Re: [Ace] AS discovery in draft-ietf-ace-oauth-authz-35

Seitz Ludwig <ludwig.seitz@combitech.se> Mon, 07 September 2020 06:28 UTC

From: Seitz Ludwig <ludwig.seitz@combitech.se>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: AS discovery in draft-ietf-ace-oauth-authz-35
Thread-Index: AQHWg4NrTXd9yvNtVkmAYyGU/9Ff5KlcuGCA
Date: Mon, 07 Sep 2020 06:27:43 +0000
Message-ID: <022d4f7427be4edea9f96f116dc9ee3e@combitech.se>
References: <4A2220B7-A0FD-4706-A813-2476BCAD66CB@ericsson.com>
In-Reply-To: <4A2220B7-A0FD-4706-A813-2476BCAD66CB@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/17w-BgsDtR1BMdt5iFtDmZjMG7A>
Subject: Re: [Ace] AS discovery in draft-ietf-ace-oauth-authz-35

Hi John,

Replies inline

/Ludwig

> -----Original Message-----
> From: Ace <ace-bounces@ietf.org> On Behalf Of John Mattsson
> Sent: den 5 september 2020 14:53
> To: ace@ietf.org
> Subject: [Ace] AS discovery in draft-ietf-ace-oauth-authz-35
> 
> Hi,
> 
> I just reviewed draft-ietf-ace-oscore-profile. This made me wonder about
> the AS discovery mechanism in the ACE framework. Why is this particular
> discovery mechanism given so much attention? Of all possible discovery
> mechanisms, this seems like one of the worst as:
> 
> 1. It requires a round-trip over the C-RS path which is typically the most
> constrained path in the architecture.
> 2. The response would in many cases be unprotected, which means C
> does not know if the response comes from RS or an attacker.
> 
> A discovery mechanism using a non-constrained path (e.g. DNS, but could be
> any type of look up service) would in many cases be much more efficient and
> should be recommended. Such a mechanism might also be protected in
> more cases and therefore rule out the possibility that the response came
> from an attacker.
> 
> I understand that the ACE framework draft does not want to specify any
> other AS discovery mechanism, but at a minimum the severe limitations of
> the current mechanism should be detailed. 

The limitations of this mechanism are detailed in section 6.4. Do you think that there is some consideration missing from that section?

> In my view the current mechanism
> should be not recommended and only used as an error message when the
> client in good faith tries to access a resource believing that it might have the
> right to access it.
> 
It is indeed intended as an error message when the client in good faith tries to access a resource believing it might have the right to access it.
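The exchange the thread is arguing about, modelled as an added example that is not part of this message, the draft, or any ACE implementation: the client sends an unauthorized request, the RS answers with an unprotected error carrying AS Request Creation Hints, and the client then has to decide what to do with a hint it cannot authenticate (John's point 2). The mitigation shown, accepting the hinted AS only if it is already on a provisioned trust list, is this example's own illustration of how a client can treat the error as a hint rather than as an authoritative answer; the integer labels AS=1, audience=5 and cnonce=39 are assumed to follow the ACE framework's hint table, and plain dicts stand in for CBOR-encoded CoAP payloads.

```python
"""Constructed model of the ACE unauthorized-request AS discovery exchange.

Added example, not code from the draft or any ACE implementation.
Assumptions: hint labels AS=1, audience=5, cnonce=39 (ACE framework hint
table); dicts stand in for CBOR payloads; the trust-list check is this
example's own mitigation, not something the draft mandates.
"""
from __future__ import annotations

import os
from dataclasses import dataclass, field

# Assumed integer labels for the hint map (ACE framework hint registry).
HINT_AS, HINT_AUDIENCE, HINT_CNONCE = 1, 5, 39
CODE_UNAUTHORIZED, CODE_CONTENT = "4.01", "2.05"


@dataclass
class ResourceServer:
    """RS that refuses token-less requests and points the client at its AS."""
    as_uri: str
    audience: str

    def handle(self, request: dict) -> tuple[str, dict]:
        if "access_token" not in request:
            # Unprotected error response: this is only a hint, nothing the
            # client can verify, which is the weakness raised in the thread.
            return CODE_UNAUTHORIZED, {
                HINT_AS: self.as_uri,
                HINT_AUDIENCE: self.audience,
                HINT_CNONCE: os.urandom(8),
            }
        return CODE_CONTENT, {"payload": "resource contents"}


@dataclass
class Client:
    """Client that treats the hint as untrusted input.

    Since the hint arrives unprotected, the client only uses it to select
    among AS URIs it was provisioned to trust; any other AS is logged
    and ignored instead of being contacted.
    """
    trusted_as: frozenset[str]
    log: list[str] = field(default_factory=list)

    def discover_as(self, code: str, payload: dict) -> str | None:
        if code != CODE_UNAUTHORIZED:
            return None
        hinted = payload.get(HINT_AS)
        if not isinstance(hinted, str):
            self.log.append("hint: missing or malformed AS entry")
            return None
        if hinted not in self.trusted_as:
            self.log.append(f"hint: ignored unknown AS {hinted!r}")
            return None
        self.log.append(f"hint: will request a token from {hinted}")
        return hinted


def run_exchange(client: Client, rs: ResourceServer) -> str | None:
    """One unauthorized request followed by the client's hint evaluation."""
    code, payload = rs.handle({"uri": "coaps://rs.example/temperature"})
    return client.discover_as(code, payload)


if __name__ == "__main__":
    c = Client(trusted_as=frozenset({"coaps://as.example/token"}))
    # Hint names the provisioned AS: accepted.
    print(run_exchange(c, ResourceServer("coaps://as.example/token", "rs.example")))
    # Hint names an AS the client was never provisioned with: ignored.
    print(run_exchange(c, ResourceServer("coaps://other.example/token", "rs.example")))
    print("\n".join(c.log))
```

The point of the split is that the error response still serves Ludwig's stated purpose (telling a well-meaning client where to go) while the client's trust decision rests on configuration it already holds, not on the unprotected message itself; a DNS or lookup-service discovery path of the kind John suggests would replace `run_exchange`, not `discover_as`.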