Re: [Ace] WGLC for draft-ietf-ace-aif

Marco Tiloca <marco.tiloca@ri.se> Wed, 17 February 2021 21:47 UTC

To: Carsten Bormann <cabo@tzi.org>
Cc: Olaf Bergmann <bergmann@tzi.org>, Ace Wg <ace@ietf.org>
References: <CADZyTknQ97R+vR-tDcA6ZqCVA5qT-PMmPF44DzhLFzHhj8BU2w@mail.gmail.com> <7f1b0180-6996-c5da-a915-83ea93f14837@ri.se> <6469350B-8D20-442E-AD79-6954D988F02F@tzi.org>
From: Marco Tiloca <marco.tiloca@ri.se>
Message-ID: <f32fbbc0-0b01-f9a5-872d-e79c49c9696f@ri.se>
Date: Wed, 17 Feb 2021 22:46:56 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
In-Reply-To: <6469350B-8D20-442E-AD79-6954D988F02F@tzi.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Vtu_PY6ZwSz36O41lsRe9B4aK_c>

Hi Carsten,

Thanks for the swift revision, it looks good!

On the open point:


On 2021-02-17 20:56, Carsten Bormann wrote:

~snip~

>> [Section 2]
>>
>> * I think it's worth mentioning examples of relevant "data structures" and "cryptographic armors". Especially thinking of the ACE framework, the capability list would be specified by the 'scope' of a protected Access Token.
> I couldn’t quite act on that.  Suggestions?

==>MT
It can be just fine to mention CWTs as "data structure" and default
choice for ACE, using COSE as "cryptographic armor".

Best,
/Marco
<==

>
>>    Can this actually be the case? At least for ACE, the AS is assumed to know the scopes that the RS supports [1]. I read this as intended to cover also the scope formats and data models used to express them. So, the AS would not issue a Token with a scope that the RS does not understand in the first place.
>>
>> [1] https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-37#appendix-D
> I didn’t discuss this, but added text to the security considerations — I believe implementations need to be able to cope with unexpected input, even if there is trust in an implementation that should not supply such.
>
>> * In Section 5.1, some fields from [4] are missing in the registrations.
> Yes, Alexey also pointed this out.
> (My standard technique is to copy the template from somewhere else, and that failed here :-)
>
>
> And re Olaf’s comments:
>
>> # 2. Information Model
>>
>>  "For the purposes of this specification, the underlying access
>>  control model will be that of an access matrix, which gives a set of
>>  permissions for each possible combination of a subject and an
>>  object. We do not concern the AIF format with the subject for which
>>  the AIF object is issued, focusing the AIF object [...]"
>>
>> Here, the different use of "object" might be confusing (first as one
>> dimension of the access matrix, then as "AIF object", i.e., the
>> serialization of permission+object; in the next paragraph it is again
>> the first meaning of object). Maybe this can be solved by
>> unfolding the abbreviation:
>>
>> "[...] We do not concern the AIF format with the subject for which
>>  the Authorization Information is issued, focusing the Authorization
>>  Information [...]"
> I found it simpler to just say “AIF data item”.
>
>> Also, "AIF format" would double as "Authorization Information Format
>> format". I would not bother, though.
> Indeed, “a foolish consistency…”
>
>> s/rfc5661/RFC5661/
> Only once I fixed this, idnits warned me that this is obsolete :-)
> Saying RFC8881 now.
>
>
> Thank you!
>
> I hope we can do another round before the I-D deadline.
>
> Grüße, Carsten
>

-- 
Marco Tiloca
Ph.D., Senior Researcher

RISE Research Institutes of Sweden
Division ICT
Isafjordsgatan 22 / Kistagången 16
SE-164 40 Kista (Sweden)

Phone: +46 (0)70 60 46 501
https://www.ri.se
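As an added illustration of the "cope with unexpected input" point raised above (this is not code from the thread, the draft, or its authors), here is how a resource server might evaluate a decoded AIF data item against a request. It assumes the array-of-[Toid, Tperm] layout with REST methods as bit positions (CoAP method code minus one), which is my recollection of the AIF draft and not something this thread spells out; the sample item and path names are constructed.

```python
"""Defensive evaluation of an AIF data item on a resource server.

Assumed layout (mine, not from the thread): an array of [Toid, Tperm]
pairs, Toid a text string naming a local resource path, Tperm an
unsigned bitmap with bit number = CoAP method code - 1 (GET -> bit 0).
"""

# Method name -> bit in Tperm (CoAP method code - 1).
METHOD_BIT = {"GET": 1 << 0, "POST": 1 << 1, "PUT": 1 << 2,
              "DELETE": 1 << 3, "FETCH": 1 << 4, "PATCH": 1 << 5,
              "iPATCH": 1 << 6}
KNOWN_BITS = sum(METHOD_BIT.values())


def validate_aif(item):
    """Return {toid: tperm} or raise ValueError on unexpected input."""
    if not isinstance(item, list):
        raise ValueError("AIF data item must be an array")
    matrix = {}
    for entry in item:
        if (not isinstance(entry, list) or len(entry) != 2
                or not isinstance(entry[0], str)
                or isinstance(entry[1], bool)
                or not isinstance(entry[1], int) or entry[1] < 0):
            raise ValueError(f"malformed AIF entry: {entry!r}")
        toid, tperm = entry
        if tperm & ~KNOWN_BITS:
            # A bit the RS does not know is not "harmless": refuse the
            # whole item instead of guessing what the AS meant.
            raise ValueError(f"unknown permission bits in {entry!r}")
        # Repeated Toids: take the union (access-matrix semantics; my
        # choice here, not something the thread specifies).
        matrix[toid] = matrix.get(toid, 0) | tperm
    return matrix


def is_authorized(item, method, path):
    """True only if the AIF item explicitly grants `method` on `path`."""
    try:
        matrix = validate_aif(item)
    except ValueError:
        return False  # unexpected input: fail closed, grant nothing
    bit = METHOD_BIT.get(method)
    return bit is not None and bool(matrix.get(path, 0) & bit)


# Constructed sample: GET+PUT on /s/temp, GET only on /a/led.
SAMPLE_AIF = [["/s/temp", METHOD_BIT["GET"] | METHOD_BIT["PUT"]],
              ["/a/led", METHOD_BIT["GET"]]]
```

A malformed or unrecognised scope yields a refusal rather than a guess, which is the behaviour the security considerations text asks implementations to have.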