Re: [Ace] [EXTERNAL] Roman Danyliw's Yes on draft-ietf-ace-oauth-authz-38: (with COMMENT)
Seitz Ludwig <ludwig.seitz@combitech.se> Fri, 16 April 2021 06:35 UTC
Return-Path: <ludwig.seitz@combitech.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F2D83A187A; Thu, 15 Apr 2021 23:35:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N4PL3qEZfoQ0; Thu, 15 Apr 2021 23:35:36 -0700 (PDT)
Received: from weald.air.saab.se (weald.air.saab.se [136.163.212.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0EF73A1878; Thu, 15 Apr 2021 23:35:35 -0700 (PDT)
Received: from mailhub2.air.saab.se ([136.163.213.5]) by weald.air.saab.se (8.14.7/8.14.7) with ESMTP id 13G6ZM3p027828 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Fri, 16 Apr 2021 08:35:22 +0200
Received: from corpappl17774.corp.saab.se (corpappl17774.corp.saab.se [10.12.196.81]) by mailhub2.air.saab.se (8.13.8/8.13.8) with ESMTP id 13G6ZBDK031639 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=OK); Fri, 16 Apr 2021 08:35:11 +0200
Received: from corpappl17773.corp.saab.se (10.12.196.80) by corpappl17774.corp.saab.se (10.12.196.81) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3; Fri, 16 Apr 2021 08:35:10 +0200
Received: from corpappl17773.corp.saab.se ([fe80::20a9:e9fa:54a3:2afd]) by corpappl17773.corp.saab.se ([fe80::20a9:e9fa:54a3:2afd%17]) with mapi id 15.02.0792.013; Fri, 16 Apr 2021 08:35:10 +0200
From: Seitz Ludwig <ludwig.seitz@combitech.se>
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
CC: "draft-ietf-ace-oauth-authz@ietf.org" <draft-ietf-ace-oauth-authz@ietf.org>, "ace-chairs@ietf.org" <ace-chairs@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [EXTERNAL] Roman Danyliw's Yes on draft-ietf-ace-oauth-authz-38: (with COMMENT)
Thread-Index: AQHXH5Faz5aZ+htb9UOTtrroSqQdsqq21T9g
Date: Fri, 16 Apr 2021 06:35:10 +0000
Message-ID: <d5b4fdd713334d66b70267da6400310b@combitech.se>
References: <161646869070.23075.303761097693732783@ietfa.amsl.com>
In-Reply-To: <161646869070.23075.303761097693732783@ietfa.amsl.com>
Accept-Language: en-SE, sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [136.163.101.124]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Saab-MailScanner-Information: Please contact the ISP for more information
X-Saab-MailScanner-ID: 13G6ZBDK031639
X-Saab-MailScanner: Found to be clean
X-Saab-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=1.595, required 5, HELO_NO_DOMAIN 0.00, KAM_ASCII_DIVIDERS 0.80, RDNS_NONE 0.79, URIBL_BLOCKED 0.00)
X-Saab-MailScanner-SpamScore: s
X-Saab-MailScanner-From: ludwig.seitz@combitech.se
X-Saab-MailScanner-Watermark: 1619159711.46206@LU1/2i8oUbSUOeqciaAJQw
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/T7py_zVRPRED5_lCcLRYwu6taAw>
Subject: Re: [Ace] [EXTERNAL] Roman Danyliw's Yes on draft-ietf-ace-oauth-authz-38: (with COMMENT)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Apr 2021 06:35:41 -0000
Hello Roman, Thank you for reviewing this draft. Sorry for the long answering delay. Version -39 (https://datatracker.ietf.org/doc/html/draft-ietf-ace-oauth-authz-39) addresses your comments, except for: > ** Would the first paragraph of Section 7.2 of draft-ietf-ace-dtls-authorize > providing caution about the challenges of multiple access tokens be better > served by placing it in this document? Section 7 of draft-ietf-ace-oscore- > profile has similar words too. This comment requires coordination with the other draft's main authors, working on it. Regards, Ludwig > -----Original Message----- > From: Roman Danyliw via Datatracker <noreply@ietf.org> > Sent: den 23 mars 2021 04:05 > To: The IESG <iesg@ietf.org> > Cc: draft-ietf-ace-oauth-authz@ietf.org; ace-chairs@ietf.org; ace@ietf.org > Subject: [EXTERNAL] Roman Danyliw's Yes on draft-ietf-ace-oauth-authz-38: > (with COMMENT) > > Roman Danyliw has entered the following ballot position for > draft-ietf-ace-oauth-authz-38: Yes > > When responding, please keep the subject line intact and reply to all email > addresses included in the To and CC lines. (Feel free to cut this introductory > paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you to Stephen Kent for the SECDIR review, and thank you to the > authors for responding to it. > > ** Section 5.3. Per “The RS sending this response (i.e., RS) uses an internal > clock that is only loosely synchronized with the clock of the AS”, a more > precise phrase that “loosely synchronized” would be helpful. > > ** Section 6.2. It would be worthwhile to clarify the following: > > Section 6.2. > (a) Developers MUST ensure that ephemeral credentials … are not leaked to > third parties. > > (b) An > adversary in possession of the ephemeral credentials bound to the > access token will be able to impersonate the client. Be aware that > this is a real risk with many constrained environments, since > adversaries can often easily get physical access to the devices. > > (a) is helpful guidance; and independently (b) is a good reminder. However, > the risk of a leak to a third party seems independent of getting physical > access. > > ** Section 6.4. Per “C therefore MUST determine if an AS is authorized to > provide access tokens for a certain RS.”, this is good advice. Additionally, it > should be clarified that the means for a C to determine if the AS has the > authority to issue access tokens for a given RS is left to the application and > out of scope of this document. > > ** Fully appreciating that this document is already quite long, consider > whether it would be helpful to implementers to add another block of text to > explicitly enumerate how this framework alters OAuth. For example: ==[ > snip ]== > > This document adapts OAuth v2 to be suitable for the IoT environment. In > particular it differs from the normative requirements of OAuth in the > following > ways: > > * Use of TLS -- OAuth 2.0 requires the use of TLS both to protect the > communication between AS and client when requesting an access token; > between client and RS when accessing a resource and between AS and RS if > introspection is used. This framework requires similar security properties, > but does not require that they be realized with TLS. Section 5. > > * Cardinality of grant_type parameter -- In client-to-AS requests using OAuth > 2.0, the grant_type parameter is required (per [RFC6749]). In this > framework, this parameter is optional. See Section 5.8.1. > > * Encoding of scope parameter – In client-to-AS requests using OAuth 2.0, > the scope parameter is string encoded (per [RFC6749]). In this framework, > this parameter may also be encoded as a byte string. See Section 5.8.1. > > * Cardinality of token_type parameter – in AS-to-client responses using > OAuth 2.0, the token_type parameter is required (per [RFC 6749]). In this > framework, this parameter is optional. See Section 5.8.2. > > * Access token retention – in OAuth 2.0, the access token is sent with each > request to the RS. In this framework, the RS must be able to store these > tokens for later use. See Section 5.10.1. > > ==[ end ]== > > ** Would the first paragraph of Section 7.2 of draft-ietf-ace-dtls-authorize > providing caution about the challenges of multiple access tokens be better > served by placing it in this document? Section 7 of draft-ietf-ace-oscore- > profile has similar words too. > > ** Editorial Nits > > -- Section 3.1. Typo. s/token token/token/ > > -- Section 5.3. Typo s/nevetheless/nevertheless/ > > -- Section 6.6. Typo s/loose the current/lose the current/ > > -- Section 6.6. Typo s/the the/the/ > >
- [Ace] Roman Danyliw's Yes on draft-ietf-ace-oauth… Roman Danyliw via Datatracker
- Re: [Ace] [EXTERNAL] Roman Danyliw's Yes on draft… Seitz Ludwig
- Re: [Ace] [EXTERNAL] Roman Danyliw's Yes on draft… Seitz Ludwig