[Ace] Re: Iotdir telechat review of draft-ietf-ace-revoked-token-notification-08
Marco Tiloca <marco.tiloca@ri.se> Wed, 11 September 2024 21:04 UTC
Return-Path: <marco.tiloca@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0BB63C169438; Wed, 11 Sep 2024 14:04:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ri.se
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xP_soT4_hMOY; Wed, 11 Sep 2024 14:04:11 -0700 (PDT)
Received: from GV3P280CU006.outbound.protection.outlook.com (mail-swedencentralazon11020076.outbound.protection.outlook.com [52.101.75.76]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BBD8C151091; Wed, 11 Sep 2024 14:04:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=Fei9XbyiKRJv0G4vMPP9vAPF0tSjU5rIXbY5lHGbPU8UUCdq3Zfy3VcVxwb2gNBYPouaOZ4W7uBfRnaD0A7P8FBnUQOFz8ahPwiNT+PqGyyXcjY+1Qp7M40pwCk+Iqczb6QwBqsZ56hLYd0G9mGKe3Y+FLQpcpESvrOz4oaH2PmcTFSxFsoMkr0Pq3OFMrL25XjsYxhF2eY6ZnnjEUP3kuVTbXPOTAasKhCgjJBMgs7dG+ozG7UTOjEsnsJChGMsFkGyHpU7nWCaEsUUaSRuKXfqm99bB8b8qaba4xRQO6GGRIiCZZwLATrr5lq9gRzgb+DLfCpSnrYtx/Kp0IkcqA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=xW7FZAKvLwEAIYXZJO7TC1+WrCWLVAVdgrAiGgOPYog=; b=OllB6wMt4GZYhfRMnPBhVOD69KoTHiGXtiyAS0e/7uSirEVaiLGwQz6ybw0fcfk/YaPm8Hl16ugB9Z6YSF58pqMkk+5DKhg2qICxbeKXueFvPSUVC7fjOb104DP/eMtOpJniKl9vb0fH3xAs1bG91BZ2mAaXQqKORY/MWr7J4Zq61TiDqANf0ZhWvEOYQWtl1h/gLjTlaEfv1n4eOZbZNoL+04tOAXlETqb1vm+3Gog/d8ueUrRMU/9FbiNkNn81kwZF0+PF66x5lWuxY1A492Dji+pxg/RSQCOSPpcjnPeygcl58rIj2+Cs505PJ4soZ0x39nFHW9aFKqTJTE05Vw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ri.se; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xW7FZAKvLwEAIYXZJO7TC1+WrCWLVAVdgrAiGgOPYog=; b=sooROkLHqtUt/W7RgCuKDsb5JtVvg0fAgKrDUmrVm0YsZPfsYgLsadX4LjcMDCh6SE6LbDFvh7QOnIxXHO47WzL+FuueBJqJd2a2lu3yoYQtRx7Qq3X8EXyp63zWzm74xOceDqElsvu2qW5bX7uGNdySdnwlNwiWSQgYHx6fIj4KkXVvn7k251AH9DkItJ3/6tcQ62gDah9WvcgHKqHMUetSfTB0o+7I+WQNx+yfLE+81KTh7UsjBZYhQCIhsMhSShhyrC6ofriW+zA3U9jfbQ+aRfzoieT2dpWp7cmwV7HnQLyjdm8LdALY59togVDe+fMyalTtffwNTQHcmViVPw==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ri.se;
Received: from GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:37::17) by MM0P280MB0614.SWEP280.PROD.OUTLOOK.COM (2603:10a6:190:15::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7939.25; Wed, 11 Sep 2024 21:04:05 +0000
Received: from GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM ([fe80::b1d3:d63d:ce0b:3f70]) by GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM ([fe80::b1d3:d63d:ce0b:3f70%6]) with mapi id 15.20.7962.017; Wed, 11 Sep 2024 21:04:05 +0000
Message-ID: <2a97b05f-2b45-482e-b50e-9b576791b719@ri.se>
Date: Wed, 11 Sep 2024 23:04:02 +0200
User-Agent: Mozilla Thunderbird
To: Niklas Widell <niklas.widell@ericsson.com>, iot-directorate@ietf.org
References: <172010375819.1179369.10630024956562419538@dt-datatracker-5f88556585-g8gwj>
Content-Language: en-US
From: Marco Tiloca <marco.tiloca@ri.se>
Autocrypt: addr=marco.tiloca@ri.se; keydata= xsBNBFSNeRUBCAC44iazWzj/PE3TiAlBsaWna0JbdIAJFHB8PLrqthI0ZG7GnCLNR8ZhDz6Z aRDPC4FR3UcMhPgZpJIqa6Zi8yWYCqF7A7QhT7E1WdQR1G0+6xUEd0ZD+QBdf29pQadrVZAt 0G4CkUnq5H+Sm05aw2Cpv3JfsATVaemWmujnMTvZ3dFudCGNdsY6kPSVzMRyedX7ArLXyF+0 Kh1T4WUW6NHfEWltnzkcqRhn2NcZtADsxWrMBgZXkLE/dP67SnyFjWYpz7aNpxxA+mb5WBT+ NrSetJlljT0QOXrXMGh98GLfNnLAl6gJryE6MZazN5oxkJgkAep8SevFXzglj7CAsh4PABEB AAHNNk1hcmNvIFRpbG9jYSAobWFyY28udGlsb2NhQHJpLnNlKSA8bWFyY28udGlsb2NhQHJp LnNlPsLAdwQTAQgAIQUCWkAnkAIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRDuJmS0 DljaQwEvCACJKPJIPGH0oGnLJY4G1I2DgNiyVKt1H4kkc/eT8Bz9OSbAxgZo3Jky382e4Dba ayWrQRFen0aLSFuzbU4BX4O/YRSaIqUO3KwUNO1iTC65OHz0XirGohPUOsc0SEMtpm+4zfYG 7G8p35MK0h9gpwgGMG0j0mZX4RDjuywC88i1VxCwMWGaZRlUrPXkC3nqDDRcPtuEGpncWhAV Qt2ZqeyITv9KCUmDntmXLPe6vEXtOfI9Z3HeqeI8OkGwXpotVobgLa/mVmFj6EALDzj7HC2u tfgxECBJddmcDInrvGgTkZtXEVbyLQuiK20lJmYnmPWN8DXaVVaQ4XP/lXUrzoEzzsBNBFSN eRUBCACWmp+k6LkY4/ey7eA7umYVc22iyVqAEXmywDYzEjewYwRcjTrH/Nx1EqwjIDuW+BBE oMLRZOHCgmjo6HRmWIutcYVCt9ieokultkor9BBoQVPiI+Tp51Op02ifkGcrEQNZi7q3fmOt hFZwZ6NJnUbA2bycaKZ8oClvDCQj6AjEydBPnS73UaEoDsqsGVjZwChfOMg5OyFm90QjpIw8 m0uDVcCzKKfxq3T/z7tyRgucIUe84EzBuuJBESEjK/hF0nR2LDh1ShD29FWrFZSNVVCVu1UY ZLAayf8oKKHHpM+whfjEYO4XsDpV4zQ15A+D15HRiHR6Adf4PDtPM1DCwggjABEBAAHCwF8E GAECAAkFAlSNeRUCGwwACgkQ7iZktA5Y2kPGEwf/WNjTy3z74vLmHycVsFXXoQ8W1+858mRy Ad0a8JYzY3xB7CVtqI3Hy894Qcw4H6G799A1OL9B1EeA8Yj3aOz0NbUyf5GW+iotr3h8+KIC OYZ34/BQaOLzdvDNmRoGHn+NeTzhF7eSeiPKi2jex+NVodhjOVGXw8EhYGkeZLvynHEboiLM 4TbyPbVR9HsdVqKGVTDxKSE3namo3kvtY6syRFIiUz5WzJfYAuqbt6m3TxDEb8sA9pzaLuhm fnJRc12H5NVZEZmE/EkJFTlkP4wnZyOSf/r2/Vd0iHauBwv57cpY6HFFMe7rvK4s7ME5zctO Ely5C6NCu1ZaNtdUuqDSPA==
In-Reply-To: <172010375819.1179369.10630024956562419538@dt-datatracker-5f88556585-g8gwj>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------Qb7l05LztDCkqBve1jqFQLvu"
X-ClientProxiedBy: AM0PR03CA0081.eurprd03.prod.outlook.com (2603:10a6:208:69::22) To GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:37::17)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: GVYP280MB0464:EE_|MM0P280MB0614:EE_
X-MS-Office365-Filtering-Correlation-Id: f84054de-05f9-4aad-909c-08dcd2a54510
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|366016|1800799024;
X-Microsoft-Antispam-Message-Info: Q1dZoDpJqp2m20J2SOCVaEzpu2dgJJqBwW3JJQAqls0sQbVCWOTn6dJKb/omdOW3Hos1iUYn5xS0WJr03awa5VlqD5202O6CwWrbgktPOHCSU0FA0l6wjCRjxi+weFyXwwYcb/GhGlTzfFxqHkMSDFvBQ44QGj5awQrhKlW6QIRL0VlxbX7sJdjZS2wn0OuH9jf9mvN+9z9ZQKLKzMh6OPmebd/8mRUigHA7LzfeIcyj34C4ij/iEqjXGw2iuOm5ytOdFx8i08gIZCuT9oUAZECbLTTXJ+g64+fCzToj3NYRXkwphzeVkukj/rwqPSXhD++EvBn4pPCERgQt8MvapI2vt+v8/+nym1gXLtbL9eizYTcYmK021VGnbeKRVqQ0gybF0RdF3l7KvjzWXhTynEV1cOpILWNxiKhUpLt2XTE/ZiiewGsMvPcobmGGtjhUN1LbP8Uyzx+wsVd3yPXt33xJAnS9ecR8IBid59kg3tC4V0OkfkFLG3fAdLjZKXqEn5yyJ9KlbdE2jdLC2YXVqmaJ6YD/Jc0sQAYFQhOUP9oPaM1jKKnon/wLPeY6Du9a5IzC+AIBX8PTqEJMB0khvSxlT3HQ+pvp88EXshNZTtMgwfIvBlEtKYYLwASO09luLK3gCqd8BNA8Ous8CxMnB+NlPS8/BXk6xbSWFPMTCZo6sXapaXFF+vorwcA+SEQ0yK44oub/OynOfsWAB1hQeMzP0K9z5bDL/1BnbnZls7FkVo8pTxdbUf92poy7vIMJkslVlt244MFlrzb4zdHGta4q2I1KBJF8m/fb3W//LOyID8EFlgHSDJ+D+VE4akO4XC+5jWl89I+eojT8vWmp711UGUwZ5Y+iTJ2OhhKpYXwVx+8wgU+b3uBAQIDVFlN+wuqbOADFglwfl3rYrHKPZ14wrWTwPrYg8VmY4xAJwciF3c8IrmKfovi2c7Qyun68w5I76gpEjf16Z2JDr6iq+AMWjoxO02lfLIeGUQgtkS7A3RxoZ2wzZ3HCoQPa3zNVGcTZlbm8ndm13EmGXTLn5ZW6ThSTf/LUejPQcP7N8xT+xzWSFt9Hg1CLZsKeFgNK1aT04oTUlqIkzQ7KNGjN8lN5oet5L4MKtqa0ZavGm390u3Z+CF3Z8zLctnP8FDWKEEM+0VnnlUg0TTqk215OMl8wahnaQetc+GSZv1Zy+Uv1lUhEK2yVjsBm/XyQkkTTY1PpdquEdpp28ahA9zzaqLyyazo0j4kvSQiEwPyTkeObL7wfdzdLWWFH1uMQkBa7llUYvT2KhgbKgks1C73TyobHA0CkJhMIGe9sOzY5qh8=
X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(376014)(366016)(1800799024);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 7dxj8Q+VAzviRmunxFJEkPwmHdOPeCvvE6Cw9PBBUmNiFBjCO6la348RbdE/TCsuYJgTdLo6/PxtXV76E1r/WyiodcYQoL3tYzsKFtJkcSAWo0WjCVn65PcbUckWtWDj04RMD5aV/K55q5XP+mCduYprvNqU9jnamK5J3k+fJGiHa5Ta0ts2Je2oFJOYPBi9lx2Ki1prwvMrLbDGV5/vDU7JPguKaQfbdH2jwDubpOxkv4LkVelfrD1wrG2pl2s7MeFXAft3zmfHOGojF9AOfamWm9IQwyXUbx30NJ/qc7pxxQohBOdHsRQ+0FPsiOWw163RpTGha+K/TZ78/bBhfvkMiMPuFrrKQ/n0Sds3Tofp92LfA+fplMme18metI0TRbnWwqbUG86SPakLgpAt5W7sRwqGwbz5t5rNfLnMP0kvGJQPGE7oSk4/yMhnCIOJr5NqTP7gyzZ9YqzOvDT0GCE9yt9/folwpM3gVNfXJGuHMxBEUFUxww1F5QCMzYuTdTPffm896rrplfRpFtiWRG/6G9nzX6U0C+lRvOQWfHxzSdc+/BndnW6HUE2b/Pqy3ojrTRtyhMBXr7HF5c8NviZkbrCkm0N7CIKKKJnh11yV74hgtTFC67oMPAGwF/LSJpqJZboPSPABhSxCO6QWYnyRnMUT78+cvXsAWp6M9ej8g1ylyhL8vab5nJ5C3yBsoYI6ZxQaO+8W4B2XGoRjiHtCEQbMORC3x71m+kHhPj3YZ/3DRFrCC5Tor2vWRlj7ufMd7Gp+Uoq+1xpP2ct6UBprOf6XCx654ieIG+tkwf4qAyLMD94KuWKnLqpEWLmEzBMv/1Wyw8ymJuAd+ypJttUfJxTaL/UpB8DWQFcLH+pQgzL0iyZt5qfQ26HVEClMv9kNfRqwtCpZ2Dt8RPa+hZcdyNn3Urkoz2n9ubn9fPnwo08NBO3K1vTIkymZsmqei7jWxs4NV3Je2/Rfa5M56ZlsQsNvk56WDI7xHE2JfPHvyNc+grNKJXmWDBPhvHFhSqgC6mdx3z4zfCCoooAkJiqV0gzVK8RtWRk3aRSej6yAgMjNgBan4mGGx8Ujk/dYd3kTHtlc3z6dpzkODzjDiDlem09e3RKtu3ZMMajujP9ipRxihukw065f8QGUNDRh6jIRJBk/9SioWGM9P3CAsEjKbrTmGbezVSzMVOvxfeudkZfHnVKwGQ87sKXObFdGEQadt1QXY97rdyadREQFkR31nACI2iBDo5ZMO7pe0ssheD+rynVmpz2Ra/YG2BEEu5MNaMRelFJrcQnLCf94scDclkHZr9FNMcRlEu+FYX/7Dngt6sTlOivVN62jJZY2aQSKPmrpeNKHXQxEy22TrdkAnl5rA7nOCl+qmBCKBzTVSvhGPDxztuwfmkPlHvthdi0bZ6HC4Vpd8Me/FXErOyb4wZfI7RqndTkv14/cfXinHGAO0cOVjZ76zJBp6iEloCImFCrjsIeryVb5S0w7CPWEjRikt6HQ/LBhOlsCuM8BytNY2AeUpXYnu60kZHLwfliM1tAQqAcQ4EoNMKOE7rOAAzO7VDxsdhPF0HwbuDqAPm12yc+Cu7BN/gBrtwoP
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: f84054de-05f9-4aad-909c-08dcd2a54510
X-MS-Exchange-CrossTenant-AuthSource: GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 11 Sep 2024 21:04:05.0874 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: xe9j0yk2a2A6+BOyGwOIEai0vrX3pqmBf6ciA7+ySh0dXH2orfcXa2fYQlqXCj/FIiPpvUTBARn/0z0MphDFwg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MM0P280MB0614
Message-ID-Hash: JIX3RMUG2OTFP5SLH4GXR4B7IMFQYCC2
X-Message-ID-Hash: JIX3RMUG2OTFP5SLH4GXR4B7IMFQYCC2
X-MailFrom: marco.tiloca@ri.se
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ace.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: ace@ietf.org, draft-ietf-ace-revoked-token-notification.all@ietf.org, last-call@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Ace] Re: Iotdir telechat review of draft-ietf-ace-revoked-token-notification-08
List-Id: "Authentication and Authorization for Constrained Environments (ace)" <ace.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/lSE5vTfkzJueqmpGXKWvy5lCkRg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Owner: <mailto:ace-owner@ietf.org>
List-Post: <mailto:ace@ietf.org>
List-Subscribe: <mailto:ace-join@ietf.org>
List-Unsubscribe: <mailto:ace-leave@ietf.org>
Hello Niklas, Thanks a lot for your review! Please find in line below our detailed replies to your comments. A Github PR where we have addressed your comments is available at [PR]. Unless any concern is raised, we plan to soon merge this PR (and the other ones related to other received reviews), and to submit the result as version -09 of the document. Thanks, /Marco [PR] https://github.com/ace-wg/ace-revoked-token-notification/pull/16 On 2024-07-04 16:35, Niklas Widell via Datatracker wrote: > Reviewer: Niklas Widell > Review result: Ready with Nits > > IoT directorate review of Notification of Revoked Access Tokens in the > Authentication and Authorization for Constrained Environments (ACE) Framework > > Reviewer: Niklas Widell > > Review result: Ready with Nits > > I have reviewed draft-ietf-ace-revoked-token-notification-08 from IoT point of > view, as part of IoT directorate document reviews. > > The document is well-written, complete, and appears to be Ready (with > non-blocking comments/reflections & Nits below). > > The document defines a mechanism for an Authorization server (AS) in the ACE > framework to notify Clients and Resource Servers (RS) when access tokens are > revoked. This can be useful in IoT environments as depending on token > expiration is not always practical. > > The mechanism is designed for, but not limited to, IoT, and I did not find any > directly IoT related issues in the document. > > ----- > > Comments: > > - General: The token revocation mechanism complements token expiration as a way > to handle access. Are there any thoughts on system operator assumptions on how > to balance short token expiration times vs. revocation with notification as > ways to maintain the population of active access tokens? ==>MT Building on the last paragraph of Section 6.1 of RFC 9200, most ACE RSs are expected to be constrained, intermittently connected devices. With that in mind, a system operator in charge of the AS should actually issue access tokens with a relatively long lifetime. Of course, the specific lifetime has to be consistent with application- and system-specific requirements and with the wishes of the Resource Owner owning the RS that has to consume the issued access token in question. Essentially, the expiration time of an access token is determined upon issuing the access token, by scheduling its retirement as deemed appropriate in the light of the specific RS and of the application and system requirements. On the contrary, the revocation of an access token is not something expected to schedule in advance. If that was possible, scheduling the expiration to occur earlier in time is the right thing to do. Instead, a revocation is something triggered by an event that requires retiring the access token earlier than originally expected per its expiration time. Examples of such (typically unpredictable) events are listed in the second paragraph of Section 1. That is, the current "population of active access tokens" should include all the issued tokens such that: i) they have not reached the end of their planned lifetime as per the originally intended expiration time; and ii) there has been no reason for triggering their revocation. Yet, there is one aspect related to balancing, which is discussed in the security considerations of Section 13.2 "Size of the TRL". While, as discussed above, the lifetime of access tokens in ACE is expected to be relatively long, the AS should still avoid excessively long lifetimes in order to limit the amount of revocation information to be possibly provided, especially to devices for which several access tokens are simultaneously active. <== > > - (1.1 Administrator) The document specifies an Administrator role who's only > (as far as I can tell) function is to retrieve the Token Revocation List (TRL) > from the AS. Is the intent to specify other admin functions elsewhere? > Furthermore, it is not clear what the value of the Administrator role is: the > TRL is a list of token hashes, each of which an hash identifier derived from an > actual access token. From this, I can't tell if the administrator can derive > much useful information from those hashes themselves, like does client X have > an access token for RS Y etc. ==>MT On the first part of the comment, this document is not introducing further admin functions. However, the very same administrator entity might in general be entitled and authorized to perform other operations at the AS, e.g., registering/unregistering Clients and RSs, or installing/updating/removing access policies. On both the first and second part of the comment, until now ACE has not defined a full-fledged admin interface to perform admin operations at the AS. Hoping that such an interface will exist one day, it was fair for the sake of completeness to define already in this document how an administrator could specifically interact with the TRL endpoint. Regarding the value of fully accessing the TRL as an administrator, it is true that fetching the token hashes alone does not especially help the administrator infer any particular information. However, again building on a future full-fledged admin interface, we can consider the following example case. When issuing an access token, the AS can also have dedicated means to provide an administrator with the token hash corresponding to the access token, as well as with the identifiers of the Client and RS for which the access token is issued. (Further information might be shared, depending on the target level of privacy in the system.) This can rely, e.g., on the methods exported by a full-fledged admin interface at the AS. Later on, by querying/observing the TRL endpoint and obtaining the full TRL content, the administrator can become aware of when accesses are revoked, and specifically for which Clients and RSs. At the same time, it remains possible to not share with the administrator information such as the exact scope specified in the revoked access tokens. Consistent with the above, we have extended the definition of administrator in Section 1.1 "Terminology" as follows, by adding a second paragraph within the same bullet point. OLD: > * Administrator: entity authorized to get full access to the TRL at the AS, and acting as a requester towards the TRL endpoint. An administrator is not necessarily a registered device as defined above, i.e., a Client requesting access tokens or an RS consuming access tokens. NEW: > * Administrator: entity authorized to get full access to the TRL at the AS, and acting as a requester towards the TRL endpoint. An administrator is not necessarily a registered device as defined above, i.e., a Client requesting access tokens or an RS consuming access tokens. > > An administrator might also be authorized to perform further administrative operations at the AS, e.g., through a dedicated admin interface that is out of the scope of this document. By considering the token hashes retrieved from the TRL together with other information obtained from the AS, the administrator becomes able to derive additional information, e.g., the fact that accesses have been revoked for specific registered devices. <== > > - (4.4 TRL) The TRL of the AS is a CBRO array of CBOR byte strings, each of > which a token hash. At the same time, every time a non-administrator registered > device accesses the AS TRL it should only see its own hashes, which of course > requires the AS to keep track of registered devices so as to filter properly. > Is it up to the implementation to handle that? ==>MT As long as a registered device is in fact registered at the AS, then the AS indeed keeps track of its active registration. Of course, the **way** by which the AS keeps track of currently registered devices is implementation-specific. In this respect, this document is not adding anything to RFC 9200 as to the AS keeping track of its registered Clients and RSs. If the AS receives a request to the TRL endpoint from a requester that is not recognized as a registered device (or an administrator), then the AS would not proceed with processing the request. This is consistent with the second paragraph of Section 13.1 "Content Retrieval from the TRL": > The AS MUST ensure that, other than registered devices accessing their own pertaining subset of the TRL, only authorized and authenticated administrators can retrieve the full TRL (see Section 9). In terms of what is **required** to provide a registered device only with the token hashes corresponding to its pertaining access tokens, the AS has to be able to unambiguously identify the requester. This is always possible by leveraging the mutually authenticated secure communication between the requester and the AS, just like it is the case when processing requests from Clients for issuing an access token, or requests from RSs for introspecting an access token. This is consistent with the first paragraph of 13.1 "Content Retrieval from the TRL": > The AS MUST ensure that each registered device can access and retrieve only its pertaining subset of the TRL. To this end, the AS can always perform the required filtering based on the authenticated identity of the registered device, i.e., a (non-public) identifier that the AS can securely relate to the registered device and the secure association that they use to communicate. ... and with the paragraph below from Section 9 "Registration at the Authorization Server" > When communicating with one another, the registered devices and the AS have to use a secure communication association and be mutually authenticated (see Section 5 of [RFC9200]). In the Pull Request addressing this review, we have extended Section 9 "Registration at the Authorization Server", by adding one new paragraph right before the paragraph "When communicating with one another, the ...". The result is as follows: NEW: > Once completed the registration process, the AS maintains the registration and related information until a possible deregistration occurs, hence keeping track of active administrators and registered devices. The particular way to achieve this is implementation-specific. Such a mechanism to maintain registrations is enforced in any case at the AS, in order to ensure that requests sent by Clients to the /token endpoint (see Section 5.8 of [RFC9200]) and by RSs to the /introspect endpoint (see Section 5.9 of [RFC9200]) are processed as intended. > > When communicating with one another, the ... <== > > - General: Given that the notification is now the way to tell a registered > device that one of its tokens is revoked - how is the device suppose to handle > the actual revocation? ==>MT This is precisely what Section 10.1 "Handling of Access Tokens and Token Hashes" explains in detail. In order to clearly suggest it upfront, we have updated the title of Section 10.1 to be more specific, i.e., "Handling of Revoked Access Tokens and Token Hashes". <== > > ----- > > Nits: > > - 1. Introduction/first paragraph : add abbreviation (RS) to Resource Server > first time it is used (3rd line), remove from later usage in same paragraph. ==>MT We have fixed the text as below. OLD > Authentication and Authorization for Constrained Environments (ACE) [RFC9200] is a framework that enforces access control on IoT devices acting as Resource Servers. In order to use ACE, both Clients and Resource Servers have to register with an Authorization Server (AS) and become a registered device. Once registered, a Client can send a request to the AS, to obtain an access token for a Resource Server (RS). NEW > Authentication and Authorization for Constrained Environments (ACE) [RFC9200] is a framework that enforces access control on IoT devices acting as Resource Servers (RSs). In order to use ACE, both Clients and RSs have to register with an Authorization Server (AS) and become a registered device. Once registered, a Client can send a request to the AS, to obtain an access token for an RS. <== > > - 2. Protocol overview/first paragraph: s/ about pertaining revoked access > tokens/ about revoked access tokens/ ==>MT We prefer to keep the current phrasing. Quoting the full sentence as-is: > This protocol defines how a CoAP-based Authorization Server informs Clients and Resource Servers, i.e., registered devices, about pertaining revoked access tokens. The use of "pertaining" is intentional and consistent with following paragraphs in the same section. Even though details of the protocol are defined later in the document, this sentence already highlights that a registered device can obtain from the TRL only information about access tokens pertaining to itself, consistent with the definition of "pertaining access token" in Section 1.1 "Terminology". <== > -- Marco Tiloca Ph.D., Senior Researcher Phone: +46 (0)70 60 46 501 RISE Research Institutes of Sweden AB Box 1263 164 29 Kista (Sweden) Division: Digital Systems Department: Computer Science Unit: Cybersecurity https://www.ri.se
- [Ace] Iotdir telechat review of draft-ietf-ace-re… Niklas Widell via Datatracker
- [Ace] Re: Iotdir telechat review of draft-ietf-ac… Marco Tiloca