I agree with Francesca that we should only RECOMMEND CoAP+DTLS for "both
legs" of communication with the AS -- the intent of the framework is that
we can decouple the protocol used in the different interactions if needed.

-Ben

P.S. The sentence prior to the quoted ones refers to Sections 5.6 and 5.6
of the framework for the token and introspection endpoint descriptions;
these seem to be 5.8 and 5.9, respectively, in
draft-ietf-ace-oauth-authz-36.


On Fri, Jan 29, 2021 at 01:15:14PM +0000, Francesca Palombini wrote:
> Hi Olaf,
> 
> When I read the draft I don't see how the change is reflected in your 
> summary; actually, your summary shows no difference between the OSCORE and 
> DTLS profiles, while there is one. This is the difference we are 
> discussing in the DTLS profile, about secure communication between Client and 
> Authorization Server:
> 
> 1. DTLS OLD:
>    The use of CoAP
>    and DTLS for this communication is RECOMMENDED in this profile, other
>    protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) MAY be
>    used instead.
> 
> 2. DTLS CURRENT:
>    The use of CoAP
>    and DTLS for this communication is REQUIRED in this profile.  Other
>    protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) will
>    require specification of additional profile(s).
> 
> 3. OSCORE CURRENT:
>    The
>    use of CoAP and OSCORE ([RFC8613]) for this communication is
>    RECOMMENDED in this profile; other protocols fulfilling the security
>    requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] (such
>    as HTTP and DTLS or TLS) MAY be used instead.
> 
> 3. allows for applications to use this OSCORE profile "coap_oscore" and 
> OSCORE between C and AS, but also if they prefer, DTLS between C and AS, or 
> other security protocols that fulfil the security requirements of the 
> framework.
> 1. also allows for the same for the DTLS profile (although it might be good 
> to clarify that other protocols are only allowed if they fulfil the sec 
> requirements).
> 2. does NOT allow for "coap_dtls" to use anything else than DTLS between C 
> and AS. If C and AS want to use e.g. TLS, a new profile needs to be defined. 
> This doesn't seem like a good idea.
> 
> About the "need to look somewhere else": the only thing we say in the 
> profiles is that C and AS have to have set up a secure communication channel. 
> That is not really protocol specific; how that is established is out of scope 
> of the profiles.
> 
> The question is: do we really need to specify one different profile for each 
> security protocol used between C and AS? I hope not.
> 
> So my preference would be to update the text in the DTLS profile:
> 
> NEW:
>    The use of CoAP
>    and DTLS for this communication is RECOMMENDED in this profile, other
>    protocols fulfilling the security
>    requirements defined in section 5 of [I-D.ietf-ace-oauth-authz] MAY be
>    used instead.
> 
> Francesca
> 
> On 28/01/2021, 18:11, "Ace on behalf of Olaf Bergmann" <ace-boun...@ietf.org 
> on behalf of bergm...@tzi.org> wrote:
> 
>     Hi Daniel,
> 
>     On 2021-01-28, Daniel Migault 
> <daniel.migault=40ericsson....@dmarc.ietf.org> wrote:
> 
>     > Apparently, the change on the DTLS profile has not been noticed by
>     > everyone in the WG, so I am bringing the discussion here.
>     >
>     > The change has been made as a response to a comment from the security
>     > directorate. Please provide your feedback by Feb 4 (but preferably
>     > before), and potentially propose the text you would like to see if you
>     > disagree with the change.
> 
>     I agree with the change (although I do not care very much but the new
>     text makes more sense than the old) because the change suggested in the
>     secdir review is not about mandating one protocol or the other. It is
>     about which protocol you need to implement if you want to use that
>     protocol between C and AS. In short:
> 
>     * the OSCORE profile mandates that "if you want to use CoAP over OSCORE
>       between the C and the AS, you need to follow the steps in the
>       OSCORE specification and look somewhere else if you want to use
>       another protocol", and
>     * the DTLS profile mandates that "if you want to use CoAP over DTLS
>       between the C and the AS, you need to follow the steps in the
>       DTLS specification and look somewhere else if you want to use
>       another protocol"
> 
>     Grüße
>     Olaf
> 
>     _______________________________________________
>     Ace mailing list
>     Ace@ietf.org
>     https://www.ietf.org/mailman/listinfo/ace
> 
