Last Call Review of draft-ietf-ace-dtls-authorize-14
review-ietf-ace-dtls-authorize-14-secdir-lc-mundy-2021-01-24-00

Request Review of draft-ietf-ace-dtls-authorize
Requested rev. no specific revision (document currently at 16)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2020-07-20
Requested 2020-07-06
Authors Stefanie Gerdes, Olaf Bergmann, Carsten Bormann, Göran Selander, Ludwig Seitz
Draft last updated 2021-01-24
Completed reviews Genart Last Call review of -12 by Paul Kyzivat (diff)
Secdir Last Call review of -14 by Russ Mundy (diff)
Opsdir Last Call review of -12 by Joel Jaeggli (diff)
Secdir Telechat review of -16 by Russ Mundy
Genart Telechat review of -16 by Paul Kyzivat
Assignment Reviewer Russ Mundy 
State Completed Snapshot
Review review-ietf-ace-dtls-authorize-14-secdir-lc-mundy-2021-01-24
Posted at https://mailarchive.ietf.org/arch/msg/secdir/cvj5eZ44oQS2c8S0qQLuDkyBL3Y
Reviewed rev. 14 (document currently at 16)
Review result Has Issues
Review completed: 2021-01-18

Review

Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)

draft-ietf-ace-dtls-authorize

I apologize for the lateness of the review but I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is Ready with one issue:

The draft-ietf-ace-dtls-authorize document is well written and provides a very good profile for use of the ACE framework in which a client and a resource server use CoAP [RFC7252] over DTLS version 1.2 [RFC6347] to communicate. The document provides the necessary specification details to use Authentication and Authorization for Constrained Environments (ACE) using the OAuth 2.0 Framework (ACE-OAuth) [I-D.ietf-ace-oauth-authz] with one single exception.

Since the document under review is a profile for [I-D.ietf-ace-oauth-authz], it must meet the requirements for a profile contained in [I-D.ietf-ace-oauth-authz]. Section 6.2 of [I-D.ietf-ace-oauth-authz] specifically requires that "Profiles MUST specify how communication security according to the requirements in Section 5 is provided." The document under review does provide this detail for use of CoAP and DTLS; however, the current wording of this profile document does not require that CoAP and DTLS be used for this profile. Quoting a part of 6: "The use of CoAP and DTLS for this communication is RECOMMENDED in this profile, other protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) MAY be used instead."

Since use of other protocols (besides CoAP and DTLS) is clearly permitted by current wording and there is no information about how communication security will be provided by these other protocols, section 6 of this profile does not appear to meet the MUST requirement of 6.2 of [I-D.ietf-ace-oauth-authz].

The simplest resolution of this inconsistency appears to be to require use of CoAP and DTLS for compliance with this profile and revise the wording relating to the other currently listed protocols to define additional profile specifications.

For example, current wording: 
"The use of CoAP and DTLS for this communication is RECOMMENDED in this profile, other protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) MAY be used instead." 

could be changed to: 
"The use of CoAP and DTLS for this communication is REQUIRED in this profile. Other protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) will require specification of additional profile(s)."

Another possible resolution of the inconsistency would be to include additional details in this specification to define how communication security requirements will be met by these other protocols.