Re: [Ace] Unresolved issue blocking progress for draft-ietf-ace-oauth-authz

Göran Selander <goran.selander@ericsson.com> Tue, 12 February 2019 07:47 UTC

From: Göran Selander <goran.selander@ericsson.com>
To: Jim Schaad <ietf@augustcellars.com>
CC: Ludwig Seitz <ludwig.seitz@ri.se>, "ace@ietf.org" <ace@ietf.org>
Date: Tue, 12 Feb 2019 07:47:26 +0000
Message-ID: <193D587B-203E-48FF-B30C-16531FA8D65D@ericsson.com>
References: <01e801d4b861$4d7d41e0$e877c5a0$@augustcellars.com> <1ce364d1-2154-3fc3-5589-5be3d7606717@ri.se> <ff6287e0-31a9-1a0a-ff4c-c6797f1e72f7@ri.se> <068b01d4c237$a049d4d0$e0dd7e70$@augustcellars.com>
In-Reply-To: <068b01d4c237$a049d4d0$e0dd7e70$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/dXVCCA6oB0Eth7PbkTpBCs-xg3Y>


> 11 feb. 2019 kl. 19:29 skrev Jim Schaad <ietf@augustcellars.com>:
> 
> 
> 
>> -----Original Message-----
>> From: Ace <ace-bounces@ietf.org> On Behalf Of Ludwig Seitz
>> Sent: Monday, February 11, 2019 6:23 AM
>> To: ace@ietf.org
>> Subject: [Ace] Unresolved issue blocking progress for draft-ietf-ace-oauth-authz
>> 
>> Hello all,
>> 
>> I would like to call the group's attention to this message of mine (it was
>> probably drowned out in the shepherd's review thread):
>> 
>>> On 31/01/2019 10:40, Ludwig Seitz wrote:
>>> Hello,
>>> 
>>> we have an unresolved review comment by Steffi that got lost in the
>>> holiday season:
>>> 
>>> 
>>> https://mailarchive.ietf.org/arch/msg/ace/CBTkVUBzYrfC55zH3_UJDngiy9U
>>> 
>>> https://mailarchive.ietf.org/arch/msg/ace/NrQWetugoy0TWp9eg3lwtSictc8
>>> 
>>> 
>>> The issue is the following (my words):
>>> 
>>> The AS provides the client with key material used by the RS. This can
>>> either be a common symmetric pop-key, or an asymmetric key used by the
>>> RS to authenticate towards the client.
>>> 
>>> Since there is (currently) no metadata associated to those keys, the
>>> client has no way of knowing if these keys are still valid. This may
>>> lead to situations where the client sends requests containing
>>> sensitive information to the RS using a key that is expired and
>>> possibly in the hands of an attacker, or accepts responses from the RS
>>> that are not properly protected and could possibly have been forged by an
>>> attacker.
>>> 
>>> 
>>> The options to resolve this that I currently see are this:
>>> 
>>> 
>>> 1. If the client has no additional data it MUST assume that the key is
>>> valid as long as the access token together with which it received that
>>> key. Since the access token is opaque to the client, the client MUST
>>> now determine how long the token is valid:
>>> 
>>> Option 1.1 The client is provisioned in advance with a default
>>> validity time for tokens issued by the AS. This could be done when the
>>> client is registered at the AS.
>>> 
>>> Option 1.2 The AS informs the client using the "expires_in" parameter
>>> in the Access Information.
>>> 
>>> This means that we need to implement a check whether the client knows
>>> a default validity, and if that is not the case reject an access token
>>> that does not come together with an "expires_in" parameter.
> 
> This is my personal preference.  Telling the client that the RS key expires in a long time is only reasonable if you are planning to do client anonymous TLS connections.  It also has the problem that you no longer have a way to revoke that key.
> 

+1

Reusing "expires_in" seems like a good solution.

Göran


> Jim
> 
>>> 
>>> 2. We can define a new parameter that informs the client specifically
>>> about the validity of the keys the RS uses, if that differs from the
>>> validity of the token. Note that this is a realistic use case, since
>>> the RS might use an asymmetric key for authentication that is valid
>>> for a significantly longer period than some access token.
>>> 
>>> 
>>> I would need some feed-back from the group to proceed here.
>>> 
>>> /Ludwig
>>> 
>> 
>> 
>> /Ludwig
>> 
>> --
>> Ludwig Seitz, PhD
>> Security Lab, RISE
>> Phone +46(0)70-349 92 51
> 
> 
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
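The client-side check Ludwig proposes under option 1 (use "expires_in" from the Access Information, fall back to a lifetime provisioned at registration, and otherwise reject the token rather than guess how long the keys are good for), written out as an added example. This is not code from the draft or from anyone in the thread. The parameter names "access_token", "cnf" and "rs_cnf" are assumed to match the draft's Access Information; "expires_in" is the OAuth lifetime in seconds, and the sample inputs are constructed.

```python
"""Client-side validity tracking for the PoP key and RS key delivered with an
ACE access token.  Added example, not code from draft-ietf-ace-oauth-authz.

Assumptions (not stated on the thread): the AS response is a dict with
"access_token", "cnf" (the client's PoP key) and optionally "rs_cnf" (the key
the RS authenticates with); "expires_in" is the OAuth token lifetime in seconds;
the client may have been given a default token lifetime when it registered.
"""
import time
from dataclasses import dataclass
from typing import Optional


class InvalidAccessInformation(Exception):
    """Raised when the client cannot determine how long the keys are valid."""


@dataclass
class KeyBinding:
    token: bytes
    pop_key: dict            # key the client proves possession of (from "cnf")
    rs_key: Optional[dict]   # key the RS authenticates with (from "rs_cnf"), if any
    not_after: float         # epoch seconds after which neither key may be used


def bind_key_validity(access_info: dict, default_validity: Optional[int],
                      now: float) -> KeyBinding:
    """Option 1 from the thread: the keys are valid exactly as long as the token.

    The token lifetime comes from "expires_in" (option 1.2) or, failing that,
    from a lifetime provisioned at client registration (option 1.1).  With
    neither available the Access Information is rejected, so the client never
    sends protected requests with a key of unknown validity.
    """
    if "access_token" not in access_info or "cnf" not in access_info:
        raise InvalidAccessInformation("access_token and cnf are required")

    lifetime = access_info.get("expires_in")
    if lifetime is not None:
        # A present but malformed expires_in is a hard error: a negative or
        # non-integer lifetime must not be silently replaced by the default.
        if isinstance(lifetime, bool) or not isinstance(lifetime, int) or lifetime <= 0:
            raise InvalidAccessInformation("expires_in must be a positive integer")
    elif default_validity is not None and default_validity > 0:
        lifetime = default_validity
    else:
        raise InvalidAccessInformation(
            "no expires_in and no provisioned default validity: key lifetime unknown")

    return KeyBinding(
        token=access_info["access_token"],
        pop_key=access_info["cnf"],
        rs_key=access_info.get("rs_cnf"),
        not_after=now + lifetime,
    )


def key_usable(binding: KeyBinding, now: float, skew: float = 0.0) -> bool:
    """Check before protecting a request or accepting an RS response.

    Returns False once the lifetime has run out; `skew` is a safety margin
    for clock drift between client and AS (the key is retired that much early).
    """
    return now + skew < binding.not_after


if __name__ == "__main__":
    # Constructed sample Access Information; the key bytes are placeholders.
    sample = {
        "access_token": b"opaque-token-bytes",
        "cnf": {"kty": "oct", "k": b"\x00" * 16},
        "expires_in": 3600,
    }
    start = time.time()
    binding = bind_key_validity(sample, default_validity=None, now=start)
    print("key usable now:", key_usable(binding, start))
    print("key usable in 2h:", key_usable(binding, start + 7200))
    try:
        bind_key_validity({"access_token": b"t", "cnf": sample["cnf"]}, None, start)
    except InvalidAccessInformation as exc:
        print("rejected:", exc)
```

The rejection branch is the substance of Ludwig's proposal: a client that has neither a provisioned default nor "expires_in" has no basis for trusting the key at all, so failing closed at token receipt is safer than discovering the problem after sensitive data has already been sent under an expired key.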