Re: [Ace] draft-ietf-ace-oauth-authz-35 - unauthorized AS address, DoS, and privacy
Stefanie Gerdes <gerdes@tzi.de> Thu, 10 September 2020 12:52 UTC
Return-Path: <gerdes@tzi.de>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D8793A0A9C for <ace@ietfa.amsl.com>; Thu, 10 Sep 2020 05:52:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.846
X-Spam-Level:
X-Spam-Status: No, score=-2.846 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.948, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9hbjQVj5KdZR for <ace@ietfa.amsl.com>; Thu, 10 Sep 2020 05:52:50 -0700 (PDT)
Received: from gabriel-vm-2.zfn.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BACA3A09A5 for <ace@ietf.org>; Thu, 10 Sep 2020 05:52:49 -0700 (PDT)
Received: from [192.168.0.57] (p508a4e5d.dip0.t-ipconnect.de [80.138.78.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by gabriel-vm-2.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4BnJhJ2VpXzyt0 for <ace@ietf.org>; Thu, 10 Sep 2020 14:52:48 +0200 (CEST)
To: ace@ietf.org
References: <8CF8DD8C-895F-489D-8D21-FE2048B550EA@ericsson.com> <877dt3l5u1.fsf@wangari> <C3C52EBE-CD20-4201-9E93-F7FB4D92D77C@ericsson.com> <04f797cb-ec58-a8f8-a9d6-6cdbf8878376@tzi.de> <000201d686f6$2c4aba60$84e02f20$@augustcellars.com> <a3b290cd909f487690e718dee4b94ab0@combitech.se> <1fc88f97-dc69-54f0-bde1-6ddd37b7aad0@tzi.de>
From: Stefanie Gerdes <gerdes@tzi.de>
Message-ID: <8cdebd54-618e-ae0e-f8f9-ea5fa0e418c7@tzi.de>
Date: Thu, 10 Sep 2020 14:52:47 +0200
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <1fc88f97-dc69-54f0-bde1-6ddd37b7aad0@tzi.de>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/0-_Rr7rKkfNSydccgRXFRDeOIII>
Subject: Re: [Ace] draft-ietf-ace-oauth-authz-35 - unauthorized AS address, DoS, and privacy
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2020 12:52:58 -0000
Hi all, On 09/10/2020 02:10 PM, Stefanie Gerdes wrote: > We also should decouple the AS request creation hints from the > explanation of the AS discovery mechanism. The hints have the additional > purpose that they may contain the resource server's cnonce that the > resource server can later use to validate the access token. > Therefore, the AS URI should be optional in the AS request creation > hints, and we should make section 5.1.1 section 5.2. Looking at section 5.1, I think that we would need to change the text in there, too. old: In order to determine the AS in charge of a resource hosted at the RS, C MAY send an initial Unauthorized Resource Request message to RS. RS then denies the request and sends the address of its AS back to C. Instead of the initial Unauthorized Resource Request message, other discovery methods may be used, or the client may be pre-provisioned with an RS-to-AS mapping. new: C must discover the AS in charge of RS to determine where to request the access token. To do so, C must 1. find out the AS URI to which the token request message must be sent and 2. MUST validate that the AS with this URI is authorized to provide access tokens for this RS. In order to determine the AS URI, C MAY send an initial Unauthorized Resource Request message to RS. RS then denies the request and sends the address of its AS back to C (see section 5.2). How C validates the AS authorization is not in scope for this document. C may, e.g., ask it's owner if this AS is authorized for this RS. C may also use a mechanism that addresses both problems at once. Viele Grüße Steffi
- [Ace] draft-ietf-ace-oauth-authz-35 - unauthorize… John Mattsson
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Olaf Bergmann
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… John Mattsson
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Stefanie Gerdes
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Olaf Bergmann
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Jim Schaad
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Seitz Ludwig
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Olaf Bergmann
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Stefanie Gerdes
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Stefanie Gerdes
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Stefanie Gerdes
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Michael Richardson
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Michael Richardson
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Benjamin Kaduk
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Michael Richardson
- Re: [Ace] draft-ietf-ace-oauth-authz-35 - unautho… Seitz Ludwig