Re: [Lake] Roman Danyliw's Discuss on draft-ietf-lake-edhoc-20: (with DISCUSS and COMMENT)
Göran Selander <goran.selander@ericsson.com> Thu, 24 August 2023 09:30 UTC
Return-Path: <goran.selander@ericsson.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF68CC1524DC; Thu, 24 Aug 2023 02:30:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.109
X-Spam-Level:
X-Spam-Status: No, score=-7.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IH8LZpzTm8lb; Thu, 24 Aug 2023 02:30:05 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on2082.outbound.protection.outlook.com [40.107.7.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E845FC14CE33; Thu, 24 Aug 2023 02:30:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bggbYa+N6JnIRq53GjnLDQpkKv9szA+ht7YHfVYQqDYC609Np1xmf5s5dG+KY/DyW2ywviyoEOX4s1WIDMiXUO/ZwuGai+5b5VeAAA3dqph04k+lAB3TvMkLvcyKnIgQbnp3v2ytY4lSFBVtcL45ZaA6rmabWiT4/Ea5tyeJOQvnBBCjotVNf2QNudMs689JSa0Ug1cTyUI5X07gs4/zAP74NnICC0BGi/ExfDjZbDRj2XhyYAO5+WQwtJ8ZS7QvvvdpAl6PAgUkaBTTjOzGYywA574LapQhTSqMnFAg9pLFEXPeGh1FIZ2zYh4/XQtMeaIvfolMRi/tSVlZ4MlZTw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=PxFSAHP+Z9Buo6hoiul8V0PBg7oMxbkncwzUo25ygFg=; b=ZrpmDTO56tmyYcwXMxGnBJ2iJ05zpdOX2DrtlVnuo3ru88Ax5bfwZ/NLidcxeXq02jdc6Sy8A7m+coSRQA4Q9VTdL3LiSSovtfSvYNOZzMyHaou3zkmX+fzu194zRoef4CjepetRs+/h5j8WCHYy+DCJjAct8+414Av3CA4GHfXgURy7HlhmwFyPu9TWj0UZXY57hctutMov/FisA+otgYNFr8NYxs4HjXT8Bgmn18Ntj9b/Oa+IPX1DtdXLB2sc963iRzTKvLPgNfiaf7/B22p2AyTxu+rpkA0a6xOt/9/FxSNNmUcpH7XSDlq3biIkyNJzlzLoHtxE72KHPrTJ5g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=PxFSAHP+Z9Buo6hoiul8V0PBg7oMxbkncwzUo25ygFg=; b=n8ieLpUT/bQs9ORgRsRsbSerA2Kah7VMb6tMOizrNtxRkD2qkTDrsQOCtfU19V191rkKUnRNLLuD1YcZn6+IvDkOlY/2mhqT90DSUUL/s9jpm9/y2J+eOKqZ3q14XNqo+XUQihK76zd2bZhNzcDsThKheScpCxlyk0/9MlTaKUw=
Received: from PAXPR07MB8844.eurprd07.prod.outlook.com (2603:10a6:102:24a::19) by PA4PR07MB8885.eurprd07.prod.outlook.com (2603:10a6:102:266::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6699.26; Thu, 24 Aug 2023 09:30:00 +0000
Received: from PAXPR07MB8844.eurprd07.prod.outlook.com ([fe80::b794:71e5:df86:cced]) by PAXPR07MB8844.eurprd07.prod.outlook.com ([fe80::b794:71e5:df86:cced%4]) with mapi id 15.20.6699.026; Thu, 24 Aug 2023 09:30:00 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
CC: "draft-ietf-lake-edhoc@ietf.org" <draft-ietf-lake-edhoc@ietf.org>, "lake-chairs@ietf.org" <lake-chairs@ietf.org>, "lake@ietf.org" <lake@ietf.org>, "malisa.vucinic@inria.fr" <malisa.vucinic@inria.fr>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-lake-edhoc-20: (with DISCUSS and COMMENT)
Thread-Index: AQHZ1VvcpFOrVvmQv02hjAIzDUaTp6/49HjK
Date: Thu, 24 Aug 2023 09:30:00 +0000
Message-ID: <PAXPR07MB88445F90BCE168B4B1EE0701F41DA@PAXPR07MB8844.eurprd07.prod.outlook.com>
References: <169275184102.39840.14106038771993517671@ietfa.amsl.com>
In-Reply-To: <169275184102.39840.14106038771993517671@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: PAXPR07MB8844:EE_|PA4PR07MB8885:EE_
x-ms-office365-filtering-correlation-id: f4e5159c-7e4f-4db1-d2bf-08dba484b057
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 3xTLqZDvkJD4nT14APPeB6AtpnX/pOU9KCYVe73kotISn85Z6e03t1OVPzPLJy0oakXWze4WpwZfmgWZqi8aCXswa7syQdUY+a29Jogeg9bHXd9EKL0bUjJdTQspRNYj6t0nBweCQVIhv1qVYoPX6U2ui0UWl98xdoMpz81hiPJx9jnFQPtK7wryy+hOFk4u+QgmJWQL6a6veRY2wnAzQd916Shb72tT1DVPo4EjRljcEOQ4di/zd/3XN+hhwepJJh9KR7fE61xI0041NFvlxBb4LKoBZ6mkxyyEOnoYatQoHUCCbLjSQKA8N9e/sfGhywHHOHI/jCnThAr6FM0k4l9ssAPk9tMHYopnTtUsEKJ8chnMC6zogLDA2MFVlPiu7SivIWKEMg4kRFFaXPj51FxlSKc00cE0ObpZ1xAYxeHSlf9Y98KPq9BOqL+5g0QI837Nx3RKUKHpVRZoEq7QZHojVjV50wb85okVHvI5R/Zk/Yh/GVUZXjWzMZd3k4z56Dex+eiMrSF1g+9AYDo/j3kV1sv92uPNxI8h7IP6QeCsia/ZC0RlrlPG1YZ9SLvCXfngXowoigSzqljPKRXWSlcNhJ9aBexCu47OXkaOWsKK/RoMM0AyQEhwQpXzmszcJIkCa8I8ZS4x15LneqY3DskIeqY/NgbH3XWe5Nm1/PZHXC39A7tj5CBmup+n97KB/09PhYwjfTqdZPrK1+tVJrM3V2pdyyp38BcvorwkwKw=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PAXPR07MB8844.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(366004)(136003)(346002)(39860400002)(396003)(376002)(1800799009)(186009)(451199024)(83380400001)(2906002)(38100700002)(82960400001)(122000001)(38070700005)(86362001)(166002)(55016003)(110136005)(9686003)(41300700001)(64756008)(66476007)(66446008)(66946007)(76116006)(54906003)(66556008)(53546011)(7696005)(6506007)(316002)(52536014)(4326008)(8936002)(8676002)(12101799020)(478600001)(71200400001)(33656002)(966005)(26005)(5660300002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: N3DjHViczAc99O1my+2ryXPhrQC1vDEYib3b3j8Ip5fgSLfh4dFT8qDpmpHsA+fe2Y/f/8pIkGwrTXccOk4tHK8zxuHoAUMaps6z8Cf27D25PMKne4jeig9U889OdOWoBSXG3bBelaNas+anjQqOVCfUkWbaq2gR+B75BV1i2AvRvxMZohxGlFPZt1N7D6+AgINJpfZAJbIOpmGXm7oKGMT8rS5IhxeMHEW8Kn/LHcoCaNfiR/phZlRcjGWSgcMVMIRSRx5oSVi7W3hpyi/3XAg0MFsmSfsGxlFKFk9s9PGe50gx8MdCsk7cEx6Pdx00XE3LLOiRgKh7C9hDotmYvcwD6TyLxRFWxXdKKkD8jt93D3dRudT+B5ZTttH31bdzfkuNdRIRRVBn1w+o0CBMcpXlNOGWUUUyVXw6Om8DK3jyPvDMjzszbIgBuicvKsgIVKqz0Az7HCvBnqPtyLodXkcGyHcxdoh5powO9NGlEQGS/6kloQn5lFjMg2TKvyOntyCrFKApGgE71Ov22jxjgUJbOyaXq7NJJxA/JrMmOqqwGSZuCuz43xMlqmS6aWy/RhdgknQ8sNNzxkPSsKJAfoaSxooaigwvXHzf+BM0IisuRvePPA/OSEIz4cfdH0T2tY2qmF2USuPukYiGq2wQn3gDcd3Wq5Ms67llT0RrZtVKYZvYePfzAIE/LZJYhtIL2ZUc+/qnm89Y4WeisndsJ0+S6uyt+snT4Gf0epURegrkhK9fd+hRRXdlSNA70y5U4H0a9wRJfkNcEBott9+7qclZO+lASiOyeBjqKKPf/vRID0Dy5rnglRSCME2He6HWSiXWFvRx723DviotJ0OCqW7PFvD142yYnNzOmjkg9Ox71xG1MIYtQchEoZGje+OavDbTiGZSBNlxh+vE6j5cferjsW1iyBsddyFLzXYPvcr03MBWzp+yCaodN/qsf/UNqatd4V/0r3R1+8ST7I5AUqgn8XZ/MyXpV/0OislgN11MLwcdEX3iHF0/oYYaUvLW9Pif0qKOix/7V66qzC9isCp5iH89AmKzIPVko04SpH2SQM56b3PlRdjd5hYsIS3i+OFpFfO5mbBGKc/SLRWLhSC6dTYUzKBHQQotAi+lEl/MyQXTkM3E1j20N44c5ZIXmJEL5IZ/LlokRA9mluGFT1r/LPAxCl/9kIyU18KcFUdxIsojyZLpW0ckLUdk7/5k3JA1iGzXoIUFr/ZbiWr5QE0BVnLK/rpSArB/jZ9t/7Rp4C8RaRWt6NAipxsWg2+UUsR/5REpFhWP/Ntw+2V8SJem/OUCS5EcvOTGVaXGZJBk1wh/rnzVaCeCdUycn4+rSv+rXfapEq7tmEOqNxOUuPD6zGMxgJ2rjt+Iiqvm7UF0dZJ10Pu3V+/oO7UppCAoE3evdLUu1/siNFU004j5wfOdiTu5ty6jhU5vU541jH7N25PHfbWlhK1QvqSWy+OdVJi14e4JTvYkbM857/bJ7ivipcA7gtm/1DDcpQ1IXcr9FlF9RGrJ4BcLNjOcQLK/rV6N+17FwVZEP842v3OpGS0ImDAtxeLZFEkU8llxGPLJfdFOiInxlDLMgWyvYryD8Oyokl/dqvA0FRfBsP9CX/5wx+D/gMZMfpdYYuEnaXI=
Content-Type: multipart/alternative; boundary="_000_PAXPR07MB88445F90BCE168B4B1EE0701F41DAPAXPR07MB8844eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: PAXPR07MB8844.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f4e5159c-7e4f-4db1-d2bf-08dba484b057
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Aug 2023 09:30:00.3739 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: hVrq+vgbeJ+ADafvQ+R2v3QnsKSQ+WvJ4SKIawYxL+KAncaONN30voIXn7ZmUxg6TpxpvKWluUi6q4YFV5UMEstAgH+WD7rECe/iHNamrAo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA4PR07MB8885
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/wKKq_4o5MIV145p9OtqXVhXdMA8>
Subject: Re: [Lake] Roman Danyliw's Discuss on draft-ietf-lake-edhoc-20: (with DISCUSS and COMMENT)
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Aug 2023 09:30:09 -0000
Hi Roman, Thanks for your review. It is tracked as github issue #422<https://github.com/lake-wg/edhoc/issues/422> and updates are in PR #426<https://github.com/lake-wg/edhoc/pull/426>. Please find responses to your comments inline below. From: Roman Danyliw via Datatracker <noreply@ietf.org> Date: Wednesday, 23 August 2023 at 02:50 To: The IESG <iesg@ietf.org> Cc: draft-ietf-lake-edhoc@ietf.org <draft-ietf-lake-edhoc@ietf.org>, lake-chairs@ietf.org <lake-chairs@ietf.org>, lake@ietf.org <lake@ietf.org>, malisa.vucinic@inria.fr <malisa.vucinic@inria.fr>, malisa.vucinic@inria.fr <malisa.vucinic@inria.fr> Subject: Roman Danyliw's Discuss on draft-ietf-lake-edhoc-20: (with DISCUSS and COMMENT) Roman Danyliw has entered the following ballot position for draft-ietf-lake-edhoc-20: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-lake-edhoc/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- ** Section 3.5.2 When the identified credential is a chain or a bag, the authentication credential CRED_x is just the end entity X.509 or C509 certificate / CWT. Per Section 2 of RFC9360, the x5bag claim is: "This header parameter contains a bag of X.509 certificates. The set of certificates in this header parameter is unordered and may contain self-signed certificates. Note that there could be duplicating certificates. The certificate bag can contain certificates which are completely extraneous to the message." How does one pick-out the “end entity” if the list contains self-signed or extraneous certificates? [] As you already noticed, x5bag is defined by RFC 9360. When using x5bag in COSE without EDHOC the endpoint already have to find the end entity certificate. The key in the end entity cert is need to process the COSE message. EDHOC does not add any requirements beyond what COSE already requires. My understanding is that the Certificate Message in TLS can also be a bag. We agree that processing a bag adds complexity that are not well suited for constrained IoT devices. In the worst case I assume you might end-up with several potential end entity certificates and you have to try several to find the correct one. As EDHOC does not add any additional requirements on top of COSE I don't think it makes sense to detail bag processing in the EDHOC specification. Given the problems for constrained IoT devices and bag, we added a sentence describing the problems with bag and a recommendation of using chain. We also changed the reference from RFC 5280 to RFC 9360 which defined x5bag and x5chain. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you to Radia Perlman for the SECDIR review. ** Section 3.4. EDHOC is not bound to a particular transport layer and can even be used in environments without IP. Is there a minimum transport PDU for EDHOC? That is, if too small, EDHOC would fragment and eliminate all of the design benefits of limited round trips? [] Fragmentation can occur on different layers and the effect of fragmentation depends on technology. For radio links, like LoRAWAN with duty cycle in some regions the penalty of splitting a message is large. For cellular IoT, like NB-IoT there are less visible threshold effects, more a gradual decrease of characteristics with increasing message size. But there are lots of other things to consider. For example, the probability and effects of bit errors, which in turn depends on message size since a larger message has a higher probability for error. Considering these types of effects and others it may be difficult to specify a minimum PDU with the properties you request. In the requirements phase (draft-ietf-lake-reqs-04) we looked at deployments of NB-IoT, 6TiSCH and LoRaWAN. Even for this small set of technologies there are many aspects to consider. What we did find in this work was that with messages of size of 45 bytes and less, common deployments of these radio technologies are expected to deliver good performance, and that this size is achievable with CBOR, COSE and CoAP. I don’t know if this answers your question. ** Section 3.5.2 It is RECOMMENDED that the COSE 'kid' parameter, when used to identify the authentication credential, refers to a specific encoding. In what way does the “kid” claim convey a “specific encoding”? [] This is referring to the specific encoding of authentication credential specified in the application profile, mentioned in the previous paragraph. The paragraphs are now merged with further explanatory text. ** Section 7. This section seems to be discussing how EDHOC implementations handle message duplication. However, Section 3.4 says that “… the transport is responsible … to handle … message duplication”. Is it a transport requirement or not to handle duplication? [] It is not a requirement for the security protocol, but since duplicate messages lead to session abortion it is a highly recommended property. See response to Martin Duke's review https://mailarchive.ietf.org/arch/msg/lake/wuoYFmItMlbtNMYzHDH1ZAOHlno/ and proposed update of section 3.4 in https://github.com/lake-wg/edhoc/pull/429 ** Section 9.4 Symmetric algorithms used in EDHOC such as SHA-256 and AES-CCM- 16-64-128 are practically secure against even large quantum computers. Could “AES-CCM-16-16-128” being “practically secure” be better explained or cited. [] An explaination is added and a citation of NIST. ** Section 9.6. Implementations and users SHOULD consider these threat models. What does a normative “SHOULD” to “consider” a threat model mean? [] Removed the normative SHOULD and reformulated to: “Implementations and users should take these threat models into account and consider actions to reduce the risk of tracking by other endpoints.” ** Section 9.7 EDHOC itself does not provide countermeasures against Denial-of- Service attacks. ... To mitigate such attacks, an implementation SHOULD rely on lower layer mechanisms. What is the intent of this normative guidance? If EDHOC doesn’t have DoS protection, what is the alternative relying on a lower level (stated as a SHOULD here)? Is it an application mechanism? [] The intent is to recommend the implementation to actually make use of available mitigations against DoS as examplified in the text following the quoted sentence. A clarification is attempted. ** Section 9.8 NIST generally forbids deriving secret and non-secret randomness from the same KDF instance, Can the basis of this prohibition be cited? [] John provided a lot of comments to NIST SP 800-108 which led to NIST updating that specification. https://csrc.nist.gov/files/pubs/sp/800/108/r1/final/docs/sp800-108r1-draft-comments-resolutions.pdf SP 800-108 now aligns with [HKDFpaper] in that a secure KDF needs to handle non-secret information as well. We added references to both 800-56A and 800-108 to capture this. We also moved the paragraph to "cryptographic considerations" as this is not implementation considerations. [HKDFpaper] https://eprint.iacr.org/2010/264.pdf ** Section 9.8. Implementations might consider deriving secret and non-secret randomness from different PRNG/PRF/KDF instances to limit the damage if the PRNG/PRF/KDF turns out to be fundamentally broken. ... I’m confused on the position this entire paragraph is taking. It’s framed as “might consider.” It then describes that there is conflicting advice from NIST and [HKDFpaper]. Either removing this text or state an explicit position. [] The sentence is removed. I don't think taking a position that implementations should do this is appropriate. And if taking a stance needs to be done, the sentence does not fill the purpose. ** Section 9.8 Verification of validity may require the use of a Real-Time Clock (RTC). The private authentication keys MUST be kept secret, only the Responder SHALL have access to the Responder's private authentication key and only the Initiator SHALL have access to the Initiator's private authentication key. Can the link between the two sentences in this paragraph be clarified? How is the need for a clock connected to keeping the authentication keys secret? [] There is not link between them. The two sentences are moved to two other paragraphs were they fit better.
- [Lake] Roman Danyliw's Discuss on draft-ietf-lake… Roman Danyliw via Datatracker
- Re: [Lake] Roman Danyliw's Discuss on draft-ietf-… Göran Selander