Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)
draft-ietf-ace-dtls-authorize

I apologize for the lateness of the review, but I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is Ready with one issue:

The draft-ietf-ace-dtls-authorize document is well written and provides a very good profile for use of the ACE framework in which a client and a resource server use CoAP [RFC7252] over DTLS version 1.2 [RFC6347] to communicate. The document provides the necessary specification details to use Authentication and Authorization for Constrained Environments (ACE) using the OAuth 2.0 Framework (ACE-OAuth) [I-D.ietf-ace-oauth-authz], with one single exception.

Since the document under review is a profile for [I-D.ietf-ace-oauth-authz], it must meet the requirements for a profile contained in [I-D.ietf-ace-oauth-authz]. Section 6.2 of [I-D.ietf-ace-oauth-authz] specifically requires that "Profiles MUST specify how communication security according to the requirements in Section 5 is provided." The document under review does provide this detail for use of CoAP and DTLS; however, the current wording of this profile document does not require that CoAP and DTLS be used for this profile. Quoting part of Section 6:

"The use of CoAP and DTLS for this communication is RECOMMENDED in this profile, other protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) MAY be used instead."

Since use of other protocols (besides CoAP and DTLS) is clearly permitted by the current wording, and there is no information about how communication security will be provided by these other protocols, Section 6 of this profile does not appear to meet the MUST requirement of Section 6.2 of [I-D.ietf-ace-oauth-authz].

The simplest resolution of this inconsistency appears to be to require use of CoAP and DTLS for compliance with this profile and to revise the wording relating to the other currently listed protocols to define additional profile specifications. For example, the current wording:

"The use of CoAP and DTLS for this communication is RECOMMENDED in this profile, other protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) MAY be used instead."

could be changed to:

"The use of CoAP and DTLS for this communication is REQUIRED in this profile. Other protocols (such as HTTP and TLS, or CoAP and OSCORE [RFC8613]) will require specification of additional profile(s)."

Another possible resolution of the inconsistency would be to include additional details in this specification to define how communication security requirements will be met by these other protocols.