Re: [secdir] secdir review of draft-ietf-ace-dtls-authorize-14

[Olaf Bergmann <bergmann@tzi.org>]

Thank you, Russ, very much for your review.

I am perfectly happy with your suggested change to make CoAP over DTLS
REQUIRED for this profile.

Best regards
Olaf

On 2021-01-19, Daniel Migault <daniel.migault@ericsson.com> wrote:

> Thanks Russ for the review. I do get your comment - and had a similar comment for the
> oscore profile.
> I will let the co-author to address your concern so the documents can be moved forward
> shortly.
>
> Yours, 
> Daniel
> ---------------------------------------------------------------------------------
> From: Russ Mundy <mundy@tislabs.com>
> Sent: Monday, January 18, 2021 9:08 PM
> To: iesg@ietf.org <iesg@ietf.org>; secdir@ietf.org <secdir@ietf.org>;
> draft-ietf-ace-dtls-authorize.all@ietf.org <draft-ietf-ace-dtls-authorize.all@ietf.org>
> Cc: Russ Mundy <mundy@tislabs.com>
> Subject: secdir review of draft-ietf-ace-dtls-authorize-14 
>  
> Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for
> Constrained Environments (ACE)
>
> draft-ietf-ace-dtls-authorize
>
> I apologize for the lateness of the review but I have reviewed this document as part of the
> security directorate's ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the security area
> directors.  Document editors and WG chairs should treat these comments just like any
> other last call comments.
>
> The summary of the review is Ready with one issue:
>
> The draft-ietf-ace-dtls-authorize document is well written and provides a very good profile
> for use of the ACE framework with a client and a resource server use CoAP [RFC7252] over
> DTLS version 1.2 [RFC6347] to communicate.  The document provides the necessary
> specification details to use Authentication and Authorization for Constrained Environments
> (ACE) using the OAuth 2.0 Framework (ACE-OAuth) [I-D.ietf-ace-oauth-authz] with one
> single exception.
>
> Since the document under review is a profile for [I-D.ietf-ace-oauth-authz], it must meet the
> requirements for a profile contained in [I-D.ietf-ace-oauth-authz].  Section 6.2 of
> [I-D.ietf-ace-oauth-authz] specifically requires that "Profiles MUST specify how
> communication security according to the requirements in Section 5 is provided." The
> document under review does provide this detail for use of CoAP and DTLS however the
> current wording of this profile document does not require that CoAP and DTLS be used for
> this profile. Quoting a part of 6. "The use of CoAP and DTLS for this communication is
> RECOMMENDED in this profile, other protocols (such as HTTP and TLS, or CoAP and OSCORE
> [RFC8613]) MAY be used instead."  
>
> Since use of other protocols (besides CoAP and DTLS) is clearly permitted by current
> wording and there is no information about how communication security will be provided by
> these other protocols, section 6 of this profile does not appear to meet the MUST
> requirement of 6.2 of [I-D.ietf-ace-oauth-authz].
>
> The simplest resolution of this inconsistency appears to be to require use of CoAP and DTLS
> for compliance with this profile and revise the wording relating to the other currently listed
> protocols to define additional profile specifications.
>
> For example, current wording: 
> "The use of CoAP and DTLS for this communication is RECOMMENDED in this profile, other
> protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) MAY be used instead." 
>
> could be changed to: 
> "The use of CoAP and DTLS for this communication is REQUIRED in this profile. Other
> protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) will require specification
> of additional profile(s)."
>
> Another possible resolution of the inconsistency would be to include additional details in
> this specification to define how communication security requirements will be met by these
> other protocols.
>