Re: [Ace] Jim's Proposal on legal requestor

Marco Tiloca <marco.tiloca@ri.se> Thu, 27 February 2020 12:51 UTC

From: Marco Tiloca <marco.tiloca@ri.se>
To: Jim Schaad <ietf@augustcellars.com>, "ace@ietf.org" <ace@ietf.org>
Date: Thu, 27 Feb 2020 12:51:25 +0000
Message-ID: <22cfc98d-e11f-dd6d-5bd7-9f5153a43a3b@ri.se>
References: <025b01d5ec5e$94f85000$bee8f000$@augustcellars.com> <20646.1582723024@localhost> <0c16f230-3471-9215-e0dd-60604a1e1e02@ri.se> <02b001d5ecce$7aa32cf0$6fe986d0$@augustcellars.com>
In-Reply-To: <02b001d5ecce$7aa32cf0$6fe986d0$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/-M2U_T3yHdnUcw_WcXCAx7I5vXU>
Subject: Re: [Ace] Jim's Proposal on legal requestor
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>

Hi Jim,

On 2020-02-26 18:59, Jim Schaad wrote:
>
> *From:* Ace <ace-bounces@ietf.org> *On Behalf Of *Marco Tiloca
> *Sent:* Wednesday, February 26, 2020 6:08 AM
> *To:* Michael Richardson <mcr+ietf@sandelman.ca>; Jim Schaad <ietf@augustcellars.com>; ace@ietf.org
> *Subject:* Re: [Ace] Jim's Proposal on legal requestor
>
> Hi!
>
> Jim, I think now I understand your idea and it makes sense to me.
>
> Some comments in line below.
>
> Best,
> /Marco
>
> On 2020-02-26 14:17, Michael Richardson wrote:
>
>     clarifying question.
>
>     Jim Schaad <ietf@augustcellars.com> <mailto:ietf@augustcellars.com> wrote:
>         > I do not seem to have been doing a good job of explaining the issue
>         > that I am raising here, so I am going to go scenario based for a
>         > description.
>
>         > (1) I get an access token from an AS with a scope of [
>         > "coap://multicast-01", ["responder"]]
>         > (2) I join the group associated
>         > with that address
>         > (3) I then decide to send the message below out
>         > encrypted with the group symmetric key and signed with the public key I
>         > registered during the join
>
>         >    GET coap://multicast-01/resource1
>
>     .... (I numbered the steps)
>
>     I believe that (1) was intended to allow you to become a responder for this resource.
>
> ==>MT
> Step (1) is intended to allow access to the group-membership resource
> at the Group Manager (GM), to get the keying material for
> communicating in the group.
>
> Practically, the roles are currently used only at the GM to determine
> which public keys are relevant to return to a node upon its joining.
> <==
>
> [JLS] Which implies that the only roles of interest are "monitor" vs
> not "monitor".
>
>         > It then processes the get request
>         > because it does not know that this is a violation of the scope assigned
>         > to me by the AS.
>
>     !
>
> ==>MT
> As above, the original idea for that scope was to have it applied to
> the group joining itself and the resource at the GM to access for joining.
>
> But I agree that we should inform the other group members of that
> role, i.e. "allowed to send requests" and/or "allowed to send responses".
> <==
>
>         > The only way that I know for the server TimeX to enforce the allowable
>         > operations is for that information to be propagated along with the
>         > signature public key from the KDC to the server.
>
> ==>MT
> This can be one more parameter in the Joining Response or in the
> Public Key Response, when request public keys of group members are
> included.
>
> Together with the array of public keys, we can have a same-ordered
> array of roles echoing the roles from the scope of the Access Token
> above. Each element of the array can possibly be an array of roles.
>
> How does it sound?
> <==
> [JLS] Yes this makes sense.  The only potential issue is what happens
> if the set of roles becomes in some sense unbounded for an
> application.  However, in that case I would expect that the list of
> roles would be known to the joining clients.  The one thing that comes
> up here is should there be a compression of these values since we are
> sending them to a larger group of people.
>

==>MT
Yes, I think so. One integer per role should work, registered by the
profile or application defining that role.

Other than the wider distribution you mention above, compression is good
anyway considering the recent discussion on 'scope' covering multiple
groups, each with its role(s) indicated.
<==

Best,
/Marco

>
>     One can create a
>         > similar scenario on the other side where a client sends a response when
>         > it is only authorized as a "requester".
>
> ==>MT
> Right, if it's "requester"-only.
> <==
>
>     It seems to me that if the access control to the group is a group-shared
>     symmetric key + asymmetric signature, that each responder requires the list of valid signers.
>     Or, we need LAKE to turn the group key into 1:1.
>
> ==>MT
> What I understand from Jim's proposal is essentially enabling at each
> group member a list of valid request signers and valid response signers.
> <==
>
> ==>MT
> Just to complement, this is all fine for this level of "filtering",
> i.e. "this group member can send requests/responses or not".
>
> We have a separate draft at [1], defining a new Group OSCORE profile
> of ACE, to enforce access control within the group, i.e. to access
> group members' resources after having joined, i.e. as a group member
> towards another group member.
>
> That is, that profile considers a granularity of exact REST methods
> and resources, i.e. as fine-grained as ACE can be. Also, it enables
> having together ACE-based access control and Group OSCORE, which is so
> far not possible with other profiles.
>
> The current version -01 in the datatracker defines a "full mode" where
> both OSCORE and Group OSCORE are considered as security protocols
> between Client and RS. We plan to submit soon an updated version,
> focusing more on a lighter, intended-to-be main mode, that focuses on
> using only Group OSCORE as security protocol between Client and RS.
>
> [1] https://tools.ietf.org/html/draft-tiloca-ace-group-oscore-profile-01
> <==
>
> Best,
> /Marco
>
>     --
>     Michael Richardson <mcr+IETF@sandelman.ca> <mailto:mcr+IETF@sandelman.ca>, Sandelman Software Works
>      -= IPv6 IoT consulting =-
>

-- 
Marco Tiloca
Ph.D., Senior Researcher

RISE Research Institutes of Sweden
Division ICT
Isafjordsgatan 22 / Kistagången 16
SE-164 40 Kista (Sweden)

Phone: +46 (0)70 60 46 501
https://www.ri.se
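
The mechanism discussed in the thread, as an added example that is not code from the ACE drafts or from any of the thread's participants: the Group Manager returns, next to the array of members' public keys, a same-ordered array of roles compressed to one integer each (an element may itself be an array of roles), and a receiving group member uses that table to reject a request signed by a node that is not a "requester" and a response signed by a node that is not a "responder". The integer values of the roles, the field names of the response and the key identifiers are assumptions made for the example; the page registers none of them. Verification of the countersignature with the signer's public key is assumed to happen before the role check and is not modelled.

```python
"""Role-aware filtering of signed group messages at a Group OSCORE member.

Added example, not code from the ACE drafts or from anyone in this thread.
It models the proposal discussed above: next to the array of group members'
public keys, the Group Manager returns a same-ordered array of roles, each
role compressed to one integer, and each array element may itself be an
array of roles. A receiving member uses that table to drop a request whose
signer is not a "requester" and a response whose signer is not a "responder".

Assumptions not taken from the page: the integer values assigned to the
roles, the field names of the response, and the key identifiers (kids).
Verifying the countersignature with the signer's public key is assumed to
happen before the role check and is not modelled here.
"""
from dataclasses import dataclass

# Hypothetical integer registrations; the thread only says that one integer
# per role should be registered by the profile or application defining it.
ROLE_REQUESTER = 1
ROLE_RESPONDER = 2
ROLE_MONITOR = 3
REGISTERED_ROLES = {ROLE_REQUESTER: "requester",
                    ROLE_RESPONDER: "responder",
                    ROLE_MONITOR: "monitor"}


@dataclass(frozen=True)
class Member:
    pub_key: bytes          # raw public key bytes, treated as opaque here
    roles: frozenset        # set of registered role integers


def parse_pub_key_response(resp: dict) -> dict:
    """Build the kid -> Member table from a (constructed) Public Key Response.

    'kids', 'pub_keys' and 'roles' are same-ordered arrays; an element of
    'roles' is one integer or an array of integers. Malformed input is
    rejected rather than silently granting or denying roles.
    """
    kids, keys, roles = resp["kids"], resp["pub_keys"], resp["roles"]
    if not (len(kids) == len(keys) == len(roles)):
        raise ValueError("kids/pub_keys/roles must be same-ordered arrays of equal length")
    table = {}
    for kid, key, r in zip(kids, keys, roles):
        role_set = frozenset(r if isinstance(r, list) else [r])
        unknown = role_set - set(REGISTERED_ROLES)
        if unknown:
            raise ValueError(f"unregistered role value(s) {sorted(unknown)} for kid {kid.hex()}")
        if kid in table:
            raise ValueError(f"duplicate kid {kid.hex()}")
        table[kid] = Member(pub_key=key, roles=role_set)
    return table


def authorized(table: dict, kid: bytes, is_request: bool) -> bool:
    """Policy check run after the countersignature has been verified with table[kid].pub_key."""
    member = table.get(kid)
    if member is None:
        return False                        # unknown signer: not a known group member
    needed = ROLE_REQUESTER if is_request else ROLE_RESPONDER
    return needed in member.roles           # a pure monitor can never send


# Constructed sample: three members, roles echoing the Access Token scopes.
SAMPLE_RESPONSE = {
    "kids": [b"\x01", b"\x02", b"\x03"],
    "pub_keys": [b"pubkey-of-01", b"pubkey-of-02", b"pubkey-of-03"],
    "roles": [ROLE_RESPONDER,                      # Jim's scenario: responder only
              [ROLE_REQUESTER, ROLE_RESPONDER],    # may send both requests and responses
              ROLE_MONITOR],                       # listens only
}


def jim_scenario() -> bool:
    """Member 0x01 holds ["coap://multicast-01", ["responder"]] and sends a GET request.

    With the role table in place the receiving server rejects it instead of
    processing a request the AS never authorised. Returns the accept decision.
    """
    table = parse_pub_key_response(SAMPLE_RESPONSE)
    return authorized(table, b"\x01", is_request=True)


if __name__ == "__main__":
    table = parse_pub_key_response(SAMPLE_RESPONSE)
    for kid, member in table.items():
        names = sorted(REGISTERED_ROLES[r] for r in member.roles)
        print(f"kid {kid.hex()} roles={names} "
              f"request:{authorized(table, kid, True)} response:{authorized(table, kid, False)}")
```

The same-ordered arrays are what makes the compression cheap: a member that already receives the array of public keys learns the roles at the cost of one small integer per entry, and a node whose scope spans several groups can carry one such integer (or array of integers) per group. The parser rejects length mismatches, duplicate kids and unregistered role values outright, since a silently misaligned roles array would grant or deny sending rights to the wrong key.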