IETF Logo Mail Archive

Re: [Ace] draft-ietf-ace-oauth-authz

Peter van der Stok <stokcons@bbhmail.nl> Tue, 05 May 2020 17:11 UTC

Return-Path: <stokcons@bbhmail.nl>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C97B03A0A05 for <ace@ietfa.amsl.com>; Tue, 5 May 2020 10:11:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bbhmail.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bjy4y3QJqBDe for <ace@ietfa.amsl.com>; Tue, 5 May 2020 10:11:24 -0700 (PDT)
Received: from smtprelay.hostedemail.com (smtprelay0206.hostedemail.com [216.40.44.206]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A42383A09FD for <ace@ietf.org>; Tue, 5 May 2020 10:11:24 -0700 (PDT)
Received: from filter.hostedemail.com (clb03-v110.bra.tucows.net [216.40.38.60]) by smtprelay04.hostedemail.com (Postfix) with ESMTP id 5FA00180A6310; Tue, 5 May 2020 17:11:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bbhmail.nl; h= mime-version:content-type:date:from:to:cc:subject:reply-to :in-reply-to:references:message-id; s=key; bh=kx7YskG/oKLlktIsxR d3Gh3Y50ZV3QDf0ZgI3G3PtsU=; b=aXb8h2kZ8YuqJTBnL/tcj34lRgyydeANwW jjmPe7ls7FOhAYYJI3RxjGOU4+9F8rX8kzALjHmwqaft9gSlB9/VCa/IUZXLco0n BT+kvbiu+qYfdek+tKBJpA+TqnMEYs+YIM7qjK7ROLxcL8KhcYadPQMxgjOX5jPT Wp7Xqnn8E=
X-Session-Marker: 73746F6B636F6E73406262686D61696C2E6E6C
X-Spam-Summary: 2, 0, 0, , d41d8cd98f00b204, stokcons@bbhmail.nl, , RULES_HIT:1:2:41:72:152:355:379:582:599:800:960:962:967:973:983:988:989:1152:1189:1208:1221:1260:1313:1314:1345:1359:1431:1436:1437:1516:1517:1518:1575:1588:1589:1592:1594:1605:1730:1775:1792:2198:2199:2526:2527:2551:2553:2557:2559:2562:2693:2892:2898:2900:2901:2902:2917:2924:2926:3138:3139:3140:3141:3142:3586:3622:3769:3865:3866:3867:3868:3870:3871:3872:3873:3874:4049:4250:4321:4362:4379:5007:6248:6261:6298:6657:6659:6678:7576:7903:8583:8603:8957:9036:9080:9177:9545:10004:10026:10848:11232:11656:11657:11658:11914:12043:12050:12109:12114:12663:12740:12895:13139:13436:13972:14196:21060:21063:21080:21324:21433:21451:21499:21625:21740:21809:21939:21990:30003:30054:30070:30075:30090:30091, 0, RBL:none, CacheIP:none, Bayesian:0.5, 0.5, 0.5, Netcheck:none, DomainCache:0, MSF:not bulk, SPF:, MSBL:0, DNSBL:none, Custom_rules:0:0:0, LFtime:2, LUA_SUMMARY:none
X-HE-Tag: month81_635e4ef940648
X-Filterd-Recvd-Size: 11581
Received: from mail.bbhmail.nl (imap-ext [216.40.42.5]) (Authenticated sender: webmail@stokcons@bbhmail.nl) by omf09.hostedemail.com (Postfix) with ESMTPA; Tue, 5 May 2020 17:11:22 +0000 (UTC)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_89c3a29a31e7b48d47b310a8036e5c15"
Date: Tue, 05 May 2020 19:11:22 +0200
From: Peter van der Stok <stokcons@bbhmail.nl>
To: Jim Schaad <ietf@augustcellars.com>
Cc: consultancy@vanderstok.org, 'Benjamin Kaduk' <kaduk@mit.edu>, 'Olaf Bergmann' <bergmann@tzi.org>, 'Ace' <ace@ietf.org>
Reply-To: consultancy@vanderstok.org
In-Reply-To: <034101d622f3$fd0c5710$f7250530$@augustcellars.com>
References: <56d31e581571721e176b59db20e08c23@bbhmail.nl> <00f101d61f03$a26bb920$e7432b60$@augustcellars.com> <0873a3115cab89036002cf42b1c97608@bbhmail.nl> <87mu6o6u8t.fsf@wangari> <20200505040917.GM27494@kduck.mit.edu> <90932754f76d8978bdb8a30c794e5343@bbhmail.nl> <034101d622f3$fd0c5710$f7250530$@augustcellars.com>
User-Agent: Roundcube Webmail/1.4-rc2
Message-ID: <aff0e364e9ba01853b56f5c47c7b6f47@bbhmail.nl>
X-Sender: stokcons@bbhmail.nl
Organization: vanderstok consultancy
X-Originating-IP: [5.206.216.229]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/1Rg_kxS-FeTb33idhiC8GffTImY>
Subject: Re: [Ace] draft-ietf-ace-oauth-authz
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 May 2020 17:11:27 -0000

HI Jim,

Agree.
That's a new draft then with an rt value for a given upload protocol.

Peter
Jim Schaad schreef op 2020-05-05 17:43:

>> 

> Thanks Peter, that makes things a lot clearer.  However I think that you are not asking for who is an AS, but who is an AS that has a particular interface.  It would make more sense to define a new interface identifier for the upload/control protocol rather than just identifying who is an AS. 
> 
> Jim 
> 
> From: Ace <ace-bounces@ietf.org> On Behalf Of Peter van der Stok
> Sent: Tuesday, May 5, 2020 12:26 AM
> To: Benjamin Kaduk <kaduk@mit.edu>
> Cc: Jim Schaad <ietf@augustcellars.com>; Olaf Bergmann <bergmann@tzi.org>; 'Ace' <ace@ietf.org>
> Subject: Re: [Ace] draft-ietf-ace-oauth-authz 
> 
> HI all,
> 
> I agree about the authorization/trust problem.
> My request concerns something more trivial.
> 
> Suppose we have this new network with a set of servers, an (AS) (may be more) and a controller.
> The servers, controller and AS may have used BRSKI to enter the network.
> The servers will only provide their service when a token has been sent.
> The AS is completely empty, not aware of the servers or its clients.
> The controller wants to fill the AS with the necessary information.
> 
> Both controller and AS have agreed on an initialization protocol, and are equipped with the necessary secrets. (A protocol to be standardized in general, but not my concen here)
> 
> Now, what IP address does the controller use to start the communication?
> 
> Typing in the IP address is a possibility, switching off all other devices is another, etc...
> I hoped that a coap discovery could be used such that the controller learns the IP address of the AS.
> 
> When several AS servers are present, the controller can access each one of them out till it accesses the AS with the correct credentials.
> 
> I hope my request has become a bit clearer.
> 
> Peter
> 
> Benjamin Kaduk schreef op 2020-05-05 06:09: 
> 
> On Mon, May 04, 2020 at 09:21:06AM +0200, Olaf Bergmann wrote: 
> 
> Hi Peter,
> 
> Peter van der Stok <stokcons@bbhmail.nl> writes:
> 
> When I want to access an OCF device I can find its IP address through
> service discovery (rfc7252 section 7) using an rt-value registered at
> the IANA core parameters registry.  For example, when I want to
> initialize the AS I have to type in the IP address of the AS.  From
> that moment on keys and certificates can be compared to continue
> initialization.
> 
> Using service discovery can automate that process.
> 
> My request is that authz draft registers an rt-value in core
> parameters registry for service discovery of the AS, unless a
> different process has already been established for AS initialization. 
> 
> That is exaclty what originally has been done in section 9 of
> draft-gerdes-ace-dcaf-authorize [1]. Somehow, this got lost in the
> process.

I think I'm still a little confused as to what good being able to
"discover" that the network says something is an AS is, without some
prior
trust and/or key material for that AS.  How would the necessary trust be
established as part of such a discovery scheme?

Thanks,

Ben

v2.23.0 | Report a Bug | By Email