ACE Meeting Minutes
--------------------

Date: Monday, November 2, 2015
Time: 9:00 - 11:30, Monday Morning Session-I
Chairs: Kepeng Li, Hannes Tschofenig
Note Taker: Jayaraghavendran K
(Meeting minutes polished by Hannes - 16th November 2015)

* Welcome and Agenda Bashing (Kepeng Li)

Kepeng presents the milestones and the agenda:
https://www.ietf.org/proceedings/94/slides/slides-94-ace-0.pdf

The agenda lists presentations about the architecture and the two main solution proposals (DCAF, OAuth 2.0). The majority of the meeting time is allocated to the discussion of the direction the working group should go next. DCAF-COSE will be discussed at the end, followed by feedback on it. No decision on DCAF-COSE will be made in this meeting.

* Architecture (Carsten Bormann, 15 mins)
- http://datatracker.ietf.org/doc/draft-ietf-ace-actors/

Carsten presents his slides:
https://www.ietf.org/proceedings/94/slides/slides-94-ace-2.pdf

[Hannes]: A lot of the document complexity comes from the description of the cross-domain cases. So, should we focus on documenting the single-domain case first and then, once it is done, move our attention to the missing pieces for cross-domain?

[Carsten]: This discussion has been going on for a while. We could always focus on one problem and then evolve others, or at least at the model level anticipate what is going to happen and still have solutions that are focused on a subset of the problems, and I would prefer a model which can help us for a while.

[Hannes]: Better to get feedback from the working group on this. Only a handful are now having these discussions; the rest of the group is not involved.

[Ludwig]: As one of the authors of this draft, I thought we were all assuming that the tasks would get added to this draft. However, a separate draft about tasks was submitted instead.

Some discussion happens between Ludwig, Hannes & Carsten on this issue about adding a summary of the task description to the actors draft.

Kathleen from Jabber: The separate draft has not been adopted yet. So let's run with the actors draft.

Kepeng & Hannes call for reviewers to review the actors draft. Sandeep, Robert Cragie & Robin Wilton volunteered to do a draft review.

* DCAF (Carsten Bormann, 20 mins)
- https://tools.ietf.org/html/draft-gerdes-ace-dcaf-authorize-04
- https://tools.ietf.org/id/draft-gerdes-ace-dcaf-sitr-00.txt

Carsten presents the slides:
https://www.ietf.org/proceedings/94/slides/slides-94-ace-3.pdf

[Kepeng]: Discussions on this will be done as part of the discussion of the different solutions and not now.

* ACE Solutions (Jorge Cuellar, 20 mins)
- https://datatracker.ietf.org/doc/draft-cuellar-ace-solutions/

Jorge Cuellar presents the slides:
https://www.ietf.org/proceedings/94/slides/slides-94-ace-6.pdf

[Goeran]: The CAM node is not involved in the main exchange?

[Jorge]: It participates from the perspective of passing messages. But it is the SAM which creates the key material and states for which purposes it can be used, etc.

[Goeran]: So this applies to the OAuth-based solution as well.

[Ludwig]: Some sections / flows are missing from the draft, which makes reading difficult. These missing sections are also referenced in another draft, which makes reading quite difficult. The solution is not quite generalized yet, as mentioned in the last slide. It needs more work.

[Jorge]: This is just a start and might look sketchy. I just wanted to present it to have a discussion on what is missing. It needs revisions.

[Hannes]: There is a book on multi-party key exchange protocols which talks about all the different variants of possible exchanges and their properties. For me the problem is to find out which of the exchanges make sense for standardization. All of them appear to be important and have their pros and cons, but we cannot standardize all of them.

[Jorge]: I am aware of it, but I have just chosen one of the exchanges here.

[Hannes]: Why this one?

[Jorge]: Because I felt this makes sense and this is the way it has been done in ACE, so I chose this one.

[Hannes]: We should talk about the selection process in the working group.

* PAT Tokens (Jorge Cuellar)
- https://datatracker.ietf.org/doc/draft-cuellar-ace-pat-priv-enhanced-authz-tokens/

Jorge Cuellar presents the slides:
https://www.ietf.org/proceedings/94/slides/slides-94-ace-5.pdf

[Goeran]: I think this is really good. It puts a strong emphasis on energy constraints. This is an important solution component, but this doesn't say we should go for DCAF or OAuth.

[Jorge]: I am not sure what the comparison looks like. I would like to have a comparison of message sizes for different implementations. It was probably discussed in Prague and noted down. So a comparison of which protocols will be good at privacy, energy consumption, etc. should be there.

[Goeran]: Ok. Thanks.

[Hannes]: Which particular privacy property are you focusing on? Like linking of two requests, or correlating to an identity?

[Jorge]: I think if you can correlate them to an identity, then you can correlate them to one another. Yes. I am interested in hiding information about different messages such that there is no way of linking them.

[Hannes]: In the architecture we chose, with the Authorization Server acting as a mediator, there are certain privacy implications of that which you don't seem to address in your document. This may be ok for you, but I just want to be clear which privacy considerations are important for you.

[Jorge]: I have a trusted third party here; it would be possible to dispense with it, but then the protocol will become much, much more expensive.

[Leif]: The CrypTech project (see https://cryptech.is/) has implemented a ChaCha-based RNG and you might want to take a look at that. We have a lot of experience using them.

* Authorization using OAuth 2.0 (Ludwig Seitz, 20 min)
- https://datatracker.ietf.org/doc/draft-seitz-ace-oauth-authz/

Ludwig presents the slides:
https://www.ietf.org/proceedings/94/slides/slides-94-ace-1.pdf

Ludwig towards the end: Both DCAF and OAuth are very similar approaches; the question here is, do we start with a clean-slate approach (DCAF) or do we reuse existing stuff (OAuth)?

[Mike]: This approach makes a lot of sense. You mentioned a CBOR equivalent web token; it occurs to me that someone must do that in the near future. Is there a draft for a CBOR Web Token in the offing?

[Ludwig]: It is there in the appendix of our draft.

Mike & Ludwig discuss the pros and cons of self-contained tokens vs. tokens by reference.

[Justin]: I am the co-chair of COSE; please bring the COSE Web Token work to the COSE WG meeting tomorrow.

[Jim]: You were talking about sending tokens in advance and then sending requests. Have you thought about how to correlate these messages together?

[Ludwig]: Signature or MAC on the request using the POP key on the token.

[Wendy]: Comment from Olaf. DCAF reuses DTLS, COSE and doesn't reinvent everything from scratch.

[Hannes]: Using self-contained tokens or reference tokens depends on the constraints you are having. (Also makes some more points with additional data / examples in reference to this.)

[Goeran]: In response to Olaf, OAuth also reuses DTLS/TLS, which is a communication protocol, and also reuses OAuth, which is the authorization protocol.

Kepeng presents his comparison table for the DCAF and OAuth solutions and asks people to start the discussion about the comparison of both solutions.

Clarifications on the presented comparison table are provided by Ludwig, Goeran, Carsten and Hannes.

[Sandeep]: Do both solutions solve all the use cases in the use case draft?

[Hannes]: That's a good question. We write a document, then forget and move on and don't check it. Nobody checked if either of the solutions solves all the use cases.

[??]: Is there any running code for either of the solutions?

[Hannes]: The use case draft describes many scenarios, and implementing all of them would cover most of the IoT market use cases. There would be a lot to implement for a single company.

[??]: Has somebody covered a subset?

[Hannes]: I am speaking for myself only; we have worked on some of the use cases, which will be shown at an ARM TechCon event next week.

[Stephen]: If someone has implemented it, that input will be useful for the discussion.

Hannes provides some info about some basic implementation they have done with OAuth for IoT.

[Ari]: How about the complexity? Is there any quantifiable data?

[Hannes]: We can get a number, but the data will be relative to a particular scenario and may not be of much use in other scenarios.

[Ari]: Yes. But still, do we have a number or some quantifiable data?

Hannes says that it should be pretty much the same between both solutions and goes on to elaborate on that.

Several further discussions from both sides, for OAuth as well as DCAF.

Kepeng asks questions on how to proceed:

How many people read the drafts?
  OAuth - 20%
  DCAF - About the same (slightly fewer)

How many people have implemented the solution?
  OAuth - 3
  DCAF - 1

Do you want to have one solution or two solutions?

Goeran suggests that we should probably go with one solution alone and lists some points supporting that.

Votes:
  One Solution - more than 12
  Two Solutions - 2
  Need More Information - about 10 (4 of these have read the drafts)

Majority wants one solution.

Which solution should be the starting point?
  DCAF - No hands
  OAuth - More hands (about 1/2 the room)

* DCAF COSE (Carsten Bormann, 10 mins)
- https://datatracker.ietf.org/doc/draft-bergmann-ace-dcaf-cose/

Carsten presents the slides:
https://www.ietf.org/proceedings/94/slides/slides-94-ace-4.pdf

[??]: Issues raised on the mailing list were not considered.

[Carsten]: That's the part of the work that needs to be done.

A few more comments and discussions, followed by the summary.

Summary from Kepeng
--------------------

* 3 reviewers for the architecture draft (Robert, Robin, and Sandeep). Deadline for the reviews: first (or second) week of December.

* Rough consensus in this room is to adopt the OAuth solution. We will confirm the decision also on the mailing list and have a discussion with our AD.