ACE WG Meeting IETF 97 - Seoul
Thursday, 17 Nov, 2016, 15:20 - 17:50
Chairs: Kepeng Li, Hannes Tschofenig
Acting chairs: Barry Leiba, Nancy Cam-Winget
Minutes taker: Brian Rosen

* Agenda Bashing
Carsten: "Bar BOF" two interesting drafts, possibly for ACE.

* Actors (Carsten Bormann) - http://datatracker.ietf.org/doc/draft-ietf-ace-actors/
Rob Wilton's comments partially addressed, remainder will come under Christmas Tree.

* CBOR Web Token (Michael B. Jones) - https://datatracker.ietf.org/doc/draft-ietf-ace-cbor-web-token/
Issues being tracked in github.
Better examples will be coming, volunteers are needed to validate them. Carsten will help.

* Authorization using OAuth 2.0 (Ludwig Seitz) - https://datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz/
Removed references to OAuth Proof of Possession drafts, added ACE-PoP specs in this framework draft and for each transport protocol (currently OSCOAP and DTLS).
Profile normative text scattered and currently all in Appendix C; should it be in the normative part?
Simplified Token Request Protocol, removed negotiation; AS knows RS capabilities based on registration info.
Implementations are underway at SICS and SEI/CMU.
Tony: Since you hacked stuff off of OAuth, did you fix the problems we know about?
Ludwig: Hannes did it, we need to check.
Carsten: Problems caused by redirect are being worked on in core.

* Ephemeral Diffie-Hellman Over COSE (John Mattsson) - https://datatracker.ietf.org/doc/draft-selander-ace-cose-ecdhe/
Changed to Sigma for better security and to align with IKEv2 and TLS 1.3.
Two implementations underway: SICS and Jim Schaad.
Mike: I can't evaluate what is being done and why. Shouldn't CFRG do this?
Jim: This is not a D-H exchange, this is a key exchange protocol using D-H.
Mike: I will suspend disbelief.
Jim: Symmetric Sigma, asymmetric Sigma-I; why shouldn't we use Sigma-I in both?
John: Yes, probably what we should do. Will update accordingly.
Ludwig: D-H for constrained environments, that's why it's here.
* OSCOAP profile of ACE (Francesca Palombini) - https://datatracker.ietf.org/doc/draft-seitz-ace-oscoap-profile/
Updated for OSCOAP and EDHOC.
Carsten: Does the resource server know that this is an EDHOC message? Media type?
Francesca: Yes, we will consider this and add it to the profile.
Ludwig: Framework should talk about refresh token; an issue in github is created for the framework.
Carsten: Should I implement now?
Francesca: Maybe wait a little bit, but will do soon. Will keep you updated on the mailing list.

* DTLS Profile for ACE (Carsten Bormann) - https://datatracker.ietf.org/doc/draft-gerdes-ace-dtls-authorize/
Ludwig: We have seen two profiles; assumptions made that client and RS have pre-established relationships with AS. Should there be a constrained environment profile of the registration profile?
Justin: Should investigate, also the discovery process. I agree; registration is definitely a problem in a dynamic environment.
??: Management is also an issue with dynamic registration. I don't know how many people implement registration things.

* Lightweight Authenticated Time (LATe) Synchronization Protocol (Renzo Navas, Remote) - https://datatracker.ietf.org/doc/draft-navas-ace-secure-time-synchronization/
Renzo asks: Do we need a lightweight time synchronization mechanism?
??: This entity is guaranteed by this solution?
Carsten: We assume RS has association with AS, so this could work very well.
Matthias: Not having time synchronization for constrained environments is a larger issue. There was a lot of work in Wireless Sensor Networks, it is often required for applications, but none of the research results was standardized.
??: If you have multiple RS, each needs a pre-established relationship with AS?
Renzo: Yes.

* EST over CoAP (Peter van der Stok) - https://datatracker.ietf.org/doc/draft-vanderstok-core-coap-est/
EST = Enrollment over Secure Transport
Peter asks: Is there interest?
Brian: Both drafts are interesting, and should be done here.
Chairs: 6TiSCH group looking at it; design team working on aligning to BRSKI. Do convergence to constrained network once.
Carsten: New response code must be done in CORE; the rest is security, and should be done in ACE.
Jim: Have to learn more about BRSKI. If we are doing enrollment protocols, EST is the way, and do it over CoAP. Do full, then see.
Chairs: You mean doing this in this working group? Or in general?
Jim: Do it here (6TiSCH conflicts with my other groups).
Brian: Want to see work go, could be here or 6TiSCH.
Kathleen (AD): Decide if we adopt first, then we'll work out conflicts.
Chairs: Is there interest in picking this up?
Hum: Accept (strong)
Chairs: Get discussion going on mailing list.
Goran: Lots of work, lots of drafts not yet adopted; should we adopt some of those drafts?
Chairs: We don't adopt drafts, we just discuss.

* TUDA: Time-Based Unidirectional Attestation (Carsten Bormann)
Chairs: Mike St Johns raised issues about symmetric keys being a vulnerability that could be used to repurpose devices to mount attacks, even if the normal use case for those devices doesn't need high security.