Re: [Ace] Ace Digest, Vol 29, Issue 12
Ludwig Seitz <ludwig@sics.se> Tue, 19 April 2016 08:10 UTC
Return-Path: <ludwig@sics.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7769612DAF0 for <ace@ietfa.amsl.com>; Tue, 19 Apr 2016 01:10:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sics-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zip-kPIqHdyp for <ace@ietfa.amsl.com>; Tue, 19 Apr 2016 01:10:35 -0700 (PDT)
Received: from mail-lf0-x22b.google.com (mail-lf0-x22b.google.com [IPv6:2a00:1450:4010:c07::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 292F612D91D for <ace@ietf.org>; Tue, 19 Apr 2016 01:10:35 -0700 (PDT)
Received: by mail-lf0-x22b.google.com with SMTP id j11so9667361lfb.1 for <ace@ietf.org>; Tue, 19 Apr 2016 01:10:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sics-se.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to; bh=pfMHMKISVklwt9k0Hsx98lEMHWU+YIatyqAyLwy2NZc=; b=azKMSNVDHjS/6O4h0y4IJ0izZs7Blw17EY3iPHYSUVovV2PYzPycVMPZuop7cvYSfG vP/DbdOwYBl7RYK2t2dHqfb6lebNxRyE24cFDVEaJjrPrn2Jsf5C+HTMP9nEl5kOorYm 8WdA/irpglJZaSVSpGycUmUXHLpP3RRExVWEVXo3MKtqkILlGvycXcFeINmfJ1qTeuW4 O0Osi19/QBZgwzXZpDiMYheeCcp+tVaM3EpzVA5ycsnJt7pyju7HJha5a5RZvEwkC4qB 5b9t3WGhGjP/6soUcpsukuL4Njik5EwU+3rffus1kPbJSteswstL7Rwovo5i9Dd0hoEh lvaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to; bh=pfMHMKISVklwt9k0Hsx98lEMHWU+YIatyqAyLwy2NZc=; b=I4DkcI4yJF3UYYPwSIStBJCTtBD+WPaldMuuDkrhnkPVRDqYdHsDa9Tz3xlWythujI PDvnvgG4bELUhB6TUMjvd6dd22BTapKknMPDC5BhXQi1MTtLDxIoQNekWb1GuqddEOP2 se7UI1/eJVA228paEMVLGNmuqVIahaooLNXecWncmPHAC9kBgQ//Qrc4N94Lu9xFPpt3 O3XbvpUAOJYwY/NzsxGmWb8C9N7OC7N4/25kg+9t72U2M13XppootDXDSVV2UEFSHh2U ivztZJOBRnmaKxyCFtM+6lGzqg2jj3VS3Uxprx4qpuZM6kVdHzl6hX9ixLNR0PTEGsd7 1kCA==
X-Gm-Message-State: AOPr4FUovyXg/UZTWMVS7bSKC/KmEbY0NPfpoDeHJNOZrz0xaWssD6gV1D0d0JJ4T2Pc86Gk
X-Received: by 10.112.141.40 with SMTP id rl8mr788153lbb.0.1461053433077; Tue, 19 Apr 2016 01:10:33 -0700 (PDT)
Received: from [192.168.0.166] ([85.235.10.186]) by smtp.gmail.com with ESMTPSA id a197sm2786253lfe.23.2016.04.19.01.10.32 for <ace@ietf.org> (version=TLSv1/SSLv3 cipher=OTHER); Tue, 19 Apr 2016 01:10:32 -0700 (PDT)
To: ace@ietf.org
References: <mailman.46.1461006006.23559.ace@ietf.org> <D6EBB546995C064A9492E8E27F62D90D0AA2B875@blreml509-mbb.china.huawei.com>
From: Ludwig Seitz <ludwig@sics.se>
Message-ID: <5715E7F7.80604@sics.se>
Date: Tue, 19 Apr 2016 10:10:31 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <D6EBB546995C064A9492E8E27F62D90D0AA2B875@blreml509-mbb.china.huawei.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms030306080300090409030305"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ace/sxUClmQMIp2ePIafqAxQnV7d3uY>
Subject: Re: [Ace] Ace Digest, Vol 29, Issue 12
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Apr 2016 08:10:38 -0000
On 2016-04-19 08:58, Vasu Kantubukta wrote:
> Hi Ludwig Seitz,
>
> I have a quick look on your draft. We are happy even to discuss about
> our draft and can collaborate.
>
> Plz find my few inline comments below:
>
> Actually that draft is not so much about pre-configuring endpoints
> with tokens, the idea behind OAuth is that you supply these tokens on
> demand, i.e. when a client tries to access a resource on a server.
>
> Btw: The reference is wrong, it's now draft-ietf-ace-oauth-authz
>
> ----> Thanks for bringing me to notice the new draft
> "draft-ietf-ace-oauth-authz-01"
----> Yes, these tokens are not
> configured at the endpoints, those are at AS, my doubt is about how
> AS can make dynamic configuration of security policies about RS, and
> clients. Does there be any frequent updates about policies from RS to
> AS.
>
The RS is not supposed to manage policies at the AS. Managing access
control policies at the AS is the job of the Resource Owner RO (i.e. the
entity in charge of RS). Since the AS and RO are not considered to be
constrained devices, normal web tools can be used for that. Furthermore
since the AS is not constrained it is considered to be connected at all
times, thus frequent access control policy updates are possible.
How AS are implemented in detail is not in scope for ACE, you might be
able to get some feedback on that from people at the OAuth WG.
> I'm not sure what you mean with those points. Priority of requests
> and QoS could be parameters that have a bearing on what kind of
> access token you get, but they are certainly out of scope for ACE.
> The operations that clients can perform on the resource are supposed
> to either be encoded in the token, or available through introspection
> by ways of the "scope" of an OAuth token.
>
> ---> Authorization server provides resource access to client by
> giving access tokens to client that includes only security context,
> and kind of protocol access.
The token only includes very few parameters indeed, but the policies the
AS uses to determine what token a client can get in a specific situation
can be as complex as you like (e.g. depending on requested QoS or
whatever else).
Btw: I really don't know what exactly you mean with 'security context'
and 'protocol access', in order to avoid misunderstandings it would be
good to get to a common understanding on the terms we use.
---> Suppose RS cannot handle any
> request at that time, and some other similar resource can handle the
> request. Does the RS will update to AS?. If not, then request should
> not be allowed.
You are aware that in some usecases the RS is not even be able to
communicate with AS?
Note however that an access token might be valid for more than just one
specific RS, so in the case you describe above, where several RS could
satisfy the client's request, the AS could issue such a token to the
client, and the client could contact all the matching RS using the same
token until it finds one that can satisfy its request.
> Here the check is not happened based on the resource
> management. Only protocol operations like (PUT,POST,GET etc) may not
> be sufficient to distinguish the resource access. Resource oriented
> operations are more appropriate for resource control (for ex. for
> resource IP Camera, the operations allowed are {"turn it up", "turn
> it down", "play", "pause"}).
Such resource oriented operations can be encoded in an access token as
well using a different set of OAuth scopes. The ACL defined in
draft-bormann-core-ace-aif is just one example specific to protocol
operations. This will probably pan out for IoT the same way it has for
Web OAuth: There will be many different application specific uses scope,
that define resource oriented permissions similar to those you listed
above.
See https://www.brandur.org/oauth-scope for an overview of how people
have used scopes differently to implement application/resource specific
permissions.
> Centralized resource control is required
> to admit client request. On what basis these tokens assigned is very
> important in constrained environments. only based on security context
> is not sufficient to authorize the resource. Authorization should
> include both admission and resource control. There should be some
> decision making required to provide access controls on resource
> access not only just by the security context.
Again it is hard for me to discuss your points unless I know what you
mean with 'security context', 'admission control' and 'resource
control'. Could you please clarify these terms?
Note that there is centralized control today in OAuth through the AS.
--> Admission control
> does not have to consider about resource management, but resource
> control should consider. And, any access control mechanism should
> include both admission and resource control. Permission to access a
> resource is an authorization. So, managing and monitoring of access
> controls of a resource is also a part of resource access.
>
> Moreover, other few queries about draft-ietf-ace-oauth-authz-01:
>
--->resource server is involved in processing the access token which
> is supplied as payload from client request. Or in other case, it has
> to construct new introspection request to AS and verify the access
> token of client. Which burdens the resource heavily due to limited
> memory.
--->why can't this be delegated to some intermediate server
> that do access token verification on behalf of RS.
The RS would still have to get the results from the intermediate server
in a secure way and verify that they are correct.
a.) In some usecases this does not work at all because the RS has no
connectivity
b.) In most cases I expect that verifying the intermediate servers
assertions and maintaining a secure connection to this intermediate
server is going to be at least as burdensome for the RS as just
verifying token itself.
Note that the idea is that the AS makes an access control decision,
which is a heavyweight process, it encodes this decision into an access
token. The RS then only enforces the decision made by the AS, and for
that it has to verify the token, which is supposed to be a lightweight
process.
--->Does the RS
> has to do this verification of access request for each client and
> resource request?.
>
Access requests are verified by the AS, the RS only matches the resource
request against the token to see if the token authorizes this resource
request.
Regards,
Ludwig
--
Ludwig Seitz, PhD
SICS Swedish ICT AB
Ideon Science Park
Building Beta 2
Scheelevägen 17
SE-223 70 Lund
Phone +46(0)70-349 92 51
http://www.sics.se
- Re: [Ace] Ace Digest, Vol 29, Issue 12 Vasu Kantubukta
- Re: [Ace] Ace Digest, Vol 29, Issue 12 Ludwig Seitz