Re: [Ace] PoP Key Distribution

Mike Jones <Michael.Jones@microsoft.com> Tue, 03 July 2018 20:13 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: PoP Key Distribution
Thread-Index: AdQTBj47ZlOcOW2pSHSpIBiWadk6FgAAD6QAAADejbA=
Date: Tue, 03 Jul 2018 20:13:06 +0000
Message-ID: <DM5PR00MB0293974A86883904605A2875F5420@DM5PR00MB0293.namprd00.prod.outlook.com>
References: <VI1PR0801MB21129BCC73AB78D6B06B1044FA420@VI1PR0801MB2112.eurprd08.prod.outlook.com>
In-Reply-To: <VI1PR0801MB21129BCC73AB78D6B06B1044FA420@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/d0cOeBC5uORhPZ1PJonhIv1yiNM>
Subject: Re: [Ace] PoP Key Distribution
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>

I've replied on the OAuth mailing list.  You can join it at https://www.ietf.org/mailman/listinfo/oauth to participate in the discussion.

From: Ace <ace-bounces@ietf.org> On Behalf Of Hannes Tschofenig
Sent: Tuesday, July 3, 2018 12:47 PM
To: ace@ietf.org
Subject: [Ace] FW: PoP Key Distribution

Note that I posted a mail to the OAuth list about the PoP key distribution, which also relates to the work on ACE-OAuth.
If you are interested in this topic please feel free to join the discussion on the OAuth mailing list.

From: Hannes Tschofenig
Sent: 03 July 2018 21:46
To: oauth@ietf.org
Subject: PoP Key Distribution

Hi all,

we have been working on an update for the draft-ietf-oauth-pop-key-distribution document in time for the deadline but we noticed several issues that are worthwhile to bring to your attention.

draft-ietf-oauth-pop-key-distribution defines a mechanism that allows the client to talk to the AS to request a PoP access token and associated keying material.

There are two other groups in the IETF where this concept is used.

  *   The first is the group working on RTCWEB. Misi (Mészáros Mihály) has been helping us to understand their needs. They have defined their own token format, which was posted to the OAuth group a while ago for review.
  *   The other group is ACE, with their work on an OAuth-based profile for IoT.

Where should the parameters needed for PoP key distribution be defined? Currently, they are defined in two places -- in https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-13 and also in https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-03. In particular, the audience and the token_type parameters are defined in both specs.

IMHO it appears that OAuth would be the best place to define the HTTP-based parameters. ACE could define the IoT-based protocols, such as CoAP, MQTT, and the like. Of course, this is subject to discussion, particularly if there is no interest in doing so in the OAuth working group.

There is also a misalignment in terms of the content. draft-ietf-oauth-pop-key-distribution defines an 'alg' parameter, which does not exist in the draft-ietf-ace-oauth-authz document. The draft-ietf-ace-oauth-authz document does, however, have a profile parameter, which does not exist in draft-ietf-oauth-pop-key-distribution. Some alignment is therefore needed. In the meanwhile, the work on OAuth meta has been finalized and could potentially be re-used.

When the work on draft-ietf-oauth-pop-key-distribution was initially started there was only a single, standardized token format, namely the JWT. Hence, it appeared reasonable to use the JWT keying structure for delivering keying material from the AS to the client.

In the meanwhile, two other formats have been standardized, namely RFC 7635 and the CWT. For use with those specs it appears less ideal to transport keys from the AS to the client using the JSON/JOSE-based format. It would be more appropriate to use whatever PoP token format is in use instead. Currently, this hasn't been considered yet.

Ciao
Hannes