Re: [Ace] Key IDs ... RE: WGLC on draft-ietf-ace-cwt-proof-of-possession-02

Jim Schaad <ietf@augustcellars.com> Sat, 23 June 2018 16:03 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1188130E8B; Sat, 23 Jun 2018 09:03:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9N4n6NCyijKG; Sat, 23 Jun 2018 09:03:52 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B68A9130E88; Sat, 23 Jun 2018 09:03:51 -0700 (PDT)
Received: from Jude (151.127.12.101) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Sat, 23 Jun 2018 09:00:42 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Benjamin Kaduk' <kaduk@mit.edu>, 'Hannes Tschofenig' <Hannes.Tschofenig@arm.com>
CC: 'Mike Jones' <Michael.Jones@microsoft.com>, <draft-ietf-ace-cwt-proof-of-possession@ietf.org>, <ace@ietf.org>
References: <VI1PR0801MB2112C4D6D3CED7C15D9AE886FA750@VI1PR0801MB2112.eurprd08.prod.outlook.com> <20180622204344.GP64617@kduck.kaduk.org>
In-Reply-To: <20180622204344.GP64617@kduck.kaduk.org>
Date: Sat, 23 Jun 2018 18:03:40 +0200
Message-ID: <023601d40b0b$c2df58f0$489e0ad0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJmkbQj82tMYvZUbCUZIMhlVFE4oQHH3wOzozq01UA=
Content-Language: en-us
X-Originating-IP: [151.127.12.101]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/8Wm_I0kmzQfhLs9D0DBUNdLDjmA>
Subject: Re: [Ace] Key IDs ... RE: WGLC on draft-ietf-ace-cwt-proof-of-possession-02
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jun 2018 16:03:55 -0000


> -----Original Message-----
> From: Benjamin Kaduk <kaduk@mit.edu>;
> Sent: Friday, June 22, 2018 10:44 PM
> To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>;
> Cc: Jim Schaad <ietf@augustcellars.com>;; 'Mike Jones'
> <Michael.Jones@microsoft.com>;; draft-ietf-ace-cwt-proof-of-
> possession@ietf.org; ace@ietf.org
> Subject: Re: [Ace] Key IDs ... RE: WGLC on draft-ietf-ace-cwt-proof-of-
> possession-02
> 
> On Fri, Jun 22, 2018 at 01:36:16PM +0000, Hannes Tschofenig wrote:
> > Hi Jim,
> >
> >
> > > My problem is that if there are two different people with the same
> > > Key ID,
> > either intentionally or unintentionally, then using the key ID to
> > identify the key may allow the other person to masquerade as the first
> > person.  I am unworried about the instance of a failure to get a key
based
> on a key id.
> > That is not the problem you are proposing to address.
> >
> > -----
> >
> > I think we should document this issue. Here is some text proposal that
> > could go into a separate operational consideration section (or into the
> security consideration section instead).
> >
> > "
> > - Operational Considerations
> >
> > The use of CWTs with proof-of-possession keys requires additional
> > information to be shared between the involved parties in order to
> > ensure correct processing. The recipient needs to be able to use
> > credentials to verify the authenticity, integrity and potentially the
> confidentiality of the CWT and its content. This requires the recipient to
> know information about the issuer.
> > Like-wise there needs to be an upfront agreement between the issuer
> > and the recipient about the claims that need to be present and what
> degree of trust can be put into those.
> >
> > When an issuer creates a CWT containing a key id claim, it needs to
> > make sure that it does not issue another CWT containing the same key
> > id with a different content, or for a different subject, within the
> > lifetime of the CWTs, unless intentionally desired. Failure to do so may
> allow one party to impersonate another party with the potential to gain
> additional privileges.
> > "
> 
> When would this be "intentionally desired"?  It seems like there would be
> better ways to share authorization between parties than to issue such
> duplicate CWTs.

One case where this is desired is if you issue a second CWT with additional
permissions for a client and you want to tie it to the same key.  You could
either duplicate the key or just reference it by ID.

Jim

> 
> -Ben