Re: [Ace] [EXTERNAL] Francesca Palombini's Discuss on draft-ietf-ace-oauth-authz-38: (with DISCUSS and COMMENT)

Ludwig Seitz <ludwig_seitz@gmx.de> Sat, 10 July 2021 10:08 UTC

Date: Sat, 10 Jul 2021 12:07:34 +0200
Message-ID: <pie1vmtegr4pcaoch9pi0pih.1625911605608@email.android.com>
From: Ludwig Seitz <ludwig_seitz@gmx.de>
To: Ludwig Seitz <ludwig.seitz@combitech.com>, Carsten Bormann <cabo@tzi.org>
Cc: ace-chairs@ietf.org, Cigdem Sengul <cigdem.sengul@gmail.com>, Francesca Palombini <francesca.palombini@ericsson.com>, ace@ietf.org, "Apple Inc." <goran.selander@ericsson.com>, Daniel Migault <mglt.ietf@gmail.com>
In-Reply-To: <5C41B62D-C4BD-469A-B370-99DFA0BC1873@tzi.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/ItzxDjN1VY6-ztwzJyLGR8DlOLY>

I can remove the text entirely, since we don't seem to agree on the details. Would that be acceptable? 

/Ludwig 

Sent from my smartphone

---- Carsten Bormann wrote ----

>How do we get this done before Monday’s I-D deadline?
>
>On 2021-07-06, at 08:22, Ludwig Seitz <ludwig.seitz@combitech.com> wrote:
>> 
>> Hello Francesca, Carsten,
>> 
>> Sorry but I do not like what you did in the first sentence. Combining profiles does not necessarily equate to creating a new one, and I still don't see why we should needlessly request that it be so.
>
>The devil is in the details.  If we have pairs of profiles that combine, the component profiles should say so and say how.
>
>> Given an example use case where a client talks dtls-profile to the AS and gets token and parameters for an oscore-profile back for the client-RS leg, why should there be a need for a new profile to support this?
>
>Because the interaction e.g. with the DTLS and OSCORE/LAKE security setup has details that need to be covered in the component profiles.
>
>> I also do not like that you removed the requirement to design profiles so that the security for the different legs of the communication (C-AS, C-RS, RS-AS) stands on its own.
>
>Some of the security can stand on its own, but the overall security derives from the properties of the legs combining.
>
>> What could happen now is that someone designs clever protocol foo that has a dependency between the C-AS and the C-RS communication for its security, and thus breaks when it is used on only one leg of this communication. I don't think you need to know all possible future profiles to design yours to be secure in that way. Note that the framework puts requirements on the security of future profiles, so you can assume e.g., that communication will be secure.
>
>We may be better off writing a separate document that explains how to exactly do this mixing-and-matching.  
>
>I’d like to hear from others how they see this issue.
>
>Regards, Carsten