Re: [Ace] Review Comments on -03

Carsten Bormann <cabo@tzi.org> Mon, 16 July 2018 12:32 UTC

From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <011301d41d00$2bdc9970$8395cc50$@augustcellars.com>
Date: Mon, 16 Jul 2018 08:31:30 -0400
Cc: draft-ietf-ace-dtls-authorize@ietf.org, ace <ace@ietf.org>
Message-Id: <D448C355-3E6C-465D-BB51-C6F0308DA86C@tzi.org>
References: <00dc01d41c9e$af8ad9b0$0ea08d10$@augustcellars.com> <36CFDA3E-528E-4921-A433-850A99283FA2@tzi.org> <011301d41d00$2bdc9970$8395cc50$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/h_n3Q2srRtvAh0gJl3IpyTjgfsc>
Subject: Re: [Ace] Review Comments on -03

On Jul 16, 2018, at 08:26, Jim Schaad <ietf@augustcellars.com> wrote:
> 
> In the event of an unauthorized, the RS has the ability to return a URL to the AS it knows about.  If it returns coaps://AS/token, then this might be thought of implying that one needs to use dtls to talk to the AS rather than using OSCORE.  The same might be true if you just returned coap://AS/token.  Once upon a time, I thought there was some work being done in the core group that would help clean this up.  It has not finished, nor have I seen much about it recently.

Right.  We have no way to indicate with a coaps:// URI which kind of security parameters are expected (with https://, there is a default, but that is not always right either; I am not aware of any activity to solve that problem there).  We could define a format for URI + security parameters.  The question here was always what would be good, actionable hints that don’t also provide too much information disclosure.  This is maybe a question that ACE and CoRE have in common.

Regards, Carsten