Re: [Ace] Fwd: New Version Notification for draft-tiloca-ace-revoked-token-notification-04.txt
Marco Tiloca <marco.tiloca@ri.se> Thu, 04 March 2021 11:11 UTC
Return-Path: <marco.tiloca@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5A7C3A0CBB for <ace@ietfa.amsl.com>; Thu, 4 Mar 2021 03:11:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ri.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b0aTRXmp_s6j for <ace@ietfa.amsl.com>; Thu, 4 Mar 2021 03:11:17 -0800 (PST)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50051.outbound.protection.outlook.com [40.107.5.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DB113A17CC for <ace@ietf.org>; Thu, 4 Mar 2021 03:11:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=R5r55keGYGexKtAWVNTLO/nRawgzTzp/Dcc+Zuf7ooWugT/x2+oIrOUSOYT3Xc5GM45481s8CnNlh3wlTpIgtu41D3GDtglbp2UgGUybp7ZxHm7OxVn4ikfhREr+JcdnIGMgpo2II2yn+p50T6HrxwafGrkuigAkTksBMQI9c3eUR6WhkDDFJifcZ5tf/AfhwrCcTPMyb1v9ixXH7JyWpIVGeuNASwKnODZReW/2p0aLn2PjoMHLfIWcP4on0rWL/glIxgNoS1yAYut48svK6thSARHtQ/oD3jOBjQIC0gv6qH223dAKG+PKk0I/0ICR+YiHLXSRO/rHL0NnmN5LVw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VPKgjBQISzX12cDhRwR2Y5z5JZKVCjxKhtqa6nJXNMU=; b=DQTjgB2ZRdnew7iQDj7BoN1kET8VotRUwvBAI7J+ZA0sZufcw7N423EfXvvNfgsNPbCRblekXwZZKG9ZRF5KPon0K+05X7ccOAsgSqqr80JEgxsWEqJNcqSiykWxnw4mw6fFdZQVs+tfgp+yxoNHt9j70aI1pWLsm3GfXhUjaON7+h54Pjm/yqhZClI7eN/K15mhpTb9g/iVpdk0YWLwzcmnmUoWtuKPnWqZPHHouvEGn2l9VcE+QOnARpZGMTPNn+T1uLY/ACWGtieCeMHF4EuyQ6QffvdfgCYLImSqWykN6HLlQjNb6yhB4koA4H635oGjGzGdajceDeQ1Y4cTgA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ri.se; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=VPKgjBQISzX12cDhRwR2Y5z5JZKVCjxKhtqa6nJXNMU=; b=dpJ5jEwrFZWgAPsqF3M/CuX7XLvDrQra9SJFBuLc+RWJMDZUyO0AtdP+ggOgjWXxTSdOR4BJG6CqjyG/A8EDd8DGp4s8Qi3vj3AKhOK5cgwFyaZpPyNAEBfQuIHJDB4ePefN0R/etPe45y6IwJ8k7RoHsoQ+NFbl99bYkTiBB+4=
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ri.se;
Received: from DB8P189MB1032.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:16e::14) by DBBP189MB1212.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:1e7::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.17; Thu, 4 Mar 2021 11:11:12 +0000
Received: from DB8P189MB1032.EURP189.PROD.OUTLOOK.COM ([fe80::1df7:be0c:4934:88bf]) by DB8P189MB1032.EURP189.PROD.OUTLOOK.COM ([fe80::1df7:be0c:4934:88bf%9]) with mapi id 15.20.3912.019; Thu, 4 Mar 2021 11:11:11 +0000
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: Ace Wg <ace@ietf.org>
References: <161401385754.26094.8496440307212896123@ietfa.amsl.com> <6e239432-de60-6341-1c81-17a0905b6d05@ri.se> <31457.1614809227@localhost>
From: Marco Tiloca <marco.tiloca@ri.se>
Message-ID: <c7467d2b-02df-2dc7-9018-24faf5f443f0@ri.se>
Date: Thu, 04 Mar 2021 12:11:05 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.1
In-Reply-To: <31457.1614809227@localhost>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="j9KEVD3ovJhaMLjSys0lKaYnUmiSEEgmF"
X-Originating-IP: [92.34.17.243]
X-ClientProxiedBy: BL1PR13CA0229.namprd13.prod.outlook.com (2603:10b6:208:2bf::24) To DB8P189MB1032.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:16e::14)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [192.168.0.68] (92.34.17.243) by BL1PR13CA0229.namprd13.prod.outlook.com (2603:10b6:208:2bf::24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3912.10 via Frontend Transport; Thu, 4 Mar 2021 11:11:10 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: bbe9b7b9-41c9-4b87-d759-08d8defe3804
X-MS-TrafficTypeDiagnostic: DBBP189MB1212:
X-Microsoft-Antispam-PRVS: <DBBP189MB12124481E1E95D2ACEF4BF5999979@DBBP189MB1212.EURP189.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: iOgdmjw9a8gYQTh8GV0yYs2z3ALmPp+5Z32U4eznWjPSh80pgoS0w8BgOIScDxVYFarWPWqFk/N7GPql9el8QDaaEhmL0ZKvt7E0T6sw085rK7YCrqz83rtIF11pomIBSzvlLZKcIOd0qTSVOWFRf7jQPh1kO870XVkkui4+u6/1xjfCY5yfrCpEYnKLUYRTfKD8jihCazvwmZJrdxOx4Kf/HKhdDUGmgxJhsyGichfTnScPkWMpEBGogZ6cOnoZrqniZSahoHrXsTnmfT/BtLddBFWwwXwLcIadmUbYzvvetkfaqjWItWydKr1CN+fsM2s73cdT4mDU/DmD7OsQtAaV43+PaUxXe4PLs7SqbN7oqLzJfpuYySyKWbgjt9AeVuNq76Me6iGPkd3gNyunuwUnfhcMVhwyhqhvIUTB5/QurLlyyRMoeviu7RJ6+G7D+CG6qMA5Y02bL1d2KevCPt0PvmV3p7r8k4IrsVwRf096u8BanqjNRtVT0vZhD6YEuBYV2EuEd7VPazDkXforbuZlhDAfV0mN2234+mYqtlpnquQqkCMZK7eexDTaunM9RtIA2h8If9kyiaNlwEi4X+Zdeb7FSpC7uxq/qIMnV71l46aw7+NgWJo2eYiLcux+ZTG0rd0vvMHnyxWy1iV7oe/ad36Glph92tQ6b4QJgj0T5RqWo0LUZiHjont0hZM2
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB8P189MB1032.EURP189.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(366004)(956004)(966005)(186003)(2616005)(16526019)(31696002)(26005)(66476007)(15650500001)(66556008)(8676002)(31686004)(44832011)(498600001)(66946007)(83380400001)(21480400003)(36756003)(16576012)(6666004)(66574015)(52116002)(235185007)(4326008)(8936002)(6486002)(33964004)(5660300002)(86362001)(2906002)(53546011)(45980500001)(43740500002); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: +HZw4ZoeuQXohyvdhBMR3lu8FEWQC5w33KS91fMNxrGe18c6Rm04uD/oCEJtFXzHhoKyJp4LO3P4JMNkhKm8fdqj+2gBid/dKuDJsSR1E0wmZc34zQngx3/ItJwe92y5iyoOvOcYNSs4Aw4frwlw/2ep46QPdcxtgkXIp27s5wiqkDkKIaGFsom0N6IlLgjoMUruNPUE4Yf8UgI9XISZCWuQZHuc4tzE5co9aJwVsQOP7/juDlcFlbOtaEyEOj/SpnmeasCw2goOIHN7qhwKwZ4GuuNyVjysSjbQrnGcug9mCzJT/Kn/NupP3bJVS/IYxCy2Vyo9tPFu+ObjAAsECus8im6fFeWiDyX6WsasGvWM3wzyjjkWDYSQ+7WE12pkoSDM+hRP66RCNqrwCypH0FYC2wQ1XdUUjp3IkPFxycH7AA3hpbzHJHPiOXZTBEssWStD2/LZ3GoodTNFDE4Fj1lQkTnATZWLApxxZVN+tc6vjG0PM26zdZSxwCP5YWstgCniYHaFYeOi3Oj0Rch58S4CVA/4MopHhKCzDboaDrGbVtP8QlIIgSrFdDYuM0YIsQYadbYTinqbI1E+nBEizAo8k8gIelL6GPLucPnWdvTodHavHLSd05LQxnTbLJqH2PDmrf7VPJpa5EB9Uob4XiI8yirorbXOc9Y4okzFuO5QIY7Gnsxn+Hp7JwMMcJXH0GWlZFerEbvPVZ+dIlUcU8ksLqMGKgRa7LoQbUYIflQFfDWEJFOwW9iHqdt7UpDteLItSMWhE+o+M9eIo8ZKn+yKoEP2lKXPKuIm94aYoIYJc5N/QvRPxh5jOLyyO9Oh5EnEsZkX5g/vv/luqwIuW/37GwmuD+5l0c+ivE+vzMlB5b+MfyhfglYaAwf00zfD3yqk/34IDtGgzooRVul0sh9JW9sq828MXNSK74Yt6Lhj7cXbubvKoFjlOBjYXUx4FCk7grbja9Y5y+goaYIL6L1pMa9Q8PXSOXQ4pbQdW0PZkjfivzX/Jw7BhpTxTZuLcB6JBBGl78FEVYEoryZyguNbRXo2UTMHv+p0drb862XvcM0dqsmWoAAknsAOXa2MoaMZfeHTxKSXeOCnLcIWV/gtaXkTSj9AY2CY2OQpp7BUj9wDQyzn/w0ImnWqeT13YJ8J2Iw2x/vf6iDsnrIa0ZGDBJudpaK2LGiQRuzFjvcDZGwLCA/+2Iymn+CeUvxBrbrpSx7fllSMSVbR3epuHzh1HO3OOUKZ8TDN4RtceXkWmspcm3nrNMdMiAE1uMzROjBJSkuvw7dk0n0/fsKjC2gkbeuVUnpzoa6pA9HooN5Nd/Wlx7Oc5uczdbZZAY9t
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: bbe9b7b9-41c9-4b87-d759-08d8defe3804
X-MS-Exchange-CrossTenant-AuthSource: DB8P189MB1032.EURP189.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 04 Mar 2021 11:11:11.7339 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: R/te4YHl5yXii7jCGmlR6h/DcKWr3lAkodMHf9xxTRqNhORqZBmFGVJbdUisTSF3npwbnEPGOMZgUN7ECXYw4A==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBBP189MB1212
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/4eg79d-ekcI--O5zXa3irpHxqrc>
Subject: Re: [Ace] Fwd: New Version Notification for draft-tiloca-ace-revoked-token-notification-04.txt
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Mar 2021 11:11:21 -0000
Hi Michael, Thank you for your feedback! Please, see some answers inline. Best, /Marco On 2021-03-03 23:07, Michael Richardson wrote: > Marco Tiloca <marco.tiloca@ri.se> wrote: > > We have recently submitted an updated version of > > draft-tiloca-ace-revoked-token-notification > > > https://tools.ietf.org/html/draft-tiloca-ace-revoked-token-notification-04 > > I hadn't noticed this document before. > I will say that I'm skeptical about the use cases. > I took a quick read through section 1. > {If I had to make allusions to PKIX, I wonder if isn't more like an > "OCSP"-staple than a CRL} ==>MT In the method we propose, requests to the AS do not include a (reference to a) Token to validate. Instead, they ask for an indication of pertaining revoked Tokens, with a granularity that the requester can control (see the different modes in Section 5.1, Section 5.2 and Appendix B). I think that a kind of similarity with the OCSP model can rather be seen in the optional introspection interaction, as optionally provided by the Authorization Server. There the requester actually provides a Token to be validated. Note that, while potentially applicable also for a Client, introspection in ACE is intended for the Resource Server. <== > >> For a Client to >> access the Resource Server, the Client must present the issued Access >> Token at the Resource Server, which then validates and stores it. > I guess the "stores it" seems surprising to me. ==>MT This is simply referring to the main original workflow of the ACE framework, as background information. From Section 5.10.1.1 "Verifying an Access Token" [1]: "When an RS receives an access token, it MUST verify it before storing it." That is, a Token is stored at the RS (as well as at the Client it was issued to), until the Token expires or the entity owning it "somehow" learns it got revoked. This documents proposes a way to learn about that, through the TRL interaction and observe-based subscription. [1] https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-37 <== > I think that it might be worth clarifying that it's the RS that would be > subscribed to the TRL on the AS. ==>MT Right, we can more explicitly mention the registration to be a subscription. Note that the same applies to the Client just as well, for what concerns its pertaining Tokens it has obtained from the Authorization Server. <== > I think that the Intro should discuss > Client vs RS code, and if there is a goal to require code changes at both > ends or not. ==>MT Good point; the abstract and introduction already say that this method does not require new ACE endpoints on Client and Resource Server, which would certainly be a notable addition. As to additional required code, I can only think of: - The actual request/response interaction with the AS to retrieve portions of the TRL; the real delta here should be limited to including the query parameters of the diff-query mode in Section 5.2 and to the parsing of the response payload. - The local computing of Token hashes from the stored Tokens, to be compared against the responses from the Authorization Server. Note that, once aware of a Token being revoked, a Client or Resource Server simply proceeds as in the case of an expired Token. That is, it runs already available operations to delete the Token and purge associated security association as well as keying material. <== > > Your protocol looks (at a quick scan) is very well worked out, but I don't > know enough about when this would be used to understand what tradeoff you have made. ==>MT Thanks, I think tradeoffs here boil down to the requester being able to request information on revoked pertaining Tokens with a granularity and level of detail under its control. This can be expressed especially with the query parameters of the diff-query mode (see Section 5.2), and with further expressiveness in the enhanced diff-query mode based on the Series Transfer Pattern (see Appendix B). The latter additionally allows the Authorization Server to split the information to return into different transfers. As highlighted in the examples in Section 8, a requester can also rely on a mix of Observe and non-Observe interactions with the Authorization Server, thus having a mix of actual subscriptions (e.g. in full-query mode) and polling (e.g. in diff-query mode). One additional degree of control for the requester can be the usage of "pmax" conditional control attribute defined in the CoRE Dynlink document [2]. [2] https://tools.ietf.org/html/draft-ietf-core-dynlink-13 Thanks a lot again for your comments! Best, /Marco <== > > > -- > Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) > Sandelman Software Works Inc, Ottawa and Worldwide -- Marco Tiloca Ph.D., Senior Researcher RISE Research Institutes of Sweden Division ICT Isafjordsgatan 22 / Kistagången 16 SE-164 40 Kista (Sweden) Phone: +46 (0)70 60 46 501 https://www.ri.se
- [Ace] Fwd: New Version Notification for draft-til… Marco Tiloca
- Re: [Ace] Fwd: New Version Notification for draft… Michael Richardson
- Re: [Ace] Fwd: New Version Notification for draft… Marco Tiloca