IETF Logo Mail Archive

Re: [Ace] Review of draft-ietf-ace-oauth-authz -12

Samuel Erdtman <samuel@erdtman.se> Sat, 23 June 2018 20:23 UTC

Return-Path: <samuel@erdtman.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3C62130ED7 for <ace@ietfa.amsl.com>; Sat, 23 Jun 2018 13:23:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PNU2-89yd0lX for <ace@ietfa.amsl.com>; Sat, 23 Jun 2018 13:23:31 -0700 (PDT)
Received: from mail-pg0-x230.google.com (mail-pg0-x230.google.com [IPv6:2607:f8b0:400e:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 238D9130ED4 for <ace@ietf.org>; Sat, 23 Jun 2018 13:23:30 -0700 (PDT)
Received: by mail-pg0-x230.google.com with SMTP id n2-v6so957776pgq.6 for <ace@ietf.org>; Sat, 23 Jun 2018 13:23:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ZFXrx1mroYNZZ+Jm9SMnugMVl5KvJLjmSS+72vS34FY=; b=G5CgaolDViOCexXs1vHxneKAheQL7C/4YfasQfGMEumcD9YUE/AEJAnYJbUWJFbOB/ LSVWfAjrZ8Mg2ik9IS0LD+GtmxySWB27xPnTLgURL7VLDjjnpAhUzmXgK9bWvgMBr8uA syHwhYVzqc/vcNbJM7QQxnJhV7b+uJ7O8I71zsH6JIiAJnt4aaLZ7BCuuiXgqBapb6mN NEzwGFBwtVdwzZAP3MvCkTHxUiJsCvkHYoQ1NMCGWUz1w1cvWsda+oPUbEAwa8GAc/37 4Cq/gs6iNd+tUGDgwWztfJIJ/lH7BJTr+WIFHeLggNDFCF0KZ9ggyN62trAAbmSU8+My +RPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ZFXrx1mroYNZZ+Jm9SMnugMVl5KvJLjmSS+72vS34FY=; b=TJZdfQj8LXbmv46F5p0/l3nsSNRpZtO79mo1NWpM83sxSXvIWmhC+8EjWTfTYCKOGW Q1qNR8C2kKeFkOqTROeSXVJhbL1zyLafkgA6aXuYZ5ljoMzDGugtxSuk79u0tNmfrMc2 hShYTMsQvsiu2NRW8hxus8gySUYeqaJ8uUjkH7N1hqZTVB5wfxQI+MDU6AM9knyFc6VN FD8oyC2yFmDveMWl68XW7zeZ47lwP5fhCs1Ce98OKmC6OnOjm8sa7hs/XWAjZhISDJUA 6XwzsItL0P/rIjVENHqj8MN0R4xRuaRIWT1RAy9V39rkVAG5c+sALrrNO9BDWwPCozPM nLrg==
X-Gm-Message-State: APt69E2EQmnV9WmBcZ/nKdCgHPEpemvtl8qZUruBPVnVu9swrspJHlEE AnohbUeh8vaNWQnepso+ouHPVjgglb7anLnd8TY8SQ==
X-Google-Smtp-Source: ADUXVKKlcPhHxbP3Mw5DVsyWAGaGoEaGVVTvhSlp1dgWV/fuAVIepu9mSK3SOD4PQ5T5lHSxDCGhh+9Wi2cAyhcHDSU=
X-Received: by 2002:a65:42c3:: with SMTP id l3-v6mr105384pgp.398.1529785410368; Sat, 23 Jun 2018 13:23:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a17:90a:b28c:0:0:0:0 with HTTP; Sat, 23 Jun 2018 13:23:29 -0700 (PDT)
In-Reply-To: <010501d40978$b3e609f0$1bb21dd0$@augustcellars.com>
References: <01c601d407f8$16621ec0$43265c40$@augustcellars.com> <CAF2hCbbe=r7eas82UwxLeE4rxonYc3scAS7UkV73h5bFPTSnhg@mail.gmail.com> <010501d40978$b3e609f0$1bb21dd0$@augustcellars.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Sat, 23 Jun 2018 22:23:29 +0200
Message-ID: <CAF2hCbY1rgTwk=45ji3q0xVh9hxFROUXh47_DX0osj=g-ELjSA@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>
Cc: draft-ietf-ace-oauth-authz@ietf.org, ace <ace@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f7ceca056f54ebd6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/qgM-L0dsJ9MRzeB8OphMCmCP_p0>
Subject: Re: [Ace] Review of draft-ietf-ace-oauth-authz -12
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jun 2018 20:23:35 -0000

see inline

On Thu, Jun 21, 2018 at 5:58 PM, Jim Schaad <ietf@augustcellars.com> wrote:

> I sent this review early by accident (I thought I was sending a different
> mail).
>
>
>
> However a couple things below.
>
>
>
>
>
> *From:* Samuel Erdtman <samuel@erdtman.se>
> *Sent:* Thursday, June 21, 2018 8:15 AM
> *To:* Jim Schaad <ietf@augustcellars.com>
> *Cc:* draft-ietf-ace-oauth-authz@ietf.org; ace <ace@ietf.org>
> *Subject:* Re: [Ace] Review of draft-ietf-ace-oauth-authz -12
>
>
>
> Thanks for reviewing, some answers inline
>
>
>
> On Tue, Jun 19, 2018 at 8:05 PM, Jim Schaad <ietf@augustcellars.com>
> wrote:
>
> Based on where I currently am, here is another review of the document.
>
> 1.  In section 4 for Figure one:  Is the term "RS Information" your term or
> an OAuth term.  When I see this I think of it as information for not about
> the RS which I do not believe is the intent.
>
>
>
> No, the intent is information about the RS for the client. It is described
> in "2. Terminology".
>
> Not sure if "client information" would be preferable.
>
>
>
> [JLS] Yeah I agree that ‘client information’ is not really any better.  I
> wonder if ‘Access Information’ might be a better term?
>

I have create an issue so that it is not forgotten at least.


>
>
>
>
>
> 2.  In section 5.1 - I am unclear what the second paragraph is supposed to
> be doing here.  I think that you want state this different.  Rather than
> talking about the "desired resource" you may want to talk about the AS.
> That would better match the title of the section.
>
>
>
> The focus could maybe be different but the text is about how to find the
> AS but the method for that is quite RS focused.
>
>
>
> [JLS] This is not clear to me from what is stated.  Does this mean that
> there is going to be AS pointers that are contained on the RD entry for the
> resource that one is interested in?  If that is the case then a pointer to
> where those fields are (going) to be defined would be useful.  I read this
> as searching the RD for an AS directly.
>

I did some more reading and I agree the text implies that there is a AS
pointer in the RD. I could not find such registration in this document.
I have created a github issue to either add this information or remove the
text that implies so.


>
>
>
> 3.  In section 5.1 - There is a note in this section that does not seem to
> be extremely useful.  Where is this discussion go on?  Is it still going
> on?
> I am not even sure if the statement about a common understanding of time is
> correct?  It seems that one can either add or not add the nonce as an RS
> depending on if you think you understand a common time.
>
>
>
> I have not heard anything on the time discussion for a while.
>
>
>
>
> 4.  In section 5.3 - There is a reference to I-D.erdtman-ace-rpcc.  Given
> the use of POP tokens, what is the reason for this draft and the text about
> client credential types?  (Put it this way.  I did not need to implement
> this for anything yet.  Why is it here?)
>
>
>
> Not sure what profile you have implemented.
>
> I-D.erdtman-ace-rpcc defines how the client can use Raw Public Key or Pre
> Shared Key with (D)TLS to authenticate it self to the AS. It is not a
> strange operation so you might have implemented it without thinking about
> it (Ludwig kind of did). I-D.erdtman-ace-rpcc is similar to
> draft-ietf-oauth-mtls that defines what was already done in the wild when
> it comes to x509 certificates and client authentication.
>
> Or you might have used default client credentials (client_id/username and
> client_secret/password).
>
>
>
> I think writing about client credentials is needed since the ACE use cases
> so far has been client centric, i.e. the client is often described to
> authenticate as it self to get a token and not as is common i OAuth the
> user is authenticated and authorizes the client to get a token.
>
> With that said the reference to I-D.erdtman-ace-rpcc should maybe be
> removed since interest in I-D.erdtman-ace-rpcc has been very limited.
>
>
>
> [JLS] I am implementing all of my credentials as being something that is
> either a) cooked in to the device or b) as a COSE Key which is part of a
> database which is read up by the program.  As such I do not believe I am
> using anything from this draft.  Part of what I am trying to figure out
> here is what the status of this document is and what dependencies the Authz
> document has one it.  Is it really informational?  What does it do for the
> Authz document to have it referenced?  Should this document be pushed up to
> a WG document because it is really needed?   My understanding from RFC6749
> is that these are client credentials that are being used in the HTTP
> authentication rather then the TLS client auth layer below HTTP.   On the
> other hand this is not completely clear.
>

The draft (erdtman-ace-rpcc) is not concerned about how the key is stored.
Id describes how to use the key as a client credential with (D)TLS
Raw-Public-Key or Pre-Shared-Key. (depending on the key type).
The reference is informational as far as I can tell, it is used to
exemplify how the OAuth client authentication can be extended.
RFC6749 (The OAuth 2.0 Authorization Framework) describes one type of
client credentials and that is (client_id/username and
client_secret/password). In my opinion that is not a great fit for the IoT
use case with limited user interactions and interfaces. Therefore I created
the draft (erdtman-ace-rpcc) to describe how to use Raw-Public-Key or
Pre-Shared-Key to authenticate the client, i.e. I think there is value in
the document.
With that said there is no absolute need for it from
draft-ietf-ace-oauth-authz point of view.


>
>
>
>
> [JLS] These are not finished questions – not surprised you did not respond.
>
> :-)

>
>
> Jim
>
>
>
> Given 15 different introspection tokens, how do I decide which is the one
> to
> present to the AS - enumerate them?
>
> 'authorization code' vs 'decode code' grants
>
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
>
>
>

v2.23.0 | Report a Bug | By Email