[Ace] Review of actors draft
Samuel Erdtman <samuel@erdtman.se> Thu, 22 October 2015 22:22 UTC
Return-Path: <samuel@erdtman.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC7E11B2E1B for <ace@ietfa.amsl.com>; Thu, 22 Oct 2015 15:22:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kw_Arh5dZh2T for <ace@ietfa.amsl.com>; Thu, 22 Oct 2015 15:22:47 -0700 (PDT)
Received: from mail-qk0-f172.google.com (mail-qk0-f172.google.com [209.85.220.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 945E01B2E0E for <Ace@ietf.org>; Thu, 22 Oct 2015 15:22:46 -0700 (PDT)
Received: by qkcy65 with SMTP id y65so60513713qkc.0 for <Ace@ietf.org>; Thu, 22 Oct 2015 15:22:45 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=JtEaQ02coFPjXMHgENHkKL0gxCM7r6nMS+WSJT77QFA=; b=TbTOoVCNYS6NUjogHI+2dOgOI1CEDYKctJQEK57PG1k8WDcEpciugAqm2OXYUEp1vW lOszZHnQogSL9QXqL1z1O6+X5qpeNvzUXw87WQfhYeFz3N9AYF6IxMArc5b/mWJDjv5u jPVl4SVe8W1QlxmxODpZ+40IjKh4ouLcoUwMZ/2jZixN5JYZXEKoaJPoDFBjMKPhECRH 52clbSsMQhw7fQC9T7BiBo6HQ/ZrBkYa2rWlhhmNhaWE2boF85Uqvh0chhyHZX4RfkMr 1dp4wkTq2JZrKLXkAEvdGLBmd6N5r2iCi6WAhYmGER8RSQT66T/ehHKHgLMJWjQziIJ3 GC4Q==
X-Gm-Message-State: ALoCoQlhGf1FCNn3a1/sK5wFJQNHI2xroXM7PBpKwz9ADZHWGvJjBF0pqc9VzLh0XYaIlld7ggW/
MIME-Version: 1.0
X-Received: by 10.55.207.134 with SMTP id v6mr21680451qkl.53.1445552565584; Thu, 22 Oct 2015 15:22:45 -0700 (PDT)
Received: by 10.55.181.69 with HTTP; Thu, 22 Oct 2015 15:22:45 -0700 (PDT)
Date: Fri, 23 Oct 2015 00:22:45 +0200
Message-ID: <CAF2hCbYL1hNnENQcQHaMEFtsgqQjkVjgOJTqY5V+TKW4FkUn0g@mail.gmail.com>
From: Samuel Erdtman <samuel@erdtman.se>
To: Ace@ietf.org
Content-Type: multipart/alternative; boundary="001a1145b8be2d1e3f0522b8ef7b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ace/_WgXrcum4-r2ANbdWQLGcN5OG-A>
Subject: [Ace] Review of actors draft
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2015 22:22:52 -0000
Hi, Review is based on https://tools.ietf.org/html/draft-ietf-ace-actors-01 I absolutely do not want to be rude but the actors draft contributed more to my confusion then to my understanding. This might be a lack in me but IMHO the document needs to be reworked before becoming useful, sorry for saying it. It might be better to spend the energy on the solution drafts instead of reworking this into a useful state. == General comments The text is written with lots of parantheses, IMHO that makes the text harder to read. I don’t like the we-statements, this is of cource a subjective opinion but i prefer specifications to be written in a more neutral form. The text feels quite academic and unnecessarily complex, from my point of view readably is very important I some times had to read paragraphs several times to get what they meant (this could of cource once again just be me, english is not my native language but I usually get things) This might be do to my lack of understanding but I cannot se the point with CAS I think it adds unnecessary complexity without any added value. Could I get a practical example, I can easily envision the AS being a server managing policies and access rules on who can access what and lists of resources but I have a hard time getting a picture of a CAS. With CAS it is hard to see how RS and C gets a common point of trust, I am therefor is in favour of just AS that serves both C and RS. I think that what is included in CAS should be split up into AS and C. I think that by taking things from AS and C and putting it into CAS the description of things become complicated and it is hard to understand how things are connected. The constrained device limitations are mentioned again and again in the document but seldom with specific connection to the problem e.g is never says to limit code since one should use this technology, it is alway these are the constrains and then comes the list (processing power, memory, non-volatile storage, etc) and after that a choice but seldom or never a direct connection. for an example look at “6. Kinds of Protocols” >From here on comes a list of comments on small and large things in the text, As mentioned previously I don’t think the document is ready to be taken to RFC level and that is visible in the amount of comments. Many of the comments are questions as a result of the text being hard to read for me. 1. Introduction I think the section is to long and with sections that is a bit to general. “Without appropriate security mechanisms attackers might gain control over things relevant to our lives.” What is ment by “relevant to out lives”? will it hurt us physical? will it be problematic integrity wise? It is nuclear to me what is meant hear. My first interpretation was that it was privacy that was the problem but when I read it again I was not so sure. “(for example, it may be sufficient to authenticate the age of an actor, so no identifier is needed or even desired)” This example does not feel very IoT connected, I would rather have an example that authenticates the user as an employee of a company but not the specific person. “Moreover, several use cases illustrate the need for fine-grained access control policies, for which for instance a basic access control list concept may not be sufficiently powerful.” What use cases? I guess it refers to the use case document, if so a reference two it would be appreciated 1.1. Terminology “Client (C): An entity which attempts to access a resource on an RS.” change to “Client (C): An entity which attempts to access a resource on a RS.” “Authorization Server (AS): An entity that prepares and endorses authentication and authorization data for a Resource Server.” “Client Authorization Server (CAS): An entity that prepares and endorses authentication and authorization data for a Client.” I might be stupid but I don’t get the description, maybe a few more words could make it clearer. “Authenticated Authorization: A synthesis of mechanisms for authentication and authorization.” Once again i don’t get it, why is this term needed here? could it be explained a bit more. “Note that other authorization architectures such as OAuth [RFC6749] or UMA [I-D.hardjono-oauth-umacore] focus on the authorization problems on the RS side, in particular what accesses to resources the RS is to allow. In this document the term authorization includes this aspect, but is also used for the client-side aspect of authorization, i.e., more generally to describe allowed interactions with other endpoints.” I agree that UMA and OAuth2 focuses on the authoriztion of the client to access a resource at RS but they do not leave client to chance, in the original context of OAuth2 and UMA the endpoints are more powerful and the authentication of the server is offloaded to TLS and the CA list of the involved clients. In UMA and OAuth2 the client will not accept a RS if it does not trust its certificate. I agree that we in this environment need to give the client more help on this part but I think this statement is a bit simplified. 2. Architecture and High-level Problem Statement Absolutely not necessary but it looks better and is usually good to have a section introduction. 2.1. Elements of an Architecture “The following setting is assumed:” How does these release to the whole chapter “8. Assumptions and Requirements”, there is no referens to it from here, I prefer the text from this section. “To reuse OAuth and UMA terminology, the present document calls C's controlling principal the Requesting Party (RqP), and calls RS's controlling principal the Resource Owner (RO).” It might be correct that the RqP takes authorisation decisions for the client but it feels quite contra intuitively so some more explanation of it would be appreciated. 2.3. Information flows This section show that to allow initiation of communication from either of the two endpoint they would need to both act as RS and C. with the section title I expected more details on each arrow. I also feel that what is in the section is a bit abundant as it is now, it mostly complicates things that can be implicitly understod I have not seen the HTTP specification saying that if the server would like to communicate with the client the client also needs to deploy a server. 2.4. Problem statement “The interaction between potentially constrained endpoints is controlled by control information provided by less-constrained nodes on behalf of the principals of the endpoints.” Is this really a problem? To me this sounds more like a solution “control information” new concept, is it the same as authorization information? should it maybe be mentioned in the terminology list. 3. Security Objectives “Misconfigured or wrongly designed authorization solutions can result in availability breaches: Users might no longer be able to use data and services as they are supposed to.” I guess this refers to a denial of service (DOS) attack, maybe that could be mentioned, it would very quickly put it in a security context by just mentioning the word. “if RqP requires the integrity of representations of a resource R that RS is hosting, both C and RS need to partake in integrity-protecting the transmitted data.” Why does C need to participate? is it because it validates the returned R from RS before presenting it to RqP? if thats it I’m okay with that but one again could be clearer. “Moreover, RS needs to protect any write access to this resource as well as to relevant other resources (such as configuration information, firmware update resources) to prevent unauthorized users from manipulating R.” What is this sentens trying to say? Is it referring to physical tampering? or is it again the integrity and confidentiality of the data returned and/or received? Or is it that RS needs to verify all wire access, i.e. incoming data? 3.1. End-to-End Security Objectives “Note that there may also be cases of intermediary nodes that very much partake in the security objectives to be achieved.” It is a bit unclear what these cases may be, is that intentional? or did you not find any? “What is the endpoint to which communication needs end-to-end protection is defined by the use case.“ What use case? a general use case or one from the use case document or a potential use case? 4. Authentication and Authorization This whole section is very unspecific and adds very little to the IoT setting it mostly speaks of Authentication and Authorisation in general terms so it could probably be shortened to a third without losing much valuable information for the context. 5. Actors and their Tasks “This section provides a more detailed description of the various "actors" in the architecture” Why is actors within quotation marks? is it not really actors in the architecture? if not what is it then? “the logical functional entities performing the tasks required” The tasks required for what? secure communication? authorisation? something else? 5.1. Constrained Level Actors “Validate that an entity is an authorized server for R.” Does this mean that C validates the identity of RS or that it validates the integrity of a response form RS i.e. R? “For simplicity of exposition, these resources are described as if they had separate RS.” What does this relate to I see no further descriptions that this is relevant for so I would just skip this sentence. 5.2. Principal Level Actors I think there need to bee more motivation for why and how RqP decides on the communication security required between C and RS. In practice RpQ will not take any decisions it will be based on the system setup in the same way as you don’t look at all your TLS handshakes when you surf the web then you just accept that the browser comes bundled with a set of good CAs. In this setting it will probably have be a more dynamic setup where AS will inform C how to communicate with RS instead of as on the web there is one size fits all, TLS. 5.3. Less-Constrained Level Actors I think this section becomes problematic since I don’t think CAS adds value just complexity 7.1. Authorization “AS needs to transfer authorization information to RS and CAS needs to transfer authorization information to C.” And how does CAS and AS relate to each other so that the authorisation information transfered to RS and C is compatible? Once again I thin CAS adds more complexity then value. 7.4. Cryptographic Keys Does this section at all belong in this draft 7.4. Cryptographic Keys Symmetric vs Asymmetric Keys feels half done, with the unanswerd question and the headline is like a question but with no answer 7.4. Cryptographic Keys - Key Establishment I like the reference to the use case document, that is missing in the rest of the document 8.1. Architecture Architecture is defined again? is that really necessary? 8.2. Constrained Devices “All devices under consideration can process symmetric cryptography without incurring an excessive performance penalty.” Then there is two bullets that AES is used and for super constrained devices SHA256, that is two completely different things, that does not solve the same problem further one could agree that for super constrained devices we can only do integrity protection and the use a MAC algorithm i.e. not SHA256 but HMAC with SHA256. 8.7. Resource Access “Resources are accessed in a RESTful manner using GET, PUT, POST, DELETE.” Feels like a technology choice that maybe should not be done in this document, I think it unnecessarily limits where the architecture could be used. “By default, the response to a request needs to be integrity protected and encrypted end-to-end from RS to C. It needs to be possible for C to detect a replayed response.” Encryption does not necessarily provide integrity protection 8.8. Keys and Cipher Suites Here comes a new concept authorization manager, do we need it? if yes mate we should have it in the terminology section. Best Regard Samuel Erdtman
- [Ace] Review of actors draft Samuel Erdtman