Re: [Ace] Review of draft-ietf-ace-oauth-params-00

Ludwig Seitz <ludwig.seitz@ri.se> Wed, 24 October 2018 07:39 UTC

Return-Path: <ludwig.seitz@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8D3112F1A2 for <ace@ietfa.amsl.com>; Wed, 24 Oct 2018 00:39:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7bsPuagrgK9i for <ace@ietfa.amsl.com>; Wed, 24 Oct 2018 00:39:40 -0700 (PDT)
Received: from smtp-out10.electric.net (smtp-out10.electric.net [185.38.180.39]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BB581293FB for <ace@ietf.org>; Wed, 24 Oct 2018 00:39:40 -0700 (PDT)
Received: from 1gFDlS-000XxL-VD by out10c.electric.net with emc1-ok (Exim 4.90_1) (envelope-from <ludwig.seitz@ri.se>) id 1gFDlS-000XyP-Vu for ace@ietf.org; Wed, 24 Oct 2018 00:39:38 -0700
Received: by emcmailer; Wed, 24 Oct 2018 00:39:38 -0700
Received: from [194.218.146.197] (helo=sp-mail-2.sp.se) by out10c.electric.net with esmtps (TLSv1.2:ECDHE-RSA-AES128-SHA256:128) (Exim 4.90_1) (envelope-from <ludwig.seitz@ri.se>) id 1gFDlS-000XxL-VD for ace@ietf.org; Wed, 24 Oct 2018 00:39:38 -0700
Received: from [192.168.0.166] (10.116.0.226) by sp-mail-2.sp.se (10.100.0.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1531.3; Wed, 24 Oct 2018 09:39:38 +0200
To: ace@ietf.org
References: <VI1PR0801MB2112DD9ECD09B98C5060D868FAF50@VI1PR0801MB2112.eurprd08.prod.outlook.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <e6c23080-03c8-5cf5-4e3a-80f3d2f62ef4@ri.se>
Date: Wed, 24 Oct 2018 09:39:38 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <VI1PR0801MB2112DD9ECD09B98C5060D868FAF50@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [10.116.0.226]
X-ClientProxiedBy: sp-mail-3.sp.se (10.100.0.163) To sp-mail-2.sp.se (10.100.0.162)
X-Outbound-IP: 194.218.146.197
X-Env-From: ludwig.seitz@ri.se
X-Proto: esmtps
X-Revdns:
X-HELO: sp-mail-2.sp.se
X-TLS: TLSv1.2:ECDHE-RSA-AES128-SHA256:128
X-Authenticated_ID:
X-Virus-Status: Scanned by VirusSMART (c)
X-Virus-Status: Scanned by VirusSMART (s)
X-PolicySMART: 14510320
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/6eXpqebCH2KmMErFUer_X5TWsM0>
Subject: Re: [Ace] Review of draft-ietf-ace-oauth-params-00
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 07:39:43 -0000

On 23/10/2018 21:09, Hannes Tschofenig wrote:
> Hi all,
> 
> I read through draft-ietf-ace-oauth-params-00 and have a few comments.
> 
> 1) I believe the document should explain in more detail about how it 
> fits into the rest of the OAuth PoP token work.
> 

Ok I can update the introduction.

> The story essentially is that we have the HTTP-based transport in the 
> OAuth WG and we have the CoAP-based transport
> 
> in ACE. draft-ietf-ace-oauth-params-00 is about registering the 
> necessary parameters for use with CoAP only.
> 
> Neither the abstract nor the intro says this.
> 

Actually at the moment it is about registering necessary parameters for 
both HTTP and CoAP and whatever other transport you can want, since when 
I wrote it draft-ietf-oauth-pop-key-distribution was dormant.


> 2) 'req_aud' parameter
> 
> At the last IETF OAuth meeting in Montreal we agreed to adopt a new 
> document, called resource indicators, and it can be found here:
> 
> https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-01
> 

I'll have a look at that draft. How close is it to WGLC?

> 
> 3) 'req_cnf' parameter
> 
> Changing the name of the parameter name from the previous 'cnf' is good 
> and that was also requested at the last IETF due to the potential 
> confusion with the 'cnf' claim name. However, I believe the semantics is 
> different to the semantics defined in 
> draft-ietf-oauth-pop-key-distribution. Unless I misunderstand but the 
> relevant text regarding the req_cnf parameter content is this:
> 
>     o  "req_cnf" in the token request C -> AS, OPTIONAL to indicate the
> 
>        client's raw public key, or the key-identifier of a previously
> 
>        established key between C and RS that the client wishes to use for
> 
>        proof-of-possession of the access token.
> 
> For example, in draft-ietf-oauth-pop-key-distribution there is no key 
> identifier passed from the client to the server when making the request 
> for a PoP token. Instead, the server just mints one (along with the 
> symmetric key) and sends it to the client.
> 

Weird, because in the RFC7800 there is a cnf claim with just a key-id. I 
thought that you would want to be able to do something similar when 
requesting a specific, previously known key.

> PS: Why was a standalone document written instead of leaving the 
> parameters in the ACE-OAuth framework spec? I guess there are reasons 
> (which I may have missed).

The idea was that OAuth could obsolete that document when they sort the 
pop stuff out, without obsoleting the ACE framework. Thus a different 
standalone document.

/Ludwig


-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51