Thanks for the feedbacks Olaf. So I understand why we need such flexibility on the client side. The main reason seems that the communication with the AS is seen as bootstrapping the communication between the client and the RS and as such we would like to keep them as independent as possible.
I see interoperability being achieved when a) client, RS, and AS implemented by independent vendors and b) all three follow the framework and the given profile is sufficient to make them work together. Currently the client - RS communication is well defined, but the client AS communication is left to a RECOMMENDATION. RFC2119 defines RECOMMEND as follows: SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course. The question becomes how RECOMMENDED is sufficient or not. It seems to me the definition above makes it clear that the recommended protocol is expected to be supported, and AS or clients that are independently developed are expected to support the recommended protocol. To ensure the implementers are well aware of the consequences of the implication we could clarify this explicitly. Of course this does not provide a formal proof for interoperability, but this seems acceptable in the scope of a framework. >From the latest suggestion, I would propose the following changes, - that I expect will reach consensus. Please let us know by Friday March 5 if you agree or disagree with the proposed changes. Section 5: OLD "Profiles MUST specify a communication security protocol that provides the features required above." NEW "Profiles MUST specify a communication security protocol between client and RS that provides the features required above. Profiles MUST specify a communication security protocol RECOMMENDED to be used between client and AS that provides the features required above. Profiles MUST specify for introspection a communication security protocol RECOMMENDED to be used between RS and AS that provides the features required above. Such recommendations are expected, among others, to guarantee independent implementations interoperate." Section 6.2: OLD "Profiles MUST specify how communication security according to the requirements in Section 5 is provided." NEW "The requirements for communication security of profiles are specified in Section 5." Yours, Daniel On Tue, Mar 2, 2021 at 10:20 AM Olaf Bergmann <bergm...@tzi.org> wrote: > Hi Daniel, > > On 2021-03-02, Daniel Migault <mglt.i...@gmail.com> wrote: > > > This is just a follow-up. I would like to be able to close this issue > > by the end of the week, and so far I have not heard any issues for > > profile mandating a protocol. On the other hand, not mandating a > > specific protocol comes with interoperability issues. So unless more > > feed back is provided, I am currently leaning toward ensuring > > interoperability. > > > > It would be good for me to hear from the WG and understand what > concrete deployment > > issues the two statements below would raise: > > * OSCORE profile mandating the AS to support OSCORE and have the C > <-> AS using > > OSCORE. > > * DTLS profile mandating the AS to support DTLS and have the C <-> > AS using DTLS. > > I think the major issue is that a client that implements both OSCORE and > DTLS cannot just switch from one mechanism to the other because it must > stick to either one or the other. This also raises the question what > happens if an AS is contacted by the client via OSCORE but the RS only > supports DTLS: Is the client allowed to switch from OSCORE to DTLS if > the AS says so? > > Another aspect is that we would need to add another specification if a > client implementing the DTLS profile wants to contact the AS via TLS. As > CoAP over TLS is well-defined, this would not make any difference > regarding the security or the handling in the application, but mandating > DTLS in the profile would currently preclude the use of TLS. > > Grüße > Olaf > -- Daniel Migault Ericsson
_______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
