Re: [Ace] Comment about error responses in draft-ietf-ace-oauth-authz-21

Ludwig Seitz <ludwig.seitz@ri.se> Mon, 25 February 2019 15:15 UTC

Return-Path: <ludwig.seitz@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E4C51276D0 for <ace@ietfa.amsl.com>; Mon, 25 Feb 2019 07:15:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=risecloud.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ZyUrxOCQXUm for <ace@ietfa.amsl.com>; Mon, 25 Feb 2019 07:15:00 -0800 (PST)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04on0627.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0e::627]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2977F1289FA for <ace@ietf.org>; Mon, 25 Feb 2019 07:14:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=RISEcloud.onmicrosoft.com; s=selector1-ri-se; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2/YQdSAswfgaMzNDJ/6HiVcPsSeagEUavZaFVWs8W8E=; b=eUCpBHiIBH3jW/0UkQJgbOIv0+hjAPHQkrk8uKis/cqAWyt+Hbra8iWEsT0dS0N01Ba6gEO2LIv/B3L3JjpySmMprliFw8Dv7O2kp4KabiJkYPqFeqskkMCjzrHcsi3lEtIJdekQm0woLY/WEoa0DVrkAbcmIRq0exbW4keDD0Y=
Received: from HE1P189CA0024.EURP189.PROD.OUTLOOK.COM (2603:10a6:7:53::37) by VI1P189MB0335.EURP189.PROD.OUTLOOK.COM (2603:10a6:802:35::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1643.21; Mon, 25 Feb 2019 15:14:57 +0000
Received: from AM5EUR02FT006.eop-EUR02.prod.protection.outlook.com (2a01:111:f400:7e1e::201) by HE1P189CA0024.outlook.office365.com (2603:10a6:7:53::37) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1643.16 via Frontend Transport; Mon, 25 Feb 2019 15:14:57 +0000
Received-SPF: Pass (protection.outlook.com: domain of ri.se designates 194.218.146.197 as permitted sender) receiver=protection.outlook.com; client-ip=194.218.146.197; helo=mail.ri.se;
Received: from mail.ri.se (194.218.146.197) by AM5EUR02FT006.mail.protection.outlook.com (10.152.8.77) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.20.1580.10 via Frontend Transport; Mon, 25 Feb 2019 15:14:56 +0000
Received: from [10.112.134.122] (10.100.0.158) by sp-mail-2.sp.se (10.100.0.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1531.3; Mon, 25 Feb 2019 16:14:56 +0100
To: <ace@ietf.org>
References: <CAE70DDC-17CA-4B68-A43A-280DB9A20328@sei.cmu.edu>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <a4acc644-b977-ee34-f201-69c1daaaa641@ri.se>
Date: Mon, 25 Feb 2019 16:14:55 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <CAE70DDC-17CA-4B68-A43A-280DB9A20328@sei.cmu.edu>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms090703060404070303020005"
X-Originating-IP: [10.100.0.158]
X-ClientProxiedBy: sp-mail-1.sp.se (10.100.0.161) To sp-mail-2.sp.se (10.100.0.162)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:194.218.146.197; IPV:NLI; CTRY:SE; EFV:NLI; SFV:NSPM; SFS:(10009020)(136003)(39860400002)(396003)(346002)(376002)(2980300002)(189003)(199004)(31696002)(305945005)(81156014)(81166006)(8676002)(33964004)(26005)(6346003)(22746008)(16576012)(58126008)(478600001)(5660300002)(44832011)(16586007)(8936002)(65826007)(65806001)(235185007)(104016004)(22756006)(65956001)(7736002)(6916009)(76176011)(316002)(386003)(71190400001)(97736004)(40036005)(53546011)(64126003)(68736007)(356004)(77096007)(86362001)(229853002)(2616005)(74482002)(11346002)(36756003)(106466001)(2351001)(14444005)(5024004)(69596002)(6246003)(53936002)(6116002)(84326002)(2906002)(186003)(16526019)(31686004)(476003)(336012)(3846002)(568964002)(126002)(486006)(106002)(446003); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1P189MB0335; H:mail.ri.se; FPR:; SPF:Pass; LANG:en; PTR:InfoDomainNonexistent; MX:1; A:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 0f30e991-8490-49ae-4fcf-08d69b34009a
X-Microsoft-Antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(4608103)(4709054)(2017052603328)(7153060)(7193020); SRVR:VI1P189MB0335;
X-MS-TrafficTypeDiagnostic: VI1P189MB0335:
X-Microsoft-Exchange-Diagnostics: 1; VI1P189MB0335; 20:JyxAOVDwIuCiMDoRXs9x4V+v1D+zz4geJLh16KcY/Rwt5dxAh9lEsanrYLqYJeA0xlh4wpi0y/iyeO61J8/NQXs3b76odYJbULOGLoiXmsaG1dYJQ1I1+q45gYZoSlmq/hc2hH8wWhClok56Sx87oKKfLfuDZ2ginwkWEyA6btPSe2MbWO3ljMVVhxiJqw2CbqpzIjf4xw/jPh76ITp0J7ajLlozwdSoA9OnBanS2NRgFv8DD+i9HvKxigdR19Qs
X-Microsoft-Antispam-PRVS: <VI1P189MB03358CF5D5A2C13F557F988C827A0@VI1P189MB0335.EURP189.PROD.OUTLOOK.COM>
X-Forefront-PRVS: 095972DF2F
X-Microsoft-Exchange-Diagnostics: =?us-ascii?Q?1; VI1P189MB0335; 23:5jrM88yJJfAKuNuA1qfIbRBlm6vVNjaFzUQQUV3AY?= =?us-ascii?Q?ao5gO8oybqkSMQjQCVj8yYHNxU/DA/Zf79i2uQQEa6dGNZUQPqBR5oV1Dp+w?= =?us-ascii?Q?rT1x2vHH7TGevLB3rU3HZ01SYfpUs9or+gRbhu7pV5bS8Ix36oNSi1/ZZ8gF?= =?us-ascii?Q?0XSpzU8w6Nvn+r+Ay+BAR7wnHEA2+ajPafb7z6vx3oTJEDnEQ1ir+fj+Lhiw?= =?us-ascii?Q?e6QdVKIT7GKZSTOJhCZ/OYvuMgivCXYVCZURRxV1xtBVY3rVH55WPaomY/XJ?= =?us-ascii?Q?YSDCfXXV+XZ1InwYm63OhEnghqlADm6zvEeYvXY41wYINvThny0sIWF2g85P?= =?us-ascii?Q?QkVWZPWUkn1mIfuqIOiK4VpYbNfBIqamYBuBUg9H4DoWu/3NCf6/KbMLt2ka?= =?us-ascii?Q?Uq8dkOmW4GMIMxag9ncqK5dgXg43S4ecq/BeediHbDhlpX58PVYnBlmICCa+?= =?us-ascii?Q?9LfFhNzJc8OH7P1D19kMkvDT6wfVzuT3dxP4CJxsz9ruZmSWn7MiPuK3u/oT?= =?us-ascii?Q?IlifXwBIOwls6Ou0qEvgpCq0IgpNKrGyXapr/sC2N3Id6dd/hFW8q8xZN3Yh?= =?us-ascii?Q?c/8I56atGabumqBzQLUmMPrrCYE3FGIqNBdp3YN4MFsiCo4fVmnud65ipTdQ?= =?us-ascii?Q?upiEwLsw4VIYsVvmjG2/PbSUgrEUjwFtCdkqOXPLuHFEK27YP9ejpoj/0Q11?= =?us-ascii?Q?L6kvZ7TfQqCDOD4M4Tmr/Gkt4qs2l46PW1K0XDgAR/qga6zXHPyPSuFOY7Q5?= =?us-ascii?Q?2eIfovjLGLkncpBzvdQvoPdGb7cVbNiuj8x4RI7/MTKjHRN/SgejskED8WeS?= =?us-ascii?Q?4Ru2TTSf11fd6KRhBBTYzO/myI84O4YZ0F0dYKyva4PVxFobwiP5Hr5/fJMq?= =?us-ascii?Q?4ffKPAVqW2Sgtivo+/kJN2xAZqoAXyZIEPhZnfb18dymrnHhOB43Le+1mur5?= =?us-ascii?Q?wwD4BlT5pPNQsT89CG3dJpLxbx7qDCcnJ3X2hGmn3v8LaQGqeH6r1Zwt/JfF?= =?us-ascii?Q?xA/HRnS+MNL5TmWZfYQ2gRX0aBN5RWabQ1XAUffqxh2+8szX9VrDDuGOZ33h?= =?us-ascii?Q?Lko2D1B+lIrVEEi4aTSU9BJeKWHJ0/zXms3rjzYqpBdh7w2HISCk+BC+WfDM?= =?us-ascii?Q?B5uSMbIFOR6yJAGYLk9/UJ1+FhH9l5LWBvvtY+5OfLpMY61umJ21xmKlRBl+?= =?us-ascii?Q?9nqZOjRLipagMPcKIBtVkSkYm/Hr5OUCh1Pv9d2g+TtvrtTBKyY2X38mpOMH?= =?us-ascii?Q?0sl5jwX4RZK0Q4WwW8xwDv+KqX867fno11t87tRihKk69DxwExuX+4uqsVi1?= =?us-ascii?Q?64bZLJSqaA0vzOc+7mr4xiSZqdP4uwOHV0+dmJWyQwhjC072anuh4I63Xy0W?= =?us-ascii?Q?d/Swwxe7umcwSzRwxAL6rYtpu8mGQQdBibHaUjKnDu8/9MXguzHoFQPfESA/?= =?us-ascii?Q?80ir5e8e1UBhVoRkLaQMvxCTs8FXR9Be34Lbten1zmxZfe3AU+NqZec1ET6f?= =?us-ascii?Q?ua3iotHyhyumkj4Haz0VOjWdNjcAX35idWDpObvB0QWrjmK43Uz0hPG?=
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Message-Info: x9932JaJc8wjhKTeyK2gT/bAffDgG4xXWaao/FIURCp7ONc1eYb5UXn1D0vAr05HI7ShPvMD5eqXcv/puxu1AM5fLfFHfpzsfaGq6C7/pGo/emwHO6U0K0xdHAK1UC2rHbM4L2PGSkPH8dzx78xoEUi+DSKMTGVIZSlxCJa6vIXnam7oWvZmA0M+PABZoYZ6eUyU9maJrp5GSq1GvE2InhbI0U16GQNYfN5OcFnRb4q18ls7HHfXOTMwFRaQjc+CCOYBieSvK8NGqo9jHkCk53sAXqp91u5mWjgTTFQUjmS/CINxx0uXJZJyyESMi0QisRq6LJw/UE+O3Lf1TpDG1dJ5ewKtFojvKVrm/OC22001rrkgQ4M71HcZdixCXizh7q/RGZRyHUiOdMcFOGs4q0Gp3ztN6OWS7F3hOOBo90A=
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Feb 2019 15:14:56.9450 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 0f30e991-8490-49ae-4fcf-08d69b34009a
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5a9809cf-0bcb-413a-838a-09ecc40cc9e8; Ip=[194.218.146.197]; Helo=[mail.ri.se]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1P189MB0335
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/qK9O7OvzC8NTn28wMh2qiIlcs5o>
Subject: Re: [Ace] Comment about error responses in draft-ietf-ace-oauth-authz-21
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 15:15:04 -0000

On 18/02/2019 15:59, Sebastian Echeverria wrote:
> Hello,
> 
> I have a short comment about error responses from an RS in 
> draft-ietf-ace-oauth-authz-21. More specifically, my question is about 
> section 5.8.2. In the second paragraph, it states “The response code 
> MUST be 4.01 (Unauthorized) in case the client has not performed the 
> proof-of-possession, or if RS has no valid access token for the client.” 
> I am assuming this means that if the client is trying to access a 
> resource and sending a pop key id that is not known by the RS, either 
> because the RS has never seen it or because it is associated to a token 
> that has already been removed from the RS, then this is how the RS 
> should reply.
> 
> If this is the case, I am a bit confused on how to implement this when 
> using the DTLS profile. When using this profile, a client will first try 
> to establish a DTLS session with the RS when accessing a resource. Once 
> the session is established, it will actually try to access the resource 
> over that DTLS connection. The pop key id to be used is sent when 
> establishing the DTLS connection in the DTLS handshake messages, but if 
> the RS does not have a key+token associated to that id for whatever 
> reason, then it will cancel the DTLS handshake. If the DTLS handshake is 
> never completed, then the RS can’t really send a reply at all, much less 
> a 4.01 reply.
> 
> Thanks,
> 
> Sebastian Echeverria
> 

Sebastian is right. I will change the text in the framework to allow for 
cases where no answer at all can be provided. The intent was that these 
error messages should only be sent when the access token is POSTed to 
the authz-info endpoint.

/Ludwig


-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51