Dear Orie,
Thank you for the review and the comments.
Please see responses inline.
On 13/11/24 at 23:52, Orie Steele via Datatracker wrote:
Orie Steele has entered the following ballot position for
draft-ietf-ace-wg-coap-eap-11: Discuss
When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)
Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.
The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-ace-wg-coap-eap/
----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------
# Orie Steele, ART AD, comments for draft-ietf-ace-wg-coap-eap-11
CC @OR13
* line numbers:
  - https://author-tools.ietf.org/api/idnits?url=https://www.ietf.org/archive/id/draft-ietf-ace-wg-coap-eap-11.txt&submitcheck=True
* comment syntax:
  - https://github.com/mnot/ietf-comments/blob/main/format.md
* "Handling Ballot Positions":
  - https://ietf.org/about/groups/iesg/statements/handling-ballot-positions/
## Discuss
Thanks Loganaden Velvindron for the shepherd writeup, I note his comments on
media type issues, which I echo in my review.
I also note IANA review state is "Review Needed".
Authors: We addressed the comments of IANA.
### well known uri
It does not appear that mnot's comments here were addressed:
https://mailarchive.ietf.org/arch/msg/ace/HHSVWFPuPknnlZhojilF0AyD9To/
I agree with his comments.
See: https://datatracker.ietf.org/doc/html/rfc8615#section-3
I suggest adding a comment to the effect of... "/.well-known/coap-eap" (or
/.well-known/coap/eap) is used with "coap" / "coap+ws" or other entries which
are already present here:
https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
Authors>
We added the following text.
To access the authentication service, this document defines the
well-known URI "coap-eap" (to be assigned by IANA). The
/.well-known/coap-eap URI is used with "coap", "coap+tcp" or "coap+ws".
It seemed like the authors intended to address these comments:
https://mailarchive.ietf.org/arch/msg/ace/rFm-eTKhaVoD8VWqQKTyeM61SxA/
Please confirm the current registration requests are as intended (apologies if
I failed to trace the mailing list discussion properly)
Authors > We exchanged a few emails, with Mark Nottingham, and our
understanding was that he was ok to maintain the well-known URI as coap-eap.
### media type
I do not see a request for review for this media type registration here:
https://mailarchive.ietf.org/arch/browse/media-types/?q=coap-eap
Please seek a review per the guidance here:
https://wiki.ietf.org/group/art/TypicalARTAreaIssues#media-types
In particular this part:
Submit your actual registration (not a pointer to it) for review on the
ietf-ty...@iana.org discussion list. Do this before you're ready to request
publication of your draft.
I will change this part of my discuss to no objections in a week or so...
assuming no concerns are raised. Please make sure to copy-paste the full
sections 9.5 (not just a pointer to them) in your mail to media-types.
Authors> Thank you. We sent an email to the list. They seem to be ok
with the proposal. Thank you for the guidance on this.
----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------
## Comments
### media types
```
1112 IANA has added the media types "application/coap-eap" to the "Media
1113 Types" registry. The registration procedure is "Expert Review".
1114 Section 4 defines the format.
```
Thanks for the pointer to section 4, and the explanation in figure 7.
```
1153 * Change Controller: IESG
```
Change controller should be IETF.
Authors> Thank you. We changed to IETF.
```
1144 * Person and email address to contact for further information: See
1145 "Authors' Addresses" section.
```
Consider using a working group mailing list here instead (see recent
registration requests on the media type list for details)
Authors > We put the ACE WG mailing list.
### use of null string in Master Secret
```
746 * CS is the concatenation of the content of the cipher suite
747 negotiation, that is, the list of cipher suites sent by the EAP
748 authenticator (Step 1) to the selected option by the EAP peer
749 (Step 2). If any of the messages did not contain the CBOR array
750 (default algorithms), the null string is used.
```
I don't understand this part.
Under which cases would the use of the null string be expected here?
Authors> Reading this after your comments, we rewrote the text to
clarify the process.
“- CS is the concatenation of the content of the cipher suite
negotiation, that is, the concatenation of two CBOR arrays CS-C and CS-I
(with CBOR ints as elements), as defined in {{cbor-coap-eap}}. If CS-C
or CS-I were not sent, (i.e., default algorithms are used) the value
used to generate CS will be the same as if the default algorithms were
explicitly sent in CS-C or CS-I (i.e., a CBOR array with the ciphersuite 0).”
### Redundant normative requirement?
```
180 is an EAP state machine that can run any EAP method. For this
181 specification, the EAP method MUST be able to derive keying material.
```
```
219 An EAP method that does not export keying material MUST NOT be used.
```
Authors > We will remove the last phrase to avoid repeating the same
thing.
deriving keying material vs exporting keying material?
Authors > We improved the text using the wording of EAP.
"For this specification, the EAP method MUST support key derivation and
export, as specified in {{RFC5247}}, a Master Session Key (MSK)[...]"
### When SHOULD state be kept forever?
Also how long is "some time"?
```
508 If, for any reason, one of the entities becomes non-responding, the
509 CoAP-EAP state SHOULD be kept only for some time before it is
510 removed. The removal of the CoAP-EAP state in the EAP authenticator
```
Authors > We are assuming the CoAP EXCHANGE_LIFETIME as default value.
We added the following text to clarify
If, for any reason, one of the entities becomes non-responsive, the
CoAP-EAP state SHOULD be removed after a stipulated amount of time. The
amount of time can be adjusted according to the policies established by
the application or use case where CoAP-EAP is used. As a default value,
the CoAP EXCHANGE_LIFETIME parameter, as defined in CoAP{{RFC7252}} will
be used.
### Array -> Algorithms
```
987 is "Expert Review". The columns of the registry are Value, Array,
```
"Array" is a less than excellent column name... in this case, the column should
be called "Algorithms"... right?
Authors > Thank you, we changed it to Algorithms
### When should tstr be used for ciphersuite?
```
620 ? 1 : [+ int/tstr], ; cipher suite
```
I assume the values here should come from the CoAP-EAP Cipher Suites registry,
where 0 is the default. I don't see any guidance on how or when a tstr
"CoAP-EAP Cipher Suite" should be used... so I wonder how it will be
interpreted by implementations.
Authors > You are correct, maybe it is better to just reduce the options
to int to avoid confusion, as there is no apparent advantage of having
two ways of sending this information.
### CDDL in CoAP-EAP Informational Elements
```
1052 * Value: 1
1054 * Name: cipher suite
1056 * Description: List of the proposed or selected COSE algorithms for
1057 OSCORE
```
Should there be CBOR type information for each entry in this registry?
Consider the "CBOR Type" column here:
https://www.iana.org/assignments/cose/cose.xhtml#key-type-parameters
...and
note that "array (of array of uint)" is not CDDL, you can perhaps provide the
DEs with guidance to protect against such issues in the future.
Authors > We added the column as suggested.
### Content Encoding
Per https://www.rfc-editor.org/errata_search.php?eid=4954
```
1163 +-----------------------+----------+------+-------------------+
1164 | Media Type | Encoding | ID | Reference |
1165 +-----------------------+----------+------+-------------------+
1166 | application/coap-eap | - | TBD | [[this document]] |
1167 +-----------------------+----------+------+-------------------+
```
Encoding -> Content Encoding? (This is probably already clear to IANA)
Authors > Thank you.
## Nits
### expand on first use
```
129 EAP methods transported in CoAP MUST generate cryptographic material
130 [RFC5247] in an MSK for this specification. The MSK is used as the
```
### awkward sentence
missing of / are-> is ?
```
146 as the EAP authenticator. In these cases, EAP methods that do not
147 require many exchanges, have short messages and use cryptographic
148 algorithms that are manageable by constrained devices are preferable.
149 The benefits of the EAP framework in IoT are highlighted in
150 [EAP-framework-IoT].
```
Authors > We improved the text as follows
In these cases, EAP methods with fewer exchanges, shorter messages,
and cryptographic algorithms suitable for constrained devices are
preferable. The benefits of the EAP framework in IoT are highlighted
in {{EAP-framework-IoT}}.
### extra of
```
160 Readers are expected to be familiar with the terms and concepts of
161 described in CoAP [RFC7252], EAP [RFC3748] [RFC5247] and OSCORE
162 [RFC8613]
```
Authors > Thank you, we addressed the text nits.
Thank you again for the review.
Best regards.
--
Dan García Carrillo
---------------------
Departamento de Informática, Área de Telemática, Universidad de Oviedo
2.7.8 - Escuela Politécnica de Ingeniería, 33204, Campus de Viesques, Gijón
Tel.: +34 985182654 (Ext. 2654) | email:garcia...@uniovi.es
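The CS construction in the authors' revised text above (CS = CS-C || CS-I, each a CBOR array of ints, with an omitted array treated as if [0] had been sent), as an added example that is not from the draft, the thread, or any CoAP-EAP implementation. It assumes "concatenation" means byte concatenation of the two CBOR encodings and uses a minimal hand-written encoder for arrays of small unsigned ints; it does not perform the MSK-based key derivation itself.

```python
# Added example, not code from the draft or the thread: builds the CS input
# as the revised text describes it. Assumes CS-C and CS-I are each a CBOR array
# of unsigned ints and that CS is the byte concatenation of the two encodings.
from typing import List, Optional

DEFAULT_CIPHERSUITE = 0  # registry value 0 is the default suite (per the thread)


def cbor_uint(n: int, major: int = 0) -> bytes:
    """Encode an unsigned value with the given CBOR major type (RFC 8949 head)."""
    if n < 0:
        raise ValueError("only unsigned values are handled here")
    head = major << 5
    if n < 24:
        return bytes([head | n])
    if n < 0x100:
        return bytes([head | 24, n])
    if n < 0x10000:
        return bytes([head | 25]) + n.to_bytes(2, "big")
    raise ValueError("values above 65535 are not needed for this example")


def cbor_int_array(values: List[int]) -> bytes:
    """Encode a definite-length CBOR array (major type 4) of unsigned ints."""
    return cbor_uint(len(values), major=4) + b"".join(cbor_uint(v) for v in values)


def effective_array(sent: Optional[List[int]]) -> List[int]:
    """An array that was not sent (default algorithms) counts as [0]."""
    return [DEFAULT_CIPHERSUITE] if sent is None else list(sent)


def build_cs(cs_c: Optional[List[int]], cs_i: Optional[List[int]]) -> bytes:
    """CS = encode(CS-C) || encode(CS-I), with the default substitution applied."""
    return cbor_int_array(effective_array(cs_c)) + cbor_int_array(effective_array(cs_i))


if __name__ == "__main__":
    # Constructed sample: authenticator proposed [0, 1], peer selected [1].
    print(build_cs([0, 1], [1]).hex())   # 8200018101
    # Both sides omitted the array: identical to both explicitly sending [0].
    print(build_cs(None, None).hex())    # 81008100
```

The last two calls show the edge case the reviewer asked about: omitting the array yields exactly the bytes that an explicit [0] would, so both endpoints derive the same CS.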