Re: [Ace] Shepard review for draft-ietf-ace-oauth-authz
Ludwig Seitz <ludwig.seitz@ri.se> Thu, 31 January 2019 09:41 UTC
To: draft-ietf-ace-oauth-authz@ietf.org, ace@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/GeB6NQbiJpscitlImg_UcJ7Vxj8>
Hello,

we have an unresolved review comment by Steffi that got lost in the holiday season:

https://mailarchive.ietf.org/arch/msg/ace/CBTkVUBzYrfC55zH3_UJDngiy9U
https://mailarchive.ietf.org/arch/msg/ace/NrQWetugoy0TWp9eg3lwtSictc8

The issue is the following (my words):

The AS provides the client with key material used by the RS. This can either be a common symmetric pop-key, or an asymmetric key used by the RS to authenticate towards the client. Since there is (currently) no metadata associated to those keys, the client has no way of knowing if these keys are still valid. This may lead to situations where the client sends requests containing sensitive information to the RS using a key that is expired and possibly in the hands of an attacker, or accepts responses from the RS that are not properly protected and could possibly have been forged by an attacker.

The options to resolve this that I currently see are these:

1. If the client has no additional data it MUST assume that the key is valid as long as the access token together with which it received that key. Since the access token is opaque to the client, the client MUST now determine how long the token is valid:

Option 1.1 The client is provisioned in advance with a default validity time for tokens issued by the AS. This could be done when the client is registered at the AS.

Option 1.2 The AS informs the client using the "expires_in" parameter in the Access Information. This means that we need to implement a check whether the client knows a default validity, and if that is not the case reject an access token that does not come together with an "expires_in" parameter.

2. We can define a new parameter that informs the client specifically about the validity of the keys the RS uses, if that differs from the validity of the token. Note that this is a realistic use case, since the RS might use an asymmetric key for authentication that is valid for a significantly longer period than some access token.

I would need some feedback from the group to proceed here.

/Ludwig

--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
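The client-side check the options above describe, as an added example that is not part of the message or of any ACE implementation: it binds a lifetime to the keys received in the Access Information, taking "expires_in" (option 1.2), else a provisioned default (option 1.1), else rejecting the token, and optionally an explicit RS-key lifetime (option 2) under the assumed parameter name "rs_key_expires_in", which the draft does not define. The "cnf"/"rs_cnf" structures and the sample values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical name for the option-2 parameter; the draft does not define it.
RS_KEY_LIFETIME_PARAM = "rs_key_expires_in"


@dataclass
class KeyMaterial:
    """A key the client got with an access token, plus when it stops trusting it."""
    cnf: dict          # the 'cnf'/'rs_cnf' structure as received (COSE_Key, kid, ...)
    not_after: float   # epoch seconds; the key must not be used at or after this


def keys_from_access_info(access_info: dict, received_at: float,
                          default_lifetime: Optional[int] = None) -> Dict[str, KeyMaterial]:
    """Bind a lifetime to the PoP key ('cnf') and the RS key ('rs_cnf').

    Option 1: a key lives as long as the token it came with. The token
    lifetime is 'expires_in' from the Access Information (option 1.2),
    else the provisioned default (option 1.1); with neither, the token
    is rejected because the client cannot bound the key's validity.
    Option 2: an explicit RS-key lifetime, which may exceed the token's.
    """
    lifetime = access_info.get("expires_in", default_lifetime)
    if lifetime is None:
        raise ValueError("no expires_in and no provisioned default: reject token")
    token_exp = received_at + lifetime
    keys: Dict[str, KeyMaterial] = {}
    if "cnf" in access_info:
        keys["cnf"] = KeyMaterial(access_info["cnf"], token_exp)
    if "rs_cnf" in access_info:
        rs_lifetime = access_info.get(RS_KEY_LIFETIME_PARAM, lifetime)
        keys["rs_cnf"] = KeyMaterial(access_info["rs_cnf"], received_at + rs_lifetime)
    return keys


def key_usable(key: KeyMaterial, now: float) -> bool:
    """Check before protecting a request with, or accepting a response under, this key."""
    return now < key.not_after


# Constructed sample Access Information (no real key material).
SAMPLE = {"access_token": "opaque-token", "expires_in": 3600,
          "cnf": {"kid": "pop-key-1"}, "rs_cnf": {"kid": "rs-key-1"},
          RS_KEY_LIFETIME_PARAM: 86400}

if __name__ == "__main__":
    keys = keys_from_access_info(SAMPLE, received_at=1_000_000.0)
    print(key_usable(keys["cnf"], 1_003_700.0), key_usable(keys["rs_cnf"], 1_003_700.0))
```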