annotate ace-key-groupcomm-review.txt @ 6:ac8f4ba48e08
ready to submit
author: Henry S. Thompson <ht@inf.ed.ac.uk>
date: Tue, 31 Oct 2023 16:41:20 +0000
parents: b281db304428
Document: Key Provisioning for Group Communication using ACE [1]
Intended RFC status: Proposed Standard
Review type: artart - Last Call review
Reviewer: Henry S. Thompson
Review Date: 2023-10-@@
Result: Ready with Issues

*Summary*

Caveat: I'm not familiar with the group comms family of RFCs or the
applications they support, so this review is from an outsider's
perspective.

As such, I am not able to comment on the adequacy of section 4. This
is where the details of the Client and KDC interactions are spelled
out, and it needs a potential user of this spec. to judge whether they
provide the necessary functionality.

*Substantive points*

Section 2. I'm seeing an inconsistency in the way the Dispatcher is
discussed. When introduced in the bullet points the last bullet says

"If it consists of an explicit entity such as a pub-sub Broker or a
message relayer, the Dispatcher is comparable to an _untrusted_
on-path intermediary, and as such it is _able to read_ the messages
sent by Clients in the group." [emphasis added]

But at the end of section 2 we find

"5. The joining node can communicate _securely_ with the other group
members, using the keying material provided in step 3."
[emphasis added]

If the Dispatcher is untrusted, how can communication be secure?
There is no discussion of the Dispatcher in the Security section.

Section 5: I don't see how authority to institute forced deletion is
established. Indeed the means for forced deletion don't appear to be
defined at all. Section 4.8 (and 4.8.3) explicitly requires that only
the Client can send a Delete request, and only for themselves.

*Minor points*

Section 1. I note that one of the two referenced examples of candidate
application profiles, "A publish-subscribe architecture for the
Constrained Application Protocol (CoAP)" [2], has expired. I'm not
sure how much it matters to have reasonably mature examples, but
without _some_ good reasons to suppose that there's a community out
there waiting to implement this framework, its future does seem a bit
shaky... There is of course a chicken-and-egg problem here which may
explain the lack of progress.

Section 2. This is the first point where the actual connection between
ACE and this document is made clear, that is, that the KDC is the
Resource Server _per ACE_. Simply adding ", per ACE," to "Resource
Server" in para 2 of Section 1 would fix this for me.

Section 6: It might be helpful to include ASCII-art diagrams of the
different communication pathways described for accomplishing rekeying.

Sections 3.1 & 7: The example scopes include Verifier and Monitor
roles. Although there is a parenthetical reference to the [Vv]erifier
role in Section 3.3.1, no other mention of Monitor is given, and in
general the role of roles is not explained anywhere. There is a
"Request inconsistent with the current roles" error code defined in
section 9, but no tabulation of roles allowed/required for particular
requests, which one might expect. Nor are any REQ or OPT obligations
provided to cover this.

If all this is something defined in one of the many referenced specs,
and so familiar to likely readers, that's OK, otherwise perhaps
something should be added.

Sections 11.6--11.16: _Seven_ new IANA registries! At a quick count,
that's a 50% increase in the number of related (CBOR + COAP)
registries. Is there a plan for populating the expert reviewer slots
this entails?

*Nits*

Section 1 / Appendix A: The use of REQ[n] and OPT[n] in conjunction
with REQUIRED and MAY is not explained, nor are they linked to the
relevant text in Appendix A. There is an oblique reference to this
practice in para. 4 of Section 1, which could stand to be expanded to
explain your conventions.

Passim: Please do a thorough spell-check. The following were found in the
first 4 sections:
recommeded -> recommended
memebrs -> members
specificaton -> specification
acces -> access
trasferring -> transferring

ht
--

[1] https://datatracker.ietf.org/doc/draft-ietf-ace-key-groupcomm/
[2] https://datatracker.ietf.org/doc/html/draft-ietf-core-coap-pubsub-12