Re: [Ace] Review of draft-tiloca-ace-revoked-token-notification-00
Marco Tiloca <marco.tiloca@ri.se> Tue, 10 March 2020 17:24 UTC
Return-Path: <marco.tiloca@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD9633A17DD for <ace@ietfa.amsl.com>; Tue, 10 Mar 2020 10:24:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, MSGID_FROM_MTA_HEADER=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=risecloud.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0m4ShaD_er-1 for <ace@ietfa.amsl.com>; Tue, 10 Mar 2020 10:24:31 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80089.outbound.protection.outlook.com [40.107.8.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B33C23A17D8 for <ace@ietf.org>; Tue, 10 Mar 2020 10:24:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GkbiXOojQiXy9v8bZV7ew2EenZkQRkY+WYulFEr4Z1o3rm678bhEKOOdGuXTrnZ8BOtLSihOtTBa8LhpkXK8vchET/gj0s+Grx07shaT6VRA7Up7sezT7DAUPZ/j80W/LXchzRmVxm7c6Bm1LSeaVYAZUiMVBH03xPC2tUiIpuZXwWnHtmqMHNb/AVqHSmEULpEzo+JxkWH4+aVmdCr4pSHma24a0kOA/hhhEyJkFtrYDxMFsTI7pjAiBzVB14F8/2QoBB/KCJtNJP6Jop0y78FwVMRnh5qWDU7UC7bKHsbU6F6ctbw9S2f0AIWzGbn9gPdSL6WbjNZeqtsiDs+Rhw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=qYSI3skuQTLvQaoY8wzPj7b77AVa1RQqRjX3itdTF1A=; b=c7U9YxiG38g6dWbqiZRK1NE2vP1YNtcMReWYoZpNabIWJXwRSJC2RUuvzNXWlp5or+09Qh8tYeO1It2lQmz09Hk0lNd8tnYf9Vcz53HUQFV/KRageoNFbTY77uSW3//qC/RSECGleMunnTyoo/iWmCMkqXXgbBzGvFDc18VA/ibIu3tAVCSmfOr5hc9JBbhzMnuq2so5f9gIKFzoJ5yDZcoPil5vuywEQgJpEpXy288Z+oTKj7ps9bi4vcAMJfBjB463HjQAkQNiivYP4fBZaLqVsm4Yzos62zSeGK85OC3sFYbxGv9xt5wz5V/w4LyveR1+D1Ka79GTVg75gZlbZg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=RISEcloud.onmicrosoft.com; s=selector1-RISEcloud-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=qYSI3skuQTLvQaoY8wzPj7b77AVa1RQqRjX3itdTF1A=; b=SIjYDA06TxfOhKvkINbHKBp35Td/FKIHrZGDF2ds9KdcZDzKFIDrRsqmfFJtZbG4Omkrec8KexfnW3UWrYJgE7IvCtEygEzOTKKuhdfhKBTPOoSC6h7ZVP91IW82VZnvMXFTwkSYIeFOQoG67h0qUfbcZUoywU+zLSBL7fdYvU8=
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=marco.tiloca@ri.se;
Received: from VI1P189MB0398.EURP189.PROD.OUTLOOK.COM (10.165.195.159) by VI1P189MB0543.EURP189.PROD.OUTLOOK.COM (10.165.195.23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2793.17; Tue, 10 Mar 2020 17:24:28 +0000
Received: from VI1P189MB0398.EURP189.PROD.OUTLOOK.COM ([fe80::80e4:7dc7:7d4e:c9cb]) by VI1P189MB0398.EURP189.PROD.OUTLOOK.COM ([fe80::80e4:7dc7:7d4e:c9cb%4]) with mapi id 15.20.2793.013; Tue, 10 Mar 2020 17:24:28 +0000
To: Travis Spencer <travis.spencer@curity.io>, ace@ietf.org
References: <CAEKOcs2MN8Vgd8+UR76CVE1Qww0oCwev_vW0qwWVBEFsCP3YPw@mail.gmail.com>
From: Marco Tiloca <marco.tiloca@ri.se>
Autocrypt: addr=marco.tiloca@ri.se; prefer-encrypt=mutual; keydata= mQENBFSNeRUBCAC44iazWzj/PE3TiAlBsaWna0JbdIAJFHB8PLrqthI0ZG7GnCLNR8ZhDz6Z aRDPC4FR3UcMhPgZpJIqa6Zi8yWYCqF7A7QhT7E1WdQR1G0+6xUEd0ZD+QBdf29pQadrVZAt 0G4CkUnq5H+Sm05aw2Cpv3JfsATVaemWmujnMTvZ3dFudCGNdsY6kPSVzMRyedX7ArLXyF+0 Kh1T4WUW6NHfEWltnzkcqRhn2NcZtADsxWrMBgZXkLE/dP67SnyFjWYpz7aNpxxA+mb5WBT+ NrSetJlljT0QOXrXMGh98GLfNnLAl6gJryE6MZazN5oxkJgkAep8SevFXzglj7CAsh4PABEB AAG0Nk1hcmNvIFRpbG9jYSAobWFyY28udGlsb2NhQHJpLnNlKSA8bWFyY28udGlsb2NhQHJp LnNlPokBNwQTAQgAIQUCWkAnkAIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRDuJmS0 DljaQwEvCACJKPJIPGH0oGnLJY4G1I2DgNiyVKt1H4kkc/eT8Bz9OSbAxgZo3Jky382e4Dba ayWrQRFen0aLSFuzbU4BX4O/YRSaIqUO3KwUNO1iTC65OHz0XirGohPUOsc0SEMtpm+4zfYG 7G8p35MK0h9gpwgGMG0j0mZX4RDjuywC88i1VxCwMWGaZRlUrPXkC3nqDDRcPtuEGpncWhAV Qt2ZqeyITv9KCUmDntmXLPe6vEXtOfI9Z3HeqeI8OkGwXpotVobgLa/mVmFj6EALDzj7HC2u tfgxECBJddmcDInrvGgTkZtXEVbyLQuiK20lJmYnmPWN8DXaVVaQ4XP/lXUrzoEzuQENBFSN eRUBCACWmp+k6LkY4/ey7eA7umYVc22iyVqAEXmywDYzEjewYwRcjTrH/Nx1EqwjIDuW+BBE oMLRZOHCgmjo6HRmWIutcYVCt9ieokultkor9BBoQVPiI+Tp51Op02ifkGcrEQNZi7q3fmOt hFZwZ6NJnUbA2bycaKZ8oClvDCQj6AjEydBPnS73UaEoDsqsGVjZwChfOMg5OyFm90QjpIw8 m0uDVcCzKKfxq3T/z7tyRgucIUe84EzBuuJBESEjK/hF0nR2LDh1ShD29FWrFZSNVVCVu1UY ZLAayf8oKKHHpM+whfjEYO4XsDpV4zQ15A+D15HRiHR6Adf4PDtPM1DCwggjABEBAAGJAR8E GAECAAkFAlSNeRUCGwwACgkQ7iZktA5Y2kPGEwf/WNjTy3z74vLmHycVsFXXoQ8W1+858mRy Ad0a8JYzY3xB7CVtqI3Hy894Qcw4H6G799A1OL9B1EeA8Yj3aOz0NbUyf5GW+iotr3h8+KIC OYZ34/BQaOLzdvDNmRoGHn+NeTzhF7eSeiPKi2jex+NVodhjOVGXw8EhYGkeZLvynHEboiLM 4TbyPbVR9HsdVqKGVTDxKSE3namo3kvtY6syRFIiUz5WzJfYAuqbt6m3TxDEb8sA9pzaLuhm fnJRc12H5NVZEZmE/EkJFTlkP4wnZyOSf/r2/Vd0iHauBwv57cpY6HFFMe7rvK4s7ME5zctO Ely5C6NCu1ZaNtdUuqDSPA==
Message-ID: <b123b84a-1ee6-768e-4acf-84166857247e@ri.se>
Date: Tue, 10 Mar 2020 18:24:17 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1
In-Reply-To: <CAEKOcs2MN8Vgd8+UR76CVE1Qww0oCwev_vW0qwWVBEFsCP3YPw@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="NRk3CCBXum5h1w27Uk5PE1CgNPVTQiSCm"
X-ClientProxiedBy: HE1PR05CA0188.eurprd05.prod.outlook.com (2603:10a6:3:f9::12) To VI1P189MB0398.EURP189.PROD.OUTLOOK.COM (2603:10a6:802:35::31)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [10.8.1.2] (185.236.42.41) by HE1PR05CA0188.eurprd05.prod.outlook.com (2603:10a6:3:f9::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2793.11 via Frontend Transport; Tue, 10 Mar 2020 17:24:27 +0000
X-Originating-IP: [185.236.42.41]
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: f9845727-4399-4af4-e804-08d7c517e305
X-MS-TrafficTypeDiagnostic: VI1P189MB0543:
X-Microsoft-Antispam-PRVS: <VI1P189MB0543BBB7E251E058A52ECE4699FF0@VI1P189MB0543.EURP189.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-Forefront-PRVS: 033857D0BD
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(396003)(39860400002)(136003)(376002)(346002)(189003)(199004)(186003)(52116002)(16526019)(966005)(15650500001)(26005)(21480400003)(36756003)(81166006)(8676002)(81156014)(31686004)(2906002)(8936002)(6486002)(16576012)(66476007)(5660300002)(33964004)(4001150100001)(235185007)(316002)(478600001)(66946007)(31696002)(6666004)(2616005)(66574012)(44832011)(66556008)(53546011)(956004)(86362001); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1P189MB0543; H:VI1P189MB0398.EURP189.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
Received-SPF: None (protection.outlook.com: ri.se does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: RTLhFs9bVjMy3pfUE+k4AJcFaxV7ix+/ozm942KwqmVMxI4bTosJvdc9YYXMh7xKlva7kbZq4l7NkeyYGcYsO1Vu2ULuToWL4vM9QOQKZxGwGSN4foQwjmiWzRkuuDPnbLRTvadB1SiEwtsOPsaSWtJVQp0knquFxo8cIbM4KFpHbKw1Nis0DryH080Hj0OaMy1BEKutlzZTemS7YUN55CTqYvWdmPLugRecKlseK62Nn32Pj1vZn4PErdEH3Xyr8TVGZ4naMul9613fbpRVGne+dmPU7I0rn5+Itx5YKdNg5ajX5oRwBhHdorSCODtVwi+HQFLlIaXo9o1j7IWNGEjX/v6GAlDErup6LTF/J0gpn10hU7JPJRHJl4DwgFnRiYC200Q0RJ98OVRW7tJo3zbIqjEjq+Ar4VeHtDRCRot94PCcCuU4OdQttuElCJ59hB6BhCIRgOq1WY5mLhnpfcD6UF3kvnNdlakUFQI4QnXPTb9uCjXNUDaCZSFOZamK0cYHa92luJCfIvwH2/mVig==
X-MS-Exchange-AntiSpam-MessageData: rY3KNuRoRr3ApYQf9gLmIne1unIDnaYKI+ACH7SYz9PEsAYFLgxG/OYePvQhEVwJlB9pbh6OyQDlRiXmeWaFB6luQBLVtXbsBagDilG6guQvXEekajW8vP/RQOGeBTZ4R01MSVQa5Ognuu4GxKhnCA==
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: f9845727-4399-4af4-e804-08d7c517e305
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Mar 2020 17:24:28.1198 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: bF3ALSXnKoJoiVGyAfb7sQT7R+EW1ezN0ec6NK2EKvjdngUZivfIHIIKJj4Tcu8Z+ndmjWWBmv8fykjTYEprNQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1P189MB0543
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/kfZXvEaBl4YUk3wx93kCuJjp3Hw>
Subject: Re: [Ace] Review of draft-tiloca-ace-revoked-token-notification-00
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2020 17:24:34 -0000
Hi Travis, Thank you very much for your review! We have addressed it in the latest submitted version -01 https://tools.ietf.org/html/draft-tiloca-ace-revoked-token-notification-01 Please, see some detailed replies inline below. Best, /Marco On 2019-11-21 08:43, Travis Spencer wrote: > Hi All, > > I wanted to submit a review of "Notification of Revoked Access Tokens > in the Authentication and Authorization for Constrained Environments > (ACE) Framework" (draft-tiloca-ace-revoked-token-notification-00). > > I am an ACE noob, but hopefully my feedback will be constructive and > helpful. If they are not, it could be because of my ignorance of ACE. > That said, I am an expert in OAuth, so that is my frame of reference. > > * The draft mixes casing and has inconsistent use of acronyms like RS, > resource server, authorization server, AS, etc. This hangs me up as a > reader. I'd appreciate if one was used for all or if none were used. ==>MT We have revised the whole text accordingly, opting for expanded identifiers instead of acronyms. <== > > * I recommend an ASCII art be added to the protocol overview. I know > that there are some good diagrams in the examples, but an overview > figure in that section would be helpful as a reader as comes to terms > with what the doc specifies and decide if it's relevant. It would also > be helpful if this section ended with a link/reference to the example > sections below (e.g., something like “see examples in section X for > more detailed flows”). ==>MT We have added the new Figure 1, in Section 2. <== > > * In my strong opinion, It should not be assumed that the TRL endpoint > is at the root of the URL path of the AS. > https://example.com/tenant1/trl should be valid; also, > https://example.com/my-good-trl should be a valid URI. This should be > included in the OAuth metadata (if the AS supports this) or > communicated to the client/RS by some undefined method (e.g., > documentation). The spec may recommend some URI and the non-normative > examples can use whatever URI, but these must not be MTI. ==>MT Now the TRL endpoint is at /revoke/trl <== > > * The doc should not make any distinction between an OAuth client and > resource server. This makes it very confusing IMHO. Instead, it should > consider the caller/client of the TRL endpoint, regardless of what > role that caller plays in an OAuth flow. This is similar to how > introspection and other OAuth-related APIs are defined. ==>MT We have put the focus on tokens pertaining to a caller of the TRL endpoint. <== > > * The TRL endpoint need not be per client/RS. The endpoint only > exposes random hashes. Disclosing these to other parties will not pose > a security issue (that I can think of). This will allow clients/RSes > to collaborate in unforeseen ways that could be useful in certain > deployments. This also means that the TRL endpoint will be global and > not have a client-specific path segment in the path of the URI. ==>MT Based also on discussions with Jim, we have now a single TRL endpoint for all the authorized callers. The AS recognizes the caller based on the security identity used in their secure communication. That way, no query parameters are needed to identify the exact caller. <== > > * The TRL endpoint should accept some method for filter based, for > example, on client ID. This could be done using a query string > argument like "client_id" which can be supplied 0..INF times. This > will allow a monitoring client (like a NOC) to subscribed to > revocation messages for multiple clients/RSes. If the "client_id" (or > whatever) parameter is supplied, the caller of the TRL endpoint should > be notified of ALL revoked tokens. ==>MT As above, the AS does identify the endpoint caller, but without using query parameters. However, query parameters are now used by a caller to distinguish between full and diff queries (see Section 5). <== > > * If the idea above is accepted and the AS requires authentication of > the TRL endpoint client, then the AS may automatically subscribe the > client to notifications for just itself (which the AS knows the > identity of the client due to authentication). This implicitly > filtering may be beyond the scope of the doc, however, and I think > that authentication in general should be dropped. If it remains > though, this identification and implicit filter can be done > irrespective of authentication scheme used. ==>MT The CoAP client has in fact to register for an observation to the CoAP server. So it should not be possible for the AS to register observers by itself. <== > > * I think that the token name term should be changed to token hash, so > that it is more intuitively obvious what it is in case the term was > skimmed over or missed. ==>MT Done. <== > > * Because the draft is only about non-revoked tokens, the RS/client > still has to manage expired token checking. If the list included > expired tokens as well, the RS/client could off-load all of this to > the AS. This would make the development of the RS/client a lot simpler > and push that complexity to the AS. This is keeping in the spirit and > aim of OAuth. I've understood from Ludwig and Marco that this does > introduce some issues in a CoAP environment, that I know nothing > about. So, please take it as a suggestion and see what's best. ==>MT The problem is that, by doing so, the TRL resource would indefinitely grow in size, as well as every portion of it pertaining to each individual C/RS. Handling of expired Access Tokens should still be handled as defined and recommended in the ACE framework document. <== > > * Clarify that the hashes in the CBOR array are unordered. CBOR has no > set, I've been told, only arrays. Arrays are ordered though, so it > should be stated that this ordering is irrelevant, and the subscriber > should treat them as a set where the order has no significant meaning. ==>MT Done, both for the representation of the TRL resource and for the payload of responses to endpoint callers. <== > > HTH! ==>MT It really does, thanks a lot again! <== > > -- > > Travis Spencer > > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace -- Marco Tiloca Ph.D., Senior Researcher RISE Research Institutes of Sweden Division ICT Isafjordsgatan 22 / Kistagången 16 SE-164 40 Kista (Sweden) Phone: +46 (0)70 60 46 501 https://www.ri.se
- [Ace] Review of draft-tiloca-ace-revoked-token-no… Travis Spencer
- Re: [Ace] Review of draft-tiloca-ace-revoked-toke… Marco Tiloca