Hi Ben,
I replied to some of your comments in my previous mail to the list. Additional
comments inline.
On 2019-01-18, 18:27, "Benjamin Kaduk" <ka...@mit.edu> wrote:
On Fri, Jan 18, 2019 at 11:54:58AM -0500, Richard Barnes wrote:
> Let me provide some additional context. When the chairs and ADs
discussed this in BKK, it seemed pretty clear that EDHOC is not within the
current charter of ACE — after all, ACE is targeted at authentication and
authorization, not key exchange. Since ACE would need to recharter to accept
this work in any case, and because EDHOC overlapped with the interests of other
working groups, it seemed to make sense to have the conversation in a broader
venue.
ACE's charter is ... messy. More below.
> Göran: Your email starting this thread seems like an abbreviated summary
of the past discussion of this draft. Since this is a new audience, it would
be helpful if you could start from the underlying requirements (“we need an AKE
with certain constraints”) and lay out why new protocol work is needed, vs.
profiling existing protocols (as has been done, e.g., in DICE).
There seem to be several interleaved issues at play, here, and I agree that
some clear/consolidated background would be helpful. I particularly call
out the security proof that has been presented elsewhere, which I think
would be interesting to several readers (but I don't have the link handy).
Referenced in Roman's previous mail to secdispatch. I agree that asserting the
formal security properties is key.
Some thoughts of my own...
There is clear demand for a lightweight key-exchange protocol for use in
IoT protocols, especially OSCORE. EDHOC has been around for a while, and
even discussed in ACE with some frequency. That said, there are several
reasons to prefer asking secdispatch to just calling for adoption in ACE
directly, including but not limited to:
(a) designing secure authenticated key exchange protocols is hard! It takes
a lot of energy from smart people to design and analyze a protocol to have
confidence that it is secure and fulfils the advertised functions.
Starting from well-known/well-analyzed foundations like SIGMA is a great
start, but hardly a guarantee of success. Secdispatch gets us some better
visibility, and insight into where work can be done that will have
sufficient expertise (both within and outside the IETF, as well as what has
been done already vs. what remains to be done) to be confident in the
result.
This sounds like an excellent support function. Thanks.
(b) ACE has a pretty complicated charter, that seems to place restrictions
on how it can adopt new protocol work without rechartering. We find things
in the charter like "existing authentication and authorization protocols
will be evaluated and used where applicable [...]. Some functionality,
however, may not be available in existing protocols, in which case the
solution may involve new protocol work." This would seem to require a
clear criteria for how to determine whether or not existing technology is
applicable, plus evidence that existing protocols do not meet the bar. In
particular, "make the key exchange messages as small as possible" is not a
clear criterion, as that would always argue for a new protocol over an
existing one, as we come up with new ways to eke out space.
I don't know how important it is to fit into the existing ACE charter but the
comparison between EDHOC and TLS/DTLS handshake showed a reduction in message
overhead with up to 75%, which can be translated into power consumption. I
would say that "power efficient key exchange" is functionality not available in
the existing protocols we looked at.
(c) A clear and substantial difference between key exchange/handshake size
between EDHOC and even minimized DLTS could be compelling enough for
secdispatch to decide that the work is usable, and find an appropriate
home, independently of the question of rechartering ACE and meeting the
additional barrier described in the previous point.
The WG is not crucial, but involvement from the user community is valuable as
well as the security expertise.
Jim and several others have done some good work looking into tabulating
message overheads in various scenarios (e.g.,
https://www.diva-portal.org/smash/get/diva2:1156483/FULLTEXT01.pdf,
https://jimsch.github.io/randomDrafts/draft-schaad-ace-tls-cbor-handshake.html)
that will be helpful as we consider this topic.
In addition to just comparing the byte count for handshake/key exhchange
messages in various methods, it would probably also be good to think about
things in terms of the constraints in the current ACE charter. That is,
someone could (1) pick a (class of) device(s), (2) show that it has wide
deployment/potential thereof, (3) give hard numbers about what it's (not)
capable of, and (4) show that DTLS falls on the wrong side of that cutoff,
using the handshake numbers we already have. In particular, I don't
remember seeing anything touching on (3), previously. An analysis like
this would not only give some context for interpreting the gap between
EDHOC and DLTS, but could also be compelling in support of the need for the
more lightweight solution.
As mentioned, message overhead differences translate into measurable
quantities. While it may be possible to find an example where there is a clear
cut, I think for many scenarios there would be qualitative differences.
Göran
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
