Re: [Ace] AD review of draft-ietf-ace-dtls-authorize-09
Olaf Bergmann <bergmann@tzi.org> Tue, 30 June 2020 10:19 UTC
Return-Path: <bergmann@tzi.org>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7F503A1175; Tue, 30 Jun 2020 03:19:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O1gmAY8sOng3; Tue, 30 Jun 2020 03:19:44 -0700 (PDT)
Received: from gabriel-vm-2.zfn.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE0A73A1176; Tue, 30 Jun 2020 03:19:43 -0700 (PDT)
Received: from wangari.tzi.org (p54bded4c.dip0.t-ipconnect.de [84.189.237.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-vm-2.zfn.uni-bremen.de (Postfix) with ESMTPSA id 49x0hs69W7zyXR; Tue, 30 Jun 2020 12:19:41 +0200 (CEST)
From: Olaf Bergmann <bergmann@tzi.org>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: draft-ietf-ace-dtls-authorize.all@ietf.org, ace@ietf.org
References: <20200102234020.GI35479@kduck.mit.edu> <87pnca9gyx.fsf@wangari> <20200429011210.GC27494@kduck.mit.edu> <87mu6bn6zy.fsf@wangari> <20200527234227.GD58497@kduck.mit.edu> <87r1uczgyq.fsf@wangari> <20200629224537.GX58278@kduck.mit.edu>
Date: Tue, 30 Jun 2020 12:19:41 +0200
In-Reply-To: <20200629224537.GX58278@kduck.mit.edu> (Benjamin Kaduk's message of "Mon, 29 Jun 2020 15:45:37 -0700")
Message-ID: <87mu4konya.fsf@wangari>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/WN8ECPr3qPxdoiGN_nPiPwM5gQE>
Subject: Re: [Ace] AD review of draft-ietf-ace-dtls-authorize-09
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2020 10:19:48 -0000
Hi Ben, Thank you for the quick followup and another set of very useful comments. I have created a working copy with updates as listed inline. If you want me to, I can submit these as -12. Benjamin Kaduk <kaduk@mit.edu> writes: > Hi Olaf, > > Thanks for the updated -11! > Some minor replies below, though in general the proposals look good. > > On Thu, Jun 18, 2020 at 02:38:32PM +0200, Olaf Bergmann wrote: >> Hi Benjamin, >> >> Benjamin Kaduk <kaduk@mit.edu> writes: >> >> > Thanks! I think we will probably need an -11 fairly soon, though, given >> > the remaining comments I have. >> >> We have just submitted -11 that addresses your comments. See below for >> detailed responses. I have trimmed-down the email thread context a bit >> to improved readability and focus on the recent comments. >> >> > A couple general remarks looking at the -09-to-10 diff (not all new in >> > the -10, so I guess I missed it the first time around): >> > >> > In Section 3.2.1, I suggest applying: >> > >> > OLD: >> > [...] If CBOR web tokens [RFC8392] are used as recommended in >> > [I-D.ietf-ace-oauth-authz] [...] >> > >> > NEW: >> > [...] If CBOR web tokens [RFC8392] are used (as recommended in >> > [I-D.ietf-ace-oauth-authz]) [...] >> > >> > Making this a parenthetical statement makes it clear that the >> > conditional for "keys MUST be encoded" is "CWT are used" and separate >> > from the recommendation to do so. >> >> Done >> >> > Also in 3.2.1, we now have these two statements in fairly close >> > proximity: >> > >> > [RFC8747]. The resource server MUST use its own raw public key in >> > the DTLS handshake with the client. If the resource server has >> > several raw public keys, it must already know which key it is >> > supposed to use with this client. How this is achieved is not part >> > of this profile. >> > >> > The resource server MUST use the keying material that the >> > authorizations server has specified in the "cnf" parameter in the >> > access token for the DTLS handshake with the client. Thus, the >> > >> > which seems a bit redundant and potentially in conflict. Can we >> > consolidate this requirement a bit? >> >> Yes, the wording is a bit confusing. The following proposal states >> the intention more clearly, I think: >> >> NEW: >> >> The raw public key used in the DTLS handshake with the client MUST >> belong to the resource server. If the resource server has several > > (Someone might complain that this first sentence is tautological, but I > think we should leave it for now.) Okay. >> OLD: >> If a resource server receives a ClientKeyExchange message that >> contains a `psk_identity` with a length greater than zero, it MUST >> process the contents of the `psk_identity` field as access token >> that is stored with the authorization information endpoint, before >> continuing the DTLS handshake. If the contents of the >> `psk_identity` do not yield a valid access token for the requesting >> client, the resource server aborts the DTLS handshake with an >> `illegal_parameter` alert. >> >> NEW: >> >> If a resource server receives a ClientKeyExchange message that >> contains a `psk_identity` with a length greater than zero, it MUST >> parse the contents of the `psk_identity` field as CBOR data >> structure and process the contents as following: >> >> * If the data contains a `cnf` field with a `COSE_Key` structure >> with a `kid`, the resource server continues the DTLS handshake >> with the stored key associated with this kid. > > Maybe "corresponding" or "associated" stored key, since there is not > necessarily a unique kid/key relationship? Hm, I was hoping that this is sufficiently expressed by "the stored key associated with this kid". My assumption is that we have a mapping from kids to keys where a kid is mapped to at most one key. (Usually, this would be a bijection but there might be cases where a kid is known and the key is not yet known or has expired. How about this: OLD: continues the DTLS handshake with the stored key associated with this kid. NEW: continues the DTLS handshake with the associated key that corresponds to this kid. >> * If the data comprises additional CWT information, this >> information must be stored as access token for this DTLS > > nit: "as an" Fixed, thanks! >> >> > I think we need to give some guidance about what the semantics are if/when >> >> > it happens. My inclination would be to say that DTLS resumption can be >> >> > used to amortize the cost of a handshake, but DTLS 1.2 resumption does not >> >> > provide forward secrecy and also does not provide an opportunity for the >> >> > client to prove possession of the PoP key, so servers will want to >> >> > periodically force a full handshake according to their authentication >> >> > requirements. I'd also be inclined to forbid renegotiation entirely. >> >> >> >> True, especially because RFC 7925 requires resumption to be >> >> implemented. The security considerations now advise against session >> >> resumptions and renegotiation as you have suggested. The Security >> >> Considerations section now has been structured in sub-sections for >> >> clarity. >> > >> > The discussion in the -10 is reasonable (and the stated motivation of >> > having a fresh proof of possession is fairly compelling), though to be >> > clear, my initial "inclination" above was just to forbid renegotiation >> > but allow resumption. >> >> Sorry, I had misinterpreted that. Actually, I am not entirely >> convinced by the "fresh PoP" argument anymore. When the access token >> made its way to the server through the client, there is no significant >> difference between keeping the DTLS session open and session >> resumption. Additional security against breaching the encryption of >> the (encrypted part of the) access token would be provided only by token >> introspection. But in that case, session resumption again would not >> harm security as we do not need to store precious information in the >> session ticket. >> >> Are you in favor of allowing session resumption? > > I think it would be safe to allow resumption, but I personally am > indifferent about whether or not we should do so. Okay. Currently, the section has a discussion that concludes in a NOT RECOMMENDED. If someone argues for generally allowing session resumption we would not have to do much more than just removing that conclusion. >> >> > Up in Section 3.3 we talk about a case where the AS and RS are assumed to >> >> > share a key derivation key that's used to derive symmetric keys for the RS >> >> > to share with the client. The KDF input is the IKM and the 'info' (since >> >> > 'salt' is empty), and the IKM is just that same "key derivation key". So >> >> > the only input to HKDF that changes for different clients (and the same RS) >> >> > is the 'info'. The 'info', in turn contains a string constant 'type' plus >> >> > the 'kid' and (presumably fixed) output length. If I'm reading this >> >> > correctly, the 'kid' is the only HKDF input that varies between clients, so >> >> > if the 'kid' was reused for different clients, the AS and RS would derive >> >> > the same symmetric key for those distinct client/RS pairs. Furthermore, >> >> > since the AS returns the actual symmetric key to the client in the token >> >> > response, that means that the symmetric key is shared by *three* parties >> >> > (vs. just client and RS, ignoring in the count the AS which knows >> >> > everything). I guess technically this is not the scenario forbidden by the >> >> > core framework (which is to have the same symmetric key used at multiple >> >> > RSes, but it still is bad hygeine and would let one client impersonate the >> >> > other. >> >> > >> >> > In cases not using the KDF, the 'kid' is just a hint to finding the actual >> >> > key, and the actual key is assumed to be constructed uniquely by the AS >> >> > each time. >> >> >> >> Thank you, this is absolutely true. I have now changed the input for the >> >> key derivation mechanism in the sense of what originally has been >> >> specified in draft-gerdes-ace-dcaf-authorize, i.e., including the access >> >> token as input to the KDF. This enables the authorization server to >> >> include a certain amount of unifying attributes in the info parameter, >> >> esp. with a randomly generated kid and the iat claim. I would have loved >> >> to have a claim type for carrying a nonce in the access token… >> > >> > Hmm, we say that "access_token is the decrypted access_token as >> > transferred from the AS to the RS", but it's supposed to be a CBOR map; >> > is this intended to just be the claims set from the CWT? If so, we >> > should say that. >> >> I do not see the difference: The access token is comprised of a CWT >> claim set which is represented on the wire as a CBOR map. > > The Message of the CWT is a CBOR map, but the access token itself is not > just the Message, and "the decrypted access_token" is perhaps a bit > informal of language for what we wang. (I think I was a bit confused when > I wrote the original comment, though, as for JWT the structure is a bit > different and the Claims Set a much more distinct object.) Maybe this is a bit more specific without adding a more detailed explanation of how this is supposed to work below the bullet list: OLD: access_token is the decrypted access_token as transferred from the authorization server to the resource server. NEW: access_token is the decrypted content of the access_token field as transferred from the authorization server to the resource server. >> Unfortunately, this is not explained in draft-ietf-ace-oauth-params. >> >> To avoid confusion here, the following clarification has been added: >> >> NEW: >> >> The decrypted access token usually denotes a CWT claim set >> represented as CBOR map. > > Thanks. > >> >> As there is no guidance so far on how permission sets in access tokens >> >> are to be combined properly it seems to be wise at least to advise >> >> against. >> > >> > I agree that's the right advice to give; what is less clear to me is >> > whether this document needs to be the place to give that advice (vs. the >> > framework doing so). But I don't have a strong stance on this at the >> > moment, and am happy to move forward with the text as-is if you want. >> >> Okay, to avoid last-minute changes to the framework document I leave >> it as it is. >> >> >> >> > I think RFCs 7250, 7251, and 8422 need to be normative. >> >> >> >> >> >> done >> >> >> >> Actually, I had to revert this for the informational RFC 7251 as the >> >> idnits tool did not allow the downref from normative. >> > >> > idnits is just a tool to raise potential issues that a human can look >> > at and think about; in this case, idnits is wrong: 7251 is listed at >> > https://datatracker.ietf.org/doc/downref/ and is perfectly fine to use >> > as a normative reference. >> >> Oh, sorry, I was not aware of that. This now has been reverted. > > Thanks for all the updates! > > I did have just a few nits from looking at the diff from -09 to -11; we can > probably address those along with other IETF LC feedback (though fixing > them earlier is not discouraged). That sounds as if shipping -12 now would be okay :-) > Section 3.2 > > An example access token response from the authorization to the client > is depicted in Figure 4. Here, the contents of the "access_token" > > nit: s/authorization/authorization server/ Fixed, thanks! > Section 3.3 > > I guess if we want the AS and RS to get the same key-derivation output we > need to say that the encoding for 'L' is the minimum-length encoding Good point. As this is also true for the length encoding of the text string in the type field, I have added the following clarification: NEW: All CBOR data types are encoded in canonical CBOR as defined in Section 3.9 of {{RFC7049}}. This implies in particular that the `type` and `L` components use the minimum length encoding. (This unfortunately imposes additional restrictions on the access_token which would not be required for key derivation. But IIRC there has been some implicit agreement that the access_token should be encoded in canonical CBOR as well. > Section 7 > > valid access tokens. The protection of access tokens that are stored > in the authorization information endpoint depends on the keying > material that is used between the authorization server and the > resource server: The resource server must ensure that it processes > only access tokens that are encrypted and integrity-protected by an > authorization server that is authorized to provide access tokens for > the resource server. > > We may want to put "encrypted and" in parentheses, as we don't require the > use of encrypted CWTs. Done. However, the only situation where encryption is not a MUST is in case of key derivation. > Section 7.1 > > nit: s/renogiation/renegotiation/ Thanks. I had to read this word several times to spot the difference :-) Grüße Olaf
- [Ace] AD review of draft-ietf-ace-dtls-authorize-… Benjamin Kaduk
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Jim Schaad
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Olaf Bergmann
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Jim Schaad
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Olaf Bergmann
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Benjamin Kaduk
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Benjamin Kaduk
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Jim Schaad
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Jim Schaad
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Benjamin Kaduk
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Jim Schaad
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Olaf Bergmann
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Benjamin Kaduk
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Olaf Bergmann
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Olaf Bergmann
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Benjamin Kaduk
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Olaf Bergmann
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Benjamin Kaduk
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Olaf Bergmann
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Carsten Bormann
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Benjamin Kaduk
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Olaf Bergmann
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Carsten Bormann
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Olaf Bergmann
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Jim Schaad
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Benjamin Kaduk
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Olaf Bergmann
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Benjamin Kaduk
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Jim Schaad
- Re: [Ace] AD review of draft-ietf-ace-dtls-author… Olaf Bergmann