Hi Tirumaleswar, Thanks for your review and the good comments. See inline. We will update the document accordingly.
Cheers,
John

From: tirumal reddy <[email protected]>
Date: Friday, 13 January 2023 at 07:32
To: [email protected] <[email protected]>, [email protected] <[email protected]>, [email protected] <[email protected]>, [email protected] <[email protected]>
Subject: Secdir last call review of draft-ietf-ace-extend-dtls-authorize

Reviewer: Tirumaleswar Reddy
Review result: Ready with Nits

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document updates the CoAP-DTLS profile for ACE by specifying that the profile applies to TLS as well as DTLS.

Comments below:

1) In case the ace_profile parameter indicates the use of the DTLS profile for ACE as defined in [RFC9202], the Client MAY try to connect to the Resource Server via TLS, or try TLS and DTLS in parallel to accelerate the connection setup. It is up to the implementation to handle the case where the RS responds to both connection requests.

Comment> DTLS should be given higher precedence than TLS as CoAP over UDP is the first choice of implementation.

John: Yes, if the Client supports both DTLS and TLS, the first choice should be DTLS unless the Client has reason to believe that only TLS will work. We will add text describing this.

2) As resource-constrained devices are not expected to support both transport layer security mechanisms, a Client that implements either TLS or DTLS but not both might fail in establishing a secure communication channel with the Resource Server altogether.

Comment> If the IoT device cannot support both TLS and DTLS, is it mandatory for the device to support TLS? Otherwise, if a device supports DTLS only and a firewall blocks the communication channel over UDP with the RS, it will fail to function.

John: In general it should not be mandatory to support TLS, but a device implementing this document is supporting TLS. Most ACE clients will likely only support DTLS. Some will support both to do firewall traversal. Some will only support TLS. Yes, in the case you describe the connection will fail. Things can fail to function even with TLS if the firewall only accepts connections from the other direction. We will add text with these considerations.

Cheers,
-Tiru
_______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
