[Ace] Removal of the Client Token from ACE-OAuth draft

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Thu, 01 February 2018 13:59 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "ace@ietf.org" <ace@ietf.org>
Date: Thu, 01 Feb 2018 13:59:48 +0000
Message-ID: <AM4PR0801MB27062B8FD8B05971648F1E8CFAFA0@AM4PR0801MB2706.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/3urlZCV_QUM3Py6ttZGFEmCwrqQ>

Hi all,

The Client Token is a new mechanism in the ACE-OAuth draft that aims to solve a scenario where the Client does not have connectivity to the Authorization Server to obtain an access token while the Resource Server does.

The solution is therefore for the Client to use the Resource Server to relay messages to the Authorization Server.

While this sounds nice, it does not follow the OAuth model, and we at ARM have not seen anyone requesting this feature. It is also not fully specified in the spec: since I have been doing a formal analysis of this protocol variant for the OAuth Security Workshop, I had to notice that it is not secure. (I will post the paper to the list ASAP.)

Note that I am not saying that we should never do this work but I prefer that someone who really cares about this use case describes it in an independent document.

In summary, I am again requesting that the Client Token functionality be removed from the ACE-OAuth draft.

Ciao
Hannes
