Re: [Ace] draft-ietf-ace-oauth-authz

Jim Schaad <ietf@augustcellars.com> Wed, 06 May 2020 02:38 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: 'Michael Richardson' <mcr+ietf@sandelman.ca>, 'Ace' <ace@ietf.org>
In-Reply-To: <14777.1588702041@localhost>
Date: Tue, 05 May 2020 19:38:38 -0700
Message-ID: <039801d6234f$744229d0$5cc67d70$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/vyc6g366LT-4uKtWk3LF0zDM_B4>


-----Original Message-----
From: Michael Richardson <mcr+ietf@sandelman.ca> 
Sent: Tuesday, May 5, 2020 11:07 AM
To: Jim Schaad <ietf@augustcellars.com>; 'Ace' <ace@ietf.org>
Subject: Re: [Ace] draft-ietf-ace-oauth-authz


Jim Schaad <ietf@augustcellars.com> wrote:
    > I have much the same problem.  While a client could find an AS which
    > would authenticate the client, I don't know how the client would
    > establish any degree of trust in the AS which is going to give it
    > tokens.

Is your question that you don't know how to trust that the AS is the correct
AS for RS-foo?

[JLS] No, my question is how do I know to trust the AS period.  I don't have
a key to establish a secure session with the AS.  I guess doing full X.509
certificate processing would be an answer, but that could be difficult in
the event of a key compromise.

    > If you have already put a local public key for the AS into the
    > client, then you might as well put in a name for the AS as well.  I
    > suppose you could get by with a shared secret but that does not seem to
    > be a good way to build up the system.

Maybe there are redundant instances of the AS, or maybe there are multiple
ways (thus different IP addresses) by which to reach the AS.

[JLS] It could be that there are redundant instances of the AS, but then you
have the problem of either doing key sharing between all of them or needing
the ability to validate the key assigned to each of them.  If you have
different addresses, that might be interesting, but you are going to need to
do trial connections to each possible AS found until you get one that works.

Jim



--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-
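As an added illustration (not code from draft-ietf-ace-oauth-authz or from either poster), the Python sketch below models the shared-secret variant Jim mentions: a client that was pre-provisioned with an AS name and a key trial-connects each discovered address, challenges it with a fresh nonce, and accepts the first server whose HMAC response verifies under that key and that name. The addresses, the AS name `as.example`, the key bytes and the `SimulatedAS` class are all constructed assumptions, and the "network" is simulated in-process.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional

# Constructed demo values (assumptions, not from the draft or the thread).
AS_NAME = "as.example"                            # name pre-provisioned in the client
SHARED_KEY = b"constructed-demo-key-not-for-use"  # secret pre-provisioned in the client


def response_tag(key: bytes, as_name: str, nonce: bytes) -> bytes:
    """Tag a genuine AS must return: HMAC-SHA256 over its name and the client's
    fresh nonce.  Binding the name into the tag stops a server that holds the
    key for a *different* AS from answering as this one."""
    return hmac.new(key, as_name.encode("ascii") + b"|" + nonce, hashlib.sha256).digest()


@dataclass
class SimulatedAS:
    """In-process stand-in for one AS instance (hypothetical)."""
    name: str
    key: Optional[bytes]  # None: this server does not hold the client's key

    def answer(self, nonce: bytes) -> bytes:
        if self.key is None:
            return secrets.token_bytes(32)  # cannot compute the right tag
        return response_tag(self.key, self.name, nonce)


def build_demo_directory() -> Dict[str, Optional[SimulatedAS]]:
    """Constructed set of candidate AS addresses the client has discovered."""
    return {
        "10.0.0.1": None,                                        # unreachable
        "10.0.0.2": SimulatedAS("as.example", key=None),         # claims the name, lacks the key
        "10.0.0.3": SimulatedAS("other.example", SHARED_KEY),    # holds the key, wrong identity
        "10.0.0.4": SimulatedAS("as.example", SHARED_KEY),       # genuine, or a key-sharing replica
    }


def make_connector(directory: Dict[str, Optional[SimulatedAS]]) -> Callable[[str, bytes], bytes]:
    """Return a connect(address, nonce) function that plays the network."""
    def connect(address: str, nonce: bytes) -> bytes:
        server = directory.get(address)
        if server is None:
            raise ConnectionError(address)
        return server.answer(nonce)
    return connect


def find_trusted_as(candidates: Iterable[str], expected_name: str, key: bytes,
                    connect: Callable[[str, bytes], bytes]) -> Optional[str]:
    """Trial-connect each candidate in order and return the first address whose
    response verifies under the pre-provisioned key and expected name, or None
    if no candidate does.  A fresh nonce per attempt means a captured answer
    from an earlier trial cannot be replayed."""
    for address in candidates:
        nonce = secrets.token_bytes(16)
        try:
            tag = connect(address, nonce)
        except ConnectionError:
            continue  # unreachable instance: move on to the next one
        if hmac.compare_digest(tag, response_tag(key, expected_name, nonce)):
            return address
    return None


if __name__ == "__main__":
    connect = make_connector(build_demo_directory())
    order = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
    print(find_trusted_as(order, AS_NAME, SHARED_KEY, connect))
```

The name bound into the tag is what lets the client tell apart a server that merely holds the key from the AS it was actually provisioned for, and the per-attempt nonce is why trial connections to several addresses are safe to repeat. The shared-secret route does not escape the rotation problem Jim raises: after a compromise, every client holding that key has to be re-provisioned.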