Re: [Ace] WGLC comments on draft-ietf-ace-oauth-authz and draft-ietf-ace-params

Jim Schaad <ietf@augustcellars.com> Fri, 23 November 2018 14:44 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99AEB130DFF for <ace@ietfa.amsl.com>; Fri, 23 Nov 2018 06:44:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kzm_krBSWlvI for <ace@ietfa.amsl.com>; Fri, 23 Nov 2018 06:44:37 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CE5B130E09 for <ace@ietf.org>; Fri, 23 Nov 2018 06:44:37 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Fri, 23 Nov 2018 06:39:16 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Ludwig Seitz' <ludwig.seitz@ri.se>, <ace@ietf.org>
References: <ff75be9e-2d0d-e1c8-34d8-5ab5bdcab87b@ri.se> <cdd28d8d-ea22-573a-fe53-b6c4e554576a@ri.se>
In-Reply-To: <cdd28d8d-ea22-573a-fe53-b6c4e554576a@ri.se>
Date: Fri, 23 Nov 2018 06:44:07 -0800
Message-ID: <014c01d4833a$fe811040$fb8330c0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJqoo66haZj7QiAwQQjp16fKnuZhALTutSepBqSlQA=
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/vH-h3NnDS017oAv0nu2p4_RrQ80>
Subject: Re: [Ace] WGLC comments on draft-ietf-ace-oauth-authz and draft-ietf-ace-params
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Nov 2018 14:44:39 -0000

I believe the consensus in the room at the F2F was to document 2, but make
sure that it is not done in a way which would forbid 1 in the future.  That
is the default should be 2 but a future document/solution should be able to
say how 1 could be done in the future.

Jim


> -----Original Message-----
> From: Ace <ace-bounces@ietf.org> On Behalf Of Ludwig Seitz
> Sent: Friday, November 23, 2018 2:34 AM
> To: ace@ietf.org
> Subject: Re: [Ace] WGLC comments on draft-ietf-ace-oauth-authz and
draft-ietf-
> ace-params
> 
> On 23/11/2018 11:31, Ludwig Seitz wrote:
> > Hello ACE,
> >
> > I have now addressed all WGLC comments (Jim Schaad's, Mike Jones' and
> > Stefanie Gerdes') except for this one:
> >
> > "Do we need to write something about how a RS should handle the
> > presence of multiple tokens for the same client? Perhaps a security
> consideration?
> >
> > I see two options:
> >
> > 1. Multiple tokens complement themselves i.e. if token A gives you
> > right
> > R1 and token B right R2 then you have R1+R2.
> >
> > 2. The newer token always overwrites the old one, which means if you
> > want to extend your access rights as a client, when you already have A
> > -> R1 you need to ask the AS for B*->R1+R2.
> > "
> > (see https://github.com/ace-wg/ace-oauth/issues/147).
> >
> >
> > AFAIK the common usage in OAuth is option 2, however Jim has pointed
> > out use cases for option 1 and refers to it in
> > https://datatracker.ietf.org/doc/draft-schaad-cnf-cwt-id/
> >
> >
> > Jim has expressed a preference for 1. while Olaf has (in the Jabber at
> > IETF 103) expressed a preference for 2.
> >
> > I would need some guidance from the WG on how to proceed here.
> >
> > /Ludwig
> >
> 
> Btw. I haven't uploaded a new draft yet. Please use the editor's copy and
the
> diff here: https://github.com/ace-wg/ace-oauth and here:
> https://github.com/ace-wg/ace-oauth-params
> /Ludwig
> 
> --
> Ludwig Seitz, PhD
> Security Lab, RISE
> Phone +46(0)70-349 92 51
> 
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace