[Ace] Keeping the same key identifier for groups

Jim Schaad <ietf@augustcellars.com> Mon, 19 August 2019 20:41 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id C740812016E for <ace@ietfa.amsl.com>; Mon, 19 Aug 2019 13:41:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id SNzf8GhY21P2 for <ace@ietfa.amsl.com>; Mon, 19 Aug 2019 13:41:06 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04625120048 for <ace@ietf.org>; Mon, 19 Aug 2019 13:41:06 -0700 (PDT)
Received: from Jude ( by mail2.augustcellars.com ( with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 19 Aug 2019 13:41:00 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: <ace@ietf.org>
Date: Mon, 19 Aug 2019 13:40:58 -0700
Message-ID: <01fc01d556ce$69f73cc0$3de5b640$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdVWyjz3vcmK8hoCQY6gnIkskr9oiw==
Content-Language: en-us
X-Originating-IP: []
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/I1603SP6I2MmPZNb55QxGgNWIyU>
Subject: [Ace] Keeping the same key identifier for groups
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Aug 2019 20:41:08 -0000

As Ludwig pointed out during the F2F, it makes far more sense to try and
keep an entity using the same key identifier for as long as possible.  This
is in part to make sure that signing keys do not need to be retrieved if
they can be easily cached.  In looking at this deeper during my
implementation I ended up with the following question:

The way that I have set things up in my implementation it is simple to
ensure that the same kid value is going to be used with the same CWT,
however it might make more sense to use the signing key as the continuity
identifier instead.  The issue that arises in this case is that there might
be two different active CWT objects that are associated with the same
signing key.  That is there are two CWTs but the same signing key was used
while doing a join operation.   I already do some matching between different
CWTs by assuming that if the bearer key in the CWT is the same then they are
sufficiently equivalent to threat them as the same.  This lead to some
interesting discussions in Montreal about if this meant just the "secret" or
if it meant all of the elements provided by the AS which are used in the key
derivation process.  (I have gone back and forth on this and currently am
sitting on the "just the secret" side of the fence.)

Does anyone have any opinions?