Re: [Ace] Ace Digest, Vol 29, Issue 12
Vasu Kantubukta <vasu.kantubukta@huawei.com> Tue, 19 April 2016 06:58 UTC
Return-Path: <vasu.kantubukta@huawei.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D0D312D80A for <ace@ietfa.amsl.com>; Mon, 18 Apr 2016 23:58:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.217
X-Spam-Level:
X-Spam-Status: No, score=-5.217 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VIumHmlnAvub for <ace@ietfa.amsl.com>; Mon, 18 Apr 2016 23:58:36 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D07CF12D55E for <ace@ietf.org>; Mon, 18 Apr 2016 23:58:35 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml706-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CMP30927; Tue, 19 Apr 2016 06:58:33 +0000 (GMT)
Received: from BLREML408-HUB.china.huawei.com (10.20.4.47) by lhreml706-cah.china.huawei.com (10.201.5.182) with Microsoft SMTP Server (TLS) id 14.3.235.1; Tue, 19 Apr 2016 07:58:31 +0100
Received: from BLREML509-MBB.china.huawei.com ([169.254.1.138]) by BLREML408-HUB.china.huawei.com ([10.20.4.47]) with mapi id 14.03.0235.001; Tue, 19 Apr 2016 12:28:21 +0530
From: Vasu Kantubukta <vasu.kantubukta@huawei.com>
To: "ace@ietf.org" <ace@ietf.org>
Thread-Topic: Ace Digest, Vol 29, Issue 12
Thread-Index: AQHRmaSe9/iz6l37DUaAbpj4CuW5UZ+Q1ekA
Date: Tue, 19 Apr 2016 06:58:20 +0000
Message-ID: <D6EBB546995C064A9492E8E27F62D90D0AA2B875@blreml509-mbb.china.huawei.com>
References: <mailman.46.1461006006.23559.ace@ietf.org>
In-Reply-To: <mailman.46.1461006006.23559.ace@ietf.org>
Accept-Language: zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.18.211.249]
Content-Type: multipart/mixed; boundary="_005_D6EBB546995C064A9492E8E27F62D90D0AA2B875blreml509mbbchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090202.5715D71A.0013, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.1.138, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 4b7edd3c3e00d01f1d7042568d18c4bf
Archived-At: <http://mailarchive.ietf.org/arch/msg/ace/S4A1sGBsFJYjfxW9uRvgiT3cdyA>
Cc: "Caozhen (zcao)" <zhen.cao@huawei.com>, Ashutosh prakash <ashutosh.prakash@huawei.com>, Javed siddiqui <javed.siddiqui@huawei.com>, "Zuojing (2012 Laboratories)" <jing.zuo@huawei.com>
Subject: Re: [Ace] Ace Digest, Vol 29, Issue 12
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Apr 2016 06:58:44 -0000
Hi Ludwig Seitz,
I have a quick look on your draft. We are happy even to discuss about our draft and can collaborate.
Plz find my few inline comments below:
Actually that draft is not so much about pre-configuring endpoints with
tokens, the idea behind OAuth is that you supply these tokens on demand,
i.e. when a client tries to access a resource on a server.
Btw: The reference is wrong, it's now draft-ietf-ace-oauth-authz
----> Thanks for bringing me to notice the new draft "draft-ietf-ace-oauth-authz-01"
----> Yes, these tokens are not configured at the endpoints, those are at AS, my doubt is about how AS can make dynamic configuration of security policies about RS, and clients. Does there be any frequent updates about policies from RS to AS.
I'm not sure what you mean with those points. Priority of requests and
QoS could be parameters that have a bearing on what kind of access token
you get, but they are certainly out of scope for ACE.
The operations that clients can perform on the resource are supposed to
either be encoded in the token, or available through introspection by
ways of the "scope" of an OAuth token.
---> Authorization server provides resource access to client by giving access tokens to client that includes only security context, and kind of protocol
access.
---> Suppose RS cannot handle any request at that time, and some other similar resource can handle the request. Does the RS will update to AS?. If not, then request should not be allowed. Here the check is not happened based on the resource management. Only protocol operations like (PUT,POST,GET etc) may not be sufficient to distinguish the resource access. Resource oriented operations are more appropriate for resource control (for ex. for resource IP Camera, the operations allowed are {"turn it up", "turn it down", "play", "pause"}). Centralized resource control is required to admit client request. On what basis these tokens assigned is very important in constrained environments. only based on security context is not sufficient to authorize the resource. Authorization should include both admission and resource control. There should be some decision making required to provide access controls on resource access not only just by the security context.
---> Admission control does not have to consider about resource management, but resource control should consider. And, any access control mechanism should include both admission and resource control. Permission to access a resource is an authorization. So, managing and monitoring of access controls of a resource is also a part of resource access.
Moreover, other few queries about draft-ietf-ace-oauth-authz-01:
--->resource server is involved in processing the access token which is supplied as payload from client request. Or in other case, it has to construct new introspection request to AS and verify the access token of client. Which burdens the resource heavily due to limited memory.
--->why can't this be delegated to some intermediate server that do access token verification on behalf of RS.
--->Does the RS has to do this verification of access request for each client and resource request?.
-----Original Message-----
From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of ace-request@ietf.org
Sent: 2016年4月19日 0:30
To: ace@ietf.org
Subject: Ace Digest, Vol 29, Issue 12
Send Ace mailing list submissions to
ace@ietf.org
To subscribe or unsubscribe via the World Wide Web, visit
https://www.ietf.org/mailman/listinfo/ace
or, via email, send a message with subject or body 'help' to
ace-request@ietf.org
You can reach the person managing the list at
ace-owner@ietf.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Ace digest..."
--- Begin Message ---Dear CORE and ACE, We have submitted a draft on "access privilege provisioning for constrained devices" that provides a method to configure the policies for admission as well as resource control in constrained environment (including both constrained and non-constrained devices) which includes complete system architecture, methods for defining policies, and with commissioning procedures. Here, the service provisioning includes authentication, authorization, admission and resource control. The draft details about the following: 1) Discover provisioning server, and verify registered service with CORE-RD using commissioning procedure. 2) Defining admission control policies for registered resources. 3) How resource control policies can be configured to allow only privileged users to access the resource? We would like to discuss the CoRE, and ACE aspects of this draft in the CORE and ACE WG meeting. Thanks and Best Regards K Vasu -----Original Message----- From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org] Sent: 2016年4月15日 21:40 To: Rahul Arvind Jadhav (Rahul Arvind Jadhav, 2012 Labs); Vasu Kantubukta; Vasu Kantubukta; Yangneng; Rahul Arvind Jadhav (Rahul Arvind Jadhav, 2012 Labs) Subject: New Version Notification for draft-vasu-ace-core-access-privilege-provisioning-00.txt A new version of I-D, draft-vasu-ace-core-access-privilege-provisioning-00.txt has been successfully submitted by Kantubukta Vasu and posted to the IETF repository. Name: draft-vasu-ace-core-access-privilege-provisioning Revision: 00 Title: Access Privilege Provisioning for Constrained Devices Document date: 2016-04-15 Group: Individual Submission Pages: 30 URL: https://www.ietf.org/internet-drafts/draft-vasu-ace-core-access-privilege-provisioning-00.txt Status: https://datatracker.ietf.org/doc/draft-vasu-ace-core-access-privilege-provisioning/ Htmlized: https://tools.ietf.org/html/draft-vasu-ace-core-access-privilege-provisioning-00 Abstract: As more constrained devices are integrating with current Internet, the ubiquitous computing in scenarios like smart home is very important. In smart home, the constrained devices (ex. thermostat) need to be provisioned in such a way that it can inter-operate with any kind of devices like other constrained devices (ex. Air conditioner) or client devices (ex. smart phone). This document provides a method to support access privilege provisioning based on pre-configured admission and resource control policies, where this method explains device's service access in two different use cases: first provisioning the service when a constrained device accessing the service provided by other constrained device, second, accessing the service provided by constrained device from the client device (non constrained device). Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat--- End Message ---
--- Begin Message ---On 2016-04-18 11:56, Vasu Kantubukta wrote: > Dear CORE and ACE, > > We have submitted a draft on "access privilege provisioning for > constrained devices" ... > Hello Vasu, thank you for your interest in the ACE work. I've had a quick look at your draft and noticed some issues that I'd like to clarify with your help. You write: > > Admission control is addressed with the draft (draft-seitz-ace-oauth- > authz) provides a mechanism for pre-configuring secure/authorization > policies with token mechanism to access the resource. Actually that draft is not so much about pre-configuring enpoints with tokens, the idea behind OAuth is that you supply these tokens on demand, i.e. when a client tries to access a resource on a server. Btw: The reference is wrong, it's now draft-ietf-ace-oauth-authz > It is not possible to manage the rest resources by using only tokens that > authorize the clients to access the resource. Because, it also needs > to handle resource control interms of various other parameters such > as priority of request, QoS, Operations that can be performed on > resource by various clients. I'm not sure what you mean with those points. Priority of requests and QoS could be parameters that have a bearing on what kind of access token you get, but they are certainly out of scope for ACE. The operations that clients can perform on the resource are supposed to either be encoded in the token, or available through introspection by ways of the "scope" of an OAuth token. > The draft (draft-seitz-ace-oauth-authz) > talks about how to provide admission control (conditional > authorization) for resource access from client device, but it does > not consider constrained device access from another constrained > device. That is simply not correct. If you look at section 6.1 of draft-ietf-ace-oauth-authz-01, this deployment example deals with the case of a constrained client accessing a constrained resource server. Maybe you have identified other requirements that are not currently covered by our draft, or that are unclear in the current document. If that is the case, please explain to the group what these requirements are, so that we can discuss them and try to find the best solution. I'd also like to clarify what you mean with 'Admission Control' vs 'Resource Control', the distinction does not seem very useful to me at this point, so perhaps I'm missing something. Regards, Ludwig Seitz -- Ludwig Seitz, PhD SICS Swedish ICT AB Ideon Science Park Building Beta 2 Scheelevägen 17 SE-223 70 Lund Phone +46(0)70-349 92 51 http://www.sics.se--- End Message ---
- Re: [Ace] Ace Digest, Vol 29, Issue 12 Vasu Kantubukta
- Re: [Ace] Ace Digest, Vol 29, Issue 12 Ludwig Seitz