Re: [Ace] WGLC for draft-ietf-ace-oscore-profile
Jim Schaad <ietf@augustcellars.com> Mon, 22 October 2018 19:09 UTC
From: Jim Schaad <ietf@augustcellars.com>
To: draft-ietf-ace-oscore-profile@ietf.org
CC: ace@ietf.org
References: <065a01d45f4e$b738ae60$25aa0b20$@augustcellars.com>
In-Reply-To: <065a01d45f4e$b738ae60$25aa0b20$@augustcellars.com>
Date: Mon, 22 Oct 2018 12:08:53 -0700
Message-ID: <028c01d46a3a$ae1b9e40$0a52dac0$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/A8ko4sAmG9CODbZDWN7APzqkyvs>
* Section 1 - I understand the reasoning behind having the server send back a nonce, although it would be good to have a description someplace about why this is being done. (I would also make it optional as not all RS need to do this.) I do not understand the reasoning behind having the client send a nonce to the server.

* Section 3.1 - This is more general than the section, but you should not use the URI path in the text, instead you should be using the name that is in the authz document.

* Section 3.2 - Does it really make sense to use 'COSE_Key' to transport the key data? Would a different field name be better?

* Section 3.2 - Please provide a justification for the requirement that the ids must be unique over the set of all clients and RS. I can see that the client ids need to be unique on a single RS and RS ids need to be unique for any given client but not the broader statement.

* Please add an explicit section on when a RS and a client should discard the security context.

* Section 6 - Ok I'll bite - how does not echoing the nonce allow for a man-in-the-middle attack given that the salt and shared secret are still going to be known only to the C and RS and not to the MITM? I can see a DOS attack being made, but that can be done even without this just by causing the response to never be delivered.

* Appendix - I am not sure that I think that the EDHOC profile should be in this document as opposed to being in its own document. The fact that we have not even tried to get this to work in any of the interop tests means that I am less sure that it is well baked.

Jim

> -----Original Message-----
> From: Ace <ace-bounces@ietf.org> On Behalf Of Jim Schaad
> Sent: Monday, October 8, 2018 2:35 PM
> To: ace@ietf.org
> Subject: [Ace] WGLC for draft-ietf-ace-oscore-profile
>
> The chairs believe that the set of documents dealing with the OAuth
> framework for constrained environments is nearing the point that we should
> be able to advance it to the IESG for publication. We therefore want to
> have a full list of issues that need to be dealt with at the Bangkok
> meeting.
>
> This starts a 2 week WGLC for draft-ietf-ace-oscore-profile
>
> We know that the following issues are outstanding:
>
> draft-ietf-ace-oscore-profile:
> * No current known issues
>
>
> Jim & Roman
>
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
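Worked example for the nonce questions in the Section 1 and Section 6 comments above. This is an added illustration written for this archive page, not code from the draft, from Jim Schaad, or from the ACE working group. It implements the OSCORE security-context derivation of RFC 8613 Section 3.2 (HKDF-SHA-256 with the CBOR-encoded info structure) and self-checks against the RFC 8613 Appendix C.1.1 test vector; the profile-specific part, forming the Master Salt as the raw concatenation salt || N1 || N2 with N1 from the client and N2 from the RS, is an assumption made here for illustration and does not reproduce the draft's exact encoding. The identifier names (client_id, server_id), the nonces and the token material are constructed sample values.

```python
"""OSCORE context derivation (RFC 8613 Sec. 3.2) fed with ACE-profile nonces.
Added example, stdlib only; salt || N1 || N2 is an ASSUMED simplification."""
import hashlib
import hmac

AES_CCM_16_64_128 = 10   # COSE AEAD alg id: 128-bit key, 13-byte nonce
KEY_LEN, IV_LEN = 16, 13
CBOR_NULL = b"\xf6"


def _cbor_head(major: int, n: int) -> bytes:
    """Initial byte(s) of a CBOR item: major type plus unsigned argument n."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")


def cbor_int(n: int) -> bytes:
    return _cbor_head(0, n) if n >= 0 else _cbor_head(1, -1 - n)


def cbor_bstr(b: bytes) -> bytes:
    return _cbor_head(2, len(b)) + b


def cbor_tstr(s: str) -> bytes:
    e = s.encode("utf-8")
    return _cbor_head(3, len(e)) + e


def cbor_array(items) -> bytes:
    return _cbor_head(4, len(items)) + b"".join(items)


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-SHA-256: extract with salt, then expand with info."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def oscore_info(id_: bytes, id_context, alg: int, typ: str, length: int) -> bytes:
    """info = [id, id_context, alg_aead, type, L] per RFC 8613 Section 3.2.1."""
    return cbor_array([cbor_bstr(id_),
                       CBOR_NULL if id_context is None else cbor_bstr(id_context),
                       cbor_int(alg), cbor_tstr(typ), cbor_int(length)])


def derive_context(master_secret: bytes, master_salt: bytes, sender_id: bytes,
                   recipient_id: bytes, id_context: bytes = None) -> dict:
    """Sender Key, Recipient Key and Common IV of one OSCORE security context."""
    def kdf(id_, typ, length):
        info = oscore_info(id_, id_context, AES_CCM_16_64_128, typ, length)
        return hkdf_sha256(master_salt, master_secret, info, length)
    return {"sender_key": kdf(sender_id, "Key", KEY_LEN),
            "recipient_key": kdf(recipient_id, "Key", KEY_LEN),
            "common_iv": kdf(b"", "IV", IV_LEN)}


def ace_master_salt(salt: bytes, n1: bytes, n2: bytes) -> bytes:
    """ASSUMPTION: Master Salt = salt || N1 || N2 (N1 from client, N2 from RS)."""
    return salt + n1 + n2


def ace_exchange(master_secret, salt, client_id, server_id, n1, n2):
    """Client and RS each derive from the token material plus both nonces.
    Returns (client_ctx, rs_ctx): client's sender key is the RS's recipient key."""
    ms = ace_master_salt(salt, n1, n2)
    client = derive_context(master_secret, ms, client_id, server_id)
    rs = derive_context(master_secret, ms, server_id, client_id)
    return client, rs


def check_rfc8613_vector() -> bool:
    """Self-check against RFC 8613 Appendix C.1.1 (client's context)."""
    ctx = derive_context(bytes.fromhex("0102030405060708090a0b0c0d0e0f10"),
                         bytes.fromhex("9e7ca92223786340"), b"", b"\x01")
    return (ctx["sender_key"].hex() == "f0910ed7295e6ad4b54fc793154302ff"
            and ctx["recipient_key"].hex() == "ffb14e093c94c9cac9471648b4f98710"
            and ctx["common_iv"].hex() == "4622d4dd6d944168eefb54987c")


if __name__ == "__main__":
    # Constructed sample token secret and nonces; not values from the draft.
    secret = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
    n1, n2 = bytes.fromhex("018a278f7faab55a"), bytes.fromhex("25a8991cd700ac01")
    c, r = ace_exchange(secret, b"", b"\x00", b"\x01", n1, n2)
    print("RFC 8613 vector ok:", check_rfc8613_vector())
    print("client sender key == RS recipient key:", c["sender_key"] == r["recipient_key"])
    # Re-posting the token with the same N1 and N2 reproduces the identical
    # context (same keys, same Common IV), so a fresh nonce from each side is
    # what keeps a re-established context from reusing AEAD nonces.
    c2, _ = ace_exchange(secret, b"", b"\x00", b"\x01", n1, n2)
    print("replayed nonces reproduce the context:", c2 == c)
```

Running it shows the point behind the two nonces: whichever party's nonce is stale or replayed, the derived Sender/Recipient keys and Common IV come out identical to the earlier context, whereas changing either N1 or N2 yields a fresh context. The MITM question in the Section 6 comment is left as asked; the code only shows what each side can and cannot influence in the derivation.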
- [Ace] WGLC for draft-ietf-ace-oscore-profile Jim Schaad
- Re: [Ace] WGLC for draft-ietf-ace-oscore-profile Jim Schaad
- Re: [Ace] WGLC for draft-ietf-ace-oscore-profile Francesca Palombini
- Re: [Ace] WGLC for draft-ietf-ace-oscore-profile Jim Schaad
- Re: [Ace] WGLC for draft-ietf-ace-oscore-profile Francesca Palombini