Re: [Ace] Update of access rights

Jim Schaad <ietf@augustcellars.com> Mon, 18 May 2020 03:21 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: 'Francesca Palombini' <francesca.palombini@ericsson.com>
CC: 'Ace Wg' <ace@ietf.org>
References: <8063D003-2C48-4157-B80E-B7AF3D2099FC@ericsson.com> <20680.1588694462@localhost> <CB1396B3-5D52-422A-AFC4-0FB362C2C0F5@ericsson.com> <29287.1588780702@localhost>
In-Reply-To: <29287.1588780702@localhost>
Date: Sun, 17 May 2020 20:21:35 -0700
Message-ID: <006401d62cc3$70d795f0$5286c1d0$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/kHftXv7QlPUnUum4oVx3PzIijYY>

I have not had a chance to think this out and get all of the implications
right, but my understanding is that what we were trying to avoid was having
the same secret key/public key present on the RS in more than one token.
This simplifies what the RS needs to do.  However, I am now under the
impression that having the RS deal with multiple tokens with the same public
key might be less of an issue than trying to make some decisions on what
tokens are supposed to supersede other tokens.

One of the ways that this might be avoided is to push the problem to where
it, in some sense, belongs.  The AS should be able to make this type of
decision if a token is supposed to replace an existing token or not and it
has more knowledge about what tokens are associated with what keys.  If we
go back and say - the AS should include a CWTID in the token and then define
a new claim which says - This token supersedes the token(s) with CWTID
values of "x", "y" and "z".

Jim
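As an added illustration (not part of the thread or of any ACE implementation), the following Python sketch models the RS side of the idea above: tokens carry a CWT ID, a new claim lists the IDs they supersede, and several tokens bound to the same key are simply kept side by side. The "supersedes" claim label and the same-key safeguard are assumptions; the cti/cnf keys are the registered CWT ones.

```python
from dataclasses import dataclass, field

# CWT claim keys from RFC 8392 (cti) and RFC 8747 (cnf, kid inside cnf).
CTI = 7
CNF = 8
CNF_KID = 3
# Hypothetical claim for "this token supersedes the token(s) with CWT ID ...";
# it has no registered key, so a string label is used here.
SUPERSEDES = "supersedes"


@dataclass
class TokenStore:
    """Minimal RS-side store of already validated, decoded tokens: cti -> claims."""
    tokens: dict = field(default_factory=dict)

    def install(self, claims):
        """Install a token, evicting the ones its supersedes claim names.
        Returns the evicted ctis.  Assumed safeguard: a token may only
        supersede tokens bound to the same PoP key, so one client's token
        cannot evict another client's token."""
        cti = claims[CTI]
        kid = claims[CNF][CNF_KID]
        evicted = []
        for old_cti in claims.get(SUPERSEDES, []):
            old = self.tokens.get(old_cti)
            if old is None:
                continue  # already expired or never seen: nothing to do
            if old[CNF][CNF_KID] != kid:
                raise ValueError("supersedes names a token bound to another key")
            evicted.append(old_cti)
        for old_cti in evicted:
            del self.tokens[old_cti]
        self.tokens[cti] = claims
        return evicted

    def scopes_for_key(self, kid):
        """Union of scopes over all live tokens bound to kid (several tokens per key are allowed)."""
        return sorted({s for c in self.tokens.values()
                       if c[CNF][CNF_KID] == kid for s in c["scope"].split()})


def demo():
    """Constructed sample tokens (plain dicts, no real CWTs)."""
    store = TokenStore()
    store.install({CTI: b"\x01", CNF: {CNF_KID: b"k1"}, "scope": "read"})
    store.install({CTI: b"\x02", CNF: {CNF_KID: b"k1"}, "scope": "write"})
    before = store.scopes_for_key(b"k1")  # both tokens live: ['read', 'write']
    evicted = store.install({CTI: b"\x03", CNF: {CNF_KID: b"k1"},
                             "scope": "read", SUPERSEDES: [b"\x01", b"\x02"]})
    return before, evicted, store.scopes_for_key(b"k1")  # ..., [b'\x01', b'\x02'], ['read']
```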