Re: [Ace] bringing draft-selander-ace-ake-authz to ACE?

Göran Selander <goran.selander@ericsson.com> Wed, 09 September 2020 08:40 UTC

From: Göran Selander <goran.selander@ericsson.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "ace@ietf.org" <ace@ietf.org>
Date: Wed, 09 Sep 2020 08:40:26 +0000
Message-ID: <C868440B-9359-4347-BD04-2145E04275E7@ericsson.com>
References: <007201d6807a$9febe250$dfc3a6f0$@augustcellars.com> <86E83EED-DCF5-4665-B77F-15A7E8DA9E21@ericsson.com> <01ad01d6826e$5e498be0$1adca3a0$@augustcellars.com> <46BBE2A4-67C2-4224-BDC0-33CB44EEBFD6@ericsson.com> <4476.1599527043@localhost>
In-Reply-To: <4476.1599527043@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/SRogazDz-EHyIOsPjVDYQHyXWiU>
Subject: Re: [Ace] bringing draft-selander-ace-ake-authz to ACE?
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>

Hi Michael, and all, 

No, this hasn't been discussed in ACE yet. But since you brought it to the list, we may restart the discussion here.

We have been working on lightweight procedures for an IoT device to join a network. The join process may include a number of components such as authentication, remote attestation, authorization, enrolment of a locally significant certificate, etc. Many current standards are based on doing things in sequence, one thing at a time. This may be a good idea but it introduces some redundancies. One way to reduce overhead is to reuse elements from the authentication protocol in the authorization or certificate enrolment processes. So, instead of passing public keys and signatures multiple times between the same endpoints over constrained links during different phases of the joining procedure, we try to make more use of the authentication protocol while ensuring that the security properties are as expected.

The draft in the subject is looking at third party authorization. It uses the "auxiliary data" extension point of EDHOC, and reuses the client ephemeral key/nonce with the authorization server. The actual authorization information is carried in a "voucher" using the ANIMA terminology, but is requested and retrieved as an 8-byte access token using a new ACE profile. This enables mutual authentication and authorization at completion of EDHOC, and with little additional overhead compared to EDHOC.

A certificate enrolment request may in a similar way be included in message 3 (not covered in this draft) since authentication and authorization of the responder takes place at reception of message 2. In order to send back a certificate (or a reference to a certificate) to the initiator, a fourth message needs to be added, but the overall join procedure could be completed in two round trips.

The question is if ACE is the right place to discuss this topic.

Göran




On 2020-09-08, 03:04, "Michael Richardson" <mcr+ietf@sandelman.ca> wrote:


    I'm sorry that I missed today's meeting.
    I guess this wasn't on the agenda in the end?

    Göran Selander <goran.selander@ericsson.com> wrote:
        > But you are right that the draft is not just a new ACE profile. The
        > voucher concept fits into ANIMA, but is carried as an ACE access
        > token. It also makes use of the auxiliary data and other elements of
        > EDHOC. But neither ANIMA nor LAKE seems to be the right working
        > groups. ANIMA is not using the ACE framework, and LAKE is for the
        > nearest future only concerned with the basic AKE.

    ANIMA BRSKI is not using the ACE framework, but that's because I don't think
    it was clear when we started the work that vouchers were semantically similar
    to JWT/CWT.  Well, I tried to move things that way, but it was just too soon.

    When we started, I thought that the thing that the AS (W) returns to V is an 
    RFC8366 semantic voucher (encoded to CBOR a la draft-ietf-anima-constrained-voucher).
    However, in the document it has taken on its own life.
    I think that we tried to make it close to an ACE token.

    This is where the connection comes in.

    Jim:
        jim>     I have been sitting this to try and make a decision and figure out
        jim> what my feelings are with this draft.  I did a fast read through the
        jim> document, too fast to actually understand what it is trying to do, and
        jim> I immediately ran into the question of why this document would be part
        jim> of ACE.  It is using the concepts of a voucher, which is not currently
        jim> an ACE concept, as one of the fundamental concepts.  That combined with
        jim> the use of an AKE makes me very wary of this document.  (I have not
        jim> spent enough time embedded in the ECIES and HPKE world to understand
        jim> this well.)

    I think that the ECIES and HPKE part is not particularly significant.
    There are some links at:
       https://www.sandelman.ca/SSW/ietf/brski-links/

    The link:   Generic Animation of BRSKI - Bootstrapping Remote Secure Key
                Infrastructure (ODP) (screencast) (enterprise/IoT screencast)
    points to:  https://www.youtube.com/watch?v=Mtbh_GN0Ce4 which is only 5
                minutes long.

    I should redo this for ACE-AKE-AUTHZ, aka Ultra-Constrained enrollment.

    -- 
    ]               Never tell me the odds!                 | ipv6 mesh networks [
    ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
    ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
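The mechanism Göran sketches in his message above (the device reusing the EDHOC ephemeral key with the authorization server W, and W's voucher coming back to the device as an 8-byte access token inside message 2) as an added example; this is not code from the draft or from either author. A toy finite-field DH stands in for EDHOC's ECDH, the message layout, KDF labels and the policy table `W_POLICY` are constructed assumptions, and the names `u_message_1`, `w_voucher_request` and `u_verify_message_2` are hypothetical.

```python
# Simplified model of third-party authorization piggybacked on an AKE:
# U = device (EDHOC initiator), V = network node (responder), W = authorization server.
# Toy DH and constructed labels; not the draft's exact encoding.
import hashlib, hmac, secrets

P = 2**127 - 1   # toy DH modulus (a Mersenne prime), stand-in for EDHOC's ECDH group
G = 3            # toy generator

def dh_pub(priv):
    return pow(G, priv, P).to_bytes(16, "big")

def dh_shared(priv, pub):
    return pow(int.from_bytes(pub, "big"), priv, P).to_bytes(16, "big")

def kdf(key, label):
    # HMAC-SHA256 as a one-step key derivation (toy)
    return hmac.new(key, label, hashlib.sha256).digest()

def xor_pad(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))

# Hypothetical policy held by W: which device identity may join through which V credential
W_POLICY = {b"device-U": {b"cred-V"}}

def u_message_1(id_u, g_w):
    """U: fresh ephemeral G_X; ID_U goes into the auxiliary data encrypted under DH(x, G_W)."""
    x = secrets.randbelow(P - 2) + 1
    prk = kdf(dh_shared(x, g_w), b"voucher")          # same secret W will derive from G_X
    message_1 = dh_pub(x) + xor_pad(id_u, kdf(prk, b"id"))
    return prk, message_1

def voucher(prk, message_1, cred_v):
    # MAC over H(message_1) and V's credential, truncated to the 8-byte token
    h = hashlib.sha256(message_1).digest()
    return hmac.new(prk, h + cred_v, hashlib.sha256).digest()[:8]

def w_voucher_request(w_priv, message_1, cred_v):
    """W: recover ID_U using G_X and its own static key, check policy, issue the 8-byte voucher."""
    g_x, enc_id = message_1[:16], message_1[16:]
    prk = kdf(dh_shared(w_priv, g_x), b"voucher")
    id_u = xor_pad(enc_id, kdf(prk, b"id"))
    if cred_v not in W_POLICY.get(id_u, set()):
        return None                                   # W refuses: no token for V
    return voucher(prk, message_1, cred_v)

def u_verify_message_2(prk, message_1, cred_v, token):
    """U: recompute the voucher from its own PRK; V counts as authorized only on a match."""
    return token is not None and hmac.compare_digest(voucher(prk, message_1, cred_v), token)
```

Because the token is keyed on the ephemeral key U already sent in message 1, no extra public key or signature crosses the constrained link for the authorization step; a V that was not approved by W for this U simply never obtains a token that U will accept.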