Re: [Ace] Removal of the Client Token from ACE-OAuth draft

Benjamin Kaduk <kaduk@mit.edu> Fri, 02 February 2018 02:31 UTC

Date: Thu, 01 Feb 2018 20:31:04 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: "ace@ietf.org" <ace@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/pYhe4bFVbcaGF1LhMPBtRe3SJeQ>

On Thu, Feb 01, 2018 at 01:59:48PM +0000, Hannes Tschofenig wrote:
> Hi all,
> 
> the Client Token is a new mechanism in the ACE-OAuth draft that aims to solve a scenario where the Client does not have connectivity to the Authorization Server to obtain an access token while the Resource Server does.

This sounds eerily reminiscent of the IAKERB GSS-API mechanism,
where the initiator uses the acceptor as a proxy to contact the
Kerberos KDC, obtain an initial ticket, and obtain the credentials
needed to complete the "normal" Kerberos exchange with the acceptor.
(An early draft of) it got implemented, but the spec kind of died
and we don't know of anyone actually using it.

So, I support not including it unless we have some actual use cases
in mind.

-Ben

> The solution is therefore for the Client to use the Resource Server to relay messages to the Authorization Server.
> 
> While this sounds nice it does not follow the OAuth model and we, at ARM, have not seen anyone requesting this feature. It is also not fully specified in the spec: since I have been doing a formal analysis of this protocol variant for the OAuth Security Workshop I had to notice that it is not secure. (I will post the paper to the list asap.)
> 
> Note that I am not saying that we should never do this work but I prefer that someone who really cares about this use case describes it in an independent document.
> 
> In summary, I am again requesting that the Client Token functionality be removed from the ACE-OAuth draft.
> 
> Ciao
> Hannes
> 