Re: [Ace] [OAUTH-WG] New OAuth client credentials RPK and PSK

Samuel Erdtman <samuel@erdtman.se> Sun, 14 May 2017 10:14 UTC

In-Reply-To: <22C1AD59-1B76-4596-AAFB-2CF1770FA58B@lodderstedt.net>
References: <CAF2hCbZpWTCMg617dK7D+F+0w=hxrz4VNdsFZHPGM1rZy+K3TA@mail.gmail.com> <22C1AD59-1B76-4596-AAFB-2CF1770FA58B@lodderstedt.net>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Sun, 14 May 2017 12:12:22 +0200
Message-ID: <CAF2hCbZqm2+FJnLkNaRO2DSHnBJCdUFwoiMCDyy6trwXmiR5ig@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>, ace <Ace@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/U-T2vk1Hpz2unrv_6XJBsJnujmk>
Subject: Re: [Ace] [OAUTH-WG] New OAuth client credentials RPK and PSK

Hi Torsten,

That is a possibility; I excluded it to keep the scope limited and because
I don't think it is as applicable to these credential types.

I think these credential types will mostly be used in IoT deployments using
the ACE framework; in that case the token will have its own key, which will
most likely be used in the (D)TLS handshake between the client and the resource
server, see e.g.
https://tools.ietf.org/html/draft-gerdes-ace-dtls-authorize-01.

However, if the token were not a PoP token, then it could make sense. Do
you foresee such use cases where it would be useful?

One thing that I did not mention in my earlier email, which could be a
possible path forward, would be to merge this draft into the mTLS one.

//Samuel


On Sat, May 13, 2017 at 11:58 AM, Torsten Lodderstedt <
torsten@lodderstedt.net> wrote:

> Hi Samuel,
>
> as far as I understand your draft, it utilizes results of the (D)TLS
> client authentication for authentication towards the token endpoint,
> similar to https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html. Do
> you intend to also utilize the binding of the access token to a certain key
> pair as described in draft-ietf-oauth-mtls?
>
> best regards,
> Torsten.
>
> Am 12.05.2017 um 10:03 schrieb Samuel Erdtman <samuel@erdtman.se>:
>
> Hi ACE and OAuth WGs,
>
> Ludwig and I submitted a new draft yesterday defining how to use Raw
> Public Keys and Pre-Shared Keys with (D)TLS as OAuth client credentials,
> https://datatracker.ietf.org/doc/draft-erdtman-ace-rpcc/.
>
> We think this is valuable to the ACE work since the ACE framework is based
> on OAuth, but the client credentials defined in the OAuth framework are not
> the best match for embedded devices.
>
> We think Raw Public Keys and Pre-Shared Keys are more suitable credentials
> for embedded devices for the following reasons:
> * Better security by binding to the transport layer.
> * If PSK DTLS is to be used, a key needs to be distributed anyway, so why
> not make use of it as a credential?
> * Client ID and client secret accommodate manual input by humans. This
> does not scale well and requires some form of input device.
> * Some/many devices will have crypto hardware that can protect key
> material; not to use that possibility would be a waste.
> * There are probably more reasons; these were just the ones on top of my
> head.
>
> This is not the first recent initiative to create new client credential
> types; the OAuth WG adopted a similar draft for certificate-based client
> credentials (https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html).
> That work is also valuable to ACE, but not all devices will be able to work
> with certificates or even asymmetric crypto.
>
> Please review and comment.
>
> Cheers
> //Samuel
>
>
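The exchange Torsten and Samuel are discussing above, sketched as an added illustration in Python: the raw public key that the (D)TLS stack authenticated serves as the client credential at the token endpoint, and the issued token carries a proof-of-possession binding to that same key, so the resource server can compare it with the key used in its own handshake. This is not code from draft-erdtman-ace-rpcc, from the mTLS draft, or from either author. It assumes an RFC 7638 JWK thumbprint as the client identifier, an RFC 7800 `cnf` claim for the binding, an HS256-signed JWT over a constructed AS/RS shared key in place of the CWT/COSE tokens ACE would normally use, and placeholder key coordinates rather than real curve points; the handshake itself is represented by the peer's public key being handed in as a parameter.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, in lexicographic
    order, no whitespace. Used here as the RPK-derived client identifier (assumption)."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "oct": ("k", "kty")}
    members = {m: jwk[m] for m in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True).encode()
    return b64url(hashlib.sha256(canonical).digest())


def hs256_sign(claims: dict, key: bytes) -> str:
    """Compact JWS with HS256; AS and RS share `key` (constructed, stands in for CWT/COSE)."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


def hs256_verify(token: str, key: bytes):
    """Return the claims if the MAC verifies and the header really says HS256, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse alg confusion / "none"
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(expected), sig):
            return None
        return json.loads(b64url_decode(payload))
    except (ValueError, AttributeError, TypeError):
        return None


def constructed_rpk(label: str) -> dict:
    """A 'P-256' raw public key as a JWK; coordinates are constructed placeholders, not a real point."""
    x = hashlib.sha256(label.encode() + b"-x").digest()
    y = hashlib.sha256(label.encode() + b"-y").digest()
    return {"kty": "EC", "crv": "P-256", "x": b64url(x), "y": b64url(y)}


class AuthorizationServer:
    def __init__(self, rs_key: bytes):
        self.rs_key = rs_key
        self.clients = {}  # RPK thumbprint -> scopes the client may request

    def register(self, rpk: dict, scopes) -> None:
        self.clients[jwk_thumbprint(rpk)] = set(scopes)

    def token_endpoint(self, handshake_peer_rpk: dict, scope: str):
        """The RPK the (D)TLS stack authenticated is the client credential;
        there is no client_id/client_secret in the request body."""
        thumbprint = jwk_thumbprint(handshake_peer_rpk)
        if thumbprint not in self.clients or scope not in self.clients[thumbprint]:
            return None  # invalid_client / invalid_scope
        claims = {
            "iss": "as.example", "aud": "rs.example", "scope": scope,
            # PoP binding (RFC 7800 cnf): the token is only usable together with this key
            "cnf": {"jwk": handshake_peer_rpk},
        }
        return hs256_sign(claims, self.rs_key)


class ResourceServer:
    def __init__(self, as_key: bytes):
        self.as_key = as_key

    def authorize(self, token: str, handshake_peer_rpk: dict, needed_scope: str) -> bool:
        claims = hs256_verify(token, self.as_key)
        if claims is None or claims.get("aud") != "rs.example":
            return False
        bound = claims.get("cnf", {}).get("jwk")
        if bound is None:
            return False  # bearer token where a PoP token is required
        # The key that authenticated this (D)TLS session must be the key the AS bound
        # the token to; a leaked token replayed over another session fails here.
        if not hmac.compare_digest(jwk_thumbprint(bound), jwk_thumbprint(handshake_peer_rpk)):
            return False
        return needed_scope in claims["scope"].split()


def demo():
    shared = hashlib.sha256(b"constructed AS<->RS key").digest()
    as_, rs = AuthorizationServer(shared), ResourceServer(shared)
    device, attacker = constructed_rpk("device-42"), constructed_rpk("attacker")
    as_.register(device, ["temperature:read"])
    token = as_.token_endpoint(device, "temperature:read")
    legit = rs.authorize(token, device, "temperature:read")       # True
    replayed = rs.authorize(token, attacker, "temperature:read")  # False: other handshake key
    unknown = as_.token_endpoint(attacker, "temperature:read")    # None: RPK not registered
    return legit, replayed, unknown


if __name__ == "__main__":
    print(demo())
```

The second `authorize` call is the point of the PoP binding Torsten asks about: an attacker who obtains the token but not the device's private key cannot complete a (D)TLS handshake with the device's RPK, so the thumbprint comparison fails and the token is useless to them. Without the `cnf` claim the resource server would have to treat the token as a bearer token, which is the case Samuel notes would only make sense if the token were not a PoP token.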