Hi all, I was going through the four drafts that have been "waiting for writeup" for a while, to check that the latest changes are good and they are ready to go once the last point from the secdir review of draft-ietf-ace-dtls-authorize is wrapped up. In short: they are, but I had a couple comments on the OSCORE profile that might help improve it.
In section 2, we have some discussion:

   The use of nonces during the exchange prevents the reuse of an Authenticated Encryption with Associated Data (AEAD) nonces/key pair for two different messages. Reuse might otherwise occur when client and RS derive a new Security Context from an existing (non-expired) access token, as might occur when either party has just rebooted, and might lead to loss of both confidentiality and integrity. Instead, by using nonces as part of the Master Salt, the request to the authz-info endpoint posting the same token results in a different Security Context, by OSCORE construction, since even though the Master Secret, Sender ID and Recipient ID are the same, the Master Salt is different (see Section 3.2.1 of [RFC8613]). If nonces were reused, a node reusing a non-expired old token would be susceptible to on-path attackers provoking the creation of OSCORE messages using old AEAD keys and nonces.

Where we talk about how the nonces (N1 and N2) exchanged during the authz-info request/response are used to prevent the use of nonce+key combinations for the AEAD used for the OSCORE messages. But there's really two classes of nonce: the ones for the AEAD, and the ones used in constructing the master salt. Whenever we just say "nonce" or "nonces" there is potential for ambiguity, so we might want to add an adjective every time we use the word, as tedious as it is to do so.

Also in Section 2, I just wanted to check on the location of the "mutual authentication" indication -- currently it's shown after the second OSCORE Response, but I am not sure why it is not achieved after just the first Request/Response exchange that performs proof of possession.

Thanks!

-Ben
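The two classes of nonce discussed in the message above can be seen side by side in the following added example, which is not part of the original message or of the draft. It derives the OSCORE Sender Key and Common IV as in RFC 8613, Section 3.2.1, and builds the AEAD nonce as in Section 5.2. Assumptions: the Master Salt is taken as the plain concatenation N1 || N2, the AEAD is AES-CCM-16-64-128 with HKDF SHA-256, and all key, ID and nonce values are constructed.

```python
import hashlib
import hmac

def hkdf_sha256(salt, ikm, info, length):
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def oscore_info(id_, type_, length, alg=10):
    """CBOR array [id, id_context=nil, alg_aead, type, L] from RFC 8613, Section 3.2.1.
    Hand-encoded; valid only for short values (all lengths and integers below 24)."""
    return (b"\x85" + bytes([0x40 | len(id_)]) + id_ + b"\xf6" + bytes([alg])
            + bytes([0x60 | len(type_)]) + type_.encode() + bytes([length]))

def derive_context(master_secret, master_salt, sender_id):
    """Sender Key (16 bytes) and Common IV (13 bytes) for AES-CCM-16-64-128."""
    key = hkdf_sha256(master_salt, master_secret, oscore_info(sender_id, "Key", 16), 16)
    iv = hkdf_sha256(master_salt, master_secret, oscore_info(b"", "IV", 13), 13)
    return key, iv

def aead_nonce(common_iv, sender_id, seq):
    """AEAD nonce from RFC 8613, Section 5.2, for sender sequence number seq."""
    piv = seq.to_bytes(5, "big")  # Partial IV, left-padded to 5 bytes
    padded = bytes([len(sender_id)]) + sender_id.rjust(7, b"\x00") + piv
    return bytes(a ^ b for a, b in zip(padded, common_iv))

def first_pair(master_secret, n1, n2, sender_id):
    """(AEAD key, AEAD nonce) of the first message sent in a fresh context."""
    # Assumption: Master Salt is the plain concatenation N1 || N2.
    key, iv = derive_context(master_secret, n1 + n2, sender_id)
    return key, aead_nonce(iv, sender_id, 0)  # sequence number restarts at 0

if __name__ == "__main__":
    secret, sid = bytes(range(1, 17)), b"\x01"      # constructed token material
    n1, n2, n2_new = b"\x11" * 8, b"\x22" * 8, b"\x33" * 8  # constructed salt nonces
    before = first_pair(secret, n1, n2, sid)
    replay = first_pair(secret, n1, n2, sid)        # salt nonces repeated after reboot
    fresh = first_pair(secret, n1, n2_new, sid)     # same token, fresh N2
    print("salt nonces repeated -> same AEAD key and nonce:", before == replay)
    print("fresh N2             -> same AEAD key:", before[0] == fresh[0])
```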
