Re: [Ace] Fwd: New Version Notification for draft-ietf-ace-oauth-authz-17.txt and draft-ietf-ace-oauth-params-01.txt

Stefanie Gerdes <gerdes@tzi.de> Thu, 13 December 2018 14:42 UTC

Return-Path: <gerdes@tzi.de>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DBF8126F72 for <ace@ietfa.amsl.com>; Thu, 13 Dec 2018 06:42:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 767QYMH8Wcyj for <ace@ietfa.amsl.com>; Thu, 13 Dec 2018 06:42:14 -0800 (PST)
Received: from smtp.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A49E124408 for <ace@ietf.org>; Thu, 13 Dec 2018 06:42:14 -0800 (PST)
Received: from [134.102.218.250] (dynamic-218-250.informatik.uni-bremen.de [134.102.218.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.uni-bremen.de (Postfix) with ESMTPSA id 2A75C205F3; Thu, 13 Dec 2018 15:42:12 +0100 (CET)
From: Stefanie Gerdes <gerdes@tzi.de>
To: Ludwig Seitz <ludwig.seitz@ri.se>, Jim Schaad <ietf@augustcellars.com>, ace@ietf.org
References: <154322421294.8323.8505315870685563404.idtracker@ietfa.amsl.com> <cbd083d1-cb95-0732-aa8b-7c7de3f480d1@ri.se> <a0cdd836-7fe3-339e-0c48-961503857447@tzi.de> <03b601d49191$7d1bb400$77531c00$@augustcellars.com> <945fbebe-659f-ac72-3ab6-8e05447e7c92@ri.se>
Message-ID: <1c5b81f3-50ce-be68-bec3-68ce2ff15b43@tzi.de>
Date: Thu, 13 Dec 2018 15:42:12 +0100
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <945fbebe-659f-ac72-3ab6-8e05447e7c92@ri.se>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Od0BbecgAjjaTXzVWHuLaWT3pX4>
Subject: Re: [Ace] Fwd: New Version Notification for draft-ietf-ace-oauth-authz-17.txt and draft-ietf-ace-oauth-params-01.txt
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Dec 2018 14:42:18 -0000

Hi Ludwig,

On 12/12/2018 10:47 AM, Ludwig Seitz wrote:

> The value of checking the iss field is indeed limited, but if present I
> feel it MUST be checked.
> 
> The text does say that the RS must check the integrity of the token (see
> 5.8.1.1.)
> 
> "Since the cryptographic wrapper of the token (e.g. a COSE message)
> could include encryption, it needs to be verified first, based on shared
> cryptographic material with recognized AS."
> 
> This implies that the RS must check that the AS is recognized, I will
> rephrase this to clarify that "recognized" means that the AS is
> authorized to issue tokens for the RS.

I cannot find the term "integrity" in section 5.8.1.1. Encryption is not
the same as integrity protection. Also, providing a "cryptographic
wrapper" for the token seems to be optional, which means that RS does
not necessarily check the authenticity of the token. The RS must check
that the token stems from an authorized AS, otherwise anyone can issue a
token to RS.

BTW, "shared cryptographic material with recognized AS" implies that
only symmetric solutions can be used between RS and AS. Is that what you
intend here?

The current text to the iss field implies that this field somehow helps
RS to determine the origin of the token, but this is not the case.
Anyone can write an authorized issuer into an issuer field. Authenticity
can only be achieved with cryptographic measures.

> 
>>> Instead of demanding that the exp field is checked the document should
>>> demand that the RS somehow validates that the token is not expired.
>> Checking
>>> the exp field may be one example.
> The document demands that exp is checked _if present_.
> I don't like to normatively require something that is not concrete such
> as "somehow validate that the token is not expired". If we define other
> ways than exp and exi, then normative requirements should be placed in
> the documents that define those.

So you say that the exp field is optional. And the exi field is
optional. If they are missing, the RS does not check if the token is
still valid and may use outdated tokens. For the security of the
solution it is required that the RS checks if the token is still valid.
You should point out this requirement to achieve a secure solution.

> 
> Well you have several cases of keying material here:
> 
> a.) A symmetric pop-key bound to one or more tokens. That will only be
> valid as long as there is a valid token.
> 
> b.) An asymmetric key belonging to either client of RS, which may be
> bound to a token, or used to authenticate (e.g. in a DTLS-RPK
> handshake). Those are valid independently of the ACE framework and need
> to be managed, updated and expired by some other mechanisms.
> 
> c.) A symmetric key shared between C-AS or RS-AS for authentication
> purposes. ACE has no mechanisms for managing and updating this kind of
> keys. Starting to look into this looks lite a rat-hole to me.

I am currently only referring to the keying material that AS provides to
C, i.e., the symmetric key shared between C and RS or, if asymmetric
keys are used, RS's RPK. Since it is clear to you that symmetric keys
are only valid as long as the token, you should point that out in the
document. C then has at least some clue how long the token is valid.
Which is better than nothing.

In the RPK case, the AS may be the one that provides C with RS's RPK.
RPKs do not contain semantic information. Therefore, C must be able
assume that the RPK is valid as long as the access token.

As I said, the framework must also state that the client must check if
its keying material is still valid each time before it sends a request
to the RS. Otherwise the confidentiality of the request data may be
breached.

Viele Grüße
Steffi