[Ace] Unresolved issue blocking progress for draft-ietf-ace-oauth-authz

Ludwig Seitz <ludwig.seitz@ri.se> Mon, 11 February 2019 14:23 UTC

From: Ludwig Seitz <ludwig.seitz@ri.se>
To: ace@ietf.org
References: <01e801d4b861$4d7d41e0$e877c5a0$@augustcellars.com> <1ce364d1-2154-3fc3-5589-5be3d7606717@ri.se>
Message-ID: <ff6287e0-31a9-1a0a-ff4c-c6797f1e72f7@ri.se>
Date: Mon, 11 Feb 2019 15:23:10 +0100
In-Reply-To: <1ce364d1-2154-3fc3-5589-5be3d7606717@ri.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/fmv3gJVbR21Or3rNh4ubj8XXU1E>
Subject: [Ace] Unresolved issue blocking progress for draft-ietf-ace-oauth-authz

Hello all,

I would like to call the group's attention to this message of mine
(it was probably drowned out in the shepherd's review thread):

On 31/01/2019 10:40, Ludwig Seitz wrote:
> Hello,
> 
> we have an unresolved review comment by Steffi that got lost in the 
> holiday season:
> 
> https://mailarchive.ietf.org/arch/msg/ace/CBTkVUBzYrfC55zH3_UJDngiy9U
> https://mailarchive.ietf.org/arch/msg/ace/NrQWetugoy0TWp9eg3lwtSictc8
> 
> 
> The issue is the following (my words):
> 
> The AS provides the client with key material used by the RS. This can 
> either be a common symmetric pop-key, or an asymmetric key used by the 
> RS to authenticate towards the client.
> 
> Since there is (currently) no metadata associated with those keys, the 
> client has no way of knowing if these keys are still valid. This may 
> lead to situations where the client sends requests containing sensitive 
> information to the RS using a key that is expired and possibly in the 
> hands of an attacker, or accepts responses from the RS that are not 
> properly protected and could possibly have been forged by an attacker.
> 
> 
> The options to resolve this that I currently see are these:
> 
> 
> 1. If the client has no additional data it MUST assume that the key is 
> valid as long as the access token together with which it received that 
> key. Since the access token is opaque to the client, the client MUST now 
> determine how long the token is valid:
> 
> Option 1.1 The client is provisioned in advance with a default validity 
> time for tokens issued by the AS. This could be done when the client is 
> registered at the AS.
> 
> Option 1.2 The AS informs the client using the "expires_in" parameter in 
> the Access Information.
> 
> This means that we need to implement a check whether the client knows a 
> default validity, and if that is not the case reject an access token 
> that does not come together with an "expires_in" parameter.
> 
> 2. We can define a new parameter that informs the client specifically 
> about the validity of the keys the RS uses, if that differs from the 
> validity of the token. Note that this is a realistic use case, since the 
> RS might use an asymmetric key for authentication that is valid for a 
> significantly longer period than some access token.
> 
> 
> I would need some feedback from the group to proceed here.
> 
> /Ludwig
> 


/Ludwig

-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
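The decision described in the quoted message, as an added example written for this page rather than code from the draft or from the author: a client-side check that bounds the lifetime of the key material received with an access token. The parameter names "access_token" and "expires_in" are the draft's; "key_expires_in" is a hypothetical name for the new parameter proposed in option 2, and the default validity is assumed to have been provisioned at client registration (option 1.1).

```python
import time
from dataclasses import dataclass
from typing import Optional


class InvalidAccessInformation(ValueError):
    """Raised when the client cannot bound the lifetime of the received key."""


@dataclass
class KeyValidity:
    token_expires_at: float  # absolute time, seconds since the epoch
    key_expires_at: float    # may exceed token_expires_at (option 2)


def derive_validity(access_info: dict, default_validity: Optional[int] = None,
                    now: Optional[float] = None) -> KeyValidity:
    """Bound the validity of the token and of the RS key material.

    Option 1.2: "expires_in" from the AS takes precedence.
    Option 1.1: otherwise a default validity provisioned at registration.
    Neither:    reject the Access Information, as proposed in the thread.
    Option 2:   a hypothetical "key_expires_in" gives the RS key its own
                lifetime when it differs from the token lifetime.
    """
    now = time.time() if now is None else now
    if "access_token" not in access_info:
        raise InvalidAccessInformation("Access Information carries no access_token")
    expires_in = access_info.get("expires_in", default_validity)
    if expires_in is None:
        raise InvalidAccessInformation(
            "no expires_in from the AS and no provisioned default validity")
    if not isinstance(expires_in, int) or expires_in <= 0:
        raise InvalidAccessInformation("expires_in must be a positive integer")
    token_exp = now + expires_in
    key_lifetime = access_info.get("key_expires_in")  # hypothetical parameter name
    if key_lifetime is None:
        key_exp = token_exp  # option 1: key assumed valid as long as the token
    elif not isinstance(key_lifetime, int) or key_lifetime <= 0:
        raise InvalidAccessInformation("key_expires_in must be a positive integer")
    else:
        key_exp = now + key_lifetime
    return KeyValidity(token_expires_at=token_exp, key_expires_at=key_exp)


def key_usable(validity: KeyValidity, now: Optional[float] = None) -> bool:
    """True if the client may still send protected requests with this key."""
    now = time.time() if now is None else now
    return now < validity.key_expires_at
```

A client would call derive_validity once per Access Information response and key_usable before each protected request, refreshing the token (and key) from the AS once it returns False.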