Re: [Ace] Martin Duke's No Objection on draft-ietf-ace-oscore-profile-17: (with COMMENT)

Göran Selander <goran.selander@ericsson.com> Wed, 24 March 2021 13:08 UTC

From: Göran Selander <goran.selander@ericsson.com>
To: Benjamin Kaduk <kaduk@mit.edu>, Martin Duke <martin.h.duke@gmail.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-ace-oscore-profile@ietf.org" <draft-ietf-ace-oscore-profile@ietf.org>, "ace-chairs@ietf.org" <ace-chairs@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Date: Wed, 24 Mar 2021 13:08:33 +0000
Message-ID: <93828364-8F7B-4402-AB3C-D1928DF33D05@ericsson.com>
References: <161619357138.21782.3555422752704211953@ietfa.amsl.com> <20210321052640.GQ79563@kduck.mit.edu>
In-Reply-To: <20210321052640.GQ79563@kduck.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/bBDTGy6HLaJDPA2jg-mH5kHlAMA>

Hello Martin, 

Thanks for the review. Please see proposed updates below.

On 2021-03-21, 06:27, "Benjamin Kaduk" <kaduk@mit.edu> wrote:

    On Fri, Mar 19, 2021 at 03:39:31PM -0700, Martin Duke via Datatracker wrote:
    > Martin Duke has entered the following ballot position for
    > draft-ietf-ace-oscore-profile-17: No Objection
    > 
    > When responding, please keep the subject line intact and reply to all
    > email addresses included in the To and CC lines. (Feel free to cut this
    > introductory paragraph, however.)
    > 
    > 
    > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
    > for more information about IESG DISCUSS and COMMENT positions.
    > 
    > 
    > The document, along with other ballot positions, can be found here:
    > https://datatracker.ietf.org/doc/draft-ietf-ace-oscore-profile/
    > 
    > 
    > 
    > ----------------------------------------------------------------------
    > COMMENT:
    > ----------------------------------------------------------------------
    > 
    > Sec 4.1. I don't understand how the OSCORE security context is secure. In Sec
    > 4.1 it says the C-RS communications need not be protected. But the context is
    > fully derived from parameters that go back and forth over this channel. Why
    > can't an observer simply compute the OSCORE keys?

    The POST to the authz-info endpoint includes just the access_token, nonce1,
    and ace_client_recipientid.  I think that your concerns focus on the
    access_token itself, since that is how the various OSCORE security context
    parameters are conveyed from AS to RS (via C).  Note that these parameters
    need not be conveyed directly in the token, since the token could be an
    opaque reference that requires the RS to use token introspection in order
    to retrieve the associated parameters.  However, when introspection is not
    used, the security context parameters are indeed carried directly in the
    token, and this scheme does not provide security in that case unless the
    token contents themselves are protected.

    It seems (on a quick check, so I might have missed it) that we don't
    actually say "you have to use an encrypted or opaque token" (not one that's
    only signed) anywhere.  So ... good catch, and thank you!

[GS] 

The ACE framework (draft-ietf-ace-oauth-authz-38) mandates integrity protection of the access token and, in case it contains a symmetric key, encryption:

6.1.   Protecting Tokens

  "If the access token contains the
   symmetric key, this symmetric key MUST be encrypted by the
   authorization server so that only the resource server can decrypt it."

In oscore-profile, the access token is recommended to be a CWT, which is a COSE object, but the requirement to encrypt in case the access token contains the OSCORE master secret should of course be explicitly stated. Here is a proposed change:

Section 3.2 

OLD
"This profile RECOMMENDS the use of CBOR web token (CWT) as specified in [RFC8392]."

NEW
"The OSCORE master secret MUST be encrypted by the authorization server so that only the resource server can decrypt it (see Section 6.1. of [I-D.ietf-ace-oauth-authz]). This profile RECOMMENDS the use of CBOR web token (CWT) protected with COSE_Encrypt/COSE_Encrypt0 as specified in [RFC8392]."

Does this address the comment?

Thanks
Göran
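As an added illustration of the point in this exchange (example code, not from the draft and not written by anyone in this thread): a Go sketch of why an access token that is only signed or MACed exposes the OSCORE master secret to an observer of the unprotected C-to-RS hop, while a token encrypted to the RS does not. It assumes JSON in place of CBOR/CWT, HMAC-SHA256 in place of a COSE signature, AES-256-GCM in place of COSE_Encrypt0, and constructed keys and claim values; the names sampleClaims, signOnlyToken, encryptedToken, newGCM and observerReads are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// OSCOREInputMaterial is a simplified stand-in for the OSCORE_Input_Material the profile
// carries in the token's cnf claim. The real token is a CWT (CBOR); JSON is used for readability.
type OSCOREInputMaterial struct {
	ID           []byte `json:"id"`
	MasterSecret []byte `json:"ms"`
	MasterSalt   []byte `json:"salt"`
}

// Claims is the (simplified) access token payload issued by the AS for the RS.
type Claims struct {
	Audience string              `json:"aud"`
	Cnf      OSCOREInputMaterial `json:"cnf"`
}

// Constructed AS/RS shared keys (not values from the draft).
var (
	macKey = []byte("constructed-as-rs-mac-key")
	encKey = []byte("constructed-as-rs-aes256-key-32b") // 32 bytes selects AES-256
)

// sampleClaims returns constructed token contents for the example.
func sampleClaims() Claims {
	return Claims{Audience: "tempSensor", Cnf: OSCOREInputMaterial{
		ID: []byte{0x01}, MasterSecret: []byte("constructed-16B!"), MasterSalt: []byte("salt1234"),
	}}
}

// signOnlyToken is integrity-protected but not confidential: HMAC-SHA256 over the
// cleartext claims, a stand-in for a CWT that is signed or MACed but not encrypted.
func signOnlyToken(c Claims, key []byte) ([]byte, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	return append(payload, mac.Sum(nil)...), nil
}

// newGCM builds the AEAD both the AS (seal) and the RS (open) use.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptedToken seals the claims with AES-256-GCM under the AS/RS key, a stand-in for
// a CWT protected with COSE_Encrypt0. Wire format: nonce || ciphertext || tag.
func encryptedToken(c Claims, key []byte) ([]byte, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, payload, nil)...), nil
}

// observerReads models a passive observer of the unprotected C->RS hop (the POST to
// /authz-info). It holds no keys and simply tries to read the claims off the wire.
func observerReads(token []byte) (OSCOREInputMaterial, bool) {
	var c Claims
	// Signed/MACed-only: cleartext followed by a 32-byte tag, so skipping the tag suffices.
	if len(token) > sha256.Size && json.Unmarshal(token[:len(token)-sha256.Size], &c) == nil {
		return c.Cnf, true
	}
	return OSCOREInputMaterial{}, false // encrypted: nothing parseable, nothing learned
}

func main() {
	c := sampleClaims()
	signed, _ := signOnlyToken(c, macKey)
	m, ok := observerReads(signed)
	fmt.Printf("signed-only token: observer reads master secret? %v (%q)\n", ok, m.MasterSecret)
	enc, _ := encryptedToken(c, encKey)
	_, ok = observerReads(enc)
	fmt.Println("encrypted token: observer reads master secret?", ok)
}
```

Running it prints true for the signed-only token and false for the encrypted one; an RS holding encKey opens the encrypted token with the same AEAD and gets the claims back. Because the Master Salt and the identifiers also travel without confidentiality protection, an observer who can read the Master Secret has every input the OSCORE key derivation needs, which is why the proposed Section 3.2 text requires encryption of the master secret rather than integrity protection alone.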