Re: [Ace] Relaxing OAuth-ACE profiles

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 19 December 2017 11:22 UTC


Hi Carsten,

~snip~

> draft-ietf-ace-actors tells you that aceclient-AS is a less-constrained interface, so it doesn't need to be limited to protocols for
> constrained devices.  aceclient-RS is a constrained interface.  (And at some point the client authorization manager CAM will escape from the aceclient and we get back the more rational four-legged architecture.)

We have certainly envisioned this use case early on in the group and it is good that the actors draft covers it. Samuel, Erik and I had used this scenario at ARM TechCon a few years ago as a showcase using a door lock to illustrate what ACE-OAuth does. It is just that the current ACE-OAuth draft version doesn't support it well IMHO.

Even though that interface is not limited, we would still have to use some of the newly defined parameters (and features, e.g., CWT).

> Not sure why you need JSON to use HTTP, but of course this can be opened up because it is the less-constrained CAM-SAM interface.  More generally, the CAM-SAM interface (aceclient-AS in current terminology) really is about business logic, so go ahead and do XMLDSig and BPEL and SOAP and whatever makes the software architect happy.

I might not have used the terminology appropriately, but what I was trying to accomplish is to use RFC 8252 on the phone/tablet and to request a CWT (instead of a JWT). RFC 8252 uses a mixture of technologies, including a JSON-based encoding for the Access Token Response. The Access Token Request, on the other hand, would be form encoded. Maybe I should include an example in the appendix to make it clearer.

Ciao
Hannes
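The exchange Hannes sketches above (a form-encoded Access Token Request from the phone, a JSON Access Token Response that carries a CWT rather than a JWT), as an added illustration that is not part of the original message or of any ACE draft. It assumes the client_credentials grant, an `audience` request parameter naming the RS, and a base64url-encoded CWT in `access_token`; the CWT bytes are constructed by hand (tag 61 around a COSE_Mac0 with a zeroed MAC) and would not verify.

```python
import base64
import binascii
import json
import re
from urllib.parse import urlencode

# CBOR tag 61 marks a CWT (RFC 8392); COSE structures carry their own tags (RFC 8152).
CWT_TAG = b"\xd8\x3d"
COSE_TAGS = {0xD0: "COSE_Encrypt0", 0xD1: "COSE_Mac0", 0xD2: "COSE_Sign1"}
# A JWT is three base64url segments joined by dots; a base64url CWT never contains a dot.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_token_request(client_id: str, scope: str, audience: str) -> str:
    """Form-encoded (application/x-www-form-urlencoded) Access Token Request body.
    'audience' is an assumption for naming the RS; the grant type is client_credentials."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "scope": scope, "audience": audience})

def classify_token(access_token: str) -> str:
    """Return 'JWT', 'CWT/<COSE structure>' or 'unknown' for an access_token value."""
    if JWT_RE.match(access_token):
        return "JWT"
    try:
        raw = b64url_decode(access_token)
    except (ValueError, binascii.Error):
        return "unknown"
    if raw.startswith(CWT_TAG):          # tagged CWT: strip tag 61, then expect a COSE tag
        raw = raw[2:]
    if raw and raw[0] in COSE_TAGS:      # untagged CWTs are allowed when the type is known from context
        return "CWT/" + COSE_TAGS[raw[0]]
    return "unknown"

def parse_token_response(body: str) -> dict:
    """Parse the JSON Access Token Response and record which token format the AS returned."""
    resp = json.loads(body)
    resp["token_format"] = classify_token(resp["access_token"])
    return resp

# Constructed sample: tag 61, COSE_Mac0 [protected {1:4}, {}, payload {1:"AS"}, 8 zero bytes as MAC].
SAMPLE_CWT = bytes.fromhex("d83dd18443a10104a045a10162415348" + "00" * 8)
SAMPLE_RESPONSE = json.dumps({
    "access_token": base64.urlsafe_b64encode(SAMPLE_CWT).rstrip(b"=").decode(),
    "token_type": "pop",  # constructed sample value
})
```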
