Re: [Ace] Review of draft-ietf-ace-oauth-params-00
Ludwig Seitz <ludwig.seitz@ri.se> Wed, 24 October 2018 08:00 UTC
Return-Path: <ludwig.seitz@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71802130DC0 for <ace@ietfa.amsl.com>; Wed, 24 Oct 2018 01:00:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id faMNt3b7wPy8 for <ace@ietfa.amsl.com>; Wed, 24 Oct 2018 01:00:32 -0700 (PDT)
Received: from smtp-out10.electric.net (smtp-out10.electric.net [185.38.180.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C17ED1293FB for <ace@ietf.org>; Wed, 24 Oct 2018 01:00:32 -0700 (PDT)
Received: from 1gFE5d-000JWx-Vx by out10c.electric.net with emc1-ok (Exim 4.90_1) (envelope-from <ludwig.seitz@ri.se>) id 1gFE5e-000Ja4-TY for ace@ietf.org; Wed, 24 Oct 2018 01:00:30 -0700
Received: by emcmailer; Wed, 24 Oct 2018 01:00:30 -0700
Received: from [194.218.146.197] (helo=sp-mail-2.sp.se) by out10c.electric.net with esmtps (TLSv1.2:ECDHE-RSA-AES128-SHA256:128) (Exim 4.90_1) (envelope-from <ludwig.seitz@ri.se>) id 1gFE5d-000JWx-Vx for ace@ietf.org; Wed, 24 Oct 2018 01:00:29 -0700
Received: from [192.168.0.166] (10.116.0.226) by sp-mail-2.sp.se (10.100.0.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1531.3; Wed, 24 Oct 2018 10:00:29 +0200
To: ace@ietf.org
References: <VI1PR0801MB2112DD9ECD09B98C5060D868FAF50@VI1PR0801MB2112.eurprd08.prod.outlook.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <c55b3179-ad19-0dbf-c183-3723ff2dade6@ri.se>
Date: Wed, 24 Oct 2018 10:00:29 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <VI1PR0801MB2112DD9ECD09B98C5060D868FAF50@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [10.116.0.226]
X-ClientProxiedBy: sp-mail-3.sp.se (10.100.0.163) To sp-mail-2.sp.se (10.100.0.162)
X-Outbound-IP: 194.218.146.197
X-Env-From: ludwig.seitz@ri.se
X-Proto: esmtps
X-Revdns:
X-HELO: sp-mail-2.sp.se
X-TLS: TLSv1.2:ECDHE-RSA-AES128-SHA256:128
X-Authenticated_ID:
X-PolicySMART: 14510320
X-Virus-Status: Scanned by VirusSMART (c)
X-Virus-Status: Scanned by VirusSMART (s)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/7euTVBJkLEgK27FlrYGKh9va62Y>
Subject: Re: [Ace] Review of draft-ietf-ace-oauth-params-00
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 08:00:35 -0000
On 23/10/2018 21:09, Hannes Tschofenig wrote: > 2) 'req_aud' parameter > > At the last IETF OAuth meeting in Montreal we agreed to adopt a new > document, called resource indicators, and it can be found here: > > https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-01 > > I believe the parameter name and semantics defined in > draft-ietf-oauth-resource-indicators-01 should match what is defined in > draft-ietf-ace-oauth-params-00. > > The name of the parameter in draft-ietf-oauth-resource-indicators-01 is > 'resource' and it is defined as > > resource > > Indicates the location of the target service or resource where > > access is being requested. Its value MUST be an absolute URI, as > > specified by Section 4.3 of [RFC3986], which MAY include a query > > component but MUST NOT include a fragment component. Multiple > > "resource" parameters MAY be used to indicate that the requested > > token is intended to be used at multiple resources. > > Looking closer at this draft: The resource parameter seems to be much more limited than the audience claim, since a URI is required. As Steffi recently remarked in her review of draft-ietf-oauth-authz, URIs are not a good way to identify resources in constrained environments, since the address of a device can change. Furthermore there seems also to be an overlap with the 'scope' parameter, since the 'resource' parameter can be used to indicate specific resources and not only the target RS. What if we want to identify the audience by its public key instead of an URI? What if a client wants to request a token for a group of RS identified by a specific audience value (e.g. "thermostats-building-1")? /Ludwig -- Ludwig Seitz, PhD Security Lab, RISE Phone +46(0)70-349 92 51
- [Ace] Review of draft-ietf-ace-oauth-params-00 Hannes Tschofenig
- Re: [Ace] Review of draft-ietf-ace-oauth-params-00 Ludwig Seitz
- Re: [Ace] Review of draft-ietf-ace-oauth-params-00 Ludwig Seitz
- Re: [Ace] Review of draft-ietf-ace-oauth-params-00 Jim Schaad