Re: [Ace] Security of the Communication Between C and RS

Ludwig Seitz <ludwig.seitz@ri.se> Tue, 18 December 2018 14:38 UTC

Return-Path: <ludwig.seitz@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3713126CC7 for <ace@ietfa.amsl.com>; Tue, 18 Dec 2018 06:38:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.36
X-Spam-Level:
X-Spam-Status: No, score=-3.36 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=risecloud.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vm7z_foI7JVB for <ace@ietfa.amsl.com>; Tue, 18 Dec 2018 06:38:39 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on0622.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0d::622]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4B66127AC2 for <ace@ietf.org>; Tue, 18 Dec 2018 06:38:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=RISEcloud.onmicrosoft.com; s=selector1-ri-se; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+FF3+bkQ+bC4Zn1KzYnKsjc+0/P74MsFxX0g90DDHmI=; b=hsWKKo3RxKwbV92uUme1ROzNPR8ABKUxV8nC8m8VjpG2SMBQN8O68mUyg4w9D+0b2kZV1s4BKzPsiOlxHvYAuakFCsfKhFw/GiJKEU4rvqOrFtpxiHZcpFfeFlqtCg35R/vgmXvpXbjm0BKwcQ09gpNFt3rsIfKDbC1FCPWGKj8=
Received: from DB6P189CA0026.EURP189.PROD.OUTLOOK.COM (2603:10a6:6:2e::39) by DB6P18901MB0102.EURP189.PROD.OUTLOOK.COM (2603:10a6:4:26::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1446.17; Tue, 18 Dec 2018 14:38:36 +0000
Received: from VE1EUR02FT064.eop-EUR02.prod.protection.outlook.com (2a01:111:f400:7e06::208) by DB6P189CA0026.outlook.office365.com (2603:10a6:6:2e::39) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1425.19 via Frontend Transport; Tue, 18 Dec 2018 14:38:35 +0000
Authentication-Results: spf=pass (sender IP is 194.218.146.197) smtp.mailfrom=ri.se; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=bestguesspass action=none header.from=ri.se;
Received-SPF: Pass (protection.outlook.com: domain of ri.se designates 194.218.146.197 as permitted sender) receiver=protection.outlook.com; client-ip=194.218.146.197; helo=mail.ri.se;
Received: from mail.ri.se (194.218.146.197) by VE1EUR02FT064.mail.protection.outlook.com (10.152.13.199) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.20.1446.11 via Frontend Transport; Tue, 18 Dec 2018 14:38:35 +0000
Received: from [192.168.0.166] (10.116.0.226) by sp-mail-2.sp.se (10.100.0.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1531.3; Tue, 18 Dec 2018 15:38:34 +0100
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Stefanie Gerdes <gerdes@tzi.de>, Jim Schaad <ietf@augustcellars.com>, "ace@ietf.org" <ace@ietf.org>
References: <154322421294.8323.8505315870685563404.idtracker@ietfa.amsl.com> <cbd083d1-cb95-0732-aa8b-7c7de3f480d1@ri.se> <a0cdd836-7fe3-339e-0c48-961503857447@tzi.de> <03b601d49191$7d1bb400$77531c00$@augustcellars.com> <945fbebe-659f-ac72-3ab6-8e05447e7c92@ri.se> <1c5b81f3-50ce-be68-bec3-68ce2ff15b43@tzi.de> <4ae4eccd-68bf-18ef-f909-142f8172eca1@ri.se> <81ba3ab4-a9ce-a6fd-fbe6-c36a6fbbd9a5@tzi.de> <VI1PR0801MB2112E04F9FD7412350995417FAA20@VI1PR0801MB2112.eurprd08.prod.outlook.com> <b994af16-9bb8-4386-e7d2-321e453417fc@ri.se> <VI1PR0801MB21124D7C11F3A1F49DCA9A2CFABD0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <VI1PR0801MB21126DDCCA251EEB8DB21DAAFABD0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <6aa8d090-df64-ab97-326e-4511dbe105de@ri.se>
Date: Tue, 18 Dec 2018 15:38:34 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <VI1PR0801MB21126DDCCA251EEB8DB21DAAFABD0@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.116.0.226]
X-ClientProxiedBy: sp-mail-2.sp.se (10.100.0.162) To sp-mail-2.sp.se (10.100.0.162)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:194.218.146.197; IPV:NLI; CTRY:SE; EFV:NLI; SFV:NSPM; SFS:(10009020)(396003)(376002)(39860400002)(346002)(136003)(2980300002)(199004)(189003)(14444005)(508600001)(26005)(64126003)(31686004)(53546011)(386003)(16526019)(11346002)(33896004)(305945005)(77096007)(186003)(7736002)(336012)(76176011)(6246003)(22746007)(22756006)(40036005)(104016004)(74482002)(446003)(2616005)(44832011)(230700001)(476003)(486006)(126002)(117156002)(3846002)(6116002)(2906002)(67846002)(106466001)(5660300001)(65806001)(65956001)(8936002)(229853002)(47776003)(8676002)(81156014)(81166006)(93886005)(65826007)(36756003)(106002)(356004)(69596002)(58126008)(110136005)(16576012)(316002)(68736007)(97736004)(86362001)(31696002)(2501003)(50466002)(15650500001)(53936002)(2486003)(23676004); DIR:OUT; SFP:1101; SCL:1; SRVR:DB6P18901MB0102; H:mail.ri.se; FPR:; SPF:Pass; LANG:en; PTR:InfoDomainNonexistent; A:1; MX:1;
X-Microsoft-Exchange-Diagnostics: 1; VE1EUR02FT064; 1:D2jQt5tYI4aRHUly4L/D/5C8XetOAa3zsOq4CTz/Ih/Cvdvq+AaWJziGrrv7K1Z0/RIEdHRe+oUhSlZvbdgH4RHNiaDdhzJR++UQW4e5uOXY50wjOJHSz5B3Qkqlbl7U
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 27c6e4ec-5a75-4bdf-3d53-08d664f67df2
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(4608076)(2017052603328)(7153060)(7193020); SRVR:DB6P18901MB0102;
X-Microsoft-Exchange-Diagnostics: 1; DB6P18901MB0102; 3:MKrpDg4IHvSHSf7zIebOozgSkHTw8P9WJGViwI7Viko5szDMKWYhJWXTZgf8eNsBTOttO3dGi6vG8nW2Q09VU/YmkPO5+dEic/Kvlb0FF8hcqGanX+Gok93qxfA7Y+5o1f6xcIxy4yM5zlvjzSKdOQSDj5VdT9sumRDhQXICtrbsoc09BMozkGW4zZw01QBktB+ivWvnQhc6bo3v+Je565O2GY7HJIsDJVpDD3xD25yNadZisrARVSsU5TUUxneU/7HRY1T9IaDpWuo1UNH0FJfF+1DfLemOGExO51SE/+IfVUM9jibBPdYIAgn672N+OcWQ25v/eqwHlDt92PYBUzy5LWNtYmhkm3Mj8SnE0m8=; 25:8z6MVCnUXjwWRVnBeu19p1iox5mDdOG3/EkNmD8WJh3g0WGhxVFPyemO8DrbDekBT0raUaPEwT85dnZdIk8ALHQ57IrF6C4ZZ1CZ4knGJlObU0CxI8H8QkEAOCY2zRTukQ84RYyWVPqPwXZCMJFXXP09khMSacxtQNtuJYJkzLrAyLkMRtQCBNc2ogshA97LNNf6Qv+xKZGUqDDfruuH1YInS5oIgRkhFqdiD3AhQeXfujYQaeVCYltz+Dsqgx9QfCVzBDuFg4giaPwkAsaT/2cuijBcsGGosNP+NzkBinbQmx1EGiSl3EpnqDpsKYkDwh54OUOH1pMRxy09hVIKuA==
X-MS-TrafficTypeDiagnostic: DB6P18901MB0102:
X-Microsoft-Exchange-Diagnostics: 1; DB6P18901MB0102; 31:qr8mGTAn6ZddvIW86nf+n5ss56GnJLKHYpnDjiAUak67VyFotgloNNHb2Dx2H+QitlwE0P/RbLaSyTetDWIlQsexUZrPISx/mqEcmGyUQF3hsgCgG2pIXgg2SgQX9hWMa1lJ+7vc+NQZQwwpVnmsktWhKku1dbCAhG+CTSsrXDWTG/XoFCqXFO0ol31YSkLnNalbPQe8pmHJ5yPNkYzs8BwFIK1xKREGtLEFeDQ77Wo=; 20:FrZZMPvxbz2vXlswpCtNF6JZpTrdeFEN2Qw8VShJU9WvYGQzmZnEAKKxbIEiefPUvUOTe+YhgO3kRhNdNRO4gzKvaLnkVHDqstRVn4Yz5meRpbF12o8Xub1rfEZ6sLDuyDmeQTvvDaoc+uFkrlk16OxiIH+gC0veWFvvWovahOz8XHknUBkNyKbW4DxCHUFq7UKb4jBHzJiqe7OERRrRC77isWTK64rFMcpZ4RdhRXlfEgOFEjp5zDa4+bfxTkOD; 4:nkJtoSszsMFq7RYWtEipHXmMmWhESZbTAJIAVihitSQ7zWMIyZEMh9CUO1OUagPvzVgUp2PhSOljaIcT6M0RIL06H0THKyXBPvahQS6WL6kvhM70qM1l1h2mKSGtmxobh4gnbXTfEy6Ucj3ZL87oGDZ2xxt5gXfRwz5EU1ONR+efTayxBaCs9U2azi4MZ6J52iwlcwEWI2DPLSvQLeaHpxCFjth7jErJHsrtPyDjPibf0L3PNJlAHEdRPbZa7c77QJNv9tNM0/tCyoRuFuNB/w==
X-Microsoft-Antispam-PRVS: <DB6P18901MB0102766DFDCCDA39BF324A9282BD0@DB6P18901MB0102.EURP189.PROD.OUTLOOK.COM>
X-MS-Exchange-SenderADCheck: 1
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(3230021)(999002)(6040522)(2401047)(5005006)(8121501046)(93006095)(93004095)(3231475)(944501520)(52105112)(10201501046)(3002001)(148016)(149066)(150057)(6041310)(20161123562045)(20161123564045)(2016111802025)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(20161123560045)(6043046)(201708071742011)(7699051)(76991095); SRVR:DB6P18901MB0102; BCL:0; PCL:0; RULEID:; SRVR:DB6P18901MB0102;
X-Forefront-PRVS: 08902E536D
X-Microsoft-Exchange-Diagnostics: =?utf-8?B?MTtEQjZQMTg5MDFNQjAxMDI7MjM6YkJyTUdxVFM2OFNDWnBadmFrNXBjcHdt?= =?utf-8?B?ejIvOGR2aUR3dm9sQmlxZnVyb09Nc2JZcUNQTUk5Q0pjQ2lCUm0zSmlTS1FE?= =?utf-8?B?b2dSNmViSGlrREVmN1NTSzljVUxIOGtqbHVtWjNLUStNVXhCYy93M0hELy9P?= =?utf-8?B?ODBxNDJETk9Da01TMVBHOEhRN1RFVUkxM1RDUExUaUcwdzNJaDljRnhpOWpi?= =?utf-8?B?MStjbmRpdU9OaFNlbGJHOG5JcnFGWmxNUDhGK0pYcERoUHdlT1NCVTFLdGc4?= =?utf-8?B?dVp5REw4UHNnT29KMDNkWVFWS2JDRjRvaUZ4ZzdscnBvWitKZmYzWkJCeGVG?= =?utf-8?B?dnlvQUtKNkMxdWxObTB1V3R6cWV5YXBkWU5oUGZGai9uL3RteUVZZGNZQ2U1?= =?utf-8?B?UmtFejMxVUpnR1dGT3Aybkc4aVJaTmNDVEZDVzVORkw5dW9jdk45N1k2M1po?= =?utf-8?B?UjNCUHlLdEI1VnFrczNvVU5UMXd6VGJiQmdsV3JOQjR3OE1vYyt3amVyMjNr?= =?utf-8?B?VzRMcWhRNTI5Wkd0V2JNTEdmQTZ1c3NkSUFjNzBuRnVxdGgxTlFBdnRDK0xZ?= =?utf-8?B?WWQvcTdYZC9VY1kzYlJoTzNEVFVjREc3KzhCUUxFU2JOY0hSbDBDZGJCNnpy?= =?utf-8?B?SDZSNjBlMWU4Y1hseXdzZ2MveldxSkdmcS8xK1NyOElXb1dvR1VNOUZGN09i?= =?utf-8?B?WEVQdXpXOUNDeS9WZzNaOWFhcVBYUDNBUTd1YXgxeGVRWThnTWgyakVnMng3?= =?utf-8?B?Yk5yT3BESlJlWG5temhNTmMwc1NmaUUvQXhROWZtaUZ5OEo4bVVUMmVKdGZt?= =?utf-8?B?TEx0anF3Q3U2Vmk1Qkk2VjAyM2dZTFhFek1pajlvd0lVcjgzbVlFOCtTWS9q?= =?utf-8?B?ODhrZmNRakROY29qU3ZqQnVjbG1oY294S3A5L05RUHBMTWZCNit4U3pERmtU?= =?utf-8?B?Tnh2YzdzUXZuQ3JyOVRDVVI3YnhxWmZHNDhrN0h0aHZZQmQvNWtFRmRIYXRO?= =?utf-8?B?UTNhaUQvTGxodStyWXowVWMvVlFhVENIUUxzeTRiWXNZSWVyNmFtK3JTb3NJ?= =?utf-8?B?VjJBT29QK0dSSjhkak5ad1llSXlaanRZWDBPTUNlV3dOelJXclNlcllneFNM?= =?utf-8?B?bEVnWkxKek95R0RneFk1ZzJaZTVKbjU0cGNkWGtNSGwwS2sySG44SmJCcjdu?= =?utf-8?B?QlhVK1VKNnl1SFd0UzJqbWVpWG5kcGdSNEN5Smc0b1grT2xaM2REWlIzV0p0?= =?utf-8?B?NWFJZ21VcnNjUzFiOGxMTW9PVXZzMFBONDJKOXRHcWFPdmpDSEdNMnRKZkJW?= =?utf-8?B?d1FLOHY4aUg4eTZHUGxYMXY1SlRDUXJiUzB1dkxjYzF0K3JnSTJQMVpIQVZR?= =?utf-8?B?U2NCZHFMVkMrVXc2dHRuRUM1b0JVNkwyU3pZdzR0SC9TbHFsM3hFTGxuVTM5?= =?utf-8?B?RlBaRVRBTGk0VjZUKzduWThTdWRiaW1KdFpSWE45VWxSMklSejFqRVQwenFa?= =?utf-8?B?SWZ5enNheWRMcm4zbUpqTEFlcEpDYUFQZEl1c1pJaWx4TWZWUXN3UVZIVTVu?= =?utf-8?B?eFUySGlra1FiVU91RHFwYm5QVXRjR0NoRjhMdHNvaDZJb0FyR2ZlY0Q4eE9T?= =?utf-8?B?MmUrQTJxRSt5b2FSejlHTzFwT210THROcFlFQy9kd0FFTysxV0hLcjk3b2M0?= =?utf-8?B?VjNnKzBIVjVIY0dxdHRhOEFBbUI0MGFtenlGZmdyM2IxcnpCWmxKejhxdUE2?= =?utf-8?B?MTZpUGVGaklGcGNIdTVkSDRidTlvYUs2UDhwSHFGT3J2MEpnaVlITEV2YS8x?= =?utf-8?B?S3UwbDJyaEtYbWg2TVJyOGNsMUlYTlVyN1BCdmpzQlVhT0hORkpsbXZWbmhn?= =?utf-8?B?M0NUYVpJN3RYYjJzOFc3RUhEY0hlTzBwbDFiZDh3L0N6dXNOY21vTHR5M2tB?= =?utf-8?B?Ujc2RmVwODIxaFlncVp4Y1o4NzBGbTdXZmdpMHpLelJzZXNWRFY3aGVPZnEy?= =?utf-8?B?WWEyRHNwODhKM1JyQ0FxeTRuVFdiQkx2bHNDelMzdTcxSVcyd2JFMEVXMWpD?= =?utf-8?B?bzJxQm1yRXpzS2RDLy8vTEM2Z3RtcTUzdEZ0RFU4eUlZWEVSS3JLTTBuNTg2?= =?utf-8?Q?IqNc64WfposbrNVkS5xJ7vdgw=3D?=
X-Microsoft-Antispam-Message-Info: Wve0vf/Y3u+/KEMaRe+6mYEktZmgOIok+p/S9N4EUAmF3t9FSwGpqvvt3tUpyTYHe1jJju67dyhUTw0SHZrHiBf48HIHxme9ouCtKnFysg3UfDOwFjCzGI8kaVQBVyQqTZECGiRAarLuiVlcmjYagPv3EOO1kjOCqMqSux4SsHPUjhnYSecOiHwImesLvIwvHSNWuQkZOl0FH2w0melFUIhfdmihnTJY/83sIhSKWVCicX5wSdhVOwJgo81qGZ25HKqQaepKMdbOx5ko9KXMAzoZCSdq6e+K9zW4F/GSQ7UsIwvIwOf0HnYoBr18aKv4
X-Microsoft-Exchange-Diagnostics: 1; DB6P18901MB0102; 6:ZIBwS/AqZKQE9gv5AbaKRuZPgoS8SKW6otFwzLPac0FbsbyX6NPJrL6is4KNZ73Wj2onA0N4Z9p9ZMVcbYxzDw7Vo/8jID5qLWcXEJAaiqw45+q1t7+wKWouoGYe9UFGlo2o5/L7377AP58SzPwHwoyPHNq1CRynisnZt2fHzDMFwHtjHZQFVCBzje4kXEaQx6s0+/aEbGNp5iME8yLLl6A3vnhB24cg/+257QS+msEiFNegmKb+A2Nx13OB7BlKehQEiRzo+FazkhpswOOu4hn+JexxYaLALiKx0ZRzqRstmij7J+NG07yfNO/JGUO9R1PY3U465QaZ6T4wPr2MyLWdvu+FkEDIWMw+OpSsf0FkzyVBrSdHEBzeOosfz691rWJ3HQEq4XWIqkfACHuBA5QYVcFo78h5jmi+63xFq75WO38blOAnEEqrWqRNlNoIM7ggSuij8hdSJi1+SEJZ5A==; 5:Ku4Et/NCw+bpasCP7DAaV4QoKKnioIeVBClNUa5DHutsqqq0OljX1BemO5Mj9NMv1c3VQQSJeB2fHipky1pxlTbpbdFAnTP2jPcXxnTJYRNkoDA+8zIN9Q8yavlhICq1N/4HQhSYhQN1SDcnJ3sa6Vm+lcD6xX0+ajB0gBZkv60=; 7:jEyb/+k07Z0Prbgo+8gjAsR1st2aC9+6TWqx33fUv9JzK2nPI+o09Wc9pa2K6OGOgSu9b//4b5XqrFra2TvLP5bqGhXWe44UD7oR/zLbrYu/sKUKkOanQMQNvgZ6Uc2ZAThDqfj879WFrRBVJ4SP/Q==
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Dec 2018 14:38:35.5701 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 27c6e4ec-5a75-4bdf-3d53-08d664f67df2
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5a9809cf-0bcb-413a-838a-09ecc40cc9e8; Ip=[194.218.146.197]; Helo=[mail.ri.se]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6P18901MB0102
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/ek7NdtEHs2TfTRfIBkCde_rvwIg>
Subject: Re: [Ace] Security of the Communication Between C and RS
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 14:38:43 -0000

On 18/12/2018 14:51, Hannes Tschofenig wrote:
> Hi Steffi, Hi Ludwig,
> 
> ~snip~
> 
>>> The access information optionally can contain an expires_in
>>> field. It would help to prevent security breaches under the
>>> following conditions:
>> 1. the keying material is valid as long as the ticket, 2. the 
>> expires_in field is present in the access information that AS sends
>> to C, 3. the client checks the expires_in field when it gets the
>> access information from the AS, and 4. the client checks if the
>> keying material is still valid each time before it sends a request
>> to RS.
>> 
>> These checks make sense to me.
>> 
> Are you proposing we make the expires_in field mandatory? If so, why
> isn't it mandatory already in OAuth (currently only RECOMMENDED)?
> 
> [Hannes] I would do the check when the field is actually there.
> However, it is a good question why it is not mandatory in OAuth. Let
> me drop a mail to the list.
> 
> 
> Now that I got a response from the OAuth working group (in the sense
> that I was thinking about the claims in the access token rather than
> the parameters in the response from the AS) I think checking the
> expires_in field has to be optional since * the expires_in parameter
> is optional, and * it only has an advisory nature.
> 
> It is useful to send the parameter so that the client can determine
> when to request a new access token (for example, via the refresh
> token) but it is not absolutely necessary for the protocol
> operation.
> 
> Ciao Hannes

Hannes,

Steffi's point was (and remains) that if we don't give the client a way 
to determine whether the token is not expired (except for client 
introspection), it might use an expired token and old keys to 
communicate with the RS.
The argument if I understood Steffi correctly is that the client's 
request may contain sensitive data (think a POST/PUT with some 
significant payload) and that sending it to an RS with outdated keys 
might be a risk.

My take would be that in cases where this is relevant, one would specify 
a profile where the expires_in parameter is mandatory. Furthermore we 
should add text to the security considerations describing the issue.

/Ludwig

-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51