Re: [Last-Call] [Gen-art] Genart last call review of draft-ietf-ace-mqtt-tls-profile-15
Lars Eggert <lars@eggert.org> Mon, 07 March 2022 09:32 UTC
Return-Path: <lars@eggert.org>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 8C5BE3A0D44;
Mon, 7 Mar 2022 01:32:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01,
URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key)
header.d=eggert.org
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id qipy5-GDATML; Mon, 7 Mar 2022 01:31:59 -0800 (PST)
Received: from mail.eggert.org (mail.eggert.org
[IPv6:2a00:ac00:4000:400:211:32ff:fe22:186f])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 6AC7A3A08D5;
Mon, 7 Mar 2022 01:31:58 -0800 (PST)
Received: from smtpclient.apple (unknown
[IPv6:2a00:ac00:4000:400:d856:7fda:b24d:a65a])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mail.eggert.org (Postfix) with ESMTPSA id 13C4C1D2FE0;
Mon, 7 Mar 2022 11:31:47 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=eggert.org; s=dkim;
t=1646645507; bh=gFnVzN10sMYPqRfyd8KDzM0HvmTReqqA61UulGEpcBA=;
h=Subject:From:In-Reply-To:Date:Cc:References:To;
b=m2tuRysgPY2ZkQNyGjVk6wlEjULpuFZRXZZq3jf4J3uMt05hK4buFtHT0qjlK/GDH
d0eEsjy1gWh8aiQEyCjxC4g5GUqsH0iY3YGJrBo5G2UFV+FTgp8vFyWDHf4cRUdB92
fYUIcCfeZqvLHewP3SMOM25dikf2W0zkRV5qot7g=
Content-Type: multipart/signed;
boundary="Apple-Mail=_1E6B7E4D-5040-41B1-BAB8-6A2386BDFF03";
protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
From: Lars Eggert <lars@eggert.org>
In-Reply-To: <164625142349.18034.6160062151802397570@ietfa.amsl.com>
Date: Mon, 7 Mar 2022 11:31:46 +0200
Cc: gen-art@ietf.org, last-call@ietf.org,
draft-ietf-ace-mqtt-tls-profile.all@ietf.org, ace@ietf.org
Message-Id: <76CF01A9-8F51-4D5B-A95A-49A0BD24F945@eggert.org>
References: <164625142349.18034.6160062151802397570@ietfa.amsl.com>
To: Theresa Enghardt <ietf@tenghardt.net>
X-MailScanner-ID: 13C4C1D2FE0.A943B
X-MailScanner: Not scanned: please contact your Internet E-Mail Service
Provider for details
X-MailScanner-From: lars@eggert.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/IsSZJ0zRwViIl1ScYYoW5QShSRk>
Subject: Re: [Last-Call] [Gen-art] Genart last call review of
draft-ietf-ace-mqtt-tls-profile-15
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>,
<mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>,
<mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Mar 2022 09:32:07 -0000
Theresa, thank you for your review. I have entered a No Objection ballot for this document. Lars > On 2022-3-2, at 22:03, Theresa Enghardt via Datatracker <noreply@ietf.org> wrote: > > Reviewer: Theresa Enghardt > Review result: Ready with Nits > > I am the assigned Gen-ART reviewer for this draft. The General Area > Review Team (Gen-ART) reviews all IETF documents being processed > by the IESG for the IETF Chair. Please treat these comments just > like any other last call comments. > > For more information, please see the FAQ at > > <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>. > > Document: draft-ietf-ace-mqtt-tls-profile-15 > Reviewer: Theresa Enghardt > Review Date: 2022-03-02 > IETF LC End Date: 2022-03-03 > IESG Telechat date: Not scheduled for a telechat > > Summary: This document is fairly clear and concise, and basically ready for > publication. I found a few minor points and nits that should be addressed to > further enhance document clarity. > > Major issues: None. > > Minor issues: > > Section 1: > > "The token MAY be a > reference or JSON Web Token (JWT) [RFC7519]." > What is a reference in this context? > > Section 1.3: > > "Will > If the network connection is not closed normally, […]" > I suggest to make this a bit more specific: > Does "the network connection" refer to a TCP connection, or a TLS session? Or > does it refer to MQTT's notion of "connection"? Does "not closed normally" mean > anything other than a FIN-ACK exchange to close a TCP connection? Or does it > depend on the used transport protocol (however, in this document, it should all > refer to TLS over TCP iiuc?) If the notion of a "network connection is not > closed normally" is a well-defined concept in this context, please provide a > reference if possible. > > Section 2 > > "Whatever protocol is > used for C-AS and Broker-AS communications must provide mutual > authentication, confidentiality protection, and integrity protection." > Is this a MUST? > > Section 2.1 > > "The PoP token includes a 'cnf' parameter with a > symmetric or asymmetric PoP key. " > The 'cnf' (and 'rs_cnf' in Section 2.2.1) parameter is mentioned here and in > some other places, but it is not obvious what it means and why it is > special/important. I suggest to provide a brief explanation or reference. > > 2.2.2 > "If the QoS level is equal to 0, and the token is invalid or the > claims cannot be obtained in the case of an introspected token, the > Broker MUST send a DISCONNECT packet with the reason code '0x87 (Not > authorized)'." > Does this paragraph apply to all packets or is it specific to the PUBLISH > packet (like the next paragraph)? I suggest to make this explicit. > > Section 2.2.4.1 > > "Given that clients provide a token at each connection," > Does "at each connection" mean in each CONNECT packet, or something else? > Please clarify. > > Nits/editorial comments: > > Section 1: > > "In this profile, Clients and Servers > (Brokers) use MQTT to exchange Application Messages. The protocol > relies on TLS for communication security between entities." > Section 1.3 defines MQTT over TLS as MQTTS, and if I understand correctly, this > document requires MQTT between Clients and Servers over TLS, effectively, > making the document about MQTTS, and it does say "MQTTS" in some places. Short > of substituting all or nearly all "MQTT" with "MQTTS", is it worth mentioning > "MQTTS" once more here in the introduction? > > "MQTT v3.1.1 clients" > Here, "clients" is lower case, while it is upper case in most other places in > the doc. Should it be upper case here as well? There are other occurences of > lower case "client" in Section 2.2.3.1, 2.2.3.2, 2.2.4.1, 2.2.5 - should these > all be upper case? > > "This > document does not protect the payload of the PUBLISH packet from the > Broker." > Maybe this reads better as "The mechanisms specified in this document do not > protect […]"? > > Section 2.1: > "The document follows the procedures > defined in Section 3.2.1 of the DTLS profile > [I-D.ietf-ace-dtls-authorize] for RPK, and in Section 3.3.1 of the > same document for PSK." > This is the first occurrence of RPK and PSK, yet, these acronyms are only > expanded later in Section 2.2.1 and 2.2.3. I suggest move the expansion and > maybe a brief explanation to Section 2.1, and then perhaps the acronyms do not > need to be expanded again in Sections 2.2.1 and 2.2.3. > > Section 8: > "Broker does not cache > any invalid tokens." > The broker? > > > _______________________________________________ > Gen-art mailing list > Gen-art@ietf.org > https://www.ietf.org/mailman/listinfo/gen-art
- [Last-Call] Genart last call review of draft-ietf… Theresa Enghardt via Datatracker
- Re: [Last-Call] Genart last call review of draft-… Cigdem Sengul
- Re: [Last-Call] Genart last call review of draft-… Theresa Enghardt
- Re: [Last-Call] Genart last call review of draft-… Benjamin Kaduk
- Re: [Last-Call] Genart last call review of draft-… Cigdem Sengul
- Re: [Last-Call] [Gen-art] Genart last call review… Lars Eggert
- Re: [Last-Call] Genart last call review of draft-… Reese Enghardt