Re: [Ace] draft-ietf-ace-oauth-authz

Jim Schaad <ietf@augustcellars.com> Tue, 05 May 2020 15:39 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: 'Carsten Bormann' <cabo@tzi.org>
CC: 'Benjamin Kaduk' <kaduk@mit.edu>, 'Olaf Bergmann' <bergmann@tzi.org>, 'Peter van der Stok' <stokcons@bbhmail.nl>, 'peter van der Stok' <consultancy@vanderstok.org>, 'Ace' <ace@ietf.org>
References: <56d31e581571721e176b59db20e08c23@bbhmail.nl> <00f101d61f03$a26bb920$e7432b60$@augustcellars.com> <0873a3115cab89036002cf42b1c97608@bbhmail.nl> <87mu6o6u8t.fsf@wangari> <20200505040917.GM27494@kduck.mit.edu> <02f001d62299$56718830$03549890$@augustcellars.com> <CE04D437-8906-4C0D-BE35-6C1A643C383C@tzi.org>
In-Reply-To: <CE04D437-8906-4C0D-BE35-6C1A643C383C@tzi.org>
Date: Tue, 05 May 2020 08:39:13 -0700
Message-ID: <034001d622f3$5606eca0$0214c5e0$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/x5TG9081y3mN-s5eXY2EniX2tKM>

I don't see how the four-corner model solves the issue that I highlighted.  If the client does not have a key for any local AS, then nothing helps.  The four-corner model deals with the issue of the client and the RS not trusting the same AS, but the different AS entities trust each other on the back side.

Getting trust in a local AS seems to be a bootstrapping problem.

Jim


-----Original Message-----
From: Carsten Bormann <cabo@tzi.org>
Sent: Monday, May 4, 2020 10:38 PM
To: Jim Schaad <ietf@augustcellars.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>; Olaf Bergmann <bergmann@tzi.org>; Peter van der Stok <stokcons@bbhmail.nl>; peter van der Stok <consultancy@vanderstok.org>; Ace <ace@ietf.org>
Subject: Re: [Ace] draft-ietf-ace-oauth-authz

On 2020-05-05, at 06:54, Jim Schaad <ietf@augustcellars.com> wrote:
> 
> I have much the same problem.  While a client could find an AS which 
> would authenticate the client, I don't know how the client would 
> establish any degree of trust in the AS which is going to give it tokens.

Hence the four-corner model [1].

Greetings, Carsten

[1]: https://tools.ietf.org/html/draft-ietf-ace-actors