Re: [secdir] secdir review of draft-ietf-ace-dtls-authorize-14
Olaf Bergmann <bergmann@tzi.org> Tue, 19 January 2021 08:55 UTC
Return-Path: <bergmann@tzi.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CFA93A1354; Tue, 19 Jan 2021 00:55:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KntSzdXuN7hU; Tue, 19 Jan 2021 00:55:51 -0800 (PST)
Received: from gabriel-vm-2.zfn.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F7CE3A134E; Tue, 19 Jan 2021 00:55:49 -0800 (PST)
Received: from wangari.tzi.org (p54bdeb8f.dip0.t-ipconnect.de [84.189.235.143]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-vm-2.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4DKjDM0Tqbz10Ck; Tue, 19 Jan 2021 09:55:47 +0100 (CET)
From: Olaf Bergmann <bergmann@tzi.org>
To: Daniel Migault <daniel.migault@ericsson.com>, Russ Mundy <mundy@tislabs.com>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ace-dtls-authorize.all@ietf.org" <draft-ietf-ace-dtls-authorize.all@ietf.org>
References: <4BED04D6-5BB6-4F7A-A0E5-3CC718E55169@tislabs.com> <DM6PR15MB237984B44F9E6E407341BD0FE3A30@DM6PR15MB2379.namprd15.prod.outlook.com>
Date: Tue, 19 Jan 2021 09:55:46 +0100
In-Reply-To: <DM6PR15MB237984B44F9E6E407341BD0FE3A30@DM6PR15MB2379.namprd15.prod.outlook.com> (Daniel Migault's message of "Tue, 19 Jan 2021 03:11:05 +0000")
Message-ID: <87bldl5mr1.fsf@wangari>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/bOUOuM3JC6O5jBEIVugp5Lq1lkI>
Subject: Re: [secdir] secdir review of draft-ietf-ace-dtls-authorize-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jan 2021 08:55:54 -0000
Thank you, Russ, very much for your review. I am perfectly happy with your suggested change to make CoAP over DTLS REQUIRED for this profile. Best regards Olaf On 2021-01-19, Daniel Migault <daniel.migault@ericsson.com> wrote: > Thanks Russ for the review. I do get your comment - and had a similar comment for the > oscore profile. > I will let the co-author to address your concern so the documents can be moved forward > shortly. > > Yours, > Daniel > --------------------------------------------------------------------------------- > From: Russ Mundy <mundy@tislabs.com> > Sent: Monday, January 18, 2021 9:08 PM > To: iesg@ietf.org <iesg@ietf.org>; secdir@ietf.org <secdir@ietf.org>; > draft-ietf-ace-dtls-authorize.all@ietf.org <draft-ietf-ace-dtls-authorize.all@ietf.org> > Cc: Russ Mundy <mundy@tislabs.com> > Subject: secdir review of draft-ietf-ace-dtls-authorize-14 > > Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for > Constrained Environments (ACE) > > draft-ietf-ace-dtls-authorize > > I apologize for the lateness of the review but I have reviewed this document as part of the > security directorate's ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the security area > directors. Document editors and WG chairs should treat these comments just like any > other last call comments. > > The summary of the review is Ready with one issue: > > The draft-ietf-ace-dtls-authorize document is well written and provides a very good profile > for use of the ACE framework with a client and a resource server use CoAP [RFC7252] over > DTLS version 1.2 [RFC6347] to communicate. The document provides the necessary > specification details to use Authentication and Authorization for Constrained Environments > (ACE) using the OAuth 2.0 Framework (ACE-OAuth) [I-D.ietf-ace-oauth-authz] with one > single exception. > > Since the document under review is a profile for [I-D.ietf-ace-oauth-authz], it must meet the > requirements for a profile contained in [I-D.ietf-ace-oauth-authz]. Section 6.2 of > [I-D.ietf-ace-oauth-authz] specifically requires that "Profiles MUST specify how > communication security according to the requirements in Section 5 is provided." The > document under review does provide this detail for use of CoAP and DTLS however the > current wording of this profile document does not require that CoAP and DTLS be used for > this profile. Quoting a part of 6. "The use of CoAP and DTLS for this communication is > RECOMMENDED in this profile, other protocols (such as HTTP and TLS, or CoAP and OSCORE > [RFC8613]) MAY be used instead." > > Since use of other protocols (besides CoAP and DTLS) is clearly permitted by current > wording and there is no information about how communication security will be provided by > these other protocols, section 6 of this profile does not appear to meet the MUST > requirement of 6.2 of [I-D.ietf-ace-oauth-authz]. > > The simplest resolution of this inconsistency appears to be to require use of CoAP and DTLS > for compliance with this profile and revise the wording relating to the other currently listed > protocols to define additional profile specifications. > > For example, current wording: > "The use of CoAP and DTLS for this communication is RECOMMENDED in this profile, other > protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) MAY be used instead." > > could be changed to: > "The use of CoAP and DTLS for this communication is REQUIRED in this profile. Other > protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) will require specification > of additional profile(s)." > > Another possible resolution of the inconsistency would be to include additional details in > this specification to define how communication security requirements will be met by these > other protocols. >
- [secdir] secdir review of draft-ietf-ace-dtls-aut… Russ Mundy
- Re: [secdir] secdir review of draft-ietf-ace-dtls… Daniel Migault
- Re: [secdir] secdir review of draft-ietf-ace-dtls… Russ Mundy
- Re: [secdir] secdir review of draft-ietf-ace-dtls… Olaf Bergmann
- Re: [secdir] [Ace] secdir review of draft-ietf-ac… Russ Mundy
- Re: [secdir] [Ace] secdir review of draft-ietf-ac… Benjamin Kaduk
- Re: [secdir] [Ace] secdir review of draft-ietf-ac… Daniel Migault