Re: [Ace] Shepard review for draft-ietf-ace-oauth-authz

Ludwig Seitz <ludwig.seitz@ri.se> Thu, 31 January 2019 09:41 UTC

To: draft-ietf-ace-oauth-authz@ietf.org, ace@ietf.org
References: <01e801d4b861$4d7d41e0$e877c5a0$@augustcellars.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <1ce364d1-2154-3fc3-5589-5be3d7606717@ri.se>
Date: Thu, 31 Jan 2019 10:40:57 +0100
In-Reply-To: <01e801d4b861$4d7d41e0$e877c5a0$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/GeB6NQbiJpscitlImg_UcJ7Vxj8>
Subject: Re: [Ace] Shepard review for draft-ietf-ace-oauth-authz

Hello,

we have an unresolved review comment by Steffi that got lost in the 
holiday season:

https://mailarchive.ietf.org/arch/msg/ace/CBTkVUBzYrfC55zH3_UJDngiy9U
https://mailarchive.ietf.org/arch/msg/ace/NrQWetugoy0TWp9eg3lwtSictc8


The issue is the following (my words):

The AS provides the client with key material used by the RS. This can 
either be a common symmetric pop-key, or an asymmetric key used by the 
RS to authenticate towards the client.

Since there is (currently) no metadata associated with those keys, the 
client has no way of knowing if these keys are still valid. This may 
lead to situations where the client sends requests containing sensitive 
information to the RS using a key that is expired and possibly in the 
hands of an attacker, or accepts responses from the RS that are not 
properly protected and could possibly have been forged by an attacker.


The options to resolve this that I currently see are these:


1. If the client has no additional data it MUST assume that the key is 
valid as long as the access token together with which it received that 
key. Since the access token is opaque to the client, the client MUST now 
determine how long the token is valid:

Option 1.1 The client is provisioned in advance with a default validity 
time for tokens issued by the AS. This could be done when the client is 
registered at the AS.

Option 1.2 The AS informs the client using the "expires_in" parameter in 
the Access Information.

This means that we need to implement a check whether the client knows a 
default validity, and if that is not the case reject an access token 
that does not come together with an "expires_in" parameter.

2. We can define a new parameter that informs the client specifically 
about the validity of the keys the RS uses, if that differs from the 
validity of the token. Note that this is a realistic use case, since the 
RS might use an asymmetric key for authentication that is valid for a 
significantly longer period than some access token.


I would need some feedback from the group to proceed here.

/Ludwig

-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
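The client-side check sketched in options 1.1, 1.2 and 2 above, as an added example that is not part of the draft or of this thread. It models the Access Information as a plain dict, assumes the RS key material arrives in the draft's "rs_cnf" parameter, and uses "rs_cnf_expires_in" as a hypothetical name for the option-2 parameter, which the draft does not define.

```python
"""Client-side validity bound for RS key material received from the AS."""
from dataclasses import dataclass
from typing import Optional


class RejectToken(Exception):
    """Raised when the client cannot bound the validity of the RS key."""


@dataclass(frozen=True)
class RsKeyLease:
    key: object        # RS key material taken from "rs_cnf"
    token_expiry: int  # absolute time (epoch seconds) the token expires
    key_expiry: int    # absolute time after which the RS key is distrusted


def bind_rs_key(access_info: dict, received_at: int,
                default_token_validity: Optional[int] = None) -> RsKeyLease:
    """Derive an expiry for the RS key from the Access Information.

    Option 1.2: prefer the AS-supplied "expires_in" (seconds).
    Option 1.1: otherwise fall back to a validity provisioned at registration.
    With neither, the token and its key MUST be rejected.
    Option 2: a key-specific lifetime ("rs_cnf_expires_in", hypothetical
    name) overrides the token lifetime for the key only, so an RS
    authentication key may legitimately outlive the token.
    """
    if "rs_cnf" not in access_info:
        raise RejectToken("no RS key material in Access Information")
    if "expires_in" in access_info:
        token_expiry = received_at + int(access_info["expires_in"])
    elif default_token_validity is not None:
        token_expiry = received_at + int(default_token_validity)
    else:
        raise RejectToken("token validity unknown: no expires_in and no "
                          "provisioned default; refusing to use the key")
    if "rs_cnf_expires_in" in access_info:  # hypothetical option-2 parameter
        key_expiry = received_at + int(access_info["rs_cnf_expires_in"])
    else:
        key_expiry = token_expiry
    return RsKeyLease(access_info["rs_cnf"], token_expiry, key_expiry)


def rs_key_usable(lease: RsKeyLease, now: int) -> bool:
    """True only while responses protected with the RS key may be trusted."""
    return now < lease.key_expiry


def token_usable(lease: RsKeyLease, now: int) -> bool:
    """True only while requests may still be sent with this token and key."""
    return now < lease.token_expiry and now < lease.key_expiry
```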