Re: [Ace] Fwd: New Version Notification for draft-ietf-ace-oauth-authz-17.txt and draft-ietf-ace-oauth-params-01.txt
Stefanie Gerdes <gerdes@tzi.de> Thu, 13 December 2018 14:42 UTC
Return-Path: <gerdes@tzi.de>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DBF8126F72 for <ace@ietfa.amsl.com>; Thu, 13 Dec 2018 06:42:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 767QYMH8Wcyj for <ace@ietfa.amsl.com>; Thu, 13 Dec 2018 06:42:14 -0800 (PST)
Received: from smtp.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A49E124408 for <ace@ietf.org>; Thu, 13 Dec 2018 06:42:14 -0800 (PST)
Received: from [134.102.218.250] (dynamic-218-250.informatik.uni-bremen.de [134.102.218.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.uni-bremen.de (Postfix) with ESMTPSA id 2A75C205F3; Thu, 13 Dec 2018 15:42:12 +0100 (CET)
From: Stefanie Gerdes <gerdes@tzi.de>
To: Ludwig Seitz <ludwig.seitz@ri.se>, Jim Schaad <ietf@augustcellars.com>, ace@ietf.org
References: <154322421294.8323.8505315870685563404.idtracker@ietfa.amsl.com> <cbd083d1-cb95-0732-aa8b-7c7de3f480d1@ri.se> <a0cdd836-7fe3-339e-0c48-961503857447@tzi.de> <03b601d49191$7d1bb400$77531c00$@augustcellars.com> <945fbebe-659f-ac72-3ab6-8e05447e7c92@ri.se>
Message-ID: <1c5b81f3-50ce-be68-bec3-68ce2ff15b43@tzi.de>
Date: Thu, 13 Dec 2018 15:42:12 +0100
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <945fbebe-659f-ac72-3ab6-8e05447e7c92@ri.se>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Od0BbecgAjjaTXzVWHuLaWT3pX4>
Subject: Re: [Ace] Fwd: New Version Notification for draft-ietf-ace-oauth-authz-17.txt and draft-ietf-ace-oauth-params-01.txt
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Dec 2018 14:42:18 -0000
Hi Ludwig, On 12/12/2018 10:47 AM, Ludwig Seitz wrote: > The value of checking the iss field is indeed limited, but if present I > feel it MUST be checked. > > The text does say that the RS must check the integrity of the token (see > 5.8.1.1.) > > "Since the cryptographic wrapper of the token (e.g. a COSE message) > could include encryption, it needs to be verified first, based on shared > cryptographic material with recognized AS." > > This implies that the RS must check that the AS is recognized, I will > rephrase this to clarify that "recognized" means that the AS is > authorized to issue tokens for the RS. I cannot find the term "integrity" in section 5.8.1.1. Encryption is not the same as integrity protection. Also, providing a "cryptographic wrapper" for the token seems to be optional, which means that RS does not necessarily check the authenticity of the token. The RS must check that the token stems from an authorized AS, otherwise anyone can issue a token to RS. BTW, "shared cryptographic material with recognized AS" implies that only symmetric solutions can be used between RS and AS. Is that what you intend here? The current text to the iss field implies that this field somehow helps RS to determine the origin of the token, but this is not the case. Anyone can write an authorized issuer into an issuer field. Authenticity can only be achieved with cryptographic measures. > >>> Instead of demanding that the exp field is checked the document should >>> demand that the RS somehow validates that the token is not expired. >> Checking >>> the exp field may be one example. > The document demands that exp is checked _if present_. > I don't like to normatively require something that is not concrete such > as "somehow validate that the token is not expired". If we define other > ways than exp and exi, then normative requirements should be placed in > the documents that define those. So you say that the exp field is optional. And the exi field is optional. If they are missing, the RS does not check if the token is still valid and may use outdated tokens. For the security of the solution it is required that the RS checks if the token is still valid. You should point out this requirement to achieve a secure solution. > > Well you have several cases of keying material here: > > a.) A symmetric pop-key bound to one or more tokens. That will only be > valid as long as there is a valid token. > > b.) An asymmetric key belonging to either client of RS, which may be > bound to a token, or used to authenticate (e.g. in a DTLS-RPK > handshake). Those are valid independently of the ACE framework and need > to be managed, updated and expired by some other mechanisms. > > c.) A symmetric key shared between C-AS or RS-AS for authentication > purposes. ACE has no mechanisms for managing and updating this kind of > keys. Starting to look into this looks lite a rat-hole to me. I am currently only referring to the keying material that AS provides to C, i.e., the symmetric key shared between C and RS or, if asymmetric keys are used, RS's RPK. Since it is clear to you that symmetric keys are only valid as long as the token, you should point that out in the document. C then has at least some clue how long the token is valid. Which is better than nothing. In the RPK case, the AS may be the one that provides C with RS's RPK. RPKs do not contain semantic information. Therefore, C must be able assume that the RPK is valid as long as the access token. As I said, the framework must also state that the client must check if its keying material is still valid each time before it sends a request to the RS. Otherwise the confidentiality of the request data may be breached. Viele Grüße Steffi
- [Ace] Fwd: New Version Notification for draft-iet… Ludwig Seitz
- Re: [Ace] Fwd: New Version Notification for draft… Jim Schaad
- Re: [Ace] Fwd: New Version Notification for draft… Stefanie Gerdes
- Re: [Ace] Fwd: New Version Notification for draft… Jim Schaad
- Re: [Ace] Fwd: New Version Notification for draft… Ludwig Seitz
- Re: [Ace] Fwd: New Version Notification for draft… Stefanie Gerdes
- [Ace] Overwriting Tokens Stefanie Gerdes
- Re: [Ace] Fwd: New Version Notification for draft… Ludwig Seitz
- Re: [Ace] Fwd: New Version Notification for draft… Ludwig Seitz
- Re: [Ace] Overwriting Tokens Ludwig Seitz
- Re: [Ace] Overwriting Tokens Stefanie Gerdes
- Re: [Ace] Overwriting Tokens Jim Schaad
- Re: [Ace] Fwd: New Version Notification for draft… Stefanie Gerdes
- Re: [Ace] Fwd: New Version Notification for draft… Ludwig Seitz
- [Ace] Token (In)Security Stefanie Gerdes
- [Ace] Security of the Communication Between C and… Stefanie Gerdes
- Re: [Ace] Token (In)Security Hannes Tschofenig
- Re: [Ace] Token (In)Security Hannes Tschofenig
- Re: [Ace] Security of the Communication Between C… Hannes Tschofenig
- Re: [Ace] Token (In)Security Ludwig Seitz
- Re: [Ace] Security of the Communication Between C… Ludwig Seitz
- Re: [Ace] Security of the Communication Between C… Hannes Tschofenig
- Re: [Ace] Security of the Communication Between C… Hannes Tschofenig
- Re: [Ace] Security of the Communication Between C… Ludwig Seitz
- Re: [Ace] Security of the Communication Between C… Stefanie Gerdes
- Re: [Ace] Security of the Communication Between C… Stefanie Gerdes
- Re: [Ace] Token (In)Security Stefanie Gerdes
- Re: [Ace] Security of the Communication Between C… Hannes Tschofenig
- Re: [Ace] Security of the Communication Between C… Hannes Tschofenig
- Re: [Ace] Security of the Communication Between C… Stefanie Gerdes
- Re: [Ace] Security of the Communication Between C… Hannes Tschofenig
- Re: [Ace] Security of the Communication Between C… Stefanie Gerdes
- Re: [Ace] Security of the Communication Between C… Ludwig Seitz
- Re: [Ace] Security of the Communication Between C… Hannes Tschofenig
- Re: [Ace] Security of the Communication Between C… Ludwig Seitz
- Re: [Ace] Security of the Communication Between C… Jim Schaad
- Re: [Ace] Security of the Communication Between C… Ludwig Seitz
- Re: [Ace] Security of the Communication Between C… Hannes Tschofenig
- Re: [Ace] Security of the Communication Between C… Sebastian Echeverria
- Re: [Ace] Token (In)Security Ludwig Seitz
- Re: [Ace] Token (In)Security Stefanie Gerdes
- Re: [Ace] Security of the Communication Between C… Benjamin Kaduk