Last Call Review of draft-ietf-ace-dtls-authorize-14
review-ietf-ace-dtls-authorize-14-secdir-lc-mundy-2021-01-24-00

Request Review of draft-ietf-ace-dtls-authorize
Requested revision No specific revision (document currently at 18)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2020-07-20
Requested 2020-07-06
Authors Stefanie Gerdes , Olaf Bergmann , Carsten Bormann , Göran Selander , Ludwig Seitz
I-D last updated 2021-01-24
Completed reviews Genart Last Call review of -12 by Paul Kyzivat (diff)
Secdir Last Call review of -14 by Russ Mundy (diff)
Opsdir Last Call review of -12 by Joel Jaeggli (diff)
Secdir Telechat review of -16 by Russ Mundy (diff)
Genart Telechat review of -16 by Paul Kyzivat (diff)
Assignment Reviewer Russ Mundy
State Completed
Request Last Call review on draft-ietf-ace-dtls-authorize by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/cvj5eZ44oQS2c8S0qQLuDkyBL3Y
Reviewed revision 14 (document currently at 18)
Result Has issues
Completed 2021-01-18
review-ietf-ace-dtls-authorize-14-secdir-lc-mundy-2021-01-24-00
Datagram Transport Layer Security (DTLS) Profile for Authentication and
Authorization for Constrained Environments (ACE)

draft-ietf-ace-dtls-authorize

I apologize for the lateness of the review but I have reviewed this document as
part of the security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily for the
benefit of the security area directors.  Document editors and WG chairs should
treat these comments just like any other last call comments.

The summary of the review is Ready with one issue:

The draft-ietf-ace-dtls-authorize document is well written and provides a very
good profile for use of the ACE framework with a client and a resource server
use CoAP [RFC7252] over DTLS version 1.2 [RFC6347] to communicate.  The
document provides the necessary specification details to use Authentication and
Authorization for Constrained Environments (ACE) using the OAuth 2.0 Framework
(ACE-OAuth) [I-D.ietf-ace-oauth-authz] with one single exception.

Since the document under review is a profile for [I-D.ietf-ace-oauth-authz], it
must meet the requirements for a profile contained in
[I-D.ietf-ace-oauth-authz].  Section 6.2 of [I-D.ietf-ace-oauth-authz]
specifically requires that "Profiles MUST specify how communication security
according to the requirements in Section 5 is provided." The document under
review does provide this detail for use of CoAP and DTLS however the current
wording of this profile document does not require that CoAP and DTLS be used
for this profile. Quoting a part of 6. "The use of CoAP and DTLS for this
communication is RECOMMENDED in this profile, other protocols (such as HTTP and
TLS, or CoAP and OSCORE [RFC8613]) MAY be used instead."

Since use of other protocols (besides CoAP and DTLS) is clearly permitted by
current wording and there is no information about how communication security
will be provided by these other protocols, section 6 of this profile does not
appear to meet the MUST requirement of 6.2 of [I-D.ietf-ace-oauth-authz].

The simplest resolution of this inconsistency appears to be to require use of
CoAP and DTLS for compliance with this profile and revise the wording relating
to the other currently listed protocols to define additional profile
specifications.

For example, current wording:
"The use of CoAP and DTLS for this communication is RECOMMENDED in this
profile, other protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613])
MAY be used instead."

could be changed to:
"The use of CoAP and DTLS for this communication is REQUIRED in this profile.
Other protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) will
require specification of additional profile(s)."

Another possible resolution of the inconsistency would be to include additional
details in this specification to define how communication security requirements
will be met by these other protocols.