Re: [Ace] Relaxing OAuth-ACE profiles
Carsten Bormann <cabo@tzi.org> Mon, 18 December 2017 13:14 UTC
Return-Path: <cabo@tzi.org>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BC9E129C6A for <ace@ietfa.amsl.com>; Mon, 18 Dec 2017 05:14:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.3
X-Spam-Level:
X-Spam-Status: No, score=-2.3 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8PYSt6WQ1aRp for <ace@ietfa.amsl.com>; Mon, 18 Dec 2017 05:14:55 -0800 (PST)
Received: from mailhost.informatik.uni-bremen.de (mailhost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E278F1242F7 for <ace@ietf.org>; Mon, 18 Dec 2017 05:14:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de
Received: from submithost.informatik.uni-bremen.de (submithost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::b]) by mailhost.informatik.uni-bremen.de (8.14.5/8.14.5) with ESMTP id vBIDEm83015619; Mon, 18 Dec 2017 14:14:48 +0100 (CET)
Received: from [192.168.217.102] (p5DC7E04D.dip0.t-ipconnect.de [93.199.224.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by submithost.informatik.uni-bremen.de (Postfix) with ESMTPSA id 3z0hMr1kRwzDX0L; Mon, 18 Dec 2017 14:14:48 +0100 (CET)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <AM4PR0801MB27061CC885236367556ABBB2FA0E0@AM4PR0801MB2706.eurprd08.prod.outlook.com>
Date: Mon, 18 Dec 2017 14:14:46 +0100
Cc: "ace@ietf.org" <ace@ietf.org>
X-Mao-Original-Outgoing-Id: 535295686.585325-4c8c60bae6607032f72c1646c4a81441
Content-Transfer-Encoding: quoted-printable
Message-Id: <05CFF2B1-9E19-40B9-9F40-A8C066BAAA21@tzi.org>
References: <AM4PR0801MB27061CC885236367556ABBB2FA0E0@AM4PR0801MB2706.eurprd08.prod.outlook.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/pT-G19CWYRRRxgXvmlSPVyxiqJ4>
Subject: Re: [Ace] Relaxing OAuth-ACE profiles
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Dec 2017 13:14:57 -0000
On Dec 18, 2017, at 14:01, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote: > > Hence, I created a pull request that relaxes the OAuth-ACE profiles in the following way: > * It allows profiles to specify what protocols and encodings they use on the client to AS interface (in addition to the client to RS interface). > * It allows the use of HTTPS and JSON encoding on the client to AS interface. Hence, this allows a client to request a CWT-based PoP token using HTTPS from an RS. Sure. draft-ietf-ace-actors tells you that aceclient-AS is a less-constrained interface, so it doesn’t need to be limited to protocols for constrained devices. aceclient-RS is a constrained interface. (And at some point the client authorization manager CAM will escape from the aceclient and we get back the more rational four-legged architecture.) Not sure why you need JSON to use HTTP, but of course this can be opened up because it is the less-constrained CAM-SAM interface. More generally, the CAM-SAM interface (aceclient-AS in current terminology) really is about business logic, so go ahead and do XMLDSig and BPEL and SOAP and whatever makes the software architect happy. Grüße, Carsten
- [Ace] Relaxing OAuth-ACE profiles Hannes Tschofenig
- Re: [Ace] Relaxing OAuth-ACE profiles Carsten Bormann
- Re: [Ace] Relaxing OAuth-ACE profiles Hannes Tschofenig