Re: [Ace] WGLC comments on draft-ietf-ace-oauth-authz and draft-ietf-ace-params

Jim Schaad <ietf@augustcellars.com> Fri, 23 November 2018 14:44 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: 'Ludwig Seitz' <ludwig.seitz@ri.se>, ace@ietf.org
References: <ff75be9e-2d0d-e1c8-34d8-5ab5bdcab87b@ri.se> <cdd28d8d-ea22-573a-fe53-b6c4e554576a@ri.se>
In-Reply-To: <cdd28d8d-ea22-573a-fe53-b6c4e554576a@ri.se>
Date: Fri, 23 Nov 2018 06:44:07 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/vH-h3NnDS017oAv0nu2p4_RrQ80>
Subject: Re: [Ace] WGLC comments on draft-ietf-ace-oauth-authz and draft-ietf-ace-params

I believe the consensus in the room at the F2F was to document 2, but make
sure that it is not done in a way which would forbid 1 in the future.  That
is, the default should be 2 but a future document/solution should be able to
say how 1 could be done in the future.

Jim


> -----Original Message-----
> From: Ace <ace-bounces@ietf.org> On Behalf Of Ludwig Seitz
> Sent: Friday, November 23, 2018 2:34 AM
> To: ace@ietf.org
> Subject: Re: [Ace] WGLC comments on draft-ietf-ace-oauth-authz and
> draft-ietf-ace-params
> 
> On 23/11/2018 11:31, Ludwig Seitz wrote:
> > Hello ACE,
> >
> > I have now addressed all WGLC comments (Jim Schaad's, Mike Jones' and
> > Stefanie Gerdes') except for this one:
> >
> > "Do we need to write something about how a RS should handle the
> > presence of multiple tokens for the same client? Perhaps a security
> > consideration?
> >
> > I see two options:
> >
> > 1. Multiple tokens complement themselves i.e. if token A gives you
> > right R1 and token B right R2 then you have R1+R2.
> >
> > 2. The newer token always overwrites the old one, which means if you
> > want to extend your access rights as a client, when you already have A
> > -> R1 you need to ask the AS for B*->R1+R2.
> > "
> > (see https://github.com/ace-wg/ace-oauth/issues/147).
> >
> >
> > AFAIK the common usage in OAuth is option 2, however Jim has pointed
> > out use cases for option 1 and refers to it in
> > https://datatracker.ietf.org/doc/draft-schaad-cnf-cwt-id/
> >
> >
> > Jim has expressed a preference for 1. while Olaf has (in the Jabber at
> > IETF 103) expressed a preference for 2.
> >
> > I would need some guidance from the WG on how to proceed here.
> >
> > /Ludwig
> >
> 
> Btw. I haven't uploaded a new draft yet. Please use the editor's copy and
> the diff here: https://github.com/ace-wg/ace-oauth and here:
> https://github.com/ace-wg/ace-oauth-params
> /Ludwig
> 
> --
> Ludwig Seitz, PhD
> Security Lab, RISE
> Phone +46(0)70-349 92 51
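
A minimal model of the two options discussed in this thread, added here as an illustration and not taken from the draft or from either author. The `Token` fields, the `TokenStore` class, the policy names and all token values are assumptions; token validation by the RS is out of scope.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    # Hypothetical, simplified token; a real RS would first validate a CWT/JWT.
    token_id: str
    client: str
    rights: frozenset
    exp: int  # expiry time, seconds (constructed values below)

class TokenStore:
    """Per-client token store on the RS with a selectable multi-token policy."""

    def __init__(self, policy="replace"):
        if policy not in ("replace", "union"):
            raise ValueError(f"unknown policy: {policy}")
        self.policy = policy
        self._held = {}  # client -> list of Token, oldest first

    def add(self, token):
        held = self._held.setdefault(token.client, [])
        if self.policy == "replace":
            held.clear()  # option 2: the newer token overwrites the old one
        held.append(token)  # option 1 ("union") keeps earlier tokens as well

    def rights(self, client, now):
        # Drop expired tokens first so their rights never outlive them,
        # even while another token for the same client is still valid.
        live = [t for t in self._held.get(client, []) if t.exp > now]
        self._held[client] = live
        return frozenset().union(*(t.rights for t in live))

def scenario(policy):
    """Token A -> R1 (exp 100), then token B -> R2 (exp 200); constructed data."""
    store = TokenStore(policy)
    store.add(Token("A", "client1", frozenset({"R1"}), exp=100))
    store.add(Token("B", "client1", frozenset({"R2"}), exp=200))
    return store.rights("client1", now=50), store.rights("client1", now=150)

def extend_under_replace():
    """Under option 2 the client asks the AS for B* -> R1+R2 instead."""
    store = TokenStore("replace")
    store.add(Token("A", "client1", frozenset({"R1"}), exp=100))
    store.add(Token("B*", "client1", frozenset({"R1", "R2"}), exp=200))
    return store.rights("client1", now=50)

if __name__ == "__main__":
    for p in ("replace", "union"):
        print(p, [sorted(r) for r in scenario(p)])
    print("replace with B*", sorted(extend_under_replace()))
```

In this model the "union" policy evaluates expiry per token, so R1 disappears when token A expires although token B is still valid.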