Re: [Ace] AD review of draft-ietf-ace-oauth-authz-24

Ludwig Seitz <ludwig.seitz@ri.se> Wed, 30 October 2019 12:57 UTC

Return-Path: <ludwig.seitz@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45E9512081F; Wed, 30 Oct 2019 05:57:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=risecloud.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SY490PDNLylV; Wed, 30 Oct 2019 05:57:34 -0700 (PDT)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-ve1eur02on0625.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe06::625]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24CD1120812; Wed, 30 Oct 2019 05:57:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=arOE3rHKH0XTwiqO9nr5h08qn8okX8NU3B4e6JXr770PM+/C+v11RStlTvlm46sn3z/f0B/mb3dJu9zLmpySUtuvREC7ArAJoMMEc3R82mSMUyVYHYMvx8vfidoSeqbQekx044Q9JqJ5rNzhSbMrfkz8q2kyz2bH7SYAfV47oNvBOdlx+/3dQgto/K1aLrlLSbfyZ1eNpSxc0qBW5zUDU286Rqm2oUoEFEACQZLNWtkVkAU/GXhhz6t6iWzaq28zwuVe42yesB926kptI2M/n6H5si2EO+VCd0zUQYgxG4cLFGPb8zjwClgrpNwEjeGX3UQ5i4+8ySUEhv7LaMFWhw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=uzlYhk8FzNgFFVTjIQjORjQiYXZRseCbeRbp29sShZY=; b=cqcls//lw4ZXuoCIyillmGvea3FvsZBiXv5BDsXohi4BkB5ioRgkiQE6hJ12ILG6PS/ScJ3hPtKg7M1K0ZF+XmwVItTBtSvCkQDTCVCUnR62vnet2dW/GT651kznlG6JCW/f2y+tlYDpPjKyMWxhos0fd6FsafegkWd5Jxi/bg59WmzMCIZokBZ8Gc/aTYEUZmZ0h6GMA3OaX+L3qQ5BKQE4NqD5ON5zDh+Ag5CYb71BJueLCiT2BhIhLqGGkDWRfRg8kqC4aTZefxt6q1c+a7h+NdveY/CHKbk4d9I/g2DmG1xySWt//OjkVdTaxXAo+VYjzSg+mnUTboLoMNOO0Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 194.218.146.197) smtp.rcpttodomain=ietf.org smtp.mailfrom=ri.se; dmarc=pass (p=none sp=none pct=100) action=none header.from=ri.se; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=RISEcloud.onmicrosoft.com; s=selector1-RISEcloud-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=uzlYhk8FzNgFFVTjIQjORjQiYXZRseCbeRbp29sShZY=; b=KqPtIGArdM8Q07peEDADMxVNI4uYMMG9W8NPerpHWY943QZjbIR1ev8cr/nrNOi+kunXVnUiN5hvFX8cm9XsM+w76l8IGv5AYyhX54VlPhO1ebjKeCOOufHrTEQBlFa3BRiY+IeeXJzZQWCNi1qx9OlmFxgyBBHcSSICIenwmRo=
Received: from DB6P18901CA0003.EURP189.PROD.OUTLOOK.COM (2603:10a6:4:16::13) by AM5P189MB0419.EURP189.PROD.OUTLOOK.COM (2603:10a6:206:22::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2387.22; Wed, 30 Oct 2019 12:57:31 +0000
Received: from HE1EUR02FT043.eop-EUR02.prod.protection.outlook.com (2a01:111:f400:7e05::201) by DB6P18901CA0003.outlook.office365.com (2603:10a6:4:16::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2408.18 via Frontend Transport; Wed, 30 Oct 2019 12:57:31 +0000
Authentication-Results: spf=pass (sender IP is 194.218.146.197) smtp.mailfrom=ri.se; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=pass action=none header.from=ri.se;
Received-SPF: Pass (protection.outlook.com: domain of ri.se designates 194.218.146.197 as permitted sender) receiver=protection.outlook.com; client-ip=194.218.146.197; helo=mail.ri.se;
Received: from mail.ri.se (194.218.146.197) by HE1EUR02FT043.mail.protection.outlook.com (10.152.11.140) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.20.2387.20 via Frontend Transport; Wed, 30 Oct 2019 12:57:30 +0000
Received: from [10.112.134.122] (10.100.0.158) by sp-mail-2.sp.se (10.100.0.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1779.2; Wed, 30 Oct 2019 13:57:30 +0100
To: Benjamin Kaduk <kaduk@mit.edu>, Jim Schaad <ietf@augustcellars.com>
CC: <draft-ietf-ace-oauth-authz.all@ietf.org>, <ace@ietf.org>
References: <20190927015154.GY6424@kduck.mit.edu> <696c7ee4-75f9-48ec-8837-ea171137e9f8@ri.se> <024201d583bf$f4a146e0$dde3d4a0$@augustcellars.com> <20191028210607.GI69013@kduck.mit.edu>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <e5aaedd8-ea5d-2d2b-6f16-a7082b11bd80@ri.se>
Date: Wed, 30 Oct 2019 13:57:29 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <20191028210607.GI69013@kduck.mit.edu>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms030702010909010408050902"
X-Originating-IP: [10.100.0.158]
X-ClientProxiedBy: sp-mail-3.sp.se (10.100.0.163) To sp-mail-2.sp.se (10.100.0.162)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:194.218.146.197; IPV:NLI; CTRY:SE; EFV:NLI; SFV:NSPM; SFS:(10009020)(4636009)(396003)(376002)(346002)(39860400002)(136003)(189003)(199004)(22756006)(8676002)(22746008)(65806001)(5660300002)(33964004)(476003)(26005)(110136005)(58126008)(486006)(235185007)(86362001)(54906003)(53546011)(568964002)(386003)(81156014)(81166006)(356004)(2906002)(65956001)(40036005)(3846002)(31696002)(8936002)(70586007)(70206006)(229853002)(5024004)(14444005)(446003)(11346002)(336012)(126002)(71190400001)(4326008)(106002)(2616005)(7736002)(316002)(305945005)(6116002)(36756003)(478600001)(16576012)(186003)(16526019)(31686004)(76176011)(16586007)(44832011)(2171002)(6246003); DIR:OUT; SFP:1101; SCL:1; SRVR:AM5P189MB0419; H:mail.ri.se; FPR:; SPF:Pass; LANG:en; PTR:InfoDomainNonexistent; MX:1; A:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 8cff0a1f-1285-4aa2-9301-08d75d38b9a4
X-MS-TrafficTypeDiagnostic: AM5P189MB0419:
X-Microsoft-Antispam-PRVS: <AM5P189MB0419A056BB6EDE000CBB0A9182600@AM5P189MB0419.EURP189.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:9508;
X-Forefront-PRVS: 02065A9E77
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: Eo4LxvqZFzqrhnxQfwXnXPauQtQ4wOnDWGv7Xhma95mmcCEBLTknYhbbpBY1ja9Yv/ytqxG7Ywqh/8CgQ9vp9vuC2NKcph10xDuey94ADWv7c1fV8BolTwJFiIwxD/4k2X+csrmFZuorX1SZkF1aCAg+Mu7Fsa1fJuvibFg5qxklY76my1fDvFmtyv9MDqE4N62yVxkqqlFvh3TOVszPGsjrICoAlUlMxT285+We6J3/sOEMdkKQdAgXCpo4MmC/E72ybmYdYBuWhk4Rmtlt2dKT8GeM8IJL5CPDsRBffx7GhtBqFuKuKoOah23KXks4VpKEEU+6s83U4nMi0K7sby6CurWmdm9VF5Y25PDF9ZcU53dtz6D7mMf0btAiMbd+VnhlY2whUyu0GElnETrWz/wB4sZbprHXFyVPzDo1U69WlIjFIOlpuBh6Gsmwlu5a
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Oct 2019 12:57:30.9786 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 8cff0a1f-1285-4aa2-9301-08d75d38b9a4
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5a9809cf-0bcb-413a-838a-09ecc40cc9e8; Ip=[194.218.146.197]; Helo=[mail.ri.se]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5P189MB0419
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/uK7pWYvDZ8jYYqZc9KkK2hCFyXQ>
Subject: Re: [Ace] AD review of draft-ietf-ace-oauth-authz-24
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Oct 2019 12:57:37 -0000

On 28/10/2019 22:06, Benjamin Kaduk wrote:

>>> 32.)
>>> Section 5.6.1
>>>
>>>     The client sends a POST request to the token endpoint at the AS.  The
>>>     profile MUST specify how the communication is protected.  The content
>>>
>>> In the previous section we said that maybe even other transports than
>>> coaps or https would be possible; are we limited to those that have POST
>>> verbs?
>>> Also, a similar comment as above about what attributes the protection
>>> entails seems to apply.
>>
>> [LS] This will need a major rephrasing of the text.
>> I see two options here:
>>
>> 1.) We rewrite all parts to use a neutral language in general and specify
>> POST/GET etc. for transports that have these verbs.
>>
>> 2.) We state in the beginning that transports that do not use RESTful verbs
>> should use the best equivalent.
>>
>> Option 1. would get a bit cluncky, while option 2. might be a bit confusing
>> Do you have a specific preference?
>>
>> [JLS] I would suggest that this could fall under the punt to the new transport that does not have the same as these verbs in it to explain how they would map.
> 
> I agree that (1) is more effort than it's likely to be worth.  If we can
> finagle a single-sentence disclaimer like "transports that do not use these
> verbs will need to specify the requisite behavior" that would be great; if
> not, then we can consider whether to just ignore it or do something more
> complicated.

I'll go for this:

" Note that this document specifies
   protocol exchanges in terms of RESTful commands such as GET and POST.
   Future profiles using protocols that do not support these verbs MUST
   specify how the corresponding protocol messages are transmitted instead.
"

In the Overview section where we mention alternate transport protocols.

/Ludwig

-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51