Hi Peter,

Many thanks for your review. Comments inline

On 2017-12-06 11:10, "core on behalf of peter van der Stok"
[GS] Correct, the current abstract does neither explain how CoAP or HTTP
message fields are protected nor transported, this is described on high
level in Section 1. It may be difficult to phrase this briefly in the
abstract, since part of the CoAP message remains unchanged through the
OSCORE transformation so it is not a clean cut "transport with CoAP”.

I propose we leave it to section 1, but make sure that it is sufficiently
well described there (which I take from your later comments is not yet the
case).
[GS] It was not entirely clear to me what "distribution and generation of
keys” refers to. There is always a need to introduce some initial keys -
that is unavoidable and seems redundant to remark. Note that pre-shared
keys can be used directly with the key derivation specified in the
document, so in that case there is no need for additional "distribution
and generation of keys”.

Then there may be TTP-assisted key distribution (like ACE), or the use of
a key exchange protocol to get an OSCORE master key in place. If that is
what you refer to, then I can agree we could give make clear that it is
out of scope earlier in the document but perhaps better in the section 1
rather than in the abstract?
[GS] While the term "end-to-end" is commonly used, I agree that we could
clarify what the endpoints can be.
[GS] OK, we add text about OSCORE allows proxy processing on certain
message data.
[GS] Agreed. That comment was received also from another reviewer.
[GS] These abstractions are used in the Introduction to avoid going into
which CoAP headers are protected, which is done later in the document.
Perhaps a forward reference to relevant sections would be sufficient?
Also, the description of how CoAP works above Figure 1 gives a high level
explanation of how CoAP payload, options and header fields are handled
(again, this part can be made more clear).
[GS] I agree that the term may be confusing and we should probably remove
it. Here is anyway the rationale for the term:

OSCORE is an extension to CoAP which protects the CoAP message and
replaces the original CoAP message with a modified CoAP message (the
OSCORE message). In this sense, it does not depend on any other layer in
the stack, which in turn enables the independence of underlying layers and
support for CoAP proxy operations etc.. We need to make this part clear,
but we don’t need to use the term “in-layer”.
[GS] It is stated that:

"The use of OSCORE is signaled with the Object-Security CoAP option or
HTTP header, defined in Section 2 and Section 10.2.”

Is it the word “new” you are missing?
[GS] This is the part I’ve been referring to previously in this mail, and
I can agree upon re-reading that it has not transformed well in the latest
iterations of the text.
[GS] Aah, now I see what went wrong. There used to be a ‘CoAP’ before the
word ‘message', like this:

"The solution transforms a CoAP message into an "OSCORE message" before
sending, and vice versa after
receiving.”


But when we extended the scope the HTTP, we removed the explicit
mentioning of ‘CoAP’ in “CoAP message”, with the assumption that "message"
could be either "CoAP message" or "HTTP message”.

Likewise there used to be a sentence explaining that the OSCORE message is
indeed a CoAP message, but that seems also have been lost in the ambition
of explaining how it works with CoAP and HTTP at the same time. I need to
think about what is best, either reverting and discuss the HTTP part
separate or adding "CoAP/HTTP” before message.
[GS] Yes, let’s add that too.
[GS] Yes, in OSCORE only COSE_Encrypt0 with AEAD is defined. There is a
placeholder for an additional countersignature, which is defined in the
Group OSCORE draft.

There has been a discussion about reading and verify integrity in proxies,
and that can be achieved e.g. by having a Class I or Class U option with a
COSE_Mac0 object verified in the proxy. This would be an application of
OSCORE, and if necessary, can described in a separate draft.

Are there any other kind of COSE objects you want to use (what are the use
cases)?
[GS] I didn’t understand this part of the comment.
[GS] Same question as above, what are the use cases for the COSE objects
not already mentioned? Since different COSE objects assume different
security contexts and different processing steps we didn’t try to cover
them all in one specification. Should additional COSE objects be needed we
could make an extension (e.g. using the OSCORE flag byte as an extension
point.)
[GS] The derivations in client and server are identical. It is possible to
distribute the derived keys, but we didn’t see any benefits compared to
just distributing the few input parameters needed for key derivation. What
use case did you have in mind?
[GS] OK, good point. I note that the ACE framework is referenced instead
of the OSCORE profile of ACE and we should change that too.
[GS] Since this part has been lost from the introduction I can understand
the confusion. The original CoAP message is transformed by the sender into
a OSCORE message (which is a CoAP message containing the protected message
fields), and the OSCORE message is transformed back by the recipient.
[GS] We have had some discussions about how to best illustrate the
different processing cases for the options. Since there are three classes
(E, I , U) and the term Outer maps to both I and U, some information gets
lost by only speaking about Inner and Outer. Then again, since there are
not any class I options defined yet, I understand your point of view.
[GS] I would not say Class I options are main focus, but they require
special processing and anticipating their usefulness (see example above)
we wanted to include their processing in the specification.
[GS] Yes, these words do start with the same letter, but there is no
"Class O” so I believe it should be possible to make the distinction.
[GS] Sorry, I didn’t understand what is confusing and why a new option
would be better.

As all options which has both inner and outer instances, this enables the
feature to communicate differently with endpoint and with an intermediate
proxy. In particular for legacy proxies, we need to use the legacy options
as outer option instances to communicate with the proxy. And at the same
time we can use the inner option to communicate with the endpoint. For the
endpoint we use Max-Age in the usual way, for a proxy we use Max-age to
avoid unnecessary caching.
[GS] Your understanding is entirely correct. However, we need to describe
outer block processing to the extent it has an impact on the OSCORE
processing. Since proxies may perform block processing on OSCORE messages,
a recipient may receive a fragment (block) of an OSCORE message, and thus
first need to wait for the remaining blocks before processing the OSCORE
message.

This is in contrast to other CoAP processing which comes after OSCORE has
verified and decrypted the message. Outer block is thus an exception,
which is visible in the processing steps, see e.g. section 7.2, but we
should highlight that better in the description about the outer block
option.
[GS] Good point. Yes, compression can mean different things, in this case
it is basically eliding fixed data. We include your proposal.
Thanks, very helpful!

Göran