Re: [Ace] Keeping the same key identifier for groups

Ludwig Seitz <ludwig.seitz@ri.se> Tue, 20 August 2019 10:53 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/cV7agNPIr5QPEINd_srFPXF1PTg>
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>

On 20/08/2019 11:18, Peter van der Stok wrote:
> Example: If you have a CWT authorizing A for audience Z and you now also 
> need authorization B for audience Z, you should request a CWT for A+B 
> for audience Z, that replaces your previous one.
> 
> Do I understand?
> Two possibilities:
> A and B are members of audience Z; no new CWT needed
> B is a new member of audience Z; then audience Z becomes audience 
> Z-prime and a new CWT seems reasonable.
> 
> Peter

No Peter,

sorry for being unclear. In my example A and B were permissions. Let me 
clarify:

You have a CWT authorizing to "read" (that's my A) traffic in group Z, 
now you also want authorization to "write" messages to group Z (that's 
my B). What I'm saying is you should get a new CWT that says "read+write 
on Z" (and not a separate one that says "write on Z" to combine with the 
first one "read on Z").

/Ludwig


-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
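The "replace, don't combine" rule from the reply above, as an added example that is not code from the thread, the ACE drafts or the author: a resource server keeps at most one token per client for its audience, so a later "read+write on Z" token supersedes the earlier "read on Z" one and an access check only ever consults that single current token. The CWT is modelled as a plain dict of the ACE `aud` and `scope` claims; the `+`-joined scope strings, the `ResourceServer` class and the `client1` identifier are constructed for illustration (no CBOR, signature or expiry handling).

```python
from dataclasses import dataclass, field


@dataclass
class ResourceServer:
    """Resource server for one audience; stores one token per client."""
    audience: str
    # assumption: key = client identifier, value = claims of the current token
    tokens: dict = field(default_factory=dict)

    def receive_token(self, client: str, cwt: dict) -> bool:
        """Accept a token for this audience; a newer token replaces the
        client's previous token rather than being merged with it."""
        if cwt.get("aud") != self.audience:
            return False  # issued for another audience: not stored
        self.tokens[client] = cwt
        return True

    def permitted(self, client: str, permission: str) -> bool:
        """Decide purely from the single current token of the client."""
        cwt = self.tokens.get(client)
        if cwt is None:
            return False
        granted = set(cwt["scope"].split("+"))  # constructed scope format
        return permission in granted


def demo() -> dict:
    rs = ResourceServer(audience="Z")
    # Constructed claims: the first token only grants "read" on Z.
    rs.receive_token("client1", {"aud": "Z", "scope": "read"})
    before = (rs.permitted("client1", "read"), rs.permitted("client1", "write"))
    # The replacement token grants "read+write" on Z, as the mail recommends.
    rs.receive_token("client1", {"aud": "Z", "scope": "read+write"})
    after = (rs.permitted("client1", "read"), rs.permitted("client1", "write"))
    # A token for a different audience is rejected and leaves the store untouched.
    rejected = rs.receive_token("client1", {"aud": "Y", "scope": "write"})
    return {"before": before, "after": after,
            "rejected": rejected, "stored": len(rs.tokens)}
```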