Re: [Ace] Review of draft-ietf-ace-oauth-authz-07 by Mike Jones
Ludwig Seitz <ludwig.seitz@ri.se> Wed, 11 October 2017 07:59 UTC
Return-Path: <ludwig.seitz@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42B0E13219B for <ace@ietfa.amsl.com>; Wed, 11 Oct 2017 00:59:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.401
X-Spam-Level:
X-Spam-Status: No, score=-5.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nfJu2634cTVj for <ace@ietfa.amsl.com>; Wed, 11 Oct 2017 00:59:30 -0700 (PDT)
Received: from se-out2.mx-wecloud.net (se-out2.mx-wecloud.net [89.221.255.177]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F8C313202D for <ace@ietf.org>; Wed, 11 Oct 2017 00:59:30 -0700 (PDT)
Received: from sp-mail-2.sp.se (unknown [194.218.146.197]) by se-out2.mx-wecloud.net (Postfix) with ESMTPS id BF898223B04; Wed, 11 Oct 2017 07:59:27 +0000 (UTC)
Received: from [192.168.0.166] (10.116.0.226) by sp-mail-2.sp.se (10.100.0.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.669.32; Wed, 11 Oct 2017 09:59:27 +0200
To: Anthony Nadalin <tonynad@microsoft.com>, Mike Jones <Michael.Jones@microsoft.com>, "ace@ietf.org" <ace@ietf.org>
References: <CY4PR21MB0504D057E5B47ED166F35083F57D0@CY4PR21MB0504.namprd21.prod.outlook.com> <70d9981f-3e4d-7389-5281-938618f1d3c1@ri.se> <SN2PR00MB00949DEA486899AABBF92849A6750@SN2PR00MB0094.namprd00.prod.outlook.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <760bd132-3996-2242-3b1c-111034094e0d@ri.se>
Date: Wed, 11 Oct 2017 09:59:14 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <SN2PR00MB00949DEA486899AABBF92849A6750@SN2PR00MB0094.namprd00.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.116.0.226]
X-ClientProxiedBy: sp-mail-3.sp.se (10.100.0.163) To sp-mail-2.sp.se (10.100.0.162)
X-CMAE-Score: 0
X-CMAE-Analysis: v=2.2 cv=KqQ94SeN c=1 sm=1 tr=0 a=L5DDne6A+dD0FbDkt2Fblw==:117 a=L5DDne6A+dD0FbDkt2Fblw==:17 a=sZ8rJzgPlrQA:10 a=IkcTkHD0fZMA:10 a=02M-m0pO-4AA:10 a=Srg91UCDZRYOU3zLZEoA:9 a=QEXdDO2ut3YA:10
X-Virus-Scanned: clamav-milter 0.99.2 at MailSecurity
X-Virus-Status: Clean
X-MailSecurity-Status: 0
X-Scanned-By: WeCloud MailSecurity
X-MailSecurity-Score: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/2lZ_qB6WdQ6HQTYCWkDs0t6Uazk>
Subject: Re: [Ace] Review of draft-ietf-ace-oauth-authz-07 by Mike Jones
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Oct 2017 07:59:32 -0000
On 2017-10-10 19:30, Anthony Nadalin wrote: > The point here about the optional extensions is that not all devices > are constrained the same, so some devices may actually be able to > support Oauth yet you prohibit that from happening with the mandatory > extensions I'm assuming that you are considering a scenario where some devices are less constrained while others are constrained, otherwise using ACE makes no sense in the first place (you could just use OAuth). The main requirement that precludes mixing plain OAuth with ACE-OAuth is that protocol parameters need to be encoded in CBOR instead of JSON. If we made this optional, a client could make a request to the token endpoint using plain OAuth (i.e. unabbreviated parameters). I see the following undesirable outcomes from such a solution: a.) The AS has to support both abbreviations and full parameter names (more code complexity at AS). b.) We need some protocol mechanics to tell the AS whether the client is using regular OAuth or ACE-OAuth (more code complexity at both client and AS, more protocol complexity, possibility of mixup errors). c.) RS that need to do introspection need the same protocol mechanics as in b.) I don't believe this is a good trade-off. Note that nothing precludes you from using regular OAuth, as long as the client and AS support it and the RS can process the resulting access token. /Ludwig -- Ludwig Seitz, PhD Security Lab, RISE SICS Phone +46(0)70-349 92 51
- [Ace] Review of draft-ietf-ace-oauth-authz-07 by … Mike Jones
- Re: [Ace] Review of draft-ietf-ace-oauth-authz-07… Ludwig Seitz
- Re: [Ace] Review of draft-ietf-ace-oauth-authz-07… Anthony Nadalin
- Re: [Ace] Review of draft-ietf-ace-oauth-authz-07… Ludwig Seitz