ace-wg / est-oscore


Clarify initial authentication #53

Open malishav opened 1 week ago

malishav commented 1 week ago

The draft needs to clarify how the initial authentication is established.

Esko wrote:

From a quick scan in the draft I didn’t see much text on how the client got its initial authentication information (eg a X509 certificate, or other) that it needs to establish the first secure transport. Any ideas on that? Is it like BRSKI (using the IDevID certificate for the first connection, after that using LDevID certificate for future connections) ? Or rather a PSK-based initial access? (Or maybe all these options are potentially in scope)

malishav commented 1 week ago

Göran wrote:

In general we have tried to follow EST-CoAPs unless other optimizations or features seemed relevant. I haven't checked if it mentions initial authentication, but the mindset has been some existing credential, like IDevID, or a previously made authentication. For example, running EST-OSCORE immediately following the voucher-based authorization (draft-ietf-lake-authz), optimally using the combined EDHOC and OSCORE protocol (draft-ietf-core-oscore-edhoc), would enable authentication, authorization and certificate enrolment to be completed in two round trips while avoiding the transport of some duplicate information. That is something that we definitely should clarify.

malishav commented 4 days ago

The draft currently states:

Prior to running EST-oscore, the protocol defined in this specification, there must exist a trust relation between the EST-oscore client and the EST-oscore server. This trust relation may be based on the pre-shared OSCORE security context, or based on the common root of trust. In case there is a pre-shared OSCORE security context, the CoAP exchange carrying EST payloads can occur immediately. In case there is a common root of trust, a security handshake based on the Ephemeral Diffie-Hellman over COSE (EDHOC, {{RFC9528}}) protocol needs to occur prior to running CoAP. How this trust relation is established is out of scope of this document.

@gselander I believe the existing text is clear that the initial authentication credentials are out of scope of the document. Let me know what you think.

gselander commented 1 day ago

I think this is fine. This comment came from Esko's first scan, let's see if the comment remains after the review.

malishav commented 1 day ago

@EskoDijk see comments above