Hello Francesca, Comments inline. Update will be posted shortly.
/Ludwig -----Original Message----- From: Francesca Palombini <francesca.palomb...@ericsson.com> Sent: den 10 maj 2021 20:42 To: Seitz Ludwig <ludwig.se...@combitech.se>; The IESG <i...@ietf.org> Cc: art-...@ietf.org; ace-cha...@ietf.org; draft-ietf-ace-oauth-au...@ietf.org; ace@ietf.org Subject: Re: [EXTERNAL] [Ace] Francesca Palombini's Discuss on draft-ietf-ace-oauth-authz-38: (with DISCUSS and COMMENT) Hi Ludwig, authors, Thank you for all the work on the document. I have checked all my comments (including those that you have addressed in v-39 and not reported below), and I am good with almost all of them. Considering the clarifications added as a response to my comments regarding CoAP using CBOR encoding, and HTTP using the encoding from OAuth 2.0, I believe the document is now in good shape and not confusing anymore. I understand that when CoAP is used, CBOR MUST be used; when HTTP is used, semantics and encodings of OAuth 2.0 MUST be used. Any other encodings/transport protocol would have to be defined by a different specification. Regarding my request for clarification on mixing different protocols (HTTP/CoAP) on different legs of the exchange, I understand that it is not in scope of this document, and it would rather be up to the profile defining such a mix to motivate and explain the use case, so I am fine with it. Your clarifications on the use of HTTP also addresses my last DISCUSS point - a new media type is not required, as the framework now effectively reuses OAuth 2.0 encodings. Any other specification (such as MQTT) which aims to use the JSON equivalent of what defined here for CBOR instead of the OAuth encoding will define and register their own media type. I hope we can discuss the leftover comments (especially the last point about using several profiles together) at the interim tomorrow. However, these are non-blocking points, so I will go ahead and remove my DISCUSS now. Thanks again, Francesca >Hello Francesca, > >Thank you for your review, sorry for the long response time. > >Version -39 addresses some of your comments >https://datatracker.ietf.org/doc/html/draft-ietf-ace-oauth-authz-39 > >I have replies on the remaining comment as follows below (prefixed with >'LS:') > >Regards, > >Ludwig > >1. ----- > > sufficiently compact. CBOR is a binary encoding designed for small > code and message size, which may be used for encoding of self > contained tokens, and also for encoding payloads transferred in > protocol messages. > >FP: "may be used" make it seem as if CBOR is always optional (even when >CoAP is used). See points 11. and 13. for examples of text that seem to >imply that CBOR is mandatory in some cases. > >LS: This is a lower-case "may", so it does not have a normative meaning. >There are indeed cases where CBOR is mandatory (e.g. when CoAP is used). > FP: Lower case "may" only makes it so that the corresponding text is not "required for interoperation or to limit behavior which has potential for causing harm" (to quote BCP 14). Even without its BCP 14 normative meaning, the text hinted that CBOR is optional IMO, which is misleading. I would suggest the following: OLD: sufficiently compact. CBOR is a binary encoding designed for small code and message size, which may be used for encoding of self contained tokens, and also for encoding payloads transferred in protocol messages. NEW: sufficiently compact. CBOR is a binary encoding designed for small code and message size. CBOR is used when CoAP is used for encoding of self contained tokens, and also for encoding payloads transferred in protocol messages. This should go with the direction you point out below for CoAP implies CBOR, HTTP implies whatever OAuth 2.0 defined. [LS] I don't like the "is used ... is used" in your suggestion. I'll rephrase it to " ... size. Self-contained tokens and protocol message payloads are encoded in CBOR when CoAP is used." >9. ----- > > parameters. When profiles of this framework use CoAP instead, it is > REQUIRED to use of the following alternative instead of Uri-query > parameters: The sender (client or RS) encodes the parameters of its > request as a CBOR map and submits that map as the payload of the POST > request. > >FP: I think it should be better defined (or at least hinted in this >paragraph) the mapping between the CBOR encoded parameters and the Uri-query >parameters: >are they all encoded as CBOR text strings? > >LS: The encoding depends on the type of the parameter and is described >for each parameter individually FP: I think it makes sense here to state that this document describes the CBOR encoding for the existing parameters, and that if a document needs any other parameters (defined in OAuth by a future document) then the encoding for Ace needs to be specified by that document as well. This is just to clarify that you can't just use OAuth parameters with CoAP. LS: Ok I'll add more text to clarify > >18. ----- > > "x" : b64'usWxHK2PmfnHKwXPS54m0kTcGJ90UiglWiGahtagnv8' > >FP: noted here since this is the first time it appears, but same >comment for the rest of the document. I think it would make more sense >to show examples where CBOR byte strings are used instead of Base64. > >LS: CBOR diagnostic notation allows the use of Base64 encoding, what other >encoding are you suggesting? FP: Just sending hexadecimals CBOR byte strings instead of Base64 encoded strings. So for example in this case, replace the above with: "x" : h'BAC5B11CAD8F99F9C72B05CF4B9E26D244DC189F745228255A219A86D6A09EFF' LS: Using hex notation makes the representation longer and adds clutter to the document. The B64 notation is just for the CBOR diagnostic notation, it still translates to exactly the same CBOR byte string as the hex notation in raw CBOR. > >19. ----- > > Figure 8 summarizes the parameters that can currently be part of the > Access Information. Future extensions may define additional > parameters. > >FP: This is useful! Why not having the same type of figure listing all >acceptable parameters for the request (section 5.8.1)? > >LS: Because those paramters depend on the grant type, and with all the >existing OAuth 2.0 grant types this list would become very long and >include a lot of parameters that are not very useful for ACE-OAuth. >Note that IANA has a very nice listing here: >https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtm >l#parameters FP: And the fact that there are a lot of parameters that would not be very useful for Ace is exactly why I think such a list (containing only the parameters that *are* expected to be used with Ace) would be helpful. But ok to skip if you don't think so. LS: I will not object if someone else contributes this, but I don't believe it is necessary and will skip it myself. > >32. ----- > > The POST method SHOULD NOT be allowed on children of the authz-info > endpoint. > >FP: What children? They do not seem to be defined, so I do not >understand this sentence. > >LS: RESTful resources may have child resources, so there could be >/authz-info/token1345 and so on. These should not be POST-able. FP: Ok, my point is that such child resources or their meaning and functionalities is not defined in this document, hence it seems strange to add a requirement on them. LS: Ok I'll remove that sentence. >37. ----- > > There may be use cases were different profiles of this framework are > combined. For example, an MQTT-TLS profile is used between the > client and the RS in combination with a CoAP-DTLS profile for > interactions between the client and the AS. The security of a > profile MUST NOT depend on the assumption that the profile is used > for all the different types of interactions in this framework. > >FP: This seems strange - maybe I just don't understand how this is >supposed to work, but each profile defines exactly at least C - RS >communication and security, if several are combined, it seems that at >least the C-RS would conflict. > >LS: You could use one profile for C-RS (e.g. MQTT) and another one for C-AS >(e.g. DTLS) in the same interaction. So the writer of e.g. the DTLS profile >MUST NOT make security assumptions that this profile is used on _every_ leg of >the communication. > FP: Ok, I see, you mean that the C-RS interaction uses for example one profile, while the C-AS uses another? I am not convinced this text is enough - first of all you'd have to make sure that the profiles are "combinable" - the OSCORE profile for example requires the security context to be derived, and simply using another profile without tweaking it would not be enough. Additionally, I am confused about the implications for implementers to mix and match different profiles for different legs of communication, this sounds like interoperability could be an issue. Can we discuss this more? LS: I don't really see the problem here. Say you have a client that uses DTLS to talk to the AS. The AS determines that the client should use the OSCORE profile to talk to the RS and prepares the token accordingly (including the OSCORE parameters in the cnf claim of the token and the cnf parameter of the response). The client is informed of the chosen profile with the 'profile' parameter and proceeds to derive the OSCORE context for client-RS communication. _______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
