Re: [Ace] remarks on draft-tiloca-ace-oscore-gm-admin-00

[Marco Tiloca]

Hi Jim,

Thanks a lot for this review!

We have been working on an updated version accessible at [1], which is
already taking into account your comments on CoRAL.

Please, find below inline some more replies and open points.

Best,
/Marco

[1]
https://gitlab.com/crimson84/draft-tiloca-ace-oscore-gm-admin/blob/v-01/draft-tiloca-ace-oscore-gm-admin.md

On 2019-11-20 00:13, Jim Schaad wrote:
> This is just going to be a high level review on how things are done rather
> than a detailed review on each line of text.
>
> 1. - Go and read that CoRE Pub-Sub update document - you know the one that
> Klaus and friends have not managed to get written since the model proposal
> was done way back when.


Yes, we are now relying on an akin interface, along the lines of the now
published draft
https://datatracker.ietf.org/doc/draft-hartke-t2trg-coral-pubsub/


>
> 2.  Re-write this to use CoRAL - Yes I know that this makes another
> dependency on getting it published from the CoRE group, but I don't want to
> do things multiple times.


We have now also added examples in CoRAL, for all the interactions
between Administrator and Group Manager, now also extended with FETCH
for filtered retrieval.


>
> 3.  I think that this document really needs to be able to be used with
> HTTP/JSON as well as CoAP.   If you can get the JSON version of CoRAL from
> Klaus then this falls out without any work.


We are now saying the CoRAL examples are in text format, but they are in
CBOR or JSON on the wire, with no particular additional effort. Is this
enough?


>
> 4.  Are you making it a requirement that the group name be the same as the
> group identifier assigned by the "group_name" parameter?  If so then having
> some type of title and description would seem to be almost mandatory.


They are in fact the very same thing. The "group_name" parameter
specifies the group name, as intended to identify the OSCORE group both
by the administrator and the joining nodes in the other related
documents. We can use only "invariant name" rather than "invariant
identifier". Are we missing something? If so, what do you suggest we
should give a title and description to?


>
> 5.  There needs to be some parameters around pointing to the correct AS and
> so forth.  The management API may reject because it does not trust the AS.
> Don't assume that this is a single value for the AS either.


This is good and also aligned with other related drafts.

If we interpret your suggestion correctly:

1) The POST request to /manage may specify also an optional 'as_uri'
parameter, with the link to a suggested AS. The GM may accept the
suggestion or not. If not, it has to think of an alternative AS, as
valid issuer of tokens for joining that group.

2) The GM must have one more parameter in the group configuration with
the effective AS URI, i.e. either one provided by the administrator and
accepted, or one otherwise decided.

Do you think of any additional related parameters to be included in the
POST request, other than 'as_uri'? Perhaps the public key of the
suggested AS if applicable?

Do you think the suggestion in the request should actually be a list of
AS, out of which the GM may pick up at most one?


>
> 6.  You are missing a lot of management detail on the POST to the group
> node.  Some of the things that are missing would be:
> a)  Is the group active or inactive


We can have one more parameter on the group-configuration resource for this.

We are interpreting active/inactive as follows. Ideally, upon creating
the group, the request can specify the initial status as active or
inactive. Upon later updating the group by sending a request to the
group-configuration resource, the administrator can change the status
(or read it through a GET).

Then the active/inactive status has two parallel scopes:

1) one scope is for the GM alone, i.e the GM would allow the joining of
new group members only if the group is set as active.

2) when the group is set as inactive, the current group members should
refrain from sending and should not expect receiving any message
protected with that group key material. However, there is no way to
actually force them to.

In support to scope (2), when the status changes to inactive, the GM
should inform group members about that. To this end, the
group-membership resource intended for group members would also include
a parameter reflecting the group status and aligned in value with the
one in the group-configuration resource. Then, there are two ways to
inform the group members of a status change.

a) A way is to have the group members observing the group-membership
resource (that they may have been doing already anyway for
notification-based rekeying).

b) A second way is for the group members to have a dedicated local
resources for this (and other) kind of control communication (e.g.
rekeying). This is something we are also considering in
ace-key-groupcomm(-oscore) for receiving individual rekeying messages.
In either case this 

[Ace] Authentication and Authorization for Constrained Environments (ace) WG Virtual Meeting: 2020-01-31

[IESG Secretary]

The Authentication and Authorization for Constrained Environments (ace) Working 
Group will hold
a virtual interim meeting on 2020-01-31 from 11:00 to 12:30 America/New_York.

Agenda:
* chairs slides (note well, agenda bashing ...)
* draft-ietf-ace-key-groupcomm
* draft-ietf-ace-key-groupcomm-oscore
* draft-ietf-ace-mqtt-tls-profile
* draft-ietf-ace-coap-pubsub-profile
* AOB

Information about remote participation:
ACE Working Group invites you to join this Webex meeting.  Meeting number 
(access code): 641 066 992   Meeting password: akZaYmff Friday, January 31, 
2020  11:00 am  |  (UTC-05:00) Eastern Time (US & Canada)  |  1 hr 30 mins  
Join meeting   Join by phone Tap to call in from a mobile device (attendees 
only) 1-650-479-3208 Call-in toll number (US/Canada)  Join from a video 
system or application Dial 641066...@ietf.webex.com  You can also dial 
173.243.2.68 and enter your meeting number. Join using Microsoft Lync or 
Microsoft Skype for Business Dial 641066992.i...@lync.webex.comNeed help? 
Go to http://help.webex.com

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] [Gen-art] Genart last call review of draft-ietf-ace-oauth-params-06

[elwynd]

Sent from Samsung tablet.
 Original message From: Ludwig Seitz  
Date: 07/01/2020  19:52  (GMT+00:00) To: elwynd , 
gen-...@ietf.org Cc: last-c...@ietf.org, 
draft-ietf-ace-oauth-params@ietf.org, ace@ietf.org Subject: Re: [Gen-art] 
[Ace] Genart last call review of
  draft-ietf-ace-oauth-params-06 On 2019-12-22 19:27, elwynd wrote:> Hi, 
Ludwig.>> Having had another look at section 3.1 of> 
draft-ietf-ace-cwt-proof-of-possession, technically the rules about> which keys 
have to be present are not part of the syntax of the cnf> claim.  The point can 
be covered by changing '"syntax of the 'cnf' claim"> to "syntax and semantics 
of the 'cnf' claim"> in each case.>> However, the second look threw up another 
point:  Figure 2 in s3.2 gives> a Symetric key example  - I think this should 
use an Encrypted_COSE_Key> (or Encrypted_COSE_Key0) as described in section 3.3 
of> draft-ietf-ace-cwt-proof-of-possession.>> Otherwise I think we are done.>> 
Eventually we will get to Christmas!>> Cheers,> Elwyn>>Hello Elwyn,I hope you 
had a merry Christmas and a happy new year's eve.I have updated the draft to 
-10, fixing the phrasing to your suggestionfrom the first paragraph above in 
various places (and an issue that cameup during IANA review).Given my argument 
for not having the encrypted COSE_Key in figure 2 Ileft that part as it was. 
Please indicate whether this is acceptablewith the given 
explanation.Regards,LudwigHi, Ludwig.Yes, we had a pleasant festive season - 
Hope yours was good also.The -10 draft looks good.  Regarding the symmetric key 
in s3. 2/Figure 2, I think it would be worth adding a sentence to point out 
that one might have to use the encrypted form per proof-of-posession draft if 
the overall message was not encrypted (as in it is in the oauth 
usage).Cheers,Elwyn___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

[Ace] ace - Update to a Meeting Session Request for IETF 107

[IETF Meeting Session Request Tool]

An update to a meeting session request has just been submitted by Daniel 
Migault, a Chair of the ace working group.


-
Working Group Name: Authentication and Authorization for Constrained 
Environments
Area Name: Security Area
Session Requester: Daniel Migault

Number of Sessions: 1
Length of Session(s):  1.5 Hours
Number of Attendees: 30
Conflicts to Avoid: 
 Chair Conflict: tmrid calext cbor lamps
 Technology Overlap: teep lake tls oauth t2trg suit core cose
 Key Participant Conflict: abcd dnsop homenet emu lwig cfrg ipsecme saag 
secdispatch


People who must be present:
  Daniel Migault
  Jim Schaad
  Benjamin Kaduk

Resources Requested:

Special Requests:
  
-

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace