Re: [Ace] Key IDs ... RE: WGLC on draft-ietf-ace-cwt-proof-of-possession-02

Ludwig Seitz <ludwig.seitz@ri.se> Mon, 25 June 2018 07:24 UTC

To: <ace@ietf.org>
References: <VI1PR0801MB2112C4D6D3CED7C15D9AE886FA750@VI1PR0801MB2112.eurprd08.prod.outlook.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <6c4cb55d-e350-4389-181f-cf797cdffb00@ri.se>
Date: Mon, 25 Jun 2018 09:24:24 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/4eL2JskOFmvT9YJ3LiMlATQw1Wc>
Subject: Re: [Ace] Key IDs ... RE: WGLC on draft-ietf-ace-cwt-proof-of-possession-02

On 2018-06-22 15:36, Hannes Tschofenig wrote:
> Hi Jim,
> 
> I would like to comment on this issue.
> 
> -----
>>> 14.  I have real problems w/ the use of a KID for POP identification.  It may
>> identify the wrong key or, if used for granting access, may have problems w/
>> identity collisions.  These need to be spelt out someplace to help people
>> tracking down questions of why can't I verify w/ this CWT, I know it's right.


I just wanted to note that we inherited that issue from RFC 7800; does 
someone recall what the security considerations were in that case?


Perhaps a variant of Hannes' text comes closer to what Jim is looking for:

"
- Operational Considerations

...

When an issuer creates a CWT containing a key id claim, it is not 
acceptable to issue another CWT containing the same key id, unless they 
both are for the same subject and for the same audience (e.g. providing 
additional privileges for the subject).
"

/Ludwig

-- 
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51
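As an added illustration (not part of this thread or of any ACE draft), the operational rule proposed above can be enforced on the issuer side by remembering which (subject, audience) pair each key id was first bound to; the second function shows why the rule matters for a resource server, which can only select a PoP key safely when a kid maps to exactly one key. `CwtClaims`, `KidRegistry` and `resolve_pop_key` are hypothetical names and the key ids and key bytes are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CwtClaims:
    """Subset of CWT claims the proposed rule refers to (hypothetical type)."""
    sub: str
    aud: str
    kid: bytes  # key id carried in the cnf (confirmation) claim


class KidRegistry:
    """Issuer-side record of the (sub, aud) pair each key id was bound to."""

    def __init__(self) -> None:
        self._bindings: Dict[bytes, Tuple[str, str]] = {}

    def can_issue(self, claims: CwtClaims) -> bool:
        # A kid may be reused only for the same subject AND the same audience.
        bound = self._bindings.get(claims.kid)
        return bound is None or bound == (claims.sub, claims.aud)

    def issue(self, claims: CwtClaims) -> CwtClaims:
        if not self.can_issue(claims):
            raise ValueError(f"kid {claims.kid.hex()} already bound to "
                             f"{self._bindings[claims.kid]}")
        self._bindings[claims.kid] = (claims.sub, claims.aud)
        return claims


def resolve_pop_key(kid: bytes, key_table: Dict[bytes, List[bytes]]) -> Optional[bytes]:
    """RS-side lookup: the PoP key for kid, or None when the kid is unknown
    or maps to more than one key (the collision case from the review)."""
    candidates = key_table.get(kid, [])
    return candidates[0] if len(candidates) == 1 else None


def demo() -> dict:
    reg = KidRegistry()
    base = CwtClaims(sub="device-42", aud="rs.example", kid=b"\x01\x02")  # constructed
    results = {"first": reg.can_issue(base)}
    reg.issue(base)
    results["same_sub_aud"] = reg.can_issue(CwtClaims("device-42", "rs.example", b"\x01\x02"))
    results["other_sub"] = reg.can_issue(CwtClaims("device-7", "rs.example", b"\x01\x02"))
    results["other_aud"] = reg.can_issue(CwtClaims("device-42", "rs2.example", b"\x01\x02"))
    # RS side: a colliding kid yields no usable key rather than the wrong one.
    table = {b"\x01\x02": [b"key-A"], b"\x03": [b"key-B", b"key-C"]}  # constructed
    results["unique_kid"] = resolve_pop_key(b"\x01\x02", table)
    results["colliding_kid"] = resolve_pop_key(b"\x03", table)
    return results
```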