Re: [secdir] secdir review of draft-ietf-ace-dtls-authorize-14

Daniel Migault <daniel.migault@ericsson.com> Tue, 19 January 2021 03:11 UTC

From: Daniel Migault <daniel.migault@ericsson.com>
To: Russ Mundy <mundy@tislabs.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ace-dtls-authorize.all@ietf.org" <draft-ietf-ace-dtls-authorize.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-ace-dtls-authorize-14
Date: Tue, 19 Jan 2021 03:11:05 +0000
Message-ID: <DM6PR15MB237984B44F9E6E407341BD0FE3A30@DM6PR15MB2379.namprd15.prod.outlook.com>
References: <4BED04D6-5BB6-4F7A-A0E5-3CC718E55169@tislabs.com>
In-Reply-To: <4BED04D6-5BB6-4F7A-A0E5-3CC718E55169@tislabs.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/OkImvhGg0v0BSERZToc_VLWOzqY>
Subject: Re: [secdir] secdir review of draft-ietf-ace-dtls-authorize-14
List-Id: Security Area Directorate <secdir.ietf.org>

Thanks Russ for the review. I do get your comment - and had a similar comment for the oscore profile.
I will let the co-author address your concern so the documents can be moved forward shortly.

Yours,
Daniel
________________________________
From: Russ Mundy <mundy@tislabs.com>
Sent: Monday, January 18, 2021 9:08 PM
To: iesg@ietf.org <iesg@ietf.org>; secdir@ietf.org <secdir@ietf.org>; draft-ietf-ace-dtls-authorize.all@ietf.org <draft-ietf-ace-dtls-authorize.all@ietf.org>
Cc: Russ Mundy <mundy@tislabs.com>
Subject: secdir review of draft-ietf-ace-dtls-authorize-14

Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)

draft-ietf-ace-dtls-authorize

I apologize for the lateness of the review but I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is Ready with one issue:

The draft-ietf-ace-dtls-authorize document is well written and provides a very good profile for use of the ACE framework where a client and a resource server use CoAP [RFC7252] over DTLS version 1.2 [RFC6347] to communicate.  The document provides the necessary specification details to use Authentication and Authorization for Constrained Environments (ACE) using the OAuth 2.0 Framework (ACE-OAuth) [I-D.ietf-ace-oauth-authz] with one single exception.

Since the document under review is a profile for [I-D.ietf-ace-oauth-authz], it must meet the requirements for a profile contained in [I-D.ietf-ace-oauth-authz].  Section 6.2 of [I-D.ietf-ace-oauth-authz] specifically requires that "Profiles MUST specify how communication security according to the requirements in Section 5 is provided." The document under review does provide this detail for use of CoAP and DTLS; however, the current wording of this profile document does not require that CoAP and DTLS be used for this profile. Quoting a part of Section 6: "The use of CoAP and DTLS for this communication is RECOMMENDED in this profile, other protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) MAY be used instead."

Since use of other protocols (besides CoAP and DTLS) is clearly permitted by current wording and there is no information about how communication security will be provided by these other protocols, section 6 of this profile does not appear to meet the MUST requirement of 6.2 of [I-D.ietf-ace-oauth-authz].

The simplest resolution of this inconsistency appears to be to require use of CoAP and DTLS for compliance with this profile and revise the wording relating to the other currently listed protocols to define additional profile specifications.

For example, current wording:
"The use of CoAP and DTLS for this communication is RECOMMENDED in this profile, other protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) MAY be used instead."

could be changed to:
"The use of CoAP and DTLS for this communication is REQUIRED in this profile. Other protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) will require specification of additional profile(s)."

Another possible resolution of the inconsistency would be to include additional details in this specification to define how communication security requirements will be met by these other protocols.