fz0mf5IM/3ufccuxamC7Kv/go0ZacwVCYvLK5tKQK+U/MMEXltBIZxPXWORkfjGW+462FPE9+hNMC1eHs7T2bDByuM3t4v3DaMLdPvB54kaoJsWORi8Mw4ItZSgov+SHs1nRX1A46Hye1xJcbr5TsQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=DA06V4TdxTrMTNqBnldMp/VuSkQtK4XHGcxFrlALp98=; b=Zz0qt7Lc4qKZmb+qqiyQtsSXhdtf8V/KbkTOLR9p8VcDImuQQu3p/lilwVWxsv/kaM4swM7gBYigsYD8OKKUsIqI7LiOaZHIQERqZCj6066s5Z3ICP3D2b69fePjIdbdrVuBF+nQ84Ja5SqI9EqAzJynVtE1a9ukoXZhFbDTDRBCcE6oZFv4qrU43gP1k80y71ZDClhyZ2Nc8XWmnnARz9kAeuH/BaHnlPdMlnBSx1yGeEq2z9eEYHHrt1fPUztxH6CqGqiZg1Ky6yGh0YXOnzWB+PvoUI350NVRZtvQlnyv9pMLjnlzTJn8WAW8EIioV0Ak3Xw/UYgTtRkFizYWSA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=DA06V4TdxTrMTNqBnldMp/VuSkQtK4XHGcxFrlALp98=; b=JLfucecwhKM836KNGgP+rwaEr/r0YkX4VsKdu+D7S49V6do00JtamK5pzvxajRfpKzVB79lPIDDdOP+XTYjjRqsr8lWQgepoJQU2JIgIr/ycHVRb7olgpGt/h5fJUMap+9VcLPJmuN2F97xkpC1OPo4iWTiZLYxlgYWBH/PQ9IQ=
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com (2603:10a6:150:114::10) by AS1PR07MB9594.eurprd07.prod.outlook.com (2603:10a6:20b:472::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6178.17; Thu, 9 Mar 2023 10:40:33 +0000
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::6ec3:856a:ffc7:9526]) by GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::6ec3:856a:ffc7:9526%8]) with mapi id 15.20.6178.017; Thu, 9 Mar 2023 10:40:33 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Christian Amsüss <christian@amsuess.com>, Carsten Bormann <cabo@tzi.org>
CC: "core@ietf.org" <core@ietf.org>, "lake@ietf.org" <lake@ietf.org>
Thread-Topic: [core] [Lake] 🔔 Working Group Last Call (WGLC) of draft-ietf-core-oscore-edhoc-06
Thread-Index: AQHZQY5YRsBTvteTik+FyC2pDZdakq7f9z/wgADqfQCAAABEuIADcxsAgA4MgoE=
Date: Thu, 09 Mar 2023 10:40:32 +0000
Message-ID: <GVXPR07MB967835954A9495780E83172D89B59@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <F02C5E48-A196-45EC-8576-6BC67EC26AD3@tzi.org> <Y+1b4qX6Ya7BCbvk@hephaistos.amsuess.com> <7A07B432-3DD7-4517-B22D-C5C58E9910E6@tzi.org> <HE1PR0701MB3050C70FC1FE5487A9F4D8A489A99@HE1PR0701MB3050.eurprd07.prod.outlook.com> <DD9413CD-9613-4991-9402-B6F385B979A3@amsuess.com> <HE1PR0701MB3050C697D14B8B87B002092C89AE9@HE1PR0701MB3050.eurprd07.prod.outlook.com> <98F49E51-61F7-4521-AA69-C1A5E1EB6978@amsuess.com>
In-Reply-To: <98F49E51-61F7-4521-AA69-C1A5E1EB6978@amsuess.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GVXPR07MB9678:EE_|AS1PR07MB9594:EE_
x-ms-office365-filtering-correlation-id: cc384d1b-9774-44a6-d16a-08db208ab592
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: KICicVtw3OS3uVJprybZw1wLL91mBPHJkfNaCFkI73aS+pQppTG2Mf0xPHaTNdlEIHs+Ui4bMFzPkNyd9cZr/qItonf8ff+8re3IWjVLdsotGSaWuliGOti3/tYXg5W2Z2b3+WxjB6lvo8OSKcgHjT2S7Xj+B4fkBiI91M+Zn3yOR5JRxsTPUW2fyMJuGIOgoMUWz8G1LVj1eoTkGTY7/VL4HwsQOBmmUGq90eTduN0tcGxFOTWtDoUb7dr4O0ZYjIgguDdULUxVBkdOFt47h5NLhXfl1Rd5s+fkJbzzuh0YYr75qcNUjHJ0YKSj3mg1/7n18ZI1xWkS0ls5LpxN2m7A84wQEKWKd96NS2zbiRoitz0MHnOqkWrsftCJWwG+QudIHJav8F8ZzUg+yHL3lfwFPszFl63YgZa704E5KcDC63jxCSo/Jp5dseM8qIhByb+yfA1RZnd1Oh+JPBoJuqvEuU/9NDFb3vl/9zyIlPC2aBtB2qGYHWq+dCakr9Z7n0emBW9PGDQHhVnUqOa+cFkL8nWMumIhdWOyQ6wGrbhpRmFkmzGxCOciUwZx9qJ5ABl6ka28EDJApQNUZw+C4zZex0MnjLcgi42K3E1K7Qqiyp58PPw6LlOFITRigFFd/v3bjv0SGVbAr5p8ejLr10SUBhwZEAx8wbbZv71nw7+ESm9lXwEfpM1EH+5gBx49Hqw5teCmCFHJtXlzrkZUAA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GVXPR07MB9678.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230025)(4636009)(136003)(396003)(376002)(39860400002)(366004)(346002)(451199018)(478600001)(5660300002)(38070700005)(2906002)(7696005)(44832011)(83380400001)(186003)(9686003)(33656002)(26005)(6506007)(53546011)(55016003)(71200400001)(41300700001)(316002)(86362001)(110136005)(38100700002)(8936002)(76116006)(122000001)(66946007)(4326008)(82960400001)(66446008)(66574015)(54906003)(66556008)(64756008)(66476007)(52536014); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: +Qpx31TbU3NyoL5NsQ8GranmxWYwQ6bW6TDYYi1UU4mAzhKfv0mqkqEj4UPIKhz3zAi1LBnn2jx8kBXuEfTDD3NsWl4zsX18NhQTbI9wk+fNIJr3tcfA0UkO3bTJagIUrP8s7VayQXFIrzvayhtep6JCmVOAzfc9cYw7MvdvRrDfOHKVFCyzQT4+w0GlY3GzSQNohOvGhfWt1wzXiKOJ+RxmaaGOt5Nuc5MgZUOKnxLhWqyRoXHOJXmgPMh3YsrbczggjdqBp4rI8u4zm5u+ElozxDYGaJVQELs4670Ffm3DaAGq2m+doOoq9PSmaigDIrRAQNw9lSk4fTpJDU7qbnmrEel5JlTUxz5CfO7BOgGGrpVkDjuHG5tyE6qvIYRZw2sScaNj5kzE1AlrA+b1tGrLXhLvGZuqunQawSVGfeTGgowj7wN4Yw02U56dPCv8jhWrnQlpWorQMgiZUjX6fyzs3SLhwVqyJ3jtE7j7FmS4QDQ0jHbInAGbX6exnn/3oUOOf3TDNMFOjG7TNhyGLtP6YOA8gTvmdgir+qAWXwLGhQDZDdEL/6m1cozO39xlSQRFL9qt9s0zxY68MjdnvFVC9TeMjPqIYVpEq/W017fqsF5iQv9idSMtSgqRlZK7alSLU54hWoCo1P5EO4h27r438ESbkqOZnNqoSTbJNXVJBBZMmCwOB5bJaRC/evxky2mrEkIaxRoqD89mey4n8cTXaw+19EryLICKpPyfOUorATJ2Wv00YXzpyXertPPt708YFH+p5I3IMp1vtvzo3jxeSxeju66PcmOCAu7psoJhR6gyz2dAg4a10TGDzsaBggH2P0EQ4bm1XkJucXgL9ILulK3sqqQsFithOLdZYB8PPD7K9V2vgYPtBoixVd5sDJ+cf4iRToelMNeLkm/JduznMxdFsrkylS4KbHC8jN5SoOzUI20oC6YMvtXKddk1uTcEYcYntmzayjuXQgP0pvcPNloFNWbcqYrXIEavbMEyFRhBP/1J7YYqS3lhCSD+0Q21bbmeJLyD1V/zeVpfUfnGlzE+ETnIxR/q4DE+yz0Zxrol4NHUjrZ1bAXJ2302vIjD0dH5dQFMeyUe+5HkqKQIqVusQ80LLq3NY1kt8Q4nOzU2KH9lg+NO5MHM9C1vyzC26whr0dT+ay0MSpYMHo0M39B4aRPYU2MsfUlX8SKENFWZv7IUiMCU5Qg/gjAXlchCwSecZCLUZppN5bM0kF1rTBX4meblBvnApcapUPBvpqSozMLEzny+gLSwzjzn6+5asmPbtHfsQ8RDRDlVtB8w703HAx4JxYE8vu8ukp0vPQLXAkG6FbrkC7CVaotF0drGmIhdxJP8bvt5pEieLMPpW83jvvwr81mfG6Tz4NvElXRkcMlLu9NEJbbZbU0DkiX0XcIe4SIdCK5SJ0bcFePVHXSQiFHxptGnj49prtQbE3VTIJ/7NlLDgrake1FhvW4+VfZbyEULe+3MZg8T897qZSKM3vCXdcs13GBer+IELBqUNZeFMD22mO6Bu617ckrXDUoDErQBD+WlyU8CsDfFY3BV6unmtnvJZkjfJwQL4RX3mUK1XI6tUBBwQ2qyU2WcWIz1VD8QxB/syrzykV0dhaBV1n2S605CxKnhmeM=
Content-Type: multipart/alternative; boundary="_000_GVXPR07MB967835954A9495780E83172D89B59GVXPR07MB9678eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GVXPR07MB9678.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: cc384d1b-9774-44a6-d16a-08db208ab592
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Mar 2023 10:40:32.6618 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: y6eoP9iXBGgXdKcISc9H6nFxBH/jp6lOV7Yb/W/dCeswVHznS7U0r8AGKfObUUi6Ns6Ngpyi9dSlNXdzLFBlBFErli2ssFEBBsdoFVxm3W8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS1PR07MB9594
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/uZs2c6BsL5JjouflE4qb9qIWkA4>
Subject: Re: [Lake] [core] 🔔 Working Group Last Call (WGLC) of draft-ietf-core-oscore-edhoc-06
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2023 10:40:42 -0000

> Then maybe "[on error], OSCORE key material MUST NOT be derived from the EDHOC exchange, let alone
> be used to protect the respone"?

That sounds good to me.

I think we should discuss this topic in LAKE. My view was that deriving keys after message_3 and sending an error after message_3 could both be done. A reason why you sometimes want to decouple authentication from key derivation and continuing the security protocol is that authentication might take a long time (request to some database, popup for the human user to click OK/Deny, etc). The EDHOC specification should be clear on what is allowed and not. If always waiting for authentication is preferred from an implementation perspective then maybe EDHOC should mandate that. The important part is that everybody agrees on what is possible and not.

Also, another comments why the EAD support discovery has to change is that supporting EAD is mandatory in EDHOC-19. All compliant servers need to support EAD1, EAD2, EAD3, EAD4 (if they support message_4).

John


From: Christian Amsüss <christian@amsuess.com>
Date: Tuesday, 28 February 2023 at 12:59
To: John Mattsson <john.mattsson@ericsson.com>, Carsten Bormann <cabo@tzi.org>
Cc: core@ietf.org <core@ietf.org>, lake@ietf.org <lake@ietf.org>
Subject: Re: [core] [Lake] 🔔 Working Group Last Call (WGLC) of draft-ietf-core-oscore-edhoc-06
On 28 February 2023 12:54:02 CET, John Mattsson <john.mattsson@ericsson.com> wrote:
> and then there are authentication errors (X.509 identity not authorized, X.509 cert expired, X.509 issuer not trusted, certificate revoked, database oflline, OCSP server offline, etc.).
5
Ok, I see where this comes from now.

Then maybe "[on error], OSCORE key material MUST NOT be derived from the EDHOC exchange, let alone be used to protect the respone"?

BR
c

v2.23.0 | Report a Bug | By Email