Re: [Ace] Keeping the same key identifier for groups

Peter van der Stok <stokcons@bbhmail.nl> Tue, 20 August 2019 09:18 UTC

Date: Tue, 20 Aug 2019 11:18:37 +0200
From: Peter van der Stok <stokcons@bbhmail.nl>
To: Ludwig Seitz <ludwig.seitz@ri.se>
Cc: ace@ietf.org
Organization: vanderstok consultancy
Reply-To: consultancy@vanderstok.org
Mail-Reply-To: consultancy@vanderstok.org
In-Reply-To: <01a391d0-8e6d-82cf-8f59-5a3e4d9f5605@ri.se>
References: <01fc01d556ce$69f73cc0$3de5b640$@augustcellars.com> <01a391d0-8e6d-82cf-8f59-5a3e4d9f5605@ri.se>
Message-ID: <c2712fce6d29f50d5c7868b3d11420a4@bbhmail.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/x08wnDu_tXkuVHJJ0PwvSPumtM8>

Example: If you have a CWT authorizing A for audience Z and you now also
need authorization B for audience Z, you should request a CWT for A+B
for audience Z, that replaces your previous one.

Do I understand?
Two possibilities:
- A and B are members of audience Z; no new CWT needed.
- B is a new member of audience Z; then audience Z becomes audience
  Z-prime and a new CWT seems reasonable.

Peter

Ludwig Seitz schreef op 2019-08-20 11:09:

> On 19/08/2019 22:40, Jim Schaad wrote: 
> 
>> As Ludwig pointed out during the F2F, it makes far more sense to try and
>> keep an entity using the same key identifier for as long as possible.  This
>> is in part to make sure that signing keys do not need to be retrieved if
>> they can be easily cached.  In looking at this deeper during my
>> implementation I ended up with the following question:
>> 
>> The way that I have set things up in my implementation it is simple to
>> ensure that the same kid value is going to be used with the same CWT,
>> however it might make more sense to use the signing key as the continuity
>> identifier instead.  The issue that arises in this case is that there might
>> be two different active CWT objects that are associated with the same
>> signing key.  That is there are two CWTs but the same signing key was used
>> while doing a join operation.   I already do some matching between different
>> CWTs by assuming that if the bearer key in the CWT is the same then they are
>> sufficiently equivalent to treat them as the same.  This led to some
>> interesting discussions in Montreal about if this meant just the "secret" or
>> if it meant all of the elements provided by the AS which are used in the key
>> derivation process.  (I have gone back and forth on this and currently am
>> sitting on the "just the secret" side of the fence.)
>> 
>> Does anyone have any opinions?
> Could you please expand the explanation of your use case a bit?
> 
> Are you thinking of a scenario where someone would be using the counter-signature key from group-OSCORE as a proof-of-possession (pop) key in several CWTs?
> 
> What would these CWTs authorize?
> 
> Why would an entity hold several CWTs for the same audience?
> 
> Side-note:
> My stance on multiple CWTs linked to the same pop-key and for the same audience is that the latter one should supersede the previous ones.
> Example: If you have a CWT authorizing A for audience Z and you now also need authorization B for audience Z, you should request a CWT for A+B for audience Z, that replaces your previous one.
> 
> /Ludwig
> 
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
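The following is an added example, not code from any participant in this thread or from the ACE drafts. It sketches an RS-side token registry that applies the rule Ludwig states in his side-note (the latest CWT for the same pop key and audience supersedes the earlier ones) and uses the raw pop-key bytes, rather than the kid, as the continuity identifier, i.e. the "just the secret" position Jim describes. CWT claim keys follow RFC 8392 (aud=3, exp=4, iat=6, cti=7), cnf=8 follows RFC 8747 and scope=9 follows RFC 9200; everything else (the `TokenRegistry` class, the `make_cwt` helper, text-valued space-separated scopes, the constructed key and token values, and the rejection of a token whose `iat` is older than the one it would replace) is an assumption made for illustration. Tokens are plain dicts here; a real RS would decode and verify the COSE-wrapped CWT first.

```python
"""Added example (hypothetical): RS-side CWT registry where the newest
token for a given (pop key, audience) pair supersedes earlier ones.
Not from the ACE drafts or any implementation discussed in the thread."""
from typing import Dict, Optional, Tuple

# CWT claim keys: aud/exp/iat/cti from RFC 8392, cnf from RFC 8747,
# scope from RFC 9200.
AUD, EXP, IAT, CTI, CNF, SCOPE = 3, 4, 6, 7, 8, 9
COSE_KEY = 1             # cnf member carrying a COSE_Key (RFC 8747)
KTY, KID, K = 1, 2, -1   # COSE_Key labels: kty, kid, k (symmetric key bytes)
KTY_SYMMETRIC = 4


def pop_identity(cwt: dict) -> bytes:
    """Continuity identifier for a token: the raw symmetric pop-key bytes.

    Assumption for this example: identity is "just the secret", so the kid
    and any AS-supplied derivation parameters are deliberately not part
    of it. Two tokens with different kids but the same key bytes match."""
    key = cwt[CNF][COSE_KEY]
    if key.get(KTY) != KTY_SYMMETRIC:
        raise ValueError("example only handles symmetric pop keys")
    return bytes(key[K])


class TokenRegistry:
    """Holds at most one active CWT per (pop key bytes, audience)."""

    def __init__(self) -> None:
        self._active: Dict[Tuple[bytes, str], dict] = {}

    def install(self, cwt: dict, now: int) -> Optional[dict]:
        """Install a token; returns the token it superseded, if any.

        A token older (by iat) than the one already active is rejected so a
        late-arriving earlier token cannot roll back the granted scope
        (assumed policy, not something the thread prescribes)."""
        if EXP in cwt and cwt[EXP] <= now:
            raise ValueError("expired token")
        slot = (pop_identity(cwt), cwt[AUD])
        old = self._active.get(slot)
        if old is not None and old.get(IAT, 0) > cwt.get(IAT, 0):
            raise ValueError("stale token: an older token cannot supersede a newer one")
        self._active[slot] = cwt
        return old

    def authorized(self, pop_key: bytes, audience: str, scope: str, now: int) -> bool:
        """True if the active token for this pop key and audience grants scope."""
        cwt = self._active.get((pop_key, audience))
        if cwt is None or (EXP in cwt and cwt[EXP] <= now):
            return False
        # Assumption: scope is a space-separated text string (one form RFC 9200 allows).
        return scope in cwt[SCOPE].split()


def make_cwt(kid: bytes, key: bytes, aud: str, scope: str, iat: int, cti: bytes) -> dict:
    """Build a (not yet COSE-wrapped) CWT claims set with a symmetric pop key."""
    return {
        AUD: aud, SCOPE: scope, IAT: iat, EXP: iat + 3600, CTI: cti,
        CNF: {COSE_KEY: {KTY: KTY_SYMMETRIC, KID: kid, K: key}},
    }


def demo() -> dict:
    """Ludwig's example: a CWT for A on audience Z, then a CWT for A+B on Z."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
    reg = TokenRegistry()
    t1 = make_cwt(b"k1", key, "Z", "A", iat=1000, cti=b"\x01")
    t2 = make_cwt(b"k1", key, "Z", "A B", iat=1100, cti=b"\x02")
    reg.install(t1, now=1000)
    before = reg.authorized(key, "Z", "B", now=1050)  # B not yet granted
    replaced = reg.install(t2, now=1100)              # t2 supersedes t1
    after = reg.authorized(key, "Z", "B", now=1150)   # B now granted
    return {"before": before, "after": after, "replaced": replaced[CTI]}


if __name__ == "__main__":
    print(demo())
```

Because the registry is keyed on the key bytes and not on the kid, a client that keeps the same pop key across joins is matched to a single slot per audience even if the AS issues a fresh kid, which is the continuity Jim is after; whether the derivation parameters should also be folded into that identity is exactly the open question in the thread, and this code takes one side of it only as an assumption.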