Re: [Ace] Francesca Palombini's Yes on draft-ietf-ace-dtls-authorize-16: (with COMMENT)

Francesca Palombini <francesca.palombini@ericsson.com> Tue, 08 June 2021 10:06 UTC

From: Francesca Palombini <francesca.palombini@ericsson.com>
To: Olaf Bergmann <bergmann@tzi.org>
CC: Stefanie Gerdes <gerdes@tzi.de>, The IESG <iesg@ietf.org>, "draft-ietf-ace-dtls-authorize@ietf.org" <draft-ietf-ace-dtls-authorize@ietf.org>, "ace-chairs@ietf.org" <ace-chairs@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Date: Tue, 08 Jun 2021 10:06:17 +0000
Message-ID: <E6892454-722B-47A1-AF87-FCD46365E257@ericsson.com>
References: <161660098197.9740.5845062491913232974@ietfa.amsl.com> <e82ac862-4e9d-8b5e-56f3-8550a768aafb@tzi.de> <871r9smnad.fsf@wangari> <C7FA8969-E67D-48B6-A82F-9E88EFF1B75D@ericsson.com>,<87k0n4fzit.fsf@wangari>
In-Reply-To: <87k0n4fzit.fsf@wangari>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/-ewU_KeDtHjb0eMGFhpGjNBmgPo>
Subject: Re: [Ace] Francesca Palombini's Yes on draft-ietf-ace-dtls-authorize-16: (with COMMENT)

Hi Olaf,

Right! Somehow I managed to miss the "response" from the "access token response".

Thanks for the answers, it all looks good to me and ready to ship.

Francesca





On 8 June 2021 at 11:59:19 CEST, Olaf Bergmann <bergmann@tzi.org> wrote:
Hi Francesca,

On 2021-06-08, Francesca Palombini <francesca.palombini@ericsson.com> wrote:

> My turn to apologize for the late reply :) I went through the comment
> again and I believe I must have misread something. I am ok with the
> current text, or the previous one as well, if you'd rather not add
> this sentence.

Thanks for the follow-up — we have kept the new text in version -18.

> I do have one additional comment, which came out while looking this over again - about the following text:
>
>    correct public key in the DTLS handshake.  If the authorization
>    server has specified a "cnf" field in the access token response, the
>    client MUST use this key.  Otherwise, the client MUST use the public
>
> The access token is opaque to the client (as defined the ace
> framework), so the client is not necessarily able to read and extract
> the key it is supposed to use from it. If I am not mistaken, the
> correct way for the AS to tell the client what key to use would be to
> use the "cnf" field defined in Section 3.2 of oauth-params.

You are correct. That is basically what this text says (= if the AS has
provided the cnf in its response, the client has to use it).

Regards
Olaf
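The point settled in the exchange above, as an added example that is not from the draft, this thread, or any ACE implementation: a client-side routine that takes the key it must use in the DTLS handshake from the AS's access token response (the "cnf" parameter of oauth-params, plus "rs_cnf" for the RS's key) and never tries to read it out of the opaque token. The CBOR labels are the ones registered by RFC 9200/9201 and RFC 8747; the fallback to the client's own requested key when no "cnf" is returned, the `known_keys` store, and the sample response are assumptions of this example, as marked in the comments.

```python
# Added example (not from draft-ietf-ace-dtls-authorize, the thread, or any
# ACE library). Models the decoded CBOR access token response as a plain
# dict so it runs without a CBOR library.
#
# Labels (assumed from the RFC 9200/9201 and RFC 8747 registries):
ACCESS_TOKEN = 1      # opaque to the client; never parsed here
REQ_CNF = 4           # key the client offered in its request
CNF = 8               # key the AS bound to the token; client MUST use it
ACE_PROFILE = 38
RS_CNF = 41           # RS public key the client must see in the handshake

CNF_COSE_KEY = 1
CNF_ENCRYPTED_COSE_KEY = 2
CNF_KID = 3

# COSE_Key labels used when comparing public keys (EC2 keys).
COSE_PUBLIC_LABELS = (1, -1, -2, -3)   # kty, crv, x, y


class KeySelectionError(Exception):
    """Raised when the response gives the client no usable key choice."""


def _key_from_cnf(cnf, known_keys=None):
    """Resolve one cnf structure to a COSE_Key dict.

    known_keys (assumption): a client-side map kid -> COSE_Key, used when
    the AS refers to a key only by kid rather than sending it inline.
    """
    if not isinstance(cnf, dict) or len(cnf) != 1:
        raise KeySelectionError("cnf must be a map with exactly one method")
    if CNF_COSE_KEY in cnf:
        return cnf[CNF_COSE_KEY]
    if CNF_KID in cnf:
        kid = cnf[CNF_KID]
        if not known_keys or kid not in known_keys:
            raise KeySelectionError("cnf references a kid the client does not hold")
        return known_keys[kid]
    if CNF_ENCRYPTED_COSE_KEY in cnf:
        raise KeySelectionError("Encrypted_COSE_Key is not handled by this example")
    raise KeySelectionError("unsupported confirmation method")


def select_handshake_keys(response, requested_key=None, known_keys=None):
    """Return (client_key, rs_key) for the DTLS handshake.

    - The token under label 1 is treated as an opaque blob.
    - If the AS returned 'cnf', that key is used (the MUST in the draft).
    - Otherwise fall back to the key the client sent in req_cnf (assumption:
      the thread quotes the draft's 'Otherwise' clause only in part).
    - rs_cnf, when present, is the key the RS must present in the handshake.
    """
    if ACCESS_TOKEN not in response:
        raise KeySelectionError("response carries no access_token")
    if not isinstance(response[ACCESS_TOKEN], (bytes, str)):
        raise KeySelectionError("access_token must be kept as an opaque string")
    if CNF in response:
        client_key = _key_from_cnf(response[CNF], known_keys)
    elif requested_key is not None:
        client_key = requested_key
    else:
        raise KeySelectionError("no cnf in response and no key was requested")
    rs_key = _key_from_cnf(response[RS_CNF], known_keys) if RS_CNF in response else None
    return client_key, rs_key


def rs_key_matches(expected, presented):
    """True when the raw public key the RS shows in the DTLS handshake equals
    the one the AS announced in rs_cnf. Only the public parts are compared;
    kid/alg metadata may legitimately differ between the two copies."""
    if expected is None or presented is None:
        return False
    return all(expected.get(label) == presented.get(label) for label in COSE_PUBLIC_LABELS)


# Constructed sample values (not real keys or a real AS response).
CLIENT_KEY = {1: 2, -1: 1, -2: b"client-x", -3: b"client-y", 2: b"ck1"}
RS_KEY = {1: 2, -1: 1, -2: b"rs-x", -3: b"rs-y", 2: b"rs1"}
SAMPLE_RESPONSE = {
    ACCESS_TOKEN: b"\xd8\x3d\x00opaque-token-bytes",   # never decoded here
    ACE_PROFILE: 1,
    CNF: {CNF_COSE_KEY: CLIENT_KEY},
    RS_CNF: {CNF_COSE_KEY: RS_KEY},
}

if __name__ == "__main__":
    ck, rk = select_handshake_keys(SAMPLE_RESPONSE)
    print("client handshake key kid:", ck[2], "rs key matches:", rs_key_matches(rk, RS_KEY))
```

The design point is that everything the client needs is taken from the response map, so a token the client cannot decode (or one protected for the RS only) never blocks key selection, and the rs_cnf comparison gives the client the concrete check it must perform when the RS presents its raw public key.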