Re: [Ace] Update of access rights

Francesca Palombini <francesca.palombini@ericsson.com> Tue, 05 May 2020 17:35 UTC

Hi Michael,

On 05/05/2020, 18:01, "Ace on behalf of Michael Richardson" <ace-bounces@ietf.org on behalf of mcr+ietf@sandelman.ca> wrote:


    Francesca Palombini <francesca.palombini=40ericsson.com@dmarc.ietf.org> wrote:
        > 7. Client wants to update its access rights: retrieves T2 from AS. Note
        > that this T2 has different authorization info, but does not contain
        > input keying material ("osc"), only a reference to identify Sec1 ("kid"

    Is there an assumption that the access rights(T2) >= access rights(T1)?

FP: No. But at the same time if access rights(T2) is a subset of access rights(T1), then there is no point in the client requesting T2 from the AS... These could be disjoint sets of access rights.

        > Moreover, while comparing with DTLS profile, we realized there is no
        > reason for which 8. should be sent unprotected. In fact, doing so opens
        > up to possible attacks where an old update (token non expired) is
        > re-injected to the RS by an adversary:

    I agree and I see your point.
    Thank you for explaining it so well.

FP: Thank you! I tried to be as clear as possible :)

    My question is whether step 8 results in Sec Ctx sec1 being deleted?
    Could Client want to keep it alive in the case that T1 and T2 actually do
    different things?

FP: As currently defined in the document, yes, Sec1 ends up being deleted as soon as Sec2 is validated (i.e. a request is correctly decrypted by the receiving endpoint using Sec2). If T1 and T2 do different things and the client wants to (and is allowed to - T1 is not expired or revoked for some reason) keep T1 alive, then we are not in the case of "update of access rights", i.e. the case where T2 replaces T1. My "Final point" was to cover exactly the case you mention, where T1 and T2 are used to derive 2 different security contexts, where the RS does not realize they come from the same Client. It is up to the AS to make sure that T1 and T2 are disjoint: why would the AS even send 2 different tokens that cover part of or the entire same scope at the same RS to the same client? By the way, if it is not already in there, I think that that is another excellent consideration point for the Ace framework.

Thanks,
Francesca

    -- 
    ]               Never tell me the odds!                 | ipv6 mesh networks [
    ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
    ]     mcr@sandelman.ca     [
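The following is an added example, not code from the ACE OSCORE profile nor from either poster: a toy Resource Server that models the behaviour discussed in the thread, namely that an update of access rights (T2 carrying only a "kid" reference to Sec1) must arrive protected under the context it references, that Sec1 is deleted as soon as Sec2 is validated, and that a re-injected old update is therefore rejected. Assumptions: "protection" is represented by the identifier of the context a message was wrapped under instead of real OSCORE encryption, the context identifier derivation is a placeholder hash, and OSCORE's own replay window is not modelled.

```python
"""Toy model of a Resource Server handling ACE token posts (added example,
not the ACE OSCORE profile's code). Assumptions: "protection" is the kid of
the context a message was wrapped under rather than real OSCORE encryption;
derive_kid is a placeholder; OSCORE's replay window is not modelled."""
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass
class Token:
    cti: str                        # token identifier
    scope: FrozenSet[str]           # actions the token authorizes at the RS
    exp: float                      # expiry (POSIX seconds)
    osc: Optional[bytes] = None     # input keying material (initial token)
    kid: Optional[bytes] = None     # reference to an existing context (update)


@dataclass
class SecurityContext:
    kid: bytes
    scope: FrozenSet[str]
    validated: bool = False           # set once a request is decrypted under it
    replaces: Optional[bytes] = None  # predecessor (Sec1) to drop on validation


def derive_kid(*parts: bytes) -> bytes:
    # Placeholder derivation (assumption); the real profile derives contexts
    # from the OSCORE input material and nonces, not from a plain hash.
    return hashlib.sha256(b"|".join(parts)).digest()[:8]


class ResourceServer:
    def __init__(self, now: float) -> None:
        self.now = now
        self.contexts: Dict[bytes, SecurityContext] = {}

    def post_token(self, tok: Token, protected_by: Optional[bytes] = None) -> Tuple[bool, str]:
        """Handle a token POST; returns (accepted, new kid hex or reason)."""
        if tok.exp <= self.now:
            return False, "token expired"
        if tok.osc is not None:
            # Initial token: a fresh context derived from the keying material.
            kid = derive_kid(tok.osc, tok.cti.encode())
            self.contexts[kid] = SecurityContext(kid, tok.scope)
            return True, kid.hex()
        if tok.kid is None:
            return False, "token carries neither osc nor kid"
        # Update of access rights (step 8 in the thread): it must be protected
        # with the very context it references; otherwise an old, still
        # unexpired update could be re-injected by anyone who observed it.
        if protected_by is None:
            return False, "update must be protected"
        if protected_by != tok.kid or tok.kid not in self.contexts:
            return False, "update not protected with the referenced context"
        old = self.contexts[tok.kid]
        new_kid = derive_kid(old.kid, tok.cti.encode())
        self.contexts[new_kid] = SecurityContext(new_kid, tok.scope, replaces=old.kid)
        return True, new_kid.hex()

    def request(self, kid: bytes, action: str) -> Tuple[bool, str]:
        """A protected request under context `kid` asking for `action`."""
        ctx = self.contexts.get(kid)
        if ctx is None:
            return False, "no such security context"
        if action not in ctx.scope:
            return False, "action not authorized by this token"
        if not ctx.validated:
            ctx.validated = True
            if ctx.replaces is not None:
                # Sec1 is deleted as soon as Sec2 is validated.
                self.contexts.pop(ctx.replaces, None)
        return True, "ok"


def run_scenario() -> dict:
    """Walk the T1 -> T2 update and a re-injection attempt; returns the outcomes."""
    rs = ResourceServer(now=1000.0)
    # Constructed tokens: T1 carries keying material, T2 only references Sec1.
    t1 = Token("t1", frozenset({"read"}), exp=2000.0, osc=b"constructed-ikm")
    _, sec1_hex = rs.post_token(t1)
    sec1 = bytes.fromhex(sec1_hex)
    rs.request(sec1, "read")                       # Sec1 validated
    t2 = Token("t2", frozenset({"write"}), exp=2000.0, kid=sec1)  # disjoint scope
    out = {}
    out["write_before_update"] = rs.request(sec1, "write")[0]
    out["unprotected_update"] = rs.post_token(t2)[0]
    ok, sec2_hex = rs.post_token(t2, protected_by=sec1)
    out["protected_update"] = ok
    sec2 = bytes.fromhex(sec2_hex)
    out["sec1_alive_before_validation"] = sec1 in rs.contexts
    out["write_under_sec2"] = rs.request(sec2, "write")[0]
    out["sec1_alive_after_validation"] = sec1 in rs.contexts
    out["replayed_update"] = rs.post_token(t2, protected_by=sec1)[0]
    return out
```

Running `run_scenario()` shows the unprotected post of T2 rejected, the protected one accepted with Sec1 kept until a request under Sec2 validates it, and the re-injected T2 failing afterwards because the context it was protected with no longer exists at the RS.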