[Ace] New OAuth client credentials RPK and PSK

Samuel Erdtman <samuel@erdtman.se> Fri, 12 May 2017 08:08 UTC

From: Samuel Erdtman <samuel@erdtman.se>
Date: Fri, 12 May 2017 10:03:28 +0200
Message-ID: <CAF2hCbZpWTCMg617dK7D+F+0w=hxrz4VNdsFZHPGM1rZy+K3TA@mail.gmail.com>
To: "<oauth@ietf.org>" <oauth@ietf.org>, ace <Ace@ietf.org>
Cc: Ludwig Seitz <ludwig.seitz@ri.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/aFktuOskOv7fmMoon7grCGt307A>

Hi ACE and OAuth WGs,

Ludwig and I submitted a new draft yesterday defining how to use Raw Public
Key and Pre-Shared Key with (D)TLS as OAuth client credentials,
https://datatracker.ietf.org/doc/draft-erdtman-ace-rpcc/.

We think this is valuable to the ACE work since the ACE framework is based
on OAuth, but client credentials as defined in the OAuth framework are not
the best match for embedded devices.

We think Raw Public Keys and Pre-Shared Keys are more suitable credentials
for embedded devices for the following reasons:
* Better security by binding to the transport layer.
* If PSK DTLS is to be used, a key needs to be distributed anyway, so why not
make use of it as a credential.
* Client id and client secret accommodate manual input by humans.
This does not scale well and requires some form of input device.
* Some/many devices will have crypto hardware that can protect key
material; not to use that possibility would be a waste.
* There are probably more reasons; these were just the ones on top of my head.

This is not the first recent initiative to create new client credential
types; the OAuth WG adopted a similar draft for certificate-based client
credentials (https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html).
That work is also valuable to ACE, but not all devices will be able to work
with certificates or even asymmetric cryptography.

Please review and comment.

Cheers
//Samuel