[Ace] Review of draft-tiloca-ace-revoked-token-notification-00
Travis Spencer <travis.spencer@curity.io> Thu, 21 November 2019 07:43 UTC
Return-Path: <travis.spencer@curity.io>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F1491202A0 for <ace@ietfa.amsl.com>; Wed, 20 Nov 2019 23:43:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=curity-io.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bbacuKF4e9gS for <ace@ietfa.amsl.com>; Wed, 20 Nov 2019 23:43:41 -0800 (PST)
Received: from mail-yb1-xb29.google.com (mail-yb1-xb29.google.com [IPv6:2607:f8b0:4864:20::b29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F507120048 for <ace@ietf.org>; Wed, 20 Nov 2019 23:43:41 -0800 (PST)
Received: by mail-yb1-xb29.google.com with SMTP id k206so1092321ybb.5 for <ace@ietf.org>; Wed, 20 Nov 2019 23:43:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=curity-io.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to :content-transfer-encoding; bh=g2HRt6fy+95OLcPfcDnRBVswsBUOZTJ2wDeBUwjSZnE=; b=BQg3KRej4mjrirHgKV3eWIAvFnUgzu8FYCHbTvJ2x8GewtwLExoPAudQb74gzGZFKK 1iw73I2fLRdTGhAEoY882kKMFvLqvptALOJb8b4+v8GrCgSXExmwXU31OyLqK6EPRHht RBYuez8u2Zh+QmYmHLVlM87WEKGhbVl3HrCOq0fxK3jLKDFn39nHWZXnWl9JZ1JG7ENu cTvJL4UHb54K2qNHZKbgyohA2rnYIx+Pa+G/wwMNR13/i/cn+F+FEMvLdJBxKrCGkaVS PHmEgWWV2PpcIvMnTep4WNd7XU/F42myv+JDSLtgskoX4Uuw6xRW7WuHbhXoLZdSCJoD H7gg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-transfer-encoding; bh=g2HRt6fy+95OLcPfcDnRBVswsBUOZTJ2wDeBUwjSZnE=; b=hqaz2kEcppgH5WRTz5BfhrK/lVF8IJ2V2NKzNwmUbgSl1KDR01XqbEPIn/nHOpFjzR y1ZFnxVEtkQSP//466foagg5amJS50sfgvks9eqo4pHXVy2bdame1K8dpeCFyQMXbBDP 21kkqCxnR1kTFF9msmMqyfghlcuMbLs+SXDyBbKu1ABD7SFuu4hX0IDtO4kDUFe93Fl7 2SXpdYjkJ0Pr7+SBRFTE+RJQQA4JBeaqAdf00aBG7xvnucyek9XCm22ZSjFW3AWsY2mp dmdPHFIo0UFuJELcimPenCQg6oHBaPy/pI5rnZ3UsVfOHClw6dfws8r+MudowdFiTfPH xrxg==
X-Gm-Message-State: APjAAAWKqLFNj82kmoQ1aSUhiGNTIRq0Qthr8P9rXDzsCVAf72fL9iFO klhrbZdj7u6hVm8fvzFlGs1d2qdjGR9O5MrIr/qqH1rKqJ9zcA==
X-Google-Smtp-Source: APXvYqy88z1WIwfDLwJM62or3Lb0GQThF3D7vJLvqPOM00ywN1xSxdTvl6klzCTUjA1iuVZCXG3VO5vtdj1DZXNlUBw=
X-Received: by 2002:a25:d00f:: with SMTP id h15mr5373432ybg.70.1574322220240; Wed, 20 Nov 2019 23:43:40 -0800 (PST)
MIME-Version: 1.0
From: Travis Spencer <travis.spencer@curity.io>
Date: Thu, 21 Nov 2019 08:43:29 +0100
Message-ID: <CAEKOcs2MN8Vgd8+UR76CVE1Qww0oCwev_vW0qwWVBEFsCP3YPw@mail.gmail.com>
To: ace@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/1UK5QuLh4kmzlH211JBtotdchfQ>
Subject: [Ace] Review of draft-tiloca-ace-revoked-token-notification-00
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2019 07:43:44 -0000
Hi All, I wanted to submit a review of "Notification of Revoked Access Tokens in the Authentication and Authorization for Constrained Environments (ACE) Framework" (draft-tiloca-ace-revoked-token-notification-00). I am an ACE noob, but hopefully my feedback will be constructive and helpful. If they are not, it could be because of my ignorance of ACE. That said, I am an expert in OAuth, so that is my frame of reference. * The draft mixes casing and has inconsistent use of acronyms like RS, resource server, authorization server, AS, etc. This hangs me up as a reader. I'd appreciate if one was used for all or if none were used. * I recommend an ASCII art be added to the protocol overview. I know that there are some good diagrams in the examples, but an overview figure in that section would be helpful as a reader as comes to terms with what the doc specifies and decide if it's relevant. It would also be helpful if this section ended with a link/reference to the example sections below (e.g., something like “see examples in section X for more detailed flows”). * In my strong opinion, It should not be assumed that the TRL endpoint is at the root of the URL path of the AS. https://example.com/tenant1/trl should be valid; also, https://example.com/my-good-trl should be a valid URI. This should be included in the OAuth metadata (if the AS supports this) or communicated to the client/RS by some undefined method (e.g., documentation). The spec may recommend some URI and the non-normative examples can use whatever URI, but these must not be MTI. * The doc should not make any distinction between an OAuth client and resource server. This makes it very confusing IMHO. Instead, it should consider the caller/client of the TRL endpoint, regardless of what role that caller plays in an OAuth flow. This is similar to how introspection and other OAuth-related APIs are defined. * The TRL endpoint need not be per client/RS. The endpoint only exposes random hashes. Disclosing these to other parties will not pose a security issue (that I can think of). This will allow clients/RSes to collaborate in unforeseen ways that could be useful in certain deployments. This also means that the TRL endpoint will be global and not have a client-specific path segment in the path of the URI. * The TRL endpoint should accept some method for filter based, for example, on client ID. This could be done using a query string argument like "client_id" which can be supplied 0..INF times. This will allow a monitoring client (like a NOC) to subscribed to revocation messages for multiple clients/RSes. If the "client_id" (or whatever) parameter is supplied, the caller of the TRL endpoint should be notified of ALL revoked tokens. * If the idea above is accepted and the AS requires authentication of the TRL endpoint client, then the AS may automatically subscribe the client to notifications for just itself (which the AS knows the identity of the client due to authentication). This implicitly filtering may be beyond the scope of the doc, however, and I think that authentication in general should be dropped. If it remains though, this identification and implicit filter can be done irrespective of authentication scheme used. * I think that the token name term should be changed to token hash, so that it is more intuitively obvious what it is in case the term was skimmed over or missed. * Because the draft is only about non-revoked tokens, the RS/client still has to manage expired token checking. If the list included expired tokens as well, the RS/client could off-load all of this to the AS. This would make the development of the RS/client a lot simpler and push that complexity to the AS. This is keeping in the spirit and aim of OAuth. I've understood from Ludwig and Marco that this does introduce some issues in a CoAP environment, that I know nothing about. So, please take it as a suggestion and see what's best. * Clarify that the hashes in the CBOR array are unordered. CBOR has no set, I've been told, only arrays. Arrays are ordered though, so it should be stated that this ordering is irrelevant, and the subscriber should treat them as a set where the order has no significant meaning. HTH! -- Travis Spencer
- [Ace] Review of draft-tiloca-ace-revoked-token-no… Travis Spencer
- Re: [Ace] Review of draft-tiloca-ace-revoked-toke… Marco Tiloca