IETF Logo Mail Archive

Re: [Ace] Requested review for IANA registration in draft-ietf-ace-oauth-params

Ludwig Seitz <ludwig_seitz@gmx.de> Sat, 01 February 2020 10:20 UTC

Return-Path: <ludwig_seitz@gmx.de>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD28B1200B2; Sat, 1 Feb 2020 02:20:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gdnzElbeakw7; Sat, 1 Feb 2020 02:20:51 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9EBD12003E; Sat, 1 Feb 2020 02:20:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1580552405; bh=+98nkYhsM8Mr4Rl88bRrvtEGeOSdwlbUv/dZn9zeTtk=; h=X-UI-Sender-Class:Subject:To:Cc:References:From:Date:In-Reply-To; b=ac2IwGDTbjq/SxOEqkZTwsTwVaXVZv34VtzbqBA6x4DCYf5816gtS9fjX83C4rLnW DBO5LRU8Z4DavfNKQJwaTbibTghR7EM92qBdS3CzqkQCUMsKF3xk2lFG1FDJxMqsKs 5l77ExekOsCaNmbBBCCQeza5TxJwNuEsYhorDulY=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [192.168.1.220] ([84.217.44.37]) by mail.gmx.com (mrgmx005 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MCKFk-1ipcgh1HOM-009Lzb; Sat, 01 Feb 2020 11:20:05 +0100
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Seitz Ludwig <ludwig.seitz@combitech.se>
Cc: Roman Danyliw <rdd@cert.org>, "oauth-ext-review@ietf.org" <oauth-ext-review@ietf.org>, Daniel Migault <daniel.migault@ericsson.com>, jwt-reg-review@ietf.org, Jim Schaad <ietf@augustcellars.com>, Benjamin Kaduk <kaduk@mit.edu>, "ace@ietf.org" <ace@ietf.org>, "drafts-lastcall@iana.org" <drafts-lastcall@iana.org>
References: <9c32d171-9a4a-ba71-c989-92a177d9e989@gmx.de> <CA+k3eCSocYYpHQtWAfs=EnOTcOFbRSFH52FK=Ak5RiTZs4nOYA@mail.gmail.com> <77781da882414f4aae98ae2443691933@combitech.se> <CA+k3eCT0TLgUxzggV1WE-eQ8hSXGSUxXjimkp1ZPvUxXbnrAFA@mail.gmail.com> <582bfd3fbdee4cc592b92857c955721b@combitech.se> <CA+k3eCToZEQjkCGUawbWJSg51u24QOvmxBFvKS1Fk+KY4hwELA@mail.gmail.com>
From: Ludwig Seitz <ludwig_seitz@gmx.de>
Message-ID: <d2c963bd-871c-7d71-3d90-eab5f7929c52@gmx.de>
Date: Sat, 01 Feb 2020 11:19:53 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
MIME-Version: 1.0
In-Reply-To: <CA+k3eCToZEQjkCGUawbWJSg51u24QOvmxBFvKS1Fk+KY4hwELA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:98plQ3KHndAmhMho4cyvFCidvdNNzvmGBTmagVCAt/8BIq9Reot fdmQRB13HQohugWMTM1+vZvyA1AjTXSgcMlaI/yhKAKqGsSlNdfkkje3JK6P88U+kccp9nU o2O+t/AGnb8fKmnDYZBhDhxgxKT/07dHXlcDQsrpP9UlbbgSFRUkpKeTCqnCV1CmTWs8nuu U5/DgMS3PeQlJb7swFT6A==
X-UI-Out-Filterresults: notjunk:1;V03:K0:lbUaxRfFmfk=:18lNccsdZj3Fwr3n7l57iM hXu5aWRW9bei4NvhCkBaOCVk3x1SpTBsTf7SvxZlP07RrIKIIweQq4yPrqjfCYw4xxUZWIoFb kO7AxnMWNhCopi0cQEHG2Svcdeq6N/6/1Zj3aOie85NhbYNKHv2Z3jAxp8iME6lpsXmzhn9jU DouokzmPW5uYcfZPiN+eIxdpt9T6CKGkd2rEceHptCaH/W59ZXT/zPLi9VtGdP465V1j6ogrB b4llrr0hrBnk0XqhWZ9EQCZhyrxeUVL6dmX4gHg1NjJeI7csVerHNraJCdm5bIuOG3LdQo+aI 0nY5DrrMO43BlvSLiZ3VnbR2NPH3C7hBsIft1sUJDRi5es4l905HsC658bBcn+xP6qe8DCJeB /dEWmeOo7MhHabAbLRJXW12J5KrjFxOuuaHDWWsWLPmvQ8RI2bOwOLQx6sDapbRWYJykXlZ1V Ol7rNsnWVfeozwG473Gsz8FSsmuDhpgrgKBF85aSuN6AgRLUxpE5SoRjdTtSz0WoE+Hbq1FNV foFJzZhhLUsvk5x56PhYNbvj8NiVq7mcazw1McWIpws1eDCMpJq/meIs9ydEURJ0WOx7X8mMp oae6jd4pmdhn3gb5O0gWPbLGOWXpHw8gc7adp1iF7N/Fx5DO3bZDwktuzEg8DHTbgJfdRZ0g2 LGd6YkPZAyBSd/cGAkeXpYqZCBRdXonPYBpEZddXQ45nhOnLvNg9rY8kih/FGx/o+ttlGnwli fSsFRNtmT79lR1S8UFUMbsFSa6GGnJgwIlEskERhQFTsJSci6+Sq8mk6VSfJxv/nC3PUOzlW5 iQLQWLjfZbiN2VMsHS1OLMbGiqvXeysf59GqBLyRPfdJKhpYuTtw8TJ8dqfZYb0cmFnbzswie 8s9HiSUlSzSyCmx/aKTpyjmwGRu/YytdIh4GbxDBH1kyBqWJX0dmGR9KfEpVWp/6hwHrgHUw8 CH0+7jd+48jAu7ptHGk09itNlQd4lCdVyc3ceZEZ0BFiu6MtQdmQkaEuNL7VJpt8cgk/6ns7m rPItm3KhzH95dqw6zAxUkieZAVoUvWDkNi1+PB8FJyB9BCi6K5TKzX9myalxzCF6hZ0ZbG5Hv jgG5RFT+wiP0Vw9+maZf0plMIGQJwlGH6jzHwMFt2Uha0QRnK05qVf1fBoI+GOeU+4HDWtmku 47AAq2nL3pemF6r31bZq2qtRf4Dff5WuDlgwm+mYstDP2FYH/M91ugm0sfdJ/1GJVyhkcfdlU KEOsXVHeehKDO4YpG
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/2MVB5xd8p3Zv8ZhmoX5vv25Qymk>
X-Mailman-Approved-At: Mon, 03 Feb 2020 09:28:10 -0800
Subject: Re: [Ace] Requested review for IANA registration in draft-ietf-ace-oauth-params
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Feb 2020 10:20:52 -0000

On 2020-01-23 22:31, Brian Campbell wrote:
> Apologies, I forgot to reply-all at some earlier point and dropped the
> mailing lists and other cc's off the thread. Added back now.
>
> And also apologies because I think I need to recuse myself from the DE
> responsibility on the JWT registry request here. I've spent more time
> than I'd like to admit or really have to spare on it and am still
> struggling to understand.
>
> I appreciate you pointing out the authz-info endpoint in ACE but I still
> don't follow how "rs_cnf" in an access token would really work in
> practice. The client sends the token to the RS's authz-info endpoint on
> an insecure connection or one that has the server auth with potentially
> different key and the RS stores the access token for later use. Then on
> resource access the RS looks up the access token (with respect to the
> cnf key in it) based on the key the client used in establishing a new
> mutually authentication connection to the RS. For the RS to choose a key
> for server it will use during the handshake (and as far as I know the
> server key is the first in the authn process of the handshake) based on
> the "rs_cnf" in the access token, it needs to remember and associate
> that client and the access token with something else (IP address?) that
> will be available during the handshake. It doesn't fit together for me
> in a way that seems likely to work or be interoperable but, like I said,
> I'm really struggling to understand.
>
>

Hello Brian,

thank you for your efforts in reviewing the IANA registrations.
As for your struggling to understand, we should have struggled more,
since there was indeed a flaw in the reasoning behind the rs_cnf claim
(and introspection parameter). As a result of that we will remove both
the rs_cnf claim and the introspection parameter, keeping only the
rs_cnf token endpoint parameter, which I believe still makes sense.

Background: When introducing the rs_cnf claim, we had mistakenly assumed
that the RS could associate the token with the ongoing (D)TLS handshake
at the time the server certificate message is to be created, this is not
the case and the rs_cnf claim is therefore useless (same goes for the
rs_cnf introspection parameter).  Instead I will require that a RS MUST
NOT hold more than one asymmetric key pair based on the same algorithm,
used for authentication.  Thus the (D)TLS algorithm negotiation in the
handshake should resolve the issue of which key to use for the RS.

Updates of both draft-ietf-ace-oauth-params and
draft-ietf-ace-oauth-authz coming soon.


/Ludwig

v2.23.0 | Report a Bug | By Email