Re: [Ace] Update of access rights

Seitz Ludwig <ludwig.seitz@combitech.se> Mon, 18 May 2020 06:49 UTC

Return-Path: <ludwig.seitz@combitech.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 162E23A08A6 for <ace@ietfa.amsl.com>; Sun, 17 May 2020 23:49:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.002
X-Spam-Level:
X-Spam-Status: No, score=0.002 tagged_above=-999 required=5 tests=[RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gV8xkGf5I2Hb for <ace@ietfa.amsl.com>; Sun, 17 May 2020 23:49:42 -0700 (PDT)
Received: from weald2.air.saab.se (weald2.air.saab.se [136.163.212.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E5E13A08A3 for <ace@ietf.org>; Sun, 17 May 2020 23:49:41 -0700 (PDT)
Received: from mailhub1.air.saab.se ([136.163.213.4]) by weald2.air.saab.se (8.14.4/8.14.4) with ESMTP id 04I6nV4l005940 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 18 May 2020 08:49:31 +0200
DKIM-Filter: OpenDKIM Filter v2.11.0 weald2.air.saab.se 04I6nV4l005940
Received: from corpappl16350.corp.saab.se (corpappl16350.corp.saab.se [10.12.12.113]) by mailhub1.air.saab.se (8.13.8/8.13.8) with ESMTP id 04I6mxbm022533 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 18 May 2020 08:49:00 +0200
Received: from corpappl16593.corp.saab.se (10.12.12.125) by corpappl16350.corp.saab.se (10.12.12.113) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1847.3; Mon, 18 May 2020 08:48:59 +0200
Received: from corpappl16593.corp.saab.se ([fe80::b4c9:ca69:a80d:fa3]) by corpappl16593.corp.saab.se ([fe80::b4c9:ca69:a80d:fa3%4]) with mapi id 15.01.1847.009; Mon, 18 May 2020 08:48:59 +0200
From: Seitz Ludwig <ludwig.seitz@combitech.se>
To: Jim Schaad <ietf@augustcellars.com>, 'Francesca Palombini' <francesca.palombini@ericsson.com>
CC: 'Ace Wg' <ace@ietf.org>
Thread-Topic: [Ace] Update of access rights
Thread-Index: AQHWIuI1Lkw8gf+fQkGotEAa9X56JaiZhXQAgAAafoCAAXcYAIASCIiAgABYuGA=
Date: Mon, 18 May 2020 06:48:59 +0000
Message-ID: <dc614a13e4e84657b29b9b06e9066c76@combitech.se>
References: <8063D003-2C48-4157-B80E-B7AF3D2099FC@ericsson.com> <20680.1588694462@localhost> <CB1396B3-5D52-422A-AFC4-0FB362C2C0F5@ericsson.com> <29287.1588780702@localhost> <006401d62cc3$70d795f0$5286c1d0$@augustcellars.com>
In-Reply-To: <006401d62cc3$70d795f0$5286c1d0$@augustcellars.com>
Accept-Language: en-SE, sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.12.13.211]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Saab-MailScanner-Information: Please contact the ISP for more information
X-Saab-MailScanner-ID: 04I6mxbm022533
X-Saab-MailScanner: Found to be clean
X-Saab-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=1.561, required 5, ALL_TRUSTED -1.00, SARE_MLB_Stock6 1.56, SURBL_BLOCKED 1.00, URIBL_BLOCKED 0.00)
X-Saab-MailScanner-SpamScore: s
X-Saab-MailScanner-From: ludwig.seitz@combitech.se
X-Saab-MailScanner-Watermark: 1590389340.26303@KexJLY5R5FLVFcUqviazkQ
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.2 (weald2.air.saab.se [136.163.212.4]); Mon, 18 May 2020 08:49:31 +0200 (CEST)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/4M4I1tsuI9uGhkDFhoc7Bey1Hj4>
Subject: Re: [Ace] Update of access rights
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 May 2020 06:49:45 -0000

Hi Jim,

This sounds over-engineered to me. 

If we go for introducing new claims (or putting requirements on existing ones like 'cti'), I would suggest that we EITHER

Use the solution recommended in the framework today: One token per pop-key, new token overwrites old token, adding a strict ordering, e.g. by requiring that the
AS uses an incremented number in the cti claim (or a new claim if we don't want to use cti for that).  This would introduce part of what Olaf suggested, i.e. a strict ordering.

OR 

Go with Olaf's full suggestion and introduce a revocation mechanism.

/Ludwig

-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of Jim Schaad
Sent: den 18 maj 2020 05:22
To: 'Francesca Palombini' <francesca.palombini@ericsson.com>
Cc: 'Ace Wg' <ace@ietf.org>
Subject: Re: [Ace] Update of access rights

I have not had a chance to think this out and get all of the implications right, but my understanding is that what we were trying to avoid was having the same secret key/public key present on the RS in more than one token.
This simplifies what the RS needs to do.  However, I am now under the impression that having the RS deal with multiple tokens with the same public key might be less of an issue than trying to make some decisions on what tokens are supposed to supersede other tokens.

One of the ways that this might be avoided is to push the problem to where it, in some sense, belongs.  The AS should be able to make this type of decision if a token is supposed to replace an existing token or not and it has more knowledge about what tokens are associated with what keys.  If we go back and say - the AS should include a CWTID in the token and then define a new claim which says - This token supersedes the token(s) with CWTID values of "x", "y" and "z".  

Jim



_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
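The two alternatives discussed in this thread, sketched as RS-side token bookkeeping. This is an added example, not code from the ACE framework draft or from either author: the first store keeps one token per PoP key and only accepts a replacement whose cti is strictly larger (the "incremented number in cti" idea); the second lets several tokens share a key and retires earlier ones by a hypothetical 'supersedes' claim listing cti values (Jim's proposal). The 'Token' class, the 'supersedes' claim name and the interpretation of cti as a big-endian counter are assumptions for illustration; CWT parsing, signature/PoP verification and expiry are assumed to have happened before 'install' is called.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Token:
    """Minimal view of an access token after the RS has verified it.

    Field names mirror the claims discussed in the thread; 'supersedes' is the
    hypothetical new claim from the thread, not a registered CWT claim.
    """
    cti: bytes              # CWT ID ('cti'), assigned by the AS
    kid: bytes              # identifier of the PoP key carried in 'cnf'
    scope: str
    supersedes: tuple = ()  # hypothetical: cti values this token replaces


def cti_as_int(cti: bytes) -> int:
    """Assumption: the AS encodes a per-key counter as a big-endian byte string."""
    return int.from_bytes(cti, "big")


class OneTokenPerKeyStore:
    """Alternative 1: one token per PoP key, the newer token replaces the older.

    'Newer' means a strictly larger cti. A delayed or replayed older token can
    therefore no longer overwrite the current one, which a plain
    'new token overwrites old token' rule would allow.
    """

    def __init__(self) -> None:
        self._by_kid: dict[bytes, Token] = {}

    def install(self, tok: Token) -> bool:
        current = self._by_kid.get(tok.kid)
        if current is not None and cti_as_int(tok.cti) <= cti_as_int(current.cti):
            return False  # stale (out of order) or replayed token: ignore it
        self._by_kid[tok.kid] = tok
        return True

    def scope_for_key(self, kid: bytes) -> Optional[str]:
        tok = self._by_kid.get(kid)
        return tok.scope if tok else None


class SupersedesStore:
    """Alternative 2: several tokens may share a PoP key; the AS states
    explicitly, via the hypothetical 'supersedes' claim, which earlier tokens
    a new one retires. The RS makes no ordering decision of its own.
    """

    def __init__(self) -> None:
        self._tokens: dict[bytes, Token] = {}
        self._retired: set[bytes] = set()

    def install(self, tok: Token) -> bool:
        if tok.cti in self._tokens or tok.cti in self._retired:
            return False  # duplicate cti: replay, or already superseded
        for old in tok.supersedes:
            self._tokens.pop(old, None)
            # Remember the cti even if that token never arrived: a superseded
            # token delivered late must be rejected, not installed.
            self._retired.add(old)
        self._tokens[tok.cti] = tok
        return True

    def scopes_for_key(self, kid: bytes) -> list[str]:
        return sorted(t.scope for t in self._tokens.values() if t.kid == kid)


def run_scenario() -> dict:
    """Constructed token sequence: an update, out-of-order delivery, a replay."""
    kid = b"\x01"
    t1 = Token(cti=b"\x00\x01", kid=kid, scope="read")
    t2 = Token(cti=b"\x00\x02", kid=kid, scope="read write", supersedes=(t1.cti,))
    t3 = Token(cti=b"\x00\x03", kid=kid, scope="admin")  # coexists with t2

    ordered = OneTokenPerKeyStore()
    r1 = ordered.install(t1)        # first token for this key
    r2 = ordered.install(t2)        # larger cti: replaces t1
    r3 = ordered.install(t1)        # replay of the older token: rejected

    sup = SupersedesStore()
    s1 = sup.install(t2)            # arrives before t1 (out of order)
    s2 = sup.install(t1)            # late delivery of a superseded token
    s3 = sup.install(t3)            # no supersedes claim: both t2 and t3 active
    s4 = sup.install(t2)            # replay of a known cti

    return {
        "ordered": (r1, r2, r3, ordered.scope_for_key(kid)),
        "supersedes": (s1, s2, s3, s4, sup.scopes_for_key(kid)),
    }
```

Both stores key everything on the cti, so the AS must guarantee cti uniqueness per RS for either scheme to hold; the first additionally relies on the AS issuing cti values in increasing order per PoP key, which is the "requirement on an existing claim" mentioned above. The retired-cti set in the second store grows without bound unless pruned against token expiry, which the example leaves out.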