Re: [Ace] Fwd: New Version Notification for draft-tiloca-ace-revoked-token-notification-04.txt

Marco Tiloca <marco.tiloca@ri.se> Thu, 04 March 2021 11:11 UTC

Return-Path: <marco.tiloca@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5A7C3A0CBB for <ace@ietfa.amsl.com>; Thu, 4 Mar 2021 03:11:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ri.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b0aTRXmp_s6j for <ace@ietfa.amsl.com>; Thu, 4 Mar 2021 03:11:17 -0800 (PST)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50051.outbound.protection.outlook.com [40.107.5.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DB113A17CC for <ace@ietf.org>; Thu, 4 Mar 2021 03:11:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=R5r55keGYGexKtAWVNTLO/nRawgzTzp/Dcc+Zuf7ooWugT/x2+oIrOUSOYT3Xc5GM45481s8CnNlh3wlTpIgtu41D3GDtglbp2UgGUybp7ZxHm7OxVn4ikfhREr+JcdnIGMgpo2II2yn+p50T6HrxwafGrkuigAkTksBMQI9c3eUR6WhkDDFJifcZ5tf/AfhwrCcTPMyb1v9ixXH7JyWpIVGeuNASwKnODZReW/2p0aLn2PjoMHLfIWcP4on0rWL/glIxgNoS1yAYut48svK6thSARHtQ/oD3jOBjQIC0gv6qH223dAKG+PKk0I/0ICR+YiHLXSRO/rHL0NnmN5LVw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VPKgjBQISzX12cDhRwR2Y5z5JZKVCjxKhtqa6nJXNMU=; b=DQTjgB2ZRdnew7iQDj7BoN1kET8VotRUwvBAI7J+ZA0sZufcw7N423EfXvvNfgsNPbCRblekXwZZKG9ZRF5KPon0K+05X7ccOAsgSqqr80JEgxsWEqJNcqSiykWxnw4mw6fFdZQVs+tfgp+yxoNHt9j70aI1pWLsm3GfXhUjaON7+h54Pjm/yqhZClI7eN/K15mhpTb9g/iVpdk0YWLwzcmnmUoWtuKPnWqZPHHouvEGn2l9VcE+QOnARpZGMTPNn+T1uLY/ACWGtieCeMHF4EuyQ6QffvdfgCYLImSqWykN6HLlQjNb6yhB4koA4H635oGjGzGdajceDeQ1Y4cTgA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ri.se; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VPKgjBQISzX12cDhRwR2Y5z5JZKVCjxKhtqa6nJXNMU=; b=dpJ5jEwrFZWgAPsqF3M/CuX7XLvDrQra9SJFBuLc+RWJMDZUyO0AtdP+ggOgjWXxTSdOR4BJG6CqjyG/A8EDd8DGp4s8Qi3vj3AKhOK5cgwFyaZpPyNAEBfQuIHJDB4ePefN0R/etPe45y6IwJ8k7RoHsoQ+NFbl99bYkTiBB+4=
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ri.se;
Received: from DB8P189MB1032.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:16e::14) by DBBP189MB1212.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:1e7::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.17; Thu, 4 Mar 2021 11:11:12 +0000
Received: from DB8P189MB1032.EURP189.PROD.OUTLOOK.COM ([fe80::1df7:be0c:4934:88bf]) by DB8P189MB1032.EURP189.PROD.OUTLOOK.COM ([fe80::1df7:be0c:4934:88bf%9]) with mapi id 15.20.3912.019; Thu, 4 Mar 2021 11:11:11 +0000
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Ace Wg <ace@ietf.org>
References: <161401385754.26094.8496440307212896123@ietfa.amsl.com> <6e239432-de60-6341-1c81-17a0905b6d05@ri.se> <31457.1614809227@localhost>
From: Marco Tiloca <marco.tiloca@ri.se>
Message-ID: <c7467d2b-02df-2dc7-9018-24faf5f443f0@ri.se>
Date: Thu, 4 Mar 2021 12:11:05 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
In-Reply-To: <31457.1614809227@localhost>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="j9KEVD3ovJhaMLjSys0lKaYnUmiSEEgmF"
X-Originating-IP: [92.34.17.243]
X-ClientProxiedBy: BL1PR13CA0229.namprd13.prod.outlook.com (2603:10b6:208:2bf::24) To DB8P189MB1032.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:16e::14)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [192.168.0.68] (92.34.17.243) by BL1PR13CA0229.namprd13.prod.outlook.com (2603:10b6:208:2bf::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.10 via Frontend Transport; Thu, 4 Mar 2021 11:11:10 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: bbe9b7b9-41c9-4b87-d759-08d8defe3804
X-MS-TrafficTypeDiagnostic: DBBP189MB1212:
X-Microsoft-Antispam-PRVS: <DBBP189MB12124481E1E95D2ACEF4BF5999979@DBBP189MB1212.EURP189.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: iOgdmjw9a8gYQTh8GV0yYs2z3ALmPp+5Z32U4eznWjPSh80pgoS0w8BgOIScDxVYFarWPWqFk/N7GPql9el8QDaaEhmL0ZKvt7E0T6sw085rK7YCrqz83rtIF11pomIBSzvlLZKcIOd0qTSVOWFRf7jQPh1kO870XVkkui4+u6/1xjfCY5yfrCpEYnKLUYRTfKD8jihCazvwmZJrdxOx4Kf/HKhdDUGmgxJhsyGichfTnScPkWMpEBGogZ6cOnoZrqniZSahoHrXsTnmfT/BtLddBFWwwXwLcIadmUbYzvvetkfaqjWItWydKr1CN+fsM2s73cdT4mDU/DmD7OsQtAaV43+PaUxXe4PLs7SqbN7oqLzJfpuYySyKWbgjt9AeVuNq76Me6iGPkd3gNyunuwUnfhcMVhwyhqhvIUTB5/QurLlyyRMoeviu7RJ6+G7D+CG6qMA5Y02bL1d2KevCPt0PvmV3p7r8k4IrsVwRf096u8BanqjNRtVT0vZhD6YEuBYV2EuEd7VPazDkXforbuZlhDAfV0mN2234+mYqtlpnquQqkCMZK7eexDTaunM9RtIA2h8If9kyiaNlwEi4X+Zdeb7FSpC7uxq/qIMnV71l46aw7+NgWJo2eYiLcux+ZTG0rd0vvMHnyxWy1iV7oe/ad36Glph92tQ6b4QJgj0T5RqWo0LUZiHjont0hZM2
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB8P189MB1032.EURP189.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(366004)(956004)(966005)(186003)(2616005)(16526019)(31696002)(26005)(66476007)(15650500001)(66556008)(8676002)(31686004)(44832011)(498600001)(66946007)(83380400001)(21480400003)(36756003)(16576012)(6666004)(66574015)(52116002)(235185007)(4326008)(8936002)(6486002)(33964004)(5660300002)(86362001)(2906002)(53546011)(45980500001)(43740500002); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: =?utf-8?B?K0hadzRab2V1UVhvaHl2ZGhCTVIzbHU4RkVXUUM1dzMzS1M5MWZNTnhyR2Ux?= =?utf-8?B?OGM2Um0wNHVEL29DRUp0Rlh6SGhvS3lKcDRMTzNQNEpNTmtoS204ZmRxaisy?= =?utf-8?B?Z0JpZC9kS3VESnNTUjFFMHdtWmMzNHpRbmd4My9JdEp3ZTkyeTVpeW9Pdk9j?= =?utf-8?B?WU5TczRBdzRmcndsdy8yZXA0NlFQZGN4dGdrWElwMjdzNXdpcWtEa0tJYUdG?= =?utf-8?B?c29tME42SWxMZ2pvTVVydU5QVUU0WWY4VWdJOVhJU1pDV3VRWkh1YzR0ekU1?= =?utf-8?B?Y285YUp3VnNRT1A3L2p1RGxjRmxiT3RhRXlFT2ovU3BubWVhc0N3MmdvT0lI?= =?utf-8?B?TjdxaHdLd1o0R3V1TnlWanlzU2piUXJuR2N1ZzltQ3pKVC9Lbi9OdXBQM2JK?= =?utf-8?B?VlMvSVl4Q3kyVnlvOXRQRnUrT2JqQUFzRUN1czhpbTZmRmVXaUR5WDZXc2Fz?= =?utf-8?B?R3ZXTTN3enlqamtXRFlTUSs3V0UxMnBrb1NETStoUlA2NlJDTnFyd0N5cEgw?= =?utf-8?B?RllDMndRMVhkVVVqcDNJa1BGeHljSDdBQTNocGJ6SEpIUGlPWFpUQkVzc1dT?= =?utf-8?B?dEQyL0xaM0dvb2RUTkZERTRGajFsUWtUbkFUWldMQXB4eFpWTit0YzZ2akcw?= =?utf-8?B?UE0yNnpkWlN4d0NQNVlXc3RnQ25pWUhhRlllT2kzT2owUmNoNThTNENWQS80?= =?utf-8?B?TW9wSGhLQ3pEYm9hRHJHYlZ0UDhRbElJZ1NyRmREWXVNMFlJc1FZYWRiWVRp?= =?utf-8?B?bnFiSTFFK25CRWl6QW84azhnSWVsTDZHUEx1Y1BuV2R2VG9kSGF2SExTZDA1?= =?utf-8?B?TFF4blRiTEpxSDJQRG1yZjdWUEpwYTVFQjlVb2I0WGlJOHlpcm9yYlhPYzlZ?= =?utf-8?B?NG9rekZ1TzVRSVk3R25zeG4rSHA3SndNTWNKWEgwR1dsWkZlckVidlBWWitk?= =?utf-8?B?SWxVY1U4a3NMcU1HS2dSYTdMb1FiVVlJZmxRRmZEV0VKRk93VzlpSHFkdDdV?= =?utf-8?B?cER0ZUxJdFNNV2hFK28rTTllSW84WktuK3lLb0VQMmxLWFBLdUltOTRhWW9J?= =?utf-8?B?WUpjNU4vUXZSUHhoNWpPTHl5TzlPaDVFbkVzWmtYNWcvdnYvbHVxd0l1Vy8z?= =?utf-8?B?N0d3bXVEKzVsMGMraXZFK3Z6TWxCNWIrTWZ5aGZnbFlhQXdmMDB6ZkQzeXFr?= =?utf-8?B?LzM0SUR0R2d6b29SVnVsMHNoOUpXOXNxODI4TVhOU0s3NFl0NkxoajdjWGJ1?= =?utf-8?B?YnZLb0ZqbE9CallYVXg0RkNrN2dyYmphOVk1eStnb2FZSUw2TDFwTWE5UThQ?= =?utf-8?B?WFNPWFE0cGJRZFcwUFpramZpdnpYL0p3N0JocFR4VFp1TGNCNkpCQkdsNzhG?= =?utf-8?B?RVZZRW9yeVp5Z3VOYlJYbzJVVE1IditwMGRyYjg2Mlh2Y00wZHFzbVdvQUFr?= =?utf-8?B?bnNBT1hhMk1vYU1aZmVIVHhLU1hlT0NuTGNJV1YvZ3RhWGtUU2o5QVkyQ1ky?= =?utf-8?B?T1FwcDdCVWo5d0RReXpuL3cwSW1uV3FlVDEzWUo4SjJJdzJ4L3ZmNmlEc25y?= =?utf-8?B?SWEwWkdEQkp1ZHBhSzJMR2lRUnV6Rmp2Y0RaR3dMQ0EvKzJJeW1uK0NlVXZ4?= =?utf-8?B?QnJicnBTeDdmbGxTTVNWYlIzZXB1SHpoMUhPM09PVUtaOFRETjRSdGNlWGtX?= =?utf-8?B?bXNwY20zbnJOTWRNaUFFMXVNelJPakJKU2t1dnc3ZGswbjAvZnNLakMyZ2ti?= =?utf-8?Q?euVUnpzoa6pA9HooN5Nd/Wlx7Oc5uczdbZZAY9t?=
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: bbe9b7b9-41c9-4b87-d759-08d8defe3804
X-MS-Exchange-CrossTenant-AuthSource: DB8P189MB1032.EURP189.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Mar 2021 11:11:11.7339 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: R/te4YHl5yXii7jCGmlR6h/DcKWr3lAkodMHf9xxTRqNhORqZBmFGVJbdUisTSF3npwbnEPGOMZgUN7ECXYw4A==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBBP189MB1212
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/4eg79d-ekcI--O5zXa3irpHxqrc>
Subject: Re: [Ace] Fwd: New Version Notification for draft-tiloca-ace-revoked-token-notification-04.txt
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Mar 2021 11:11:21 -0000

Hi Michael,

Thank you for your feedback! Please, see some answers inline.

Best,
/Marco

On 2021-03-03 23:07, Michael Richardson wrote:
> Marco Tiloca <marco.tiloca@ri.se> wrote:
>      > We have recently submitted an updated version of
>      > draft-tiloca-ace-revoked-token-notification
>
>      > https://tools.ietf.org/html/draft-tiloca-ace-revoked-token-notification-04
>
> I hadn't noticed this document before.
> I will say that I'm skeptical about the use cases.
> I took a quick read through section 1.
> {If I had to make allusions to PKIX, I wonder if isn't more like an
> "OCSP"-staple than a CRL}

==>MT
In the method we propose, requests to the AS do not include a (reference 
to a) Token to validate. Instead, they ask for an indication of 
pertaining revoked Tokens, with a granularity that the requester can 
control (see the different modes in Section 5.1, Section 5.2 and 
Appendix B).

I think that a kind of similarity with the OCSP model can rather be seen 
in the optional introspection interaction, as optionally provided by the 
Authorization Server. There the requester actually provides a Token to 
be validated. Note that, while potentially applicable also for a Client, 
introspection in ACE is intended for the Resource Server.
<==

>
>> For a Client to
>>     access the Resource Server, the Client must present the issued Access
>>    Token at the Resource Server, which then validates and stores it.
> I guess the "stores it" seems surprising to me.

==>MT
This is simply referring to the main original workflow of the ACE 
framework, as background information. From Section 5.10.1.1 "Verifying 
an Access Token" [1]:

"When an RS receives an access token, it MUST verify it before storing it."


That is, a Token is stored at the RS (as well as at the Client it was 
issued to), until the Token expires or the entity owning it "somehow" 
learns it got revoked. This documents proposes a way to learn about 
that, through the TRL interaction and observe-based subscription.

[1] https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-37
<==

> I think that it might be worth clarifying that it's the RS that would be
> subscribed to the TRL on the AS.

==>MT
Right, we can more explicitly mention the registration to be a subscription.

Note that the same applies to the Client just as well, for what concerns 
its pertaining Tokens it has obtained from the Authorization Server.
<==

> I think that the Intro should discuss
> Client vs RS code, and if there is a goal to require code changes at both
> ends or not.

==>MT
Good point; the abstract and introduction already say that this method 
does not require new ACE endpoints on Client and Resource Server, which 
would certainly be a notable addition.

As to additional required code, I can only think of:

- The actual request/response interaction with the AS to retrieve 
portions of the TRL; the real delta here should be limited to including 
the query parameters of the diff-query mode in Section 5.2 and to the 
parsing of the response payload.

- The local computing of Token hashes from the stored Tokens, to be 
compared against the responses from the Authorization Server.

Note that, once aware of a Token being revoked, a Client or Resource 
Server simply  proceeds as in the case of an expired Token. That is, it 
runs already available operations to delete the Token and purge 
associated security association as well as keying material.
<==

>
> Your protocol looks (at a quick scan) is very well worked out, but I don't
> know enough about when this would be used to understand what tradeoff you have made.

==>MT
Thanks, I think tradeoffs here boil down to the requester being able to 
request information on revoked pertaining Tokens with a granularity and 
level of detail under its control.

This can be expressed especially with the query parameters of the 
diff-query mode (see Section 5.2), and with further expressiveness in 
the enhanced diff-query mode based on the Series Transfer Pattern (see 
Appendix B). The latter additionally allows the Authorization Server to 
split the information to return into different transfers.

As highlighted in the examples in Section 8, a requester can also rely 
on a mix of Observe and non-Observe interactions with the Authorization 
Server, thus having a mix of actual subscriptions (e.g. in full-query 
mode) and polling (e.g. in diff-query mode).

One additional degree of control for the requester can be the usage of  
"pmax" conditional control attribute defined in the CoRE Dynlink 
document [2].


[2] https://tools.ietf.org/html/draft-ietf-core-dynlink-13



Thanks a lot again for your comments!

Best,
/Marco
<==

>
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>             Sandelman Software Works Inc, Ottawa and Worldwide

-- 
Marco Tiloca
Ph.D., Senior Researcher

RISE Research Institutes of Sweden
Division ICT
Isafjordsgatan 22 / Kistagången 16
SE-164 40 Kista (Sweden)

Phone: +46 (0)70 60 46 501
https://www.ri.se