[Ace] Possible issues to be resolved

Jim Schaad <ietf@augustcellars.com> Mon, 01 July 2019 22:02 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: draft-ietf-ace-oscore-profile@ietf.org
CC: ace@ietf.org
Date: Mon, 01 Jul 2019 15:02:27 -0700
Message-ID: <100401d53058$adaba420$0902ec60$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/SDu4NvZLlEmbOPDFWsmnEZ7QguI>
Subject: [Ace] Possible issues to be resolved

I was trying to get some work done in terms of getting this profile
implemented and came up with the following questions:

1.  In section 3.1, it references the kid that was assigned in section 3.2.
I was not able to find a kid field in Table 1.  How is this value to be
obtained?

2.  In section 3.2, the following requirements are imposed:
*  The AS MAY assign an identifier to the client
*  The AS MUST assign an identifier to the RS
*  The client identifiers MUST be unique in the set of all clients on a
single RS
*  The RS identifiers MUST be unique in the set of all RS for any given
client.

If it is not required to assign an identifier for the client, how can it be
unique?
If there are multiple AS, each with a set of unique RS, are the AS servers
expected to coordinate in order to make the RS identifiers unique?

3.  The example in figure 5 is incorrect.  It should be single not double
quotes for clientId and serverId.

4.  Please review the updated CWT example with the most recent profile text
on having only a single CWT on the RS.  I don't know that this needs an
update but it probably does.

5.  If the AS creates a new, from scratch, CWT with the same clientId in the
case of a change in permissions, what happens with regards to the RS
matching to an existing context as opposed to treating it as a conflict?
This is going to be potentially even more of a problem in the case that the
RS changed the client ID and did not keep the full CWT around.

Jim
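The following is an added example, not part of the message above and not code from draft-ietf-ace-oscore-profile or any ACE implementation. It illustrates two of the points raised: why the single quotes in point 3 matter (in CBOR diagnostic notation 'c1' is a byte string and "c1" is a text string, which encode to different major types), and what an RS-side table looks like that enforces the per-RS uniqueness from point 2 and surfaces the same-clientId collision from point 5 instead of silently overwriting an existing context. The map labels "clientId", "serverId" and "ms" and the sample master secret are assumptions made here for illustration; the draft's own resolution of point 5 is not asserted.

```python
"""Byte-string vs text-string identifiers in CBOR and a per-RS context table.
Added illustration only; the map labels below are assumptions, not the draft's."""

from typing import Dict, Union

Value = Union[int, bytes, str, dict]


def cbor_head(major: int, arg: int) -> bytes:
    """Initial byte plus argument for a CBOR data item (RFC 7049, section 2)."""
    if arg < 24:
        return bytes([(major << 5) | arg])
    if arg < 0x100:
        return bytes([(major << 5) | 24, arg])
    if arg < 0x10000:
        return bytes([(major << 5) | 25]) + arg.to_bytes(2, "big")
    if arg < 0x1_0000_0000:
        return bytes([(major << 5) | 26]) + arg.to_bytes(4, "big")
    return bytes([(major << 5) | 27]) + arg.to_bytes(8, "big")


def cbor_encode(value: Value) -> bytes:
    """Minimal CBOR encoder covering only the types this example needs."""
    if isinstance(value, bool):
        raise TypeError("booleans are not needed here")
    if isinstance(value, int) and value >= 0:
        return cbor_head(0, value)                     # major type 0: unsigned int
    if isinstance(value, bytes):
        return cbor_head(2, len(value)) + value        # major type 2: 'c1' / h'6331'
    if isinstance(value, str):
        data = value.encode("utf-8")
        return cbor_head(3, len(data)) + data          # major type 3: "c1"
    if isinstance(value, dict):
        body = b"".join(cbor_encode(k) + cbor_encode(v) for k, v in value.items())
        return cbor_head(5, len(value)) + body         # major type 5: map
    raise TypeError(f"unsupported type {type(value).__name__}")


def encode_input_material(client_id: Value, server_id: Value, master_secret: bytes) -> bytes:
    """Encode a hypothetical OSCORE input-material map (labels are assumptions)."""
    return cbor_encode({"clientId": client_id, "serverId": server_id, "ms": master_secret})


class ContextTable:
    """RS-side table of established contexts keyed by the client identifier bytes."""

    def __init__(self) -> None:
        self._by_client: Dict[bytes, str] = {}

    def register(self, client_id: bytes, token_ref: str) -> bool:
        # Identifiers are compared as byte strings; a text string with the same
        # characters is a different CBOR item and is rejected outright.
        if not isinstance(client_id, bytes):
            raise TypeError("client identifier must be a CBOR byte string")
        # Uniqueness per RS: a second token carrying an identifier that is
        # already bound is reported as a conflict, never silently overwritten.
        if client_id in self._by_client:
            raise ValueError(
                f"client identifier {client_id!r} already bound to {self._by_client[client_id]}"
            )
        self._by_client[client_id] = token_ref
        return True

    def lookup(self, client_id: bytes) -> Union[str, None]:
        return self._by_client.get(client_id)


if __name__ == "__main__":
    ms = bytes(range(16))                              # constructed sample secret
    print(encode_input_material(b"c1", b"s1", ms).hex())   # clientId value starts 0x42
    print(encode_input_material("c1", "s1", ms).hex())     # clientId value starts 0x62
    table = ContextTable()
    table.register(b"c1", "token-1")
    print(table.lookup(b"c1"))
```

The two hex dumps differ only in the initial byte of each identifier (0x42 versus 0x62 for a two-byte value), which is exactly what the quote style in a diagnostic-notation example commits an implementer to; an RS that keys its context table on the decoded item will never match a text-string identifier against a byte-string one.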