Re: [Ace] Key IDs ... RE: WGLC on draft-ietf-ace-cwt-proof-of-possession-02

[Jim Schaad <ietf@augustcellars.com>]

That language works if you assume that there is only one CWT that an RS will
look to.  If there are multiple CWTs then one needs coordination language
between them.

> -----Original Message-----
> From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
> Sent: Friday, June 22, 2018 6:36 AM
> To: Jim Schaad <ietf@augustcellars.com>; 'Mike Jones'
> <Michael.Jones@microsoft.com>; draft-ietf-ace-cwt-proof-of-
> possession@ietf.org
> Cc: ace@ietf.org
> Subject: Key IDs ... RE: [Ace] WGLC on draft-ietf-ace-cwt-proof-of-
> possession-02
> 
> Hi Jim,
> 
> I would like to comment on this issue.
> 
> -----
> > > 14.  I have real problems w/ the use of a KID for POP
> > > identification.  It
> may
> > identify the wrong key or, if used for granting access, may have
> > problems
> w/
> > identity collisions.  These need to be spelt out someplace to help
> > people tracking down questions of why can't I verify w/ this CWT, I
> > know it's
> right.
> >
> > The Key ID is a hint to help identify which PoP key to use.  Yes, if a
> > Key
> ID is
> > sent that doesn't correspond to the right PoP key, failures may occur.
> > I
> view
> > that as usage bug - not a protocol problem.  If keys aren't
> > consistently
> known
> > and identified by both parties, there are lots of things that can go
> wrong, and
> > this is only one such instance.  That said, I can try to say something
> about the
> > need for keys to be consistently and known by both parties, if you
> > think
> that
> > would help.
> 
> > My problem is that if there are two different people with the same Key
> > ID,
> either intentionally or unintentionally, then using the key ID to identify
the
> key may allow the other person to masquerade as the first person.  I am
> unworried about the instance of a failure to get a key based on a key id.
> That is not the problem you are proposing to address.
> 
> -----
> 
> I think we should document this issue. Here is some text proposal that
could
> go into a separate operational consideration section (or into the security
> consideration section instead).
> 
> "
> - Operational Considerations
> 
> The use of CWTs with proof-of-possession keys requires additional
> information to be shared between the involved parties in order to ensure
> correct processing. The recipient needs to be able to use credentials to
verify
> the authenticity, integrity and potentially the confidentiality of the CWT
and
> its content. This requires the recipient to know information about the
issuer.
> Like-wise there needs to be an upfront agreement between the issuer and
> the recipient about the claims that need to be present and what degree of
> trust can be put into those.
> 
> When an issuer creates a CWT containing a key id claim, it needs to make
> sure that it does not issue another CWT containing the same key id with a
> different content, or for a different subject, within the lifetime of the
CWTs,
> unless intentionally desired. Failure to do so may allow one party to
> impersonate another party with the potential to gain additional
privileges.
> "
> 
> 
> Ciao
> Hannes
> 
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
recipient,
> please notify the sender immediately and do not disclose the contents to
any
> other person, use it for any purpose, or store or copy the information in
any
> medium. Thank you.