Re: [Ace] discussion on draft-vasu-ace-core-access-privilege-provisioning-00
Ludwig Seitz <ludwig@sics.se> Wed, 20 April 2016 07:15 UTC
Return-Path: <ludwig@sics.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87FD512EBA7 for <ace@ietfa.amsl.com>; Wed, 20 Apr 2016 00:15:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sics-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 644FjblXYo1y for <ace@ietfa.amsl.com>; Wed, 20 Apr 2016 00:15:17 -0700 (PDT)
Received: from mail-lb0-x22c.google.com (mail-lb0-x22c.google.com [IPv6:2a00:1450:4010:c04::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97B5A12D78F for <ace@ietf.org>; Wed, 20 Apr 2016 00:15:16 -0700 (PDT)
Received: by mail-lb0-x22c.google.com with SMTP id ys16so4265069lbb.3 for <ace@ietf.org>; Wed, 20 Apr 2016 00:15:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sics-se.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to; bh=APmwrsX3Uqf4WzgmPUUawYT6Uktk2DGwEu7PHgL9FoQ=; b=a9zVXvz9RJUbXbXwR/8Kyje6Z2isex+Or9GcjlMYfxGHmsdSVscIUr+ltFvtQG62wt 7VT40EmGtbCDXeVtqCfF6q+1NnA5S/79zCTfV48C5FapJDyhDrttfQKd9LU1eS6r6tQR ZmGs12d1uBN8MBPRdkfKJA8HDLpqSAYUIVu768u8VfXhp70W2z/QdTARoX6j8VxlUdtD achLwkel4uI7R3y/f/h9jdlzvy+H86+a/Bq5SnSkxJmbslSix6GU7V7pNLuued4kG/KF 1isTKrni+PyZdMa1hXMeyAS18Xcc/ZvMGSL6Y5TSbFChzyduFNvnbQmtlxor+MNViUol Dc8A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to; bh=APmwrsX3Uqf4WzgmPUUawYT6Uktk2DGwEu7PHgL9FoQ=; b=bTEJcJgiHIEeHpBBCVxm5LR7m/Gyh2KoraHi0vrJat9v+LZ2ULbquaQmW+kAfS+LGI ysoR6W9WQItfEL4JiKuUWJkLdQPK4NyYJ9g3wcduImHQr0Cg4wAW9sDg6WdQkrvISmrT eEyOmkqkNiXOTlPyxtmOu98yn8m7NHdwDPVX63IQ0LvIH9ylMFUOba1wO3eNkkaBg8Sy iHbLms5qhDwrar190YesJcOG1rSfBP1o36T+Smmh39ccYXSg5/XQUkI6oLGVRPCyhcOP 8cr9QmnfeXxzgyLey8w+xWEL3dDDN/UVNzjlox7hQC18gp9rQ6zHjGcTvILZXLVByKhJ U3vA==
X-Gm-Message-State: AOPr4FW0Tz1LTSp8a7cp1a3GUTVFYBUkUaO7UvaKE8Ego4dwWKzMiEPOhhszEHaRJYbuhpts
X-Received: by 10.112.13.130 with SMTP id h2mr2923608lbc.91.1461136514727; Wed, 20 Apr 2016 00:15:14 -0700 (PDT)
Received: from [192.168.0.166] ([85.235.10.186]) by smtp.gmail.com with ESMTPSA id um4sm817047lbb.1.2016.04.20.00.15.13 for <ace@ietf.org> (version=TLSv1/SSLv3 cipher=OTHER); Wed, 20 Apr 2016 00:15:13 -0700 (PDT)
To: ace@ietf.org
References: <mailman.1171.1461053439.4402.ace@ietf.org> <D6EBB546995C064A9492E8E27F62D90D0AA2BF65@blreml509-mbb.china.huawei.com>
From: Ludwig Seitz <ludwig@sics.se>
Message-ID: <57172C7B.9010607@sics.se>
Date: Wed, 20 Apr 2016 09:15:07 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <D6EBB546995C064A9492E8E27F62D90D0AA2BF65@blreml509-mbb.china.huawei.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms060205060008050105080001"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ace/sj2s8kgLkVZXOZE3-onGF0-w6KM>
Subject: Re: [Ace] discussion on draft-vasu-ace-core-access-privilege-provisioning-00
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Apr 2016 07:15:19 -0000
On 2016-04-20 08:10, Vasu Kantubukta wrote:
> Hi Ludwig Seitz,
>
> Plz find the below comment inline :
>
> Btw: I really don't know what exactly you mean with 'security
> context' and 'protocol access', in order to avoid misunderstandings
> it would be good to get to a common understanding on the terms we
> use.
>
> ----> A Security Context is an object that captures all
> security-related information, consider below access token example
> specified in the draft that considers only the security related
> information (i.e. security context) { "aud" :
> "tempSensorInLivingRoom", "iat" : "1360189224", "cnf" : { "jwk" : {
> "kid" : b64'1Bg8vub9tLe1gHMzV76e8', "kty" : "EC", "crv" : "P-256",
> "x" : b64'f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU', "y" :
> b64'x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0' } } }
>
> ----> protocol access such as DTLS Response-Payload : {
> "access_token" : b64'SlAV32hkKG ...', "token_type" : "pop", "csp" :
> "DTLS", "key" : b64'eyJhbGciOiJSU0ExXzUi ...' }
Ok good! We have a common understanding of security context.
If I understand you correctly you are suggesting that the token should
carry more information than just security context, right?
Note that the security context alone already makes the tokens quite
large, and thus not ideal for constrained networks, so one should be
very careful about adding even more data to this format.
I would suggest the following approach: Have a look at what is done in
the "Web" world with OAuth. If it's not done there, there is probably a
good reason for it. To my knowledge OAuth does not deal with resource
availability, service level agreements, QoS, and resource manageability.
I would venture the guess that this is simply because things would get
very messy if you mixed up access control with such resource control issues.
> You are aware that in some usecases the RS is not even be able to
> communicate with AS?
>
> Note however that an access token might be valid for more than just
> one specific RS, so in the case you describe above, where several RS
> could satisfy the client's request, the AS could issue such a token
> to the client, and the client could contact all the matching RS using
> the same token until it finds one that can satisfy its request.
>--> suppose if client is a constrained device, then also it has to send
> request to all RS's ?
--> It may be a overhead in network aend burden
> on constrained client.
That's a scheduling problem and not an access control problem and thus
out of scope for ACE. This could for example be handled by a proxy that
dispatches the client's request to the right RS.
> Such resource oriented operations can be encoded in an access token
> as well using a different set of OAuth scopes. The ACL defined in
> draft-bormann-core-ace-aif is just one example specific to protocol
> operations. This will probably pan out for IoT the same way it has
> for Web OAuth: There will be many different application specific uses
> scope, that define resource oriented permissions similar to those you
> listed above. See https://www.brandur.org/oauth-scope for an overview
> of how people have used scopes differently to implement
> application/resource specific permissions.
>
> ---> yes, scope parameters can be used to encode the resource
> specific permissions and operations.
>
>
> Again it is hard for me to discuses your points unless I know what you
> mean with 'security context', 'admission control' and 'resource
> control'. Could you please clarify these terms?
---> Admission control: admission control is realized by accepting or
> refusing the request for the resources. It has the defined policies to
> admit/deny the request. These policies might be made upon security info.
That would be 'Access Control' in the terms I've been using, this is in
scope for ACE.
---> Resource control: resource control defines extra policies based on
> resource availability, service level agreements and QoS, and resource
> manageability. (you can refer section 6.4 of
> draft-vasu-ace-core-access-privilege-provisioning-00)
>
This is not in scope for ACE. Furthermore I don't think individual
constrained devices should handle this kind of things, they are simply
not well-equipped to do so. This should be handled by back-end devices
and enforced by gateways or proxies. Perhaps this could influence the
policies governing what access tokens the AS issues.
[...]
---> In my
> opinion, RS may not have to verify the token each time the resource
> access done.
>
Depends on what you mean with "verify". The signature of a JWT/CWT has
to be verified once only, as well as the audience (i.e. which RS the
token applies to), but expiration, and scope have to be checked for each
resource access. If you don't have a secure session, you also need to
check the binding between client and token (see Proof-of-Possession in
OAuth) for every access.
/Ludwig
--
Ludwig Seitz, PhD
SICS Swedish ICT AB
Ideon Science Park
Building Beta 2
Scheelevägen 17
SE-223 70 Lund
Phone +46(0)70-349 92 51
http://www.sics.se
- Re: [Ace] Ace Digest, Vol 29, Issue 13 Vasu Kantubukta
- Re: [Ace] discussion on draft-vasu-ace-core-acces… Ludwig Seitz