Hi Ben, I replied to some of your comments in my previous mail to the list. Additional comments inline.
On 2019-01-18, 18:27, "Benjamin Kaduk" <ka...@mit.edu> wrote: On Fri, Jan 18, 2019 at 11:54:58AM -0500, Richard Barnes wrote: > Let me provide some additional context. When the chairs and ADs discussed this in BKK, it seemed pretty clear that EDHOC is not within the current charter of ACE — after all, ACE is targeted at authentication and authorization, not key exchange. Since ACE would need to recharter to accept this work in any case, and because EDHOC overlapped with the interests of other working groups, it seemed to make sense to have the conversation in a broader venue. ACE's charter is ... messy. More below. > Göran: Your email starting this thread seems like an abbreviated summary of the past discussion of this draft. Since this is a new audience, it would be helpful if you could start from the underlying requirements (“we need an AKE with certain constraints”) and lay out why new protocol work is needed, vs. profiling existing protocols (as has been done, e.g., in DICE). There seem to be several interleaved issues at play, here, and I agree that some clear/consolidated background would be helpful. I particularly call out the security proof that has been presented elsewhere, which I think would be interesting to several readers (but I don't have the link handy). Referenced in Roman's previous mail to secdispatch. I agree that asserting the formal security properties is key. Some thoughts of my own... There is clear demand for a lightweight key-exchange protocol for use in IoT protocols, especially OSCORE. EDHOC has been around for a while, and even discussed in ACE with some frequency. That said, there are several reasons to prefer asking secdispatch to just calling for adoption in ACE directly, including but not limited to: (a) designing secure authenticated key exchange protocols is hard! It takes a lot of energy from smart people to design and analyze a protocol to have confidence that it is secure and fulfils the advertised functions. Starting from well-known/well-analyzed foundations like SIGMA is a great start, but hardly a guarantee of success. Secdispatch gets us some better visibility, and insight into where work can be done that will have sufficient expertise (both within and outside the IETF, as well as what has been done already vs. what remains to be done) to be confident in the result. This sounds like an excellent support function. Thanks. (b) ACE has a pretty complicated charter, that seems to place restrictions on how it can adopt new protocol work without rechartering. We find things in the charter like "existing authentication and authorization protocols will be evaluated and used where applicable [...]. Some functionality, however, may not be available in existing protocols, in which case the solution may involve new protocol work." This would seem to require a clear criteria for how to determine whether or not existing technology is applicable, plus evidence that existing protocols do not meet the bar. In particular, "make the key exchange messages as small as possible" is not a clear criterion, as that would always argue for a new protocol over an existing one, as we come up with new ways to eke out space. I don't know how important it is to fit into the existing ACE charter but the comparison between EDHOC and TLS/DTLS handshake showed a reduction in message overhead with up to 75%, which can be translated into power consumption. I would say that "power efficient key exchange" is functionality not available in the existing protocols we looked at. (c) A clear and substantial difference between key exchange/handshake size between EDHOC and even minimized DLTS could be compelling enough for secdispatch to decide that the work is usable, and find an appropriate home, independently of the question of rechartering ACE and meeting the additional barrier described in the previous point. The WG is not crucial, but involvement from the user community is valuable as well as the security expertise. Jim and several others have done some good work looking into tabulating message overheads in various scenarios (e.g., https://www.diva-portal.org/smash/get/diva2:1156483/FULLTEXT01.pdf, https://jimsch.github.io/randomDrafts/draft-schaad-ace-tls-cbor-handshake.html) that will be helpful as we consider this topic. In addition to just comparing the byte count for handshake/key exhchange messages in various methods, it would probably also be good to think about things in terms of the constraints in the current ACE charter. That is, someone could (1) pick a (class of) device(s), (2) show that it has wide deployment/potential thereof, (3) give hard numbers about what it's (not) capable of, and (4) show that DTLS falls on the wrong side of that cutoff, using the handshake numbers we already have. In particular, I don't remember seeing anything touching on (3), previously. An analysis like this would not only give some context for interpreting the gap between EDHOC and DLTS, but could also be compelling in support of the need for the more lightweight solution. As mentioned, message overhead differences translate into measurable quantities. While it may be possible to find an example where there is a clear cut, I think for many scenarios there would be qualitative differences. Göran _______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace