Re: [Ace] Comment about error responses in draft-ietf-ace-oauth-authz-21

Sebastian Echeverria <secheverria@sei.cmu.edu> Wed, 20 February 2019 21:20 UTC

Return-Path: <secheverria@sei.cmu.edu>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 905C2130DC4 for <ace@ietfa.amsl.com>; Wed, 20 Feb 2019 13:20:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sei.cmu.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gLZ0Z5JAz7Ny for <ace@ietfa.amsl.com>; Wed, 20 Feb 2019 13:20:48 -0800 (PST)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EC5A12D4E7 for <ace@ietf.org>; Wed, 20 Feb 2019 13:20:48 -0800 (PST)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x1KLKkbt006820; Wed, 20 Feb 2019 16:20:46 -0500
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu x1KLKkbt006820
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sei.cmu.edu; s=t52kn2igOmwp; t=1550697646; bh=D+bt7fj2NnmbWcqqFBXu1uT/+jRL++t/iB99IxW+Qbo=; h=From:To:Subject:Date:References:In-Reply-To:From; b=RuMokSotT55ZMh0MCIlFmOkGvqMj43D0/uzgSlwXjGurHXeP/jiFzTFslDGiVXKUZ UvETzemTlGilwe6UrZ9G/lbkNn0vPHWfMOdaxQhKsZx4DyEnJMxbvemApJkcsKTO6j oGlBvhy3QIL8zXOpnczv3AmhUNd6IfVDEq6ibdFw=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x1KLKigv005731; Wed, 20 Feb 2019 16:20:44 -0500
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASCADE.ad.sei.cmu.edu ([10.64.28.248]) with mapi id 14.03.0435.000; Wed, 20 Feb 2019 16:20:44 -0500
From: Sebastian Echeverria <secheverria@sei.cmu.edu>
To: Jim Schaad <ietf@augustcellars.com>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] Comment about error responses in draft-ietf-ace-oauth-authz-21
Thread-Index: AQHUx5qFGyefWPMegEiYHRQaj1z5gKXoDpCAgAEmgIA=
Date: Wed, 20 Feb 2019 21:20:43 +0000
Message-ID: <44A523B3-76D1-4FAC-8862-DD174C4003D6@sei.cmu.edu>
References: <CAE70DDC-17CA-4B68-A43A-280DB9A20328@sei.cmu.edu> <024d01d4c8a4$fb6fd8f0$f24f8ad0$@augustcellars.com>
In-Reply-To: <024d01d4c8a4$fb6fd8f0$f24f8ad0$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.201.110]
Content-Type: multipart/alternative; boundary="_000_44A523B376D14FAC8862DD174C4003D6seicmuedu_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/-nPOTlgiG4KyXxN2BXFXW9CeHk4>
Subject: Re: [Ace] Comment about error responses in draft-ietf-ace-oauth-authz-21
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Feb 2019 21:20:51 -0000

Hello Jim,

Thanks for your comments! I understand and I agree. In any case, my point wasn’t really that there was no situation in which a 4.01 reply would make sense. My point was that, in the way the draft is currently written, it asks a RS to return 4.01 in certain cases, and in at least some of those cases, the RS can’t really reply with a 4.01 (and as Carsten mentioned, the RS can’t even get the actual request). I am not sure what the best way to clarify that is, but when we were trying to implement that part of the draft, it was confusing because we couldn’t really comply with what is requested there, at least in the specific case I described.

As a separate comment, I am not sure I understand the specific examples you mention. From the draft (same section 5.8.2), it looks as if, in the first case you are describing (different action on the same resource), 4.05 should be returned. And in your second example (same action on a different resource), it looks as if the RS should return 4.03. Is this correct? We are just trying to ensure we are implementing error handling properly here. This is only a comment on these specific examples; I am not saying there is no situation where 4.01 could be returned.

Sebastian

From: Jim Schaad <ietf@augustcellars.com>
Date: Tuesday, February 19, 2019 at 6:17 PM
To: Sebastian Echeverria <secheverria@sei.cmu.edu>du>, "ace@ietf.org" <ace@ietf.org>
Subject: RE: [Ace] Comment about error responses in draft-ietf-ace-oauth-authz-21

Sebastian,

The 4.01 is not restricted to just the DTLS case.  One could get this error from just trying to get the resource on the schema coap rather than coaps.  However, this could occur even in the DTLS profile case.  Consider the situation of the following:

I have a token which allows me to do a get on a resource
I setup the DTLS session with that token and preform the get
I then attempt to do a PUT on that same resource.

This would then return a 4.01 (Unauthorized) because I don’t have a valid access token for the purpose of doing the action.  The same thing would be true if I attempted to do a GET on a different resource.

Jim


From: Ace <ace-bounces@ietf.org> On Behalf Of Sebastian Echeverria
Sent: Monday, February 18, 2019 6:59 AM
To: ace@ietf.org
Subject: [Ace] Comment about error responses in draft-ietf-ace-oauth-authz-21

Hello,

I have a short comment about error responses from an RS in draft-ietf-ace-oauth-authz-21. More specifically, my question is about section 5.8.2. In the second paragraph, it states “The response code MUST be 4.01 (Unauthorized) in case the client has not performed the proof-of-possession, or if RS has no valid access token for the client.” I am assuming this means that if the client is trying to access a resource and sending a pop key id that is not known by the RS, either because the RS has never seen it or because it is associated to a token that has already been removed from the RS, then this is how the RS should reply.

If this is the case, I am a bit confused on how to implement this when using the DTLS profile. When using this profile, a client will first try to establish a DTLS session with the RS when accessing a resource. Once the session is established, it will actually try to access the resource over that DTLS connection. The pop key id to be used is sent when establishing the DTLS connection in the DTLS handshake messages, but if the RS does not have a key+token associated to that id for whatever reason, then it will cancel the DTLS handshake. If the DTLS handshake is never completed, then the RS can’t really send a reply at all, much less a 4.01 reply.

Thanks,

Sebastian Echeverria