Re: [Ace] draft-ietf-ace-dtls-authorize-01
Olaf Bergmann <bergmann@tzi.org> Wed, 04 October 2017 14:47 UTC
Return-Path: <bergmann@tzi.org>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B40A124B17 for <ace@ietfa.amsl.com>; Wed, 4 Oct 2017 07:47:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lfo7ULBwzPcW for <ace@ietfa.amsl.com>; Wed, 4 Oct 2017 07:47:38 -0700 (PDT)
Received: from mailhost.informatik.uni-bremen.de (mailhost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 041B81321DF for <ace@ietf.org>; Wed, 4 Oct 2017 07:47:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de
Received: from submithost.informatik.uni-bremen.de (submithost.informatik.uni-bremen.de [134.102.201.11]) by mailhost.informatik.uni-bremen.de (8.14.5/8.14.5) with ESMTP id v94ElYv7004422; Wed, 4 Oct 2017 16:47:34 +0200 (CEST)
Received: from wangari.tzi.org (p508A448A.dip0.t-ipconnect.de [80.138.68.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by submithost.informatik.uni-bremen.de (Postfix) with ESMTPSA id 3y6dzT72mfzDLBB; Wed, 4 Oct 2017 16:47:33 +0200 (CEST)
From: Olaf Bergmann <bergmann@tzi.org>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Cc: ace@ietf.org, Ludwig Seitz <ludwig.seitz@ri.se>
References: <55ac5e55-2570-6126-2211-a6c1b65c3006@gmx.net> <bd90e268-d25b-3d2a-a945-7e26ab06d58f@ri.se>
Date: Wed, 04 Oct 2017 16:47:33 +0200
In-Reply-To: <bd90e268-d25b-3d2a-a945-7e26ab06d58f@ri.se> (Ludwig Seitz's message of "Mon, 2 Oct 2017 12:39:36 +0200")
Message-ID: <87infvhsvu.fsf@tzi.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/1fPuqs36viaKlgWlY0GG4pNMGFk>
Subject: Re: [Ace] draft-ietf-ace-dtls-authorize-01
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Oct 2017 14:47:41 -0000
Hello Hannes, Thank you very much for your comments. I am replying to the comment that Ludwig did not yet address: Ludwig Seitz <ludwig.seitz@ri.se> writes: > On 2017-10-01 11:35, Hannes Tschofenig wrote: >> - What is the reasoning behind this statement: >> >> "This specification mandates that at least the key derivation >> algorithm "HKDF SHA-256" as defined in [I-D.ietf-cose-msg] MUST be >> supported." >> >> I would have assumed at the session key provided by the AS to the client >> and the key embedded in the access token is used directly within TLS as >> a PSK. Yes, you could embed the session key in the access token. But then, you would always have to encrypt the access token and ensure that is never decrypted by unauthorized parties. Key derivation allows you to transfer the access token unencrypted (as long as the privacy objectives are met, of course). This could even save some bytes in the token as the encrypted session key does not have to be transferred. This mechanism has previously been discussed in section 6 of [1] but now has been adjusted from the simple ad-hoc syntax in DCAF to the more flexible COSE method. [1] https://tools.ietf.org/html/draft-gerdes-ace-dcaf-authorize-04#section-6 Grüße Olaf
- [Ace] draft-ietf-ace-dtls-authorize-01 Hannes Tschofenig
- Re: [Ace] draft-ietf-ace-dtls-authorize-01 Ludwig Seitz
- Re: [Ace] draft-ietf-ace-dtls-authorize-01 Olaf Bergmann