[Ace] draft-ietf-ace-dtls-authorize

[Daniel Migault]

Apparently, the change on the DTLS profile has not been noticed by everyone in 
the WG, so I am bringing the discussion here.

The change has been made as a response to a comment from the security 
directorate. Please provide your feed backs by Feb 4 (but preferably before)- 
and potentially propose the text you would like to see if you disagree with the 
change.



This is how has just been updated.


 The use of CoAP

   and DTLS for this communication is RECOMMENDED REQUIRED in this profile, 
other profile.  Other

   protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) MAY be

   used instead. will

   require specification of additional profile(s).

Yours,
Daniel
___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

[Ace] draft-ietf-ace-dtls-authorize-01

[Hannes Tschofenig]

[chair hat off]

Hi all,

I took a look at the draft and noticed a few minor things:

- The document should talk about "profiles" rather than "profile" since
it specifies at least two profiles, namely the RPK and the PSK profiles
with DTLS. I suspect an implementation is only expected to implement one
of them rather than both.

- Editorial comment: most of the articles are missing, which makes the
document harder to read.

- AS discovery: Wouldn't the client need to know the AS upfront when
using RPK and PSK (since it has to share a PSK with the AS or, in case
of the RPK, has to have the RPK with the server exchanged out of band)?

- There are two options provided for conveying the access token to the
RS, either either a dedicated endpoint or inband within the DTLS
exchange. There are pros and cons regarding the usage of both; is the
idea to settle with one approach in the end or do you envision both
options to be available in the final version of the specification.

- Regarding the dynamic update of authorization information. Since the
access token is a PoP token I believe you will have to demonstrate the
possession of the key every time you change the access token. (Section
2.4 gives me a different impression.)

- When the access token is conveyed inband in DTLS as part of the
PSK_identity then the text on page 12 is applicable. The description in
CDDL format confuses me. Normally, it should be quite simple: either you
transmit a psk_identity field or you convey the access token. The server
would figure it out. Is this just a complicated way to express this
semantic or do you have something else in mind?
(Btw, my understanding is that the server does not need to send a
illegal_parameter alert when it the psk_identity does not lead to a
successful authentication. Is this your suggestion or is this taken from
TLS PSK?)

- What is the reasoning behind this statement:

   "This specification mandates that at least the key derivation
   algorithm "HKDF SHA-256" as defined in [I-D.ietf-cose-msg] MUST be
   supported."

I would have assumed at the session key provided by the AS to the client
and the key embedded in the access token is used directly within TLS as
a PSK.

- Could you explain this statement:
"
   If the security association with RS still exists and RS has indicated
   support for session renegotiation according to [RFC5746], the new
   Access Token MAY be used to renegotiate the existing DTLS session.
   In this case, the Access Token is used as "psk_identity" as defined
   in Section 4.1.  The Client MAY also perform a new DTLS handshake
   according to Section 4.1 that replaces the existing DTLS session.
"

What are you trying to accomplish? Do you expect authorization
information to change frequently? What security association are you
talking about in the paragraph above?

Ciao
Hannes

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] draft-ietf-ace-dtls-authorize

[Olaf Bergmann]

Hi Daniel,

On 2021-01-28, Daniel Migault  
wrote:

> Apparently, the change on the DTLS profile has not been noticed by
> everyone in the WG, so I am bringing the discussion here.
>
> The change has been made as a response to a comment from the security
> directorate. Please provide your feed backs by Feb 4 (but preferably
> before)- and potentially propose the text you would like to see if you
> disagree with the change.

I agree with the change (although I do not care very much but the new
text makes more sense than the old) because the change suggested in the
secdir review is not about mandating one protocol or the other. It is
about which protocol you need to implement if you want to use that
protocol between C and AS. In short:

* the OSCORE profile mandates that "if you want to use CoAP over OSCORE
  between the C and the AS, you need to follow the steps in the
  OSCORE specification and look somewhere else if you want to use
  another protocol", and
* the DTLS profile mandates that "if you want to use CoAP over DTLS
  between the C and the AS, you need to follow the steps in the
  DTLS specification  and look somewhere else if you want to use
  another protocol"

Grüße
Olaf

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] draft-ietf-ace-dtls-authorize

[Francesca Palombini]

Hi Olaf,

When I read the draft I don't see how the change is reflected in your summary, 
actually your summary shows no difference between OSCORE and DTLS profile, 
while actually there is one. This is the difference we are discussing in the 
DTLS profile, about secure communication between Client and Authorization 
Server:

1. DTLS OLD:
   The use of CoAP
   and DTLS for this communication is RECOMMENDED in this profile, other
   protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) MAY be
   used instead.

2. DTLS CURRENT:
  The use of CoAP
   and DTLS for this communication is REQUIRED in this profile.  Other
   protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) will
   require specification of additional profile(s).

3. OSCORE CURRENT:
The
   use of CoAP and OSCORE ([RFC8613]) for this communication is
   RECOMMENDED in this profile; other protocols fulfilling the security
   requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] (such
   as HTTP and DTLS or TLS) MAY be used instead.

3. allows for applications to use this OSCORE profile "coap_oscore" and OSCORE 
between C and AS, but also if they prefer, DTLS between C and AS, or other 
security protocols that fulfil the security requirements of the framework.
1. also allows for the same for the DTLS profile (although it might be good to 
clarify that other protocols are only allowed if they fulfil the sec 
requirements).
2. does NOT allow for "coap_dtls" to use anything else than DTLS between C and 
AS. If C and AS want to use e.g. TLS, a new profile needs to be defined. This 
doesn't seem like a good idea.

About the "need to look somewhere else" : the only thing we say in the profiles 
is that C and AS have to have set up a secure communication channel. That is 
not really protocol specific, how that is established is out of scope of the 
profiles.

The question is: do we really need to specify one different profile for each 
security protocol used between C and AS? I hope not.

So my preference would update the text in the DTLS profile:

NEW:
   The use of CoAP
   and DTLS for this communication is RECOMMENDED in this profile, other
   protocols fulfilling the security
   requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] MAY be
   used instead.

Francesca

On 28/01/2021, 18:11, "Ace on behalf of Olaf Bergmann"  wrote:

Hi Daniel,

On 2021-01-28, Daniel Migault 
 wrote:

> Apparently, the change on the DTLS profile has not been noticed by
> everyone in the WG, so I am bringing the discussion here.
>
> The change has been made as a response to a comment from the security
> directorate. Please provide your feed backs by Feb 4 (but preferably
> before)- and potentially propose the text you would like to see if you
> disagree with the change.

I agree with the change (although I do not care very much but the new
text makes more sense than the old) because the change suggested in the
secdir review is not about mandating one protocol or the other. It is
about which protocol you need to implement if you want to use that
protocol between C and AS. In short:

* the OSCORE profile mandates that "if you want to use CoAP over OSCORE
  between the C and the AS, you need to follow the steps in the
  OSCORE specification and look somewhere else if you want to use
  another protocol", and
* the DTLS profile mandates that "if you want to use CoAP over DTLS
  between the C and the AS, you need to follow the steps in the
  DTLS specification  and look somewhere else if you want to use
  another protocol"

Grüße
Olaf

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] draft-ietf-ace-dtls-authorize

[Benjamin Kaduk]

I agree with Francesca that we should only RECOMMEND CoAP+DTLS for "both
legs" of communication with the AS -- the intent of the framework is that
we can decouple the protocol used in the different interactions if needed.

-Ben

P.S. The sentence prior to the quoted ones refers to Sections 5.6 and 5.6
of the framework for the token and introspection endpoint descriptions;
these seem to be 5.8 and 5.9, respectively, in
draft-ietf-ace-oauth-authz-36.


On Fri, Jan 29, 2021 at 01:15:14PM +, Francesca Palombini wrote:
> Hi Olaf,
> 
> When I read the draft I don't see how the change is reflected in your 
> summary, actually your summary shows no difference between OSCORE and DTLS 
> profile, while actually there is one. This is the difference we are 
> discussing in the DTLS profile, about secure communication between Client and 
> Authorization Server:
> 
> 1. DTLS OLD:
>The use of CoAP
>and DTLS for this communication is RECOMMENDED in this profile, other
>protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) MAY be
>used instead.
> 
> 2. DTLS CURRENT:
>   The use of CoAP
>and DTLS for this communication is REQUIRED in this profile.  Other
>protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) will
>require specification of additional profile(s).
> 
> 3. OSCORE CURRENT:
> The
>use of CoAP and OSCORE ([RFC8613]) for this communication is
>RECOMMENDED in this profile; other protocols fulfilling the security
>requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] (such
>as HTTP and DTLS or TLS) MAY be used instead.
> 
> 3. allows for applications to use this OSCORE profile "coap_oscore" and 
> OSCORE between C and AS, but also if they prefer, DTLS between C and AS, or 
> other security protocols that fulfil the security requirements of the 
> framework.
> 1. also allows for the same for the DTLS profile (although it might be good 
> to clarify that other protocols are only allowed if they fulfil the sec 
> requirements).
> 2. does NOT allow for "coap_dtls" to use anything else than DTLS between C 
> and AS. If C and AS want to use e.g. TLS, a new profile needs to be defined. 
> This doesn't seem like a good idea.
> 
> About the "need to look somewhere else" : the only thing we say in the 
> profiles is that C and AS have to have set up a secure communication channel. 
> That is not really protocol specific, how that is established is out of scope 
> of the profiles.
> 
> The question is: do we really need to specify one different profile for each 
> security protocol used between C and AS? I hope not.
> 
> So my preference would update the text in the DTLS profile:
> 
> NEW:
>The use of CoAP
>and DTLS for this communication is RECOMMENDED in this profile, other
>protocols fulfilling the security
>requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] MAY be
>used instead.
> 
> Francesca
> 
> On 28/01/2021, 18:11, "Ace on behalf of Olaf Bergmann"  on behalf of bergm...@tzi.org> wrote:
> 
> Hi Daniel,
> 
> On 2021-01-28, Daniel Migault 
>  wrote:
> 
> > Apparently, the change on the DTLS profile has not been noticed by
> > everyone in the WG, so I am bringing the discussion here.
> >
> > The change has been made as a response to a comment from the security
> > directorate. Please provide your feed backs by Feb 4 (but preferably
> > before)- and potentially propose the text you would like to see if you
> > disagree with the change.
> 
> I agree with the change (although I do not care very much but the new
> text makes more sense than the old) because the change suggested in the
> secdir review is not about mandating one protocol or the other. It is
> about which protocol you need to implement if you want to use that
> protocol between C and AS. In short:
> 
> * the OSCORE profile mandates that "if you want to use CoAP over OSCORE
>   between the C and the AS, you need to follow the steps in the
>   OSCORE specification and look somewhere else if you want to use
>   another protocol", and
> * the DTLS profile mandates that "if you want to use CoAP over DTLS
>   between the C and the AS, you need to follow the steps in the
>   DTLS specification  and look somewhere else if you want to use
>   another protocol"
> 
> Grüße
> Olaf
> 
> ___
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
> 

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] draft-ietf-ace-dtls-authorize

[Olaf Bergmann]

On 2021-01-29, Francesca Palombini 
 wrote:

> So my preference would update the text in the DTLS profile:
>
> NEW:
>The use of CoAP
>and DTLS for this communication is RECOMMENDED in this profile, other
>protocols fulfilling the security
>requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] MAY be
>used instead.

I can live with that.

Grüße
Olaf

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] draft-ietf-ace-dtls-authorize

[Daniel Migault]

great, so I suggest we publish the update before next interim meeting.

Yours,
Daniel

From: Olaf Bergmann 
Sent: Wednesday, February 3, 2021 12:58 PM
To: Francesca Palombini 
Cc: ace@ietf.org ; Benjamin Kaduk ; Daniel Migault 

Subject: Re: [Ace] draft-ietf-ace-dtls-authorize

On 2021-01-29, Francesca Palombini 
 wrote:

> So my preference would update the text in the DTLS profile:
>
> NEW:
>The use of CoAP
>and DTLS for this communication is RECOMMENDED in this profile, other
>protocols fulfilling the security
>requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] MAY be
>used instead.

I can live with that.

Grüße
Olaf
___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

Re: [Ace] draft-ietf-ace-dtls-authorize-01

[Ludwig Seitz]

On 2017-10-01 11:35, Hannes Tschofenig wrote:

[chair hat off]

Hi all,


Hello Hannes,

thank you for your comments. Replies inline.

/Ludwig



I took a look at the draft and noticed a few minor things:

- The document should talk about "profiles" rather than "profile" since
it specifies at least two profiles, namely the RPK and the PSK profiles
with DTLS. I suspect an implementation is only expected to implement one
of them rather than both.


I would have said that PSK vs RPK are just options within the DTLS 
profile, but I have no strong opinion about this.


You have a point that constrained implementations are likely to only 
support one option.




- Editorial comment: most of the articles are missing, which makes the
document harder to read.


Will fix.


- AS discovery: Wouldn't the client need to know the AS upfront when
using RPK and PSK (since it has to share a PSK with the AS or, in case
of the RPK, has to have the RPK with the server exchanged out of band)?


There are two scenarios how this could work:

1.) The client doesn't know the AS upfront, but after getting the 
discovery message it can register at the AS through some out-of-scope 
method in order to establish the PSK or RPK needed for communication 
with the token endpoint.


2.) The discovery hint just helps the client to select an AS from a set 
of previously known ASs.




- There are two options provided for conveying the access token to the
RS, either either a dedicated endpoint or inband within the DTLS
exchange. There are pros and cons regarding the usage of both; is the
idea to settle with one approach in the end or do you envision both
options to be available in the final version of the specification.


Note that the inband version only works for PSK, so the authz-info 
endpoint is at least needed for RPK. I would guess that constrained 
implementations would settle for just one option. Maybe we should 
specify some signaling for that.




- Regarding the dynamic update of authorization information. Since the
access token is a PoP token I believe you will have to demonstrate the
possession of the key every time you change the access token. (Section
2.4 gives me a different impression.)



Not necessarily. Since you still have the session open, you only need to 
have the AS to link the new token to the same pop key (for which you 
already proved possession). The framework (in conjunction with the cnf 
draft) have mechanisms for this).



- When the access token is conveyed inband in DTLS as part of the
PSK_identity then the text on page 12 is applicable. The description in
CDDL format confuses me. Normally, it should be quite simple: either you
transmit a psk_identity field or you convey the access token. The server
would figure it out. Is this just a complicated way to express this
semantic or do you have something else in mind?


The actual functionality that is specified is this:

psk_identity = {kid : } | {access_token : }

does that make more sense to you?

I'm not entirely happy with that solution, since we now have the weird 
situation where a client oblivious of the profile might use the 
psk_identity as intended, thus we actually have:


psk_identity = {kid : } | {access_token : } | kid

and my code needs to handle all 3 cases. I agree this needs to be discussed.



(Btw, my understanding is that the server does not need to send a
illegal_parameter alert when it the psk_identity does not lead to a
successful authentication. Is this your suggestion or is this taken from
TLS PSK?)

- What is the reasoning behind this statement:

"This specification mandates that at least the key derivation
algorithm "HKDF SHA-256" as defined in [I-D.ietf-cose-msg] MUST be
supported."

I would have assumed at the session key provided by the AS to the client
and the key embedded in the access token is used directly within TLS as
a PSK.



I'm not sure about this, Olaf, Steffi?



- Could you explain this statement:
"
If the security association with RS still exists and RS has indicated
support for session renegotiation according to [RFC5746], the new
Access Token MAY be used to renegotiate the existing DTLS session.
In this case, the Access Token is used as "psk_identity" as defined
in Section 4.1.  The Client MAY also perform a new DTLS handshake
according to Section 4.1 that replaces the existing DTLS session.
"

What are you trying to accomplish? Do you expect authorization
information to change frequently? What security association are you
talking about in the paragraph above?



The idea is to be able to handle changing authorization information, 
without having to redo the full DTLS handshake. The scenario would be 
that a client gains access to a resource, starts performing a series of 
operations, and at some point gets a "permission denied". The client 
would then go back to the token endpoint at the AS and request a new 
access token with a wider scope, that it would submit to the RS.


The

Re: [Ace] draft-ietf-ace-dtls-authorize-01

[Olaf Bergmann]

Hello Hannes,

Thank you very much for your comments. I am replying to the comment that
Ludwig did not yet address:

Ludwig Seitz  writes:

> On 2017-10-01 11:35, Hannes Tschofenig wrote:

>> - What is the reasoning behind this statement:
>>
>> "This specification mandates that at least the key derivation
>> algorithm "HKDF SHA-256" as defined in [I-D.ietf-cose-msg] MUST be
>> supported."
>>
>> I would have assumed at the session key provided by the AS to the client
>> and the key embedded in the access token is used directly within TLS as
>> a PSK.

Yes, you could embed the session key in the access token. But then, you
would always have to encrypt the access token and ensure that is never
decrypted by unauthorized parties. Key derivation allows you to transfer
the access token unencrypted (as long as the privacy objectives are met,
of course). This could even save some bytes in the token as the
encrypted session key does not have to be transferred.

This mechanism has previously been discussed in section 6 of [1] but now
has been adjusted from the simple ad-hoc syntax in DCAF to the more
flexible COSE method.

[1] https://tools.ietf.org/html/draft-gerdes-ace-dcaf-authorize-04#section-6

Grüße
Olaf

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace