On 2017-07-24 13:36, Olaf Bergmann wrote:
Hi Ludwig,

Ludwig Seitz <ludwig.se...@ri.se> writes:

On 2017-06-24 02:00, Jim Schaad wrote:

* We communicate the profile to be used to the client, however it is not
currently being communicated to the server.  If the server wants to keep the
OSCOAP and DTLS keys separate, this needs to be done.  Does it make sense
to put this in the 'cnf' field?


My perhaps naive assumption was that the profile should be obvious to
the server, since the client will initiate the communication
accordingly e.g. send an OSCOAP message if the OSCOAP profile is to be
used, or start a DTLS handshake if the DTLS profile is to be used.

If we were to tackle this, how would we signal the profile to the
server? Securely sending messages to the server already implies the
use of a specific profile, so it seems like a hen-and-egg problem to
me.

Related to another issue, we had briefly discussed the possibility that
the entity that contacts the AS is not the client that seeks to contact
the RS. Where this is the case, there is no reason to assume that the
security protocol used to retrieve the access token from the AS is the
same that is used for the communication between C and RS. A profile
might want to explicitly forbid this practice, though.

I'm not sure I understand that comment. The communication between C and AS doesn't matter for this issue, neither does the security protocol used between C and AS. Perhaps my wording was unclear?

If you replace "server" with "RS" in my previous comment does it make more sense?

/Ludwig


--
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
