Re: [Ace] Requested review for IANA registration in draft-ietf-ace-oauth-params
Benjamin Kaduk <kaduk@mit.edu> Fri, 24 January 2020 01:46 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D6771200CD; Thu, 23 Jan 2020 17:46:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W3cmBjXRiF-r; Thu, 23 Jan 2020 17:46:31 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD8E1120019; Thu, 23 Jan 2020 17:46:30 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 00O1jnG6032496 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 23 Jan 2020 20:45:51 -0500
Date: Thu, 23 Jan 2020 17:45:48 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Seitz Ludwig <ludwig.seitz@combitech.se>, Ludwig Seitz <ludwig_seitz@gmx.de>, Roman Danyliw <rdd@cert.org>, "oauth-ext-review@ietf.org" <oauth-ext-review@ietf.org>, Daniel Migault <daniel.migault@ericsson.com>, Jim Schaad <ietf@augustcellars.com>, "ace@ietf.org" <ace@ietf.org>, "drafts-lastcall@iana.org" <drafts-lastcall@iana.org>, jwt-reg-review@ietf.org
Message-ID: <20200124014548.GE90660@kduck.mit.edu>
References: <9c32d171-9a4a-ba71-c989-92a177d9e989@gmx.de> <CA+k3eCSocYYpHQtWAfs=EnOTcOFbRSFH52FK=Ak5RiTZs4nOYA@mail.gmail.com> <77781da882414f4aae98ae2443691933@combitech.se> <CA+k3eCT0TLgUxzggV1WE-eQ8hSXGSUxXjimkp1ZPvUxXbnrAFA@mail.gmail.com> <582bfd3fbdee4cc592b92857c955721b@combitech.se> <CA+k3eCToZEQjkCGUawbWJSg51u24QOvmxBFvKS1Fk+KY4hwELA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CA+k3eCToZEQjkCGUawbWJSg51u24QOvmxBFvKS1Fk+KY4hwELA@mail.gmail.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/lKXHaD1ps1BHPbktOKpkNjRbd9w>
X-Mailman-Approved-At: Thu, 23 Jan 2020 22:35:23 -0800
Subject: Re: [Ace] Requested review for IANA registration in draft-ietf-ace-oauth-params
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2020 01:46:34 -0000
Thanks for putting the effort in, Brian. IANA, do you need to assign a new expert to reviewi the JWT Claims registration request from this document, or are the experts expected to be self-organizing here? Thanks, Ben On Thu, Jan 23, 2020 at 02:31:20PM -0700, Brian Campbell wrote: > Apologies, I forgot to reply-all at some earlier point and dropped the > mailing lists and other cc's off the thread. Added back now. > > And also apologies because I think I need to recuse myself from the DE > responsibility on the JWT registry request here. I've spent more time than > I'd like to admit or really have to spare on it and am still struggling to > understand. > > I appreciate you pointing out the authz-info endpoint in ACE but I still > don't follow how "rs_cnf" in an access token would really work in practice. > The client sends the token to the RS's authz-info endpoint on an insecure > connection or one that has the server auth with potentially different key > and the RS stores the access token for later use. Then on resource access > the RS looks up the access token (with respect to the cnf key in it) based > on the key the client used in establishing a new mutually authentication > connection to the RS. For the RS to choose a key for server it will use > during the handshake (and as far as I know the server key is the first in > the authn process of the handshake) based on the "rs_cnf" in the access > token, it needs to remember and associate that client and the access token > with something else (IP address?) that will be available during the > handshake. It doesn't fit together for me in a way that seems likely to > work or be interoperable but, like I said, I'm really struggling to > understand. > > On Thu, Jan 16, 2020 at 12:54 AM Seitz Ludwig <ludwig.seitz@combitech.se> > wrote: > > > Hi Brian, > > > > > > > > Comments inline. > > > > > > > > /Ludwig > > > > > > > > *From:* Brian Campbell <bcampbell@pingidentity.com> > > *Sent:* den 13 januari 2020 21:22 > > *To:* Seitz Ludwig <ludwig.seitz@combitech.se> > > *Subject:* Re: [Ace] Requested review for IANA registration in > > draft-ietf-ace-oauth-params > > > > > > > > Thanks for the response and updates Ludwig, > > > > > > > > Please bear with me while I try to wrap my head around some things. > > > > > > > > The JWT registration request for the "rs_cnf" claim points to Sec 3.3 > > <https://tools.ietf.org/html/draft-ietf-ace-oauth-params-08#section-3.3> > > saying it is "a hint [in the access token] to the RS about which key it > > should use to authenticate towards the client". But doesn't the client > > have to go through the DTLS/TLS handshake with the RS (which is presumably > > when it authenticates to the client) before it presents the access token? > > I'm not seeing how this would work as seems the RS won't see the hint until > > after it needs it. > > > > > > > > > > > > [LS] Not in the ACE flow. We use the access token to establish keys at the > > RS both for the client and the RS. We have therefore defined a new > > ACE-OAuth endpoint (authz-info) at the RS. The client can POST access > > tokens to this endpoint without prior authentication. > > > > At that point, the RS only validates the signature/MAC by the AS. > > > > > > > > Later at the time of access, the corresponding token is linked to the > > access request via the pop-mechanism and the client/access specific parts > > are validated (e.g. scope, subject). > > > > > > > > Hope that clarifies things a bit. > > > > > > > > On Sat, Jan 11, 2020 at 8:30 AM Seitz Ludwig <ludwig.seitz@combitech.se> > > wrote: > > > > Hello again Brian, > > > > > > > > Thank you for reviewing this! Indeed the handling of JWT/JSON interactions > > was handled sloppily here. I will soon issue a draft update that specifies > > that the JSON-based interactions should use the syntax from RFC7800 while > > the CBOR-based ones should use ID.ietf-ace-cwt-proof-of-possession. > > > > > > > > This correction goes for all the use of “cnf”, “req_cnf” and “rs_cnf”. > > > > > > > > Regards, > > > > > > > > Ludwig > > > > > > > > *From:* Ace <ace-bounces@ietf.org> *On Behalf Of *Brian Campbell > > *Sent:* den 10 januari 2020 22:12 > > *To:* Ludwig Seitz <ludwig_seitz@gmx.de> > > *Cc:* Roman Danyliw <rdd@cert.org>; jwt-reg-review@ietf.org; Jim Schaad < > > ietf@augustcellars.com>; The IESG <iesg@ietf.org>; ace@ietf.org; > > drafts-lastcall@iana.org; Benjamin Kaduk <kaduk@mit.edu> > > *Subject:* Re: [Ace] Requested review for IANA registration in > > draft-ietf-ace-oauth-params > > > > > > > > That "rs_cnf" claim registration request in 9.1 points to 3.3 which says > > it has 'the same syntax and semantics as defined in for the "rs_cnf" > > parameter', which I think is in 4.1. And 4.1 says that the "rs_cnf" values > > 'follow the syntax of the "cnf" claim from section 3.1 of > > [I-D.ietf-ace-cwt-proof-of-possession].' Similar to other comments I've > > made today, I don't follow what that would mean for the value of the claim > > when it's a JWT. And that seems like something that's important to > > understand for the purpose of a JWT claims registry request. > > > > > > > > > > > > On Sat, Dec 21, 2019 at 4:11 AM Ludwig Seitz <ludwig_seitz@gmx.de> wrote: > > > > Hello JWT registry reviewers, > > > > the IESG-designated experts for the JWT claims registry have asked me to > > send a review request to you about the "rs_cnf" claim registered here: > > > > https://tools.ietf.org/html/draft-ietf-ace-oauth-params-07#section-9.1 > > > > Thank you in advance for you review comments. > > > > Regards, > > > > Ludwig > > > > _______________________________________________ > > Ace mailing list > > Ace@ietf.org > > https://www.ietf.org/mailman/listinfo/ace > > > > > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > > privileged material for the sole use of the intended recipient(s). Any > > review, use, distribution or disclosure by others is strictly prohibited.. > > If you have received this communication in error, please notify the sender > > immediately by e-mail and delete the message and any file attachments from > > your computer. Thank you.* > > > > > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > > privileged material for the sole use of the intended recipient(s). Any > > review, use, distribution or disclosure by others is strictly prohibited. > > If you have received this communication in error, please notify the sender > > immediately by e-mail and delete the message and any file attachments from > > your computer. Thank you.* > > > > -- > _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged > material for the sole use of the intended recipient(s). Any review, use, > distribution or disclosure by others is strictly prohibited. If you have > received this communication in error, please notify the sender immediately > by e-mail and delete the message and any file attachments from your > computer. Thank you._
- [Ace] Requested review for IANA registration in d… Ludwig Seitz
- Re: [Ace] Requested review for IANA registration … Ludwig Seitz
- Re: [Ace] Requested review for IANA registration … Brian Campbell
- Re: [Ace] [Jwt-reg-review] Requested review for I… Brian Campbell
- Re: [Ace] [Jwt-reg-review] Requested review for I… Seitz Ludwig
- Re: [Ace] [Jwt-reg-review] Requested review for I… Brian Campbell
- Re: [Ace] [Jwt-reg-review] Requested review for I… Ludwig Seitz
- Re: [Ace] [Jwt-reg-review] Requested review for I… Brian Campbell
- Re: [Ace] Requested review for IANA registration … Brian Campbell
- Re: [Ace] Requested review for IANA registration … Benjamin Kaduk
- [Ace] [IANA #1160802] Re: Requested review for IA… Sabrina Tanamal via RT
- Re: [Ace] Requested review for IANA registration … Ludwig Seitz
- Re: [Ace] Requested review for IANA registration … Brian Campbell
- Re: [Ace] [EXTERNAL] [Jwt-reg-review] [IANA #1160… Mike Jones