Hi John, please see inline for remarks in addition to Ludwig's response.
John Mattsson <[email protected]> writes:

> I just reviewed draft-ietf-ace-oscore-profile. This made me wonder
> about the AS discovery mechanism in the ACE framework. Why is this
> particular discovery mechanism given so much attention? Of all
> possible discovery mechanisms, this seems like one of the worst as:
>
> 1. It requires a round-trip over the C-RS path which is typically the
> most constrained path in the architecture.
> 2. The response would in many cases be unprotected, which means C does
> not know if the response comes from RS or an attacker.
>
> A discovery mechanism using a non-constrained path (e.g. DNS, but could
> be any type of lookup service) would in many cases be much more
> efficient and should be recommended.

It is clear that the AS Creation Hints are just hints, and, as documented, this information needs to be treated with utmost care. But I do not see how we would justify recommending a non-constrained path for a potentially constrained client.

A good solution to this problem (DNS-SD being just one possibility, CoRE RD another) would be to delegate AS discovery to a not-so-constrained entity in the same security domain as the client.

Regards
Olaf

_______________________________________________
Ace mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ace
