Re: [Ace] Correct url for draft-cuellar-ace-pat-priv-enhanced-authz-tokens source code
"Calvo Alonso, Daniel" <daniel.calvo@atos.net> Thu, 13 October 2016 09:38 UTC
Return-Path: <daniel.calvo@atos.net>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12AB012970F for <ace@ietfa.amsl.com>; Thu, 13 Oct 2016 02:38:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.216
X-Spam-Level:
X-Spam-Status: No, score=-7.216 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id abFqZxUXhaiK for <ace@ietfa.amsl.com>; Thu, 13 Oct 2016 02:38:54 -0700 (PDT)
Received: from smtppost.atos.net (smtppost.atos.net [193.56.114.165]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E99B2127076 for <ace@ietf.org>; Thu, 13 Oct 2016 02:38:53 -0700 (PDT)
Received: from mail1-ext.my-it-solutions.net (mail1-ext.my-it-solutions.net) by smarthost6.atos.net with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-GCM-SHA384) id 3cd6_2692_9342de36_3b6d_48ce_8d1b_64dc73496319; Thu, 13 Oct 2016 11:38:43 +0200
Received: from mail1-int.my-it-solutions.net ([10.92.32.11]) by mail1-ext.my-it-solutions.net (8.15.2/8.15.2) with ESMTPS id u9D9cfvv009412 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 13 Oct 2016 11:38:41 +0200
Received: from DEERLM99ETQMSX.ww931.my-it-solutions.net ([10.86.142.102]) by mail1-int.my-it-solutions.net (8.15.2/8.15.2) with ESMTPS id u9D9cfEt001310 (version=TLSv1 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 13 Oct 2016 11:38:41 +0200
Received: from DEERLM99EX1MSX.ww931.my-it-solutions.net ([169.254.1.118]) by DEERLM99ETQMSX.ww931.my-it-solutions.net ([10.86.142.102]) with mapi id 14.03.0294.000; Thu, 13 Oct 2016 11:38:41 +0200
From: "Calvo Alonso, Daniel" <daniel.calvo@atos.net>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] Correct url for draft-cuellar-ace-pat-priv-enhanced-authz-tokens source code
Thread-Index: AdIDXo/JIWofyYeVRFyCDhU6AnzNSQUYAG8AAGyJrgACwR1PAAAvvhJQ
Date: Thu, 13 Oct 2016 09:38:40 +0000
Message-ID: <8A926B4ADC92E345A40FA5363D47FA3003381292@DEERLM99EX1MSX.ww931.my-it-solutions.net>
References: <8A926B4ADC92E345A40FA5363D47FA3003358C69@DEERLM99EX1MSX.ww931.my-it-solutions.net> <15048fce-3378-94e3-40d6-c75fc511a2cb@gmx.net> <8A926B4ADC92E345A40FA5363D47FA300336A807@DEERLM99EX1MSX.ww931.my-it-solutions.net> <613d3596-c721-7285-82ea-03176898e22a@gmx.net>
In-Reply-To: <613d3596-c721-7285-82ea-03176898e22a@gmx.net>
Accept-Language: es-ES, en-US
Content-Language: es-ES
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.86.142.12]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/tueOE5qR2NvFFvXyHluMslkOPVY>
Cc: "Kasinathan, Prabhakaran" <prabhakaran.kasinathan@siemens.com>, "Cuellar, Jorge" <jorge.cuellar@siemens.com>, "Gato, Jose" <jose.gato@atos.net>
Subject: Re: [Ace] Correct url for draft-cuellar-ace-pat-priv-enhanced-authz-tokens source code
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2016 09:38:58 -0000
Hi Hannes, Probably Jorge or Prabha could give you a more accurate answer regarding how close is draft-cuellar-ace-pat-priv-enhanced-authz-tokens-03 (and the implementation) to the ACE-Oauth framework since I am more focused on the implementation itself. We are already aware that most of devices targeted by ACE group are not able to run Java apps but our intention with this first prototype was just to start validating the draft concepts from a high-level perspective. A translation of the client and resource server functionalities to C/C++ is also in our roadmap for the incoming months so that we could demonstrate the draft benefits with real use-cases and devices. We will keep you informed about our advanced in this line. We will review these codes and projects to try to find potential overlappings with our work, thanks!! :) For your last question, I think that again Jorge or Prabha will give you a more detailed answer, but I guess that they are already working on this. Thanks and BR, Daniel Daniel Calvo Energy and Transport Market Atos Research and Innovation Tel: +34 946 66 20 82 daniel.calvo@atos.net C/Real Consulado s/n, Polígono Industrial Candina 39011 Santander www.atosresearch.eu Feel free to download our booklet at https://atos.net/en/insights-and-innovation/innovation-labs This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted. Este mensaje y los ficheros adjuntos pueden contener información confidencial destinada solamente a la(s) persona(s) mencionadas anteriormente y pueden estar protegidos por secreto profesional. Si usted recibe este correo electrónico por error, gracias por informar inmediatamente al remitente y destruir el mensaje. Al no estar asegurada la integridad de este mensaje sobre la red, Atos no se hace responsable por su contenido. Su contenido no constituye ningún compromiso para el grupo Atos, salvo ratificación escrita por ambas partes. Aunque se esfuerza al máximo por mantener su red libre de virus, el emisor no puede garantizar nada al respecto y no será responsable de cualesquiera daños que puedan resultar de una transmisión de virus. This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted. Este mensaje y los ficheros adjuntos pueden contener información confidencial destinada solamente a la(s) persona(s) mencionadas anteriormente y pueden estar protegidos por secreto profesional. Si usted recibe este correo electrónico por error, gracias por informar inmediatamente al remitente y destruir el mensaje. Al no estar asegurada la integridad de este mensaje sobre la red, Atos no se hace responsable por su contenido. Su contenido no constituye ningún compromiso para el grupo Atos, salvo ratificación escrita por ambas partes. Aunque se esfuerza al máximo por mantener su red libre de virus, el emisor no puede garantizar nada al respecto y no será responsable de cualesquiera daños que puedan resultar de una transmisión de virus. -----Original Message----- From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net] Sent: Wednesday, October 12, 2016 2:41 PM To: Calvo Alonso, Daniel; ace@ietf.org Cc: Kasinathan, Prabhakaran; Cuellar, Jorge; Gato, Jose Subject: Re: [Ace] Correct url for draft-cuellar-ace-pat-priv-enhanced-authz-tokens source code Hi Daniel, thanks for the description. How close is the implementation to the ACE-OAuth framework? I am asking this question since you could have re-used lots of existing code since there are many open source implementations of OAuth authorization servers around (even in Java). The use of Java for the client only makes sense if you are planning to run it on an Android phone/tablet (which is one of the use cases, of course). If the client (or the resource server) are running on an IoT device then Java is not that common (at least not on the low end devices, which the ACE group is mostly focused on). Most IoT devices are using C (or C++ at best). Maybe there is a chance that your European funded research project contributes code to a C-implementation of COSE, where preliminary work has been done already by a student in Sweden, see https://github.com/Gunzter/COSE-C Adding proof-of-possession support to OAuth authorization servers would also be appreciated. I think that these student projects from Trier University give some insight into how existing components can be re-used. In this case the scenario was to write an Android app to interact with an authorization server to obtain an access token that can be used to gain access to a smart door lock. Code from one group: https://github.com/StudienprojektUniTrier Code from the second group: http://tschofenig.priv.at/Trier-Gruppe3.zip Ciao Hannes PS: Is there a plan to take the privacy aspects from draft-cuellar-ace-pat-priv-enhanced-authz-tokens-03 and to align them with the ACE framework? On 09/28/2016 12:42 PM, Calvo Alonso, Daniel wrote: > Hi Hannes, > > Sorry for the delayed answer but I have been travelling for a couple of days. > > This code is a first JAVA prototype that implements the actors, messages and flows that are defined in draft-cuellar-ace-pat-priv-enhanced-authz-tokens-03. > > I will try to give you an overview: > - You can find several examples that demonstrate the features of the draft/prototype in src/test/java/com/atos/ari/rerum/ace. For instance in CompleteTestSuccess.java: > - We have a ResourceServer (lines 74-86) that hosts a resource which will be used for the tests (this functionality would be implemented in a constrained device) > - We have an AuthorizationServer (lines 89-106) that will perform the authorization process on behalf of the ResourceServer and which uses a set of policies defined a JSON file. This is out of the scope of the draft, but we have followed this approach to achieve a complete test. > - A client wants to get access to the resource but as it does not have an valid access token, the resource server will return an Unauthorized response with the information about the AuthorizationServer that must be contacted (lines 127-135). > - The client uses this information to ask the AuthorizationServer an AccessToken that covers its request over the ResourceServer. In this case, a GET operation. (lines 138- 141) > - The client uses part of the ClientToken to perform an authorized resource request to the resource server (lines 143 - 152) > - The client uses part of the ClientToken to unencrypt the answer received from the ResourceServer (lines 155 -167 ) > - In the rest of the code, a similar process if followed to perform a POST operation. > - The implementation of the actors can be found under src/main/java/com/atos/ari/rerum/ace folder: AuthorizationServer, Client, ResourceAce and ResourceServer. All these classes are used in the examples like the one I mentioned before. > - In src/main/java/com/atos/ari/rerum/ace/messages, you can find the classes that implement the different messages that are exchanged as part of the protocol flow, e.g., the sam information message (SamInformationMessage), the access token request message (AccessRequestMessage), the client token (TicketTransferMessage, TicketTransferMessageFace) and the access token (AccessToken). The access token is embedded in the payload as described in the draft. We use AcePayload class for this part. As you can see, the contents of the payload are encrypted to protect data confidentiality. > In src/main/java/com/atos/ari/rerum/ace/crypto, you can find the classes that implement the different algorithms that are initially proposed in the draft. For instance: > - AEAD_CHACHA20_POLY130 for authenticat4ed encryption of payloads. > - Poly1305 to generate the verifier (part of the ClientToken > that is sent from the AuthorizationServer to the Client and used to > encrypt payload) > > The next step would be to implement the Client actor and its functionality in a real constrained device. As I explained you in Berlin, this is in our roadmap but we are going also to follow your comments and try to align first this draft with draft-ietf-ace-oauth-authz-02. > > @Jorge, @Prabha, please correct me if anything is not totally correct and feel free to add what you consider of interest. > > I hope that this explanation is useful to understand better the code but if you have more doubts, please don't hesitate in ask me again! > > BR, > > Daniel > > > Daniel Calvo > Energy and Transport Market > Atos Research and Innovation > Tel: +34 946 66 20 82 > daniel.calvo@atos.net > C/Real Consulado s/n, > Polígono Industrial Candina > 39011 Santander > www.atosresearch.eu > > > > Feel free to download our booklet at > https://atos.net/en/insights-and-innovation/innovation-labs > > This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. > As its integrity cannot be secured on the Internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted. > > Este mensaje y los ficheros adjuntos pueden contener información confidencial destinada solamente a la(s) persona(s) mencionadas anteriormente y pueden estar protegidos por secreto profesional. > Si usted recibe este correo electrónico por error, gracias por informar inmediatamente al remitente y destruir el mensaje. > Al no estar asegurada la integridad de este mensaje sobre la red, Atos no se hace responsable por su contenido. Su contenido no constituye ningún compromiso para el grupo Atos, salvo ratificación escrita por ambas partes. > Aunque se esfuerza al máximo por mantener su red libre de virus, el emisor no puede garantizar nada al respecto y no será responsable de cualesquiera daños que puedan resultar de una transmisión de virus. > This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. > As its integrity cannot be secured on the Internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted. > > Este mensaje y los ficheros adjuntos pueden contener información confidencial destinada solamente a la(s) persona(s) mencionadas anteriormente y pueden estar protegidos por secreto profesional. > Si usted recibe este correo electrónico por error, gracias por informar inmediatamente al remitente y destruir el mensaje. > Al no estar asegurada la integridad de este mensaje sobre la red, Atos no se hace responsable por su contenido. Su contenido no constituye ningún compromiso para el grupo Atos, salvo ratificación escrita por ambas partes. > Aunque se esfuerza al máximo por mantener su red libre de virus, el emisor no puede garantizar nada al respecto y no será responsable de cualesquiera daños que puedan resultar de una transmisión de virus. > > > -----Original Message----- > From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net] > Sent: Monday, September 26, 2016 10:24 AM > To: Calvo Alonso, Daniel; ace@ietf.org > Cc: Kasinathan, Prabhakaran; Cuellar, Jorge; Gato, Jose > Subject: Re: [Ace] Correct url for > draft-cuellar-ace-pat-priv-enhanced-authz-tokens source code > > Hi Daniel, > > could you provide a bit of info what you have implemented? > (I know that I can look at the code myself but you probably know all > the details from the top of your head.) > > Ciao > Hannes > > > On 08/31/2016 10:11 AM, Calvo Alonso, Daniel wrote: >> Dear all, >> >> As I promised during my presentation in the ACE WG meeting in Berlin, >> this is the correct link to >> draft-cuellar-ace-pat-priv-enhanced-authz-tokens prototype source code: >> >> _https://gitlab.atosresearch.eu/ari/ACE-PAT-pub_ >> >> Please, don't hesitate in contact me in case you have any doubt or problem. >> >> With my best regards, >> >> *Daniel Calvo* >> Energy and Transport Market >> Atos Research and Innovation >> Tel: +34 946 66 20 82 >> _daniel.calvo@atos.net_ <mailto:daniel.calvo@atos.net> C/Real >> Consulado s/n, Polígono Industrial Candina >> 39011 Santander >> _www.atosresearch.eu_ <http://www.atosresearch.eu/> >> >> >> *Feel free to download our booklet at* >> _http://atos.net/en-us/home/we-are/insights-innovation/research-and-i >> n >> novation.html_ >> >> >> This e-mail and the documents attached are confidential and intended >> solely for the addressee; it may also be privileged. If you receive >> this e-mail in error, please notify the sender immediately and destroy it. >> As its integrity cannot be secured on the Internet, the Atos group >> liability cannot be triggered for the message content. Although the >> sender endeavors to maintain a computer virus-free network, the >> sender does not warrant that this transmission is virus-free and will >> not be liable for any damages resulting from any virus transmitted. >> >> Este mensaje y los ficheros adjuntos pueden contener información >> confidencial destinada solamente a la(s) persona(s) mencionadas >> anteriormente y pueden estar protegidos por secreto profesional. >> Si usted recibe este correo electrónico por error, gracias por >> informar inmediatamente al remitente y destruir el mensaje. >> Al no estar asegurada la integridad de este mensaje sobre la red, >> Atos no se hace responsable por su contenido. Su contenido no >> constituye ningún compromiso para el grupo Atos, salvo ratificación >> escrita por ambas partes. >> Aunque se esfuerza al máximo por mantener su red libre de virus, el >> emisor no puede garantizar nada al respecto y no será responsable de >> cualesquiera daños que puedan resultar de una transmisión de virus. >> This e-mail and the documents attached are confidential and intended >> solely for the addressee; it may also be privileged. If you receive >> this e-mail in error, please notify the sender immediately and destroy it. >> As its integrity cannot be secured on the Internet, the Atos group >> liability cannot be triggered for the message content. Although the >> sender endeavors to maintain a computer virus-free network, the >> sender does not warrant that this transmission is virus-free and will >> not be liable for any damages resulting from any virus transmitted. >> >> Este mensaje y los ficheros adjuntos pueden contener información >> confidencial destinada solamente a la(s) persona(s) mencionadas >> anteriormente y pueden estar protegidos por secreto profesional. >> Si usted recibe este correo electrónico por error, gracias por >> informar inmediatamente al remitente y destruir el mensaje. >> Al no estar asegurada la integridad de este mensaje sobre la red, >> Atos no se hace responsable por su contenido. Su contenido no >> constituye ningún compromiso para el grupo Atos, salvo ratificación >> escrita por ambas partes. >> Aunque se esfuerza al máximo por mantener su red libre de virus, el >> emisor no puede garantizar nada al respecto y no será responsable de >> cualesquiera daños que puedan resultar de una transmisión de virus. >> >> >> >> This e-mail and the documents attached are confidential and intended >> solely for the addressee; it may also be privileged. If you receive >> this e-mail in error, please notify the sender immediately and destroy it. >> As its integrity cannot be secured on the Internet, the Atos group >> liability cannot be triggered for the message content. Although the >> sender endeavors to maintain a computer virus-free network, the >> sender does not warrant that this transmission is virus-free and will >> not be liable for any damages resulting from any virus transmitted. >> >> Este mensaje y los ficheros adjuntos pueden contener información >> confidencial destinada solamente a la(s) persona(s) mencionadas >> anteriormente y pueden estar protegidos por secreto profesional. >> Si usted recibe este correo electrónico por error, gracias por >> informar inmediatamente al remitente y destruir el mensaje. >> Al no estar asegurada la integridad de este mensaje sobre la red, >> Atos no se hace responsable por su contenido. Su contenido no >> constituye ningún compromiso para el grupo Atos, salvo ratificación >> escrita por ambas partes. >> Aunque se esfuerza al máximo por mantener su red libre de virus, el >> emisor no puede garantizar nada al respecto y no será responsable de >> cualesquiera daños que puedan resultar de una transmisión de virus. >> >> >> _______________________________________________ >> Ace mailing list >> Ace@ietf.org >> https://www.ietf.org/mailman/listinfo/ace >> > This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. > As its integrity cannot be secured on the Internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted. > > Este mensaje y los ficheros adjuntos pueden contener información confidencial destinada solamente a la(s) persona(s) mencionadas anteriormente y pueden estar protegidos por secreto profesional. > Si usted recibe este correo electrónico por error, gracias por informar inmediatamente al remitente y destruir el mensaje. > Al no estar asegurada la integridad de este mensaje sobre la red, Atos no se hace responsable por su contenido. Su contenido no constituye ningún compromiso para el grupo Atos, salvo ratificación escrita por ambas partes. > Aunque se esfuerza al máximo por mantener su red libre de virus, el emisor no puede garantizar nada al respecto y no será responsable de cualesquiera daños que puedan resultar de una transmisión de virus. > > _______________________________________________ > Ace mailing list > Ace@ietf.org > https://www.ietf.org/mailman/listinfo/ace >
- [Ace] Correct url for draft-cuellar-ace-pat-priv-… Calvo Alonso, Daniel
- Re: [Ace] Correct url for draft-cuellar-ace-pat-p… Hannes Tschofenig
- Re: [Ace] Correct url for draft-cuellar-ace-pat-p… Calvo Alonso, Daniel
- Re: [Ace] Correct url for draft-cuellar-ace-pat-p… Hannes Tschofenig
- Re: [Ace] Correct url for draft-cuellar-ace-pat-p… Calvo Alonso, Daniel
- Re: [Ace] Correct url for draft-cuellar-ace-pat-p… Kasinathan, Prabhakaran