Re: [Ace] Review of draft-ietf-ace-oauth-params-00

Ludwig Seitz <ludwig.seitz@ri.se> Wed, 24 October 2018 08:00 UTC

Return-Path: <ludwig.seitz@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71802130DC0 for <ace@ietfa.amsl.com>; Wed, 24 Oct 2018 01:00:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id faMNt3b7wPy8 for <ace@ietfa.amsl.com>; Wed, 24 Oct 2018 01:00:32 -0700 (PDT)
Received: from smtp-out10.electric.net (smtp-out10.electric.net [185.38.180.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C17ED1293FB for <ace@ietf.org>; Wed, 24 Oct 2018 01:00:32 -0700 (PDT)
Received: from 1gFE5d-000JWx-Vx by out10c.electric.net with emc1-ok (Exim 4.90_1) (envelope-from <ludwig.seitz@ri.se>) id 1gFE5e-000Ja4-TY for ace@ietf.org; Wed, 24 Oct 2018 01:00:30 -0700
Received: by emcmailer; Wed, 24 Oct 2018 01:00:30 -0700
Received: from [194.218.146.197] (helo=sp-mail-2.sp.se) by out10c.electric.net with esmtps (TLSv1.2:ECDHE-RSA-AES128-SHA256:128) (Exim 4.90_1) (envelope-from <ludwig.seitz@ri.se>) id 1gFE5d-000JWx-Vx for ace@ietf.org; Wed, 24 Oct 2018 01:00:29 -0700
Received: from [192.168.0.166] (10.116.0.226) by sp-mail-2.sp.se (10.100.0.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1531.3; Wed, 24 Oct 2018 10:00:29 +0200
To: <ace@ietf.org>
References: <VI1PR0801MB2112DD9ECD09B98C5060D868FAF50@VI1PR0801MB2112.eurprd08.prod.outlook.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <c55b3179-ad19-0dbf-c183-3723ff2dade6@ri.se>
Date: Wed, 24 Oct 2018 10:00:29 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <VI1PR0801MB2112DD9ECD09B98C5060D868FAF50@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Content-Type: text/plain; charset="windows-1252"; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [10.116.0.226]
X-ClientProxiedBy: sp-mail-3.sp.se (10.100.0.163) To sp-mail-2.sp.se (10.100.0.162)
X-Outbound-IP: 194.218.146.197
X-Env-From: ludwig.seitz@ri.se
X-Proto: esmtps
X-Revdns:
X-HELO: sp-mail-2.sp.se
X-TLS: TLSv1.2:ECDHE-RSA-AES128-SHA256:128
X-Authenticated_ID:
X-PolicySMART: 14510320
X-Virus-Status: Scanned by VirusSMART (c)
X-Virus-Status: Scanned by VirusSMART (s)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/7euTVBJkLEgK27FlrYGKh9va62Y>
Subject: Re: [Ace] Review of draft-ietf-ace-oauth-params-00
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 08:00:35 -0000

On 23/10/2018 21:09, Hannes Tschofenig wrote:

> 2) 'req_aud' parameter
> 
> At the last IETF OAuth meeting in Montreal we agreed to adopt a new 
> document, called resource indicators, and it can be found here:
> 
> https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-01
> 
> I believe the parameter name and semantics defined in 
> draft-ietf-oauth-resource-indicators-01 should match what is defined in 
> draft-ietf-ace-oauth-params-00.
> 
> The name of the parameter in draft-ietf-oauth-resource-indicators-01 is 
> 'resource' and it is defined as
> 
>     resource
> 
>        Indicates the location of the target service or resource where
> 
>        access is being requested.  Its value MUST be an absolute URI, as
> 
>        specified by Section 4.3 of [RFC3986], which MAY include a query
> 
>        component but MUST NOT include a fragment component.  Multiple
> 
>        "resource" parameters MAY be used to indicate that the requested
> 
>        token is intended to be used at multiple resources.
> 
>


Looking closer at this draft:

The resource parameter seems to be much more limited than the audience 
claim, since a URI is required. As Steffi recently remarked in her 
review of draft-ietf-oauth-authz, URIs are not a good way to identify 
resources in constrained environments, since the address of a device can 
change.

Furthermore there seems also to be an overlap with the 'scope' 
parameter, since the 'resource' parameter can be used to indicate 
specific resources and not only the target RS.

What if we want to identify the audience by its public key instead of an 
URI?

What if a client wants to request a token for a group of RS identified 
by a specific audience value (e.g. "thermostats-building-1")?


/Ludwig


-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51