Hi Olaf,
When I read the draft I don't see how the change is reflected in your summary,
actually your summary shows no difference between OSCORE and DTLS profile,
while actually there is one. This is the difference we are discussing in the
DTLS profile, about secure communication between Client and Authorization
Server:
1. DTLS OLD:
The use of CoAP and DTLS for this communication is RECOMMENDED in this profile, other protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) MAY be used instead.
2. DTLS CURRENT:
The use of CoAP and DTLS for this communication is REQUIRED in this profile. Other protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) will require specification of additional profile(s).
3. OSCORE CURRENT:
The use of CoAP and OSCORE ([RFC8613]) for this communication is RECOMMENDED in this profile; other protocols fulfilling the security requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] (such as HTTP and DTLS or TLS) MAY be used instead.
3. allows for applications to use this OSCORE profile "coap_oscore" and OSCORE
between C and AS, but also if they prefer, DTLS between C and AS, or other
security protocols that fulfil the security requirements of the framework.
1. also allows for the same for the DTLS profile (although it might be good to
clarify that other protocols are only allowed if they fulfil the sec
requirements).
2. does NOT allow for "coap_dtls" to use anything else than DTLS between C and
AS. If C and AS want to use e.g. TLS, a new profile needs to be defined. This
doesn't seem like a good idea.
About the "need to look somewhere else": the only thing we say in the profiles
is that C and AS have to have set up a secure communication channel. That is
not really protocol specific, how that is established is out of scope of the
profiles.
The question is: do we really need to specify one different profile for each
security protocol used between C and AS? I hope not.
So my preference would be to update the text in the DTLS profile:
NEW:
The use of CoAP and DTLS for this communication is RECOMMENDED in this profile, other protocols fulfilling the security requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] MAY be used instead.
Francesca
On 28/01/2021, 18:11, "Ace on behalf of Olaf Bergmann" <[email protected]
on behalf of [email protected]> wrote:
Hi Daniel,
On 2021-01-28, Daniel Migault
<[email protected]> wrote:
> Apparently, the change on the DTLS profile has not been noticed by
> everyone in the WG, so I am bringing the discussion here.
>
> The change has been made as a response to a comment from the security
> directorate. Please provide your feedback by Feb 4 (but preferably
> before), and potentially propose the text you would like to see if you
> disagree with the change.
I agree with the change (although I do not care very much but the new
text makes more sense than the old) because the change suggested in the
secdir review is not about mandating one protocol or the other. It is
about which protocol you need to implement if you want to use that
protocol between C and AS. In short:
* the OSCORE profile mandates that "if you want to use CoAP over OSCORE
between the C and the AS, you need to follow the steps in the
OSCORE specification and look somewhere else if you want to use
another protocol", and
* the DTLS profile mandates that "if you want to use CoAP over DTLS
between the C and the AS, you need to follow the steps in the
DTLS specification and look somewhere else if you want to use
another protocol"
Regards
Olaf
_______________________________________________
Ace mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ace