Re: [Ace] Review of draft-sengul-ace-mqtt-tls-profile-02
Cigdem Sengul <cigdem.sengul@gmail.com> Fri, 15 June 2018 13:38 UTC
Return-Path: <cigdem.sengul@gmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89E90130ED6 for <ace@ietfa.amsl.com>; Fri, 15 Jun 2018 06:38:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 470zt1odV1tb for <ace@ietfa.amsl.com>; Fri, 15 Jun 2018 06:38:41 -0700 (PDT)
Received: from mail-qk0-x236.google.com (mail-qk0-x236.google.com [IPv6:2607:f8b0:400d:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F23D2130ED2 for <ace@ietf.org>; Fri, 15 Jun 2018 06:38:40 -0700 (PDT)
Received: by mail-qk0-x236.google.com with SMTP id j80-v6so5581050qke.9 for <ace@ietf.org>; Fri, 15 Jun 2018 06:38:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=JYLKfzjdkfXNKfyutZrwG6jatDfSvTvEpqLHTGWyaos=; b=VYDDflrulkn4JzwTVn1vOtYGVGxUFMyZL6dyAbbLgN+Rs5/yKdolVqL/BslHVJGDn/ pVQK5Ue/S9D7zjymDVJiAJFp39gorsbnotVHpqLK6bQAEy6gmEnCoaM1sJkRSZHEFVC+ z6LBp+kZ1G4owdAGt/oCqKfeJQMGEE9uDArCqlU2f0Q4XuWC2iENS0XSJ5yXC7Usp3J8 1JmhVttSP0WHjDK6KbGTI62RW+JrrzCJEtjlAIC3ixvmCu/hvWWUcOYYnDtICZYWe8lV D+NpTXiMRRWm+1h6f5rhalIsfiSe9YK3x64jKzsaWXYtxn0AAS5xykwmmqr3tn8KsKVv B8WQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=JYLKfzjdkfXNKfyutZrwG6jatDfSvTvEpqLHTGWyaos=; b=pD79pmyGDGNWmjmLshCTQLjaXzXj5ngTqzrxtrZZa0Baun0woZFAyZsixR1chot0YF 8Fj/7ajXsTYe71G0cABToR8ts6NuQDXcZFjcpTtYM+o2WAlUpD/7nfXqlCphRaQ993Kz nArxIZ6LD5wB/hWzF4mgR/WwH1oKRY4rNdCkAkjWGrZ+A0ijdiMmO5ercHAIDIgqkuSc CK1LIdVj9ezFo7jEugOXfB42WQu7b1QqMnwZWzkstj+8lxCcqh1SxKVBhFvcNj8cdHdG xfSdpGlp+ZoK7kB9kssX9tKvsr+4H99t8KEpOjURRZhIaxpw0qtgbi1vCbReP/wG/Lzm uvPw==
X-Gm-Message-State: APt69E1FEAG97EGbd/1OnZ6WjSA8bpprNgwwaebE9k2RXxBHC4BjDqRH CaIVdN6vNTlLNwCb1NqvyJySoT0cQLSZLdW6uqM=
X-Google-Smtp-Source: ADUXVKK7wvwKgCBIfqkmIeqYngC+2oAOW0K2Oos1wpg2F3CQubJyrc5wHBnyzZnGaKAIEEmyAEgfnk/+NkXvKyjHJ98=
X-Received: by 2002:a37:5607:: with SMTP id k7-v6mr1315238qkb.342.1529069920165; Fri, 15 Jun 2018 06:38:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a37:d199:0:0:0:0:0 with HTTP; Fri, 15 Jun 2018 06:38:39 -0700 (PDT)
In-Reply-To: <5b1f40ed-4df1-29ef-f911-05b8fc0168dc@ri.se>
References: <99638740-7df6-c646-29bf-a3b295213396@ri.se> <CAA7SwCOhh2pEpjz9kJwe4Hwc9aAiDVJzqJS78DrGvRSV0vdNBQ@mail.gmail.com> <5b1f40ed-4df1-29ef-f911-05b8fc0168dc@ri.se>
From: Cigdem Sengul <cigdem.sengul@gmail.com>
Date: Fri, 15 Jun 2018 14:38:39 +0100
Message-ID: <CAA7SwCM3tUntuivAsDPFcm1YG19NJtUXEMZN=mRG5SVQeLBPkA@mail.gmail.com>
To: Ludwig Seitz <ludwig.seitz@ri.se>, ace@ietf.org
Cc: Anthony Kirby <Anthony.Kirby@nominet.uk>, Paul Fremantle <paul.fremantle@port.ac.uk>
Content-Type: multipart/alternative; boundary="0000000000006da3e3056eae5582"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/0pc3xQRnSQx6YOYycnLm0H8GOvk>
Subject: Re: [Ace] Review of draft-sengul-ace-mqtt-tls-profile-02
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jun 2018 13:38:44 -0000
Thanks for clarifications Ludwig, True, aud can be an array. We typically avoided this, hence, the omission. For the case (2) to be used, there would be a single RS assumption indeed. This should be clearly said when we are proposing the option 2. Thanks for your response, --Cigdem On Fri, Jun 15, 2018 at 2:07 PM, Ludwig Seitz <ludwig.seitz@ri.se> wrote: > On 2018-06-14 14:09, Cigdem Sengul wrote: > >> Hello Ludwig, >> >> Again thank you for your comments. >> We are going through them and making several revisions to our draft. >> >> We want to discuss two of your comments further: >> >> (1) Our text: ”and the client is authorized to obtain a token for the >> indicated >> audience (e.g., topics) and scopes (e.g., publish/subscribe >> permissions)" >> >> Your comment: Note that the audience claim is typically used to identify >> the RS (so in this case the MQTT broker), while the scope is intended to >> identify both the resource (=topic) and the actions (=publish, subscribe). >> See this for how OAuth scopes are typically used: >> https://www.brandur.org/oauth-scope >> >> Our response: >> According to the draft-IETF-ace-oauth-authz-12, the audience of an access >> token can be a specific resource or one or many resource servers. >> >> So, we considered three ways to structure our tokens,given that a token >> can hold multiple scopes but only a single audience : >> >> (1) aud: RS >> >> scopes: underscoreseparated keywords representing<permission>_<topic>, >> e.g.,"publish_valve2012/temperature", "subscribe_/foo/+/bar", >> "subscribe_$SYS/#" >> >> (2) aud: resource, i.e., a topic in MQTT context >> >> scopes: permissions, i.e., publish and/or subscribe keywords >> >> (3) aud: permission, i.e., publish or subscribe >> scope: topics (i.e., resources), e.g., topic1 topic2 topic3 >> >> >> We think Options (1) and (2) fit the current text in the ace-oauthdraft, >> especially, when we consider this example: >> { >> "grant_type" : "client_credentials", >> "client_id" : "myclient", >> "client_secret" : "mysecret234", >> "aud" : "valve424", >> "scope" : "read", >> "cnf" : { >> "kid" : b64'6kg0dXJM13U' >> } >> >> If using option (1), we can choose to leave this as an "application >> specific convention". On the other hand, it could be useful to have >> this defined, because MQTT only allows publish & subscribe, and there are >> rules for the MQTT topic string. This would make ACE-savvy MQTT clients & >> servers generally more compatible/interoperable. >> >> Based on our option (2), these would be in MQTT - “aud”: “valve424”, >> “scope”: “subscribe” Note that, the multiple tokens trade-off we mention in >> our draft still exists for the core’s valve example too. This token does >> not help with reading “valve425”. >> >> >> Option (3)is more left-field proposition and does not align with the rest >> of the core draft. Though, it doeshavean efficiency advantage that a single >> token can permit access to multiple topics. >> >> Based on the ace-oauth draft, the first two options for token structure >> should be acceptable. We want to list both to avoid being too prescriptive >> about scope structures (as the option (1) dictates). >> >> > Note that 'the "aud" value is an array of case- > sensitive strings' (RFC7519 section 4.1.3), while scope is a "... list > of space-delimited, case-sensitive strings." (RFC6749 section 3.3), so you > could authorize access to several topics with different permissions in a > single token with all of the approaches you define above. > > Option 3 is clearly far off from the intended use of aud > (' the "aud" (audience) claim identifies the recipients that the JWT is > intended for.' ) > > In option 2 how do you avoid the use of an access token at a different > resource broker? > (For clarification: Say you have resource broker A and B who both serve > similarly named topics, but in entirely different locations, and who happen > to use the same AS.) > > > (2) >> >> Your comment: An example of how the CONNECT message could look like would >> be good. >> >> We think we need a bit of clarification about what kind of an example you >> have in mind. Our draft has a figure 2 that explains the different field an >> MQTT Connect packet will have. We could add an example in hex (MQTT being >> binary) but it wouldn't be as easy to read as the HTTP example. >> >> > > Perhaps hex-code with explanations under the different parts of it as in: > > 45FC 481A F56B 1234 A527 > Header Parameter1 Parameter2 Payload > > /Ludwig > > > > -- > Ludwig Seitz, PhD > Security Lab, RISE SICS > Phone +46(0)70-349 92 51 >
- Re: [Ace] Review of draft-sengul-ace-mqtt-tls-pro… Cigdem Sengul
- Re: [Ace] Review of draft-sengul-ace-mqtt-tls-pro… Ludwig Seitz
- Re: [Ace] Review of draft-sengul-ace-mqtt-tls-pro… Cigdem Sengul
- [Ace] Review of draft-sengul-ace-mqtt-tls-profile… Ludwig Seitz
- Re: [Ace] Review of draft-sengul-ace-mqtt-tls-pro… Cigdem Sengul