Re: [Ace] Requested review for IANA registration in draft-ietf-ace-oauth-params
Brian Campbell <bcampbell@pingidentity.com> Thu, 23 January 2020 21:31 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE91F120077 for <ace@ietfa.amsl.com>; Thu, 23 Jan 2020 13:31:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JS-RrlGj-iiy for <ace@ietfa.amsl.com>; Thu, 23 Jan 2020 13:31:49 -0800 (PST)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF5AB12011C for <ace@ietf.org>; Thu, 23 Jan 2020 13:31:48 -0800 (PST)
Received: by mail-lj1-x232.google.com with SMTP id h23so5402155ljc.8 for <ace@ietf.org>; Thu, 23 Jan 2020 13:31:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=UJfgky6Wlrj0vVNTfhi18OCtvPiz6ZLKvn6pTlY6Pr0=; b=Xrlnd++ccjZ7GLZJ85OJxt9D83eZ/ZuoOUO0fGLd4F0AMtxhCl3zGepqjmTkVyvXQw Kll3bFUXMwz8DyuAVJhq6HyaUc5CH1ucs2ugS2jgRf4viCm1roTOvMpI4H+Lb+n39XX6 9BFLm2JDAe0xanA/V57RydWoxL7TaiIkt5XPw367E+GvWZom5KnBk11glYmRBaQCSTlc wvBSnnpvMG8DXJYxFAldURT/dNAHu07NcIF5CKRp4Evti8PStK619tFY/G2goBHSuFw0 SXdQEa++l8QXJWmSxM+jbcfJzpmNzcKn7ZizSXgv/kgSLFDQyPEEmyzRIfEJLUlGgbO1 wHKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UJfgky6Wlrj0vVNTfhi18OCtvPiz6ZLKvn6pTlY6Pr0=; b=QYmGzDYGx8EgavuP/QXU3TRA17gYe1P3GMMI82qssQTxNmXQG1FYIWoLtas8mlK40I rxTBNS3qkCuQOpf5Fq4L92QnYRqyHW9CoJcVAQNcce2/QXP3B4YwMjul7PEotwWwORSm HvQlSD7PGuO8EQ24xChlsGfXiI2/VoXHMkZbLZz7AK+eQwkdR0bIhOSuA7UuqzsU6xbd 8EIJ2qfL++jDxPiyBBPvvjVRrQWLIDkJkZOxnakbpsVCKX1ZhF4m19EKgz3C3uI38rWz qmTf7Sgvsh64Nuy8jawgpWPVDrZD/tuHUFNPpYJPGQ0Byp9NJfFOV2aFhXD1gOjzci0P d3Pg==
X-Gm-Message-State: APjAAAVuA7rtbPol/GSe0v2lFTIxs9SPW0a6fENOjxcSzzfN7Aiy/P1j iLKNbNDjKY6wBVRCTh0ltzBBsgvPXbyf1zzK5Z9IkiN+dFnHQmXx2WRBCQnzv4ExGE81fzqBhH6 5OAhBquTt2gk=
X-Google-Smtp-Source: APXvYqxClnrO17gdfqHHx6uJ9kHJok2F1vqjzkY1rEfr0h+tHDeJl8x7mLtWDfExoaKtaUl8ySubekp//r3bXUPRRY0=
X-Received: by 2002:a2e:b4ef:: with SMTP id s15mr268566ljm.20.1579815106958; Thu, 23 Jan 2020 13:31:46 -0800 (PST)
MIME-Version: 1.0
References: <9c32d171-9a4a-ba71-c989-92a177d9e989@gmx.de> <CA+k3eCSocYYpHQtWAfs=EnOTcOFbRSFH52FK=Ak5RiTZs4nOYA@mail.gmail.com> <77781da882414f4aae98ae2443691933@combitech.se> <CA+k3eCT0TLgUxzggV1WE-eQ8hSXGSUxXjimkp1ZPvUxXbnrAFA@mail.gmail.com> <582bfd3fbdee4cc592b92857c955721b@combitech.se>
In-Reply-To: <582bfd3fbdee4cc592b92857c955721b@combitech.se>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 23 Jan 2020 14:31:20 -0700
Message-ID: <CA+k3eCToZEQjkCGUawbWJSg51u24QOvmxBFvKS1Fk+KY4hwELA@mail.gmail.com>
To: Seitz Ludwig <ludwig.seitz@combitech.se>
Cc: Ludwig Seitz <ludwig_seitz@gmx.de>, Roman Danyliw <rdd@cert.org>, "oauth-ext-review@ietf.org" <oauth-ext-review@ietf.org>, Daniel Migault <daniel.migault@ericsson.com>, Jim Schaad <ietf@augustcellars.com>, Benjamin Kaduk <kaduk@mit.edu>, "ace@ietf.org" <ace@ietf.org>, "drafts-lastcall@iana.org" <drafts-lastcall@iana.org>, jwt-reg-review@ietf.org
Content-Type: multipart/alternative; boundary="00000000000042f0e5059cd55e31"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/3T5vG-k6SH5ZTYB-5YaznyizhGY>
X-Mailman-Approved-At: Thu, 23 Jan 2020 17:12:34 -0800
Subject: Re: [Ace] Requested review for IANA registration in draft-ietf-ace-oauth-params
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2020 21:31:53 -0000
Apologies, I forgot to reply-all at some earlier point and dropped the mailing lists and other cc's off the thread. Added back now. And also apologies because I think I need to recuse myself from the DE responsibility on the JWT registry request here. I've spent more time than I'd like to admit or really have to spare on it and am still struggling to understand. I appreciate you pointing out the authz-info endpoint in ACE but I still don't follow how "rs_cnf" in an access token would really work in practice. The client sends the token to the RS's authz-info endpoint on an insecure connection or one that has the server auth with potentially different key and the RS stores the access token for later use. Then on resource access the RS looks up the access token (with respect to the cnf key in it) based on the key the client used in establishing a new mutually authentication connection to the RS. For the RS to choose a key for server it will use during the handshake (and as far as I know the server key is the first in the authn process of the handshake) based on the "rs_cnf" in the access token, it needs to remember and associate that client and the access token with something else (IP address?) that will be available during the handshake. It doesn't fit together for me in a way that seems likely to work or be interoperable but, like I said, I'm really struggling to understand. On Thu, Jan 16, 2020 at 12:54 AM Seitz Ludwig <ludwig.seitz@combitech.se> wrote: > Hi Brian, > > > > Comments inline. > > > > /Ludwig > > > > *From:* Brian Campbell <bcampbell@pingidentity.com> > *Sent:* den 13 januari 2020 21:22 > *To:* Seitz Ludwig <ludwig.seitz@combitech.se> > *Subject:* Re: [Ace] Requested review for IANA registration in > draft-ietf-ace-oauth-params > > > > Thanks for the response and updates Ludwig, > > > > Please bear with me while I try to wrap my head around some things. > > > > The JWT registration request for the "rs_cnf" claim points to Sec 3.3 > <https://tools.ietf.org/html/draft-ietf-ace-oauth-params-08#section-3.3> > saying it is "a hint [in the access token] to the RS about which key it > should use to authenticate towards the client". But doesn't the client > have to go through the DTLS/TLS handshake with the RS (which is presumably > when it authenticates to the client) before it presents the access token? > I'm not seeing how this would work as seems the RS won't see the hint until > after it needs it. > > > > > > [LS] Not in the ACE flow. We use the access token to establish keys at the > RS both for the client and the RS. We have therefore defined a new > ACE-OAuth endpoint (authz-info) at the RS. The client can POST access > tokens to this endpoint without prior authentication. > > At that point, the RS only validates the signature/MAC by the AS. > > > > Later at the time of access, the corresponding token is linked to the > access request via the pop-mechanism and the client/access specific parts > are validated (e.g. scope, subject). > > > > Hope that clarifies things a bit. > > > > On Sat, Jan 11, 2020 at 8:30 AM Seitz Ludwig <ludwig.seitz@combitech.se> > wrote: > > Hello again Brian, > > > > Thank you for reviewing this! Indeed the handling of JWT/JSON interactions > was handled sloppily here. I will soon issue a draft update that specifies > that the JSON-based interactions should use the syntax from RFC7800 while > the CBOR-based ones should use ID.ietf-ace-cwt-proof-of-possession. > > > > This correction goes for all the use of “cnf”, “req_cnf” and “rs_cnf”. > > > > Regards, > > > > Ludwig > > > > *From:* Ace <ace-bounces@ietf.org> *On Behalf Of *Brian Campbell > *Sent:* den 10 januari 2020 22:12 > *To:* Ludwig Seitz <ludwig_seitz@gmx.de> > *Cc:* Roman Danyliw <rdd@cert.org>; jwt-reg-review@ietf.org; Jim Schaad < > ietf@augustcellars.com>; The IESG <iesg@ietf.org>; ace@ietf.org; > drafts-lastcall@iana.org; Benjamin Kaduk <kaduk@mit.edu> > *Subject:* Re: [Ace] Requested review for IANA registration in > draft-ietf-ace-oauth-params > > > > That "rs_cnf" claim registration request in 9.1 points to 3.3 which says > it has 'the same syntax and semantics as defined in for the "rs_cnf" > parameter', which I think is in 4.1. And 4.1 says that the "rs_cnf" values > 'follow the syntax of the "cnf" claim from section 3.1 of > [I-D.ietf-ace-cwt-proof-of-possession].' Similar to other comments I've > made today, I don't follow what that would mean for the value of the claim > when it's a JWT. And that seems like something that's important to > understand for the purpose of a JWT claims registry request. > > > > > > On Sat, Dec 21, 2019 at 4:11 AM Ludwig Seitz <ludwig_seitz@gmx.de> wrote: > > Hello JWT registry reviewers, > > the IESG-designated experts for the JWT claims registry have asked me to > send a review request to you about the "rs_cnf" claim registered here: > > https://tools.ietf.org/html/draft-ietf-ace-oauth-params-07#section-9.1 > > Thank you in advance for you review comments. > > Regards, > > Ludwig > > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace > > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited.. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.* > > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.* > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [Ace] Requested review for IANA registration in d… Ludwig Seitz
- Re: [Ace] Requested review for IANA registration … Ludwig Seitz
- Re: [Ace] Requested review for IANA registration … Brian Campbell
- Re: [Ace] [Jwt-reg-review] Requested review for I… Brian Campbell
- Re: [Ace] [Jwt-reg-review] Requested review for I… Seitz Ludwig
- Re: [Ace] [Jwt-reg-review] Requested review for I… Brian Campbell
- Re: [Ace] [Jwt-reg-review] Requested review for I… Ludwig Seitz
- Re: [Ace] [Jwt-reg-review] Requested review for I… Brian Campbell
- Re: [Ace] Requested review for IANA registration … Brian Campbell
- Re: [Ace] Requested review for IANA registration … Benjamin Kaduk
- [Ace] [IANA #1160802] Re: Requested review for IA… Sabrina Tanamal via RT
- Re: [Ace] Requested review for IANA registration … Ludwig Seitz
- Re: [Ace] Requested review for IANA registration … Brian Campbell
- Re: [Ace] [EXTERNAL] [Jwt-reg-review] [IANA #1160… Mike Jones