Re: [Ace] Token (In)Security

Ludwig Seitz <ludwig.seitz@ri.se> Tue, 18 December 2018 08:21 UTC

To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Stefanie Gerdes <gerdes@tzi.de>, Jim Schaad <ietf@augustcellars.com>, "ace@ietf.org" <ace@ietf.org>
References: <154322421294.8323.8505315870685563404.idtracker@ietfa.amsl.com> <cbd083d1-cb95-0732-aa8b-7c7de3f480d1@ri.se> <a0cdd836-7fe3-339e-0c48-961503857447@tzi.de> <03b601d49191$7d1bb400$77531c00$@augustcellars.com> <945fbebe-659f-ac72-3ab6-8e05447e7c92@ri.se> <1c5b81f3-50ce-be68-bec3-68ce2ff15b43@tzi.de> <4ae4eccd-68bf-18ef-f909-142f8172eca1@ri.se> <b0d3ff24-5842-62ca-3d16-1dd7b4875c66@tzi.de> <VI1PR0801MB2112CE85678921B892FA7C09FAA10@VI1PR0801MB2112.eurprd08.prod.outlook.com> <VI1PR0801MB21129CED50E760A28AD9A38AFAA20@VI1PR0801MB2112.eurprd08.prod.outlook.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <5fdf1a4f-4e82-657a-d384-ba34d1a26b7a@ri.se>
Date: Tue, 18 Dec 2018 09:21:19 +0100
In-Reply-To: <VI1PR0801MB21129CED50E760A28AD9A38AFAA20@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/A1e1LwCAVmNA43wfHvsSdsSaU24>

On 15/12/2018 15:58, Hannes Tschofenig wrote:
> Hi Steffi
> 
> I checked the text and the text is indeed confusing.
> 
> I have made an attempt to update it to address your comment. Here is the pull request:
> https://github.com/ace-wg/ace-oauth/pull/168
> 
> Let me know if you think I captured everything properly.
> 
> Ciao
> Hannes
> 

I agree that your text improves the "verification" section.

I'm holding off on merging in order to wait for Steffi's confirmation that it addresses her comments.

/Ludwig


-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51