IETF Logo Mail Archive

Re: [Ace] Jim's Proposal on legal requestor

Francesca Palombini <francesca.palombini@ericsson.com> Tue, 03 March 2020 13:15 UTC

Return-Path: <francesca.palombini@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAC8E3A21A4 for <ace@ietfa.amsl.com>; Tue, 3 Mar 2020 05:15:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ogUK4rlIehtZ for <ace@ietfa.amsl.com>; Tue, 3 Mar 2020 05:15:11 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60057.outbound.protection.outlook.com [40.107.6.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C92443A21A2 for <ace@ietf.org>; Tue, 3 Mar 2020 05:15:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KMTIj+XJg+ZSyJNxqTEwPqTFVaWxhRFCGi/hMA2TknWc04+25V5WogjV2lAlYIsZGT1Y7biQAEGfzKDPlZcnjX9jEGcG/Vns4et+AJgHRLUlfHdSckKwhBI5eYmd64R1+Uy1DFYwuhiq+Jr5FDYu84zYHFmqWJY/u6hW/tCpEDHzwPI1OGtP0j7vsJ0jf8tzy4fEAqs/Q6mi4uI9dtxB9V4skth9jbIk0OQHNP78dTPC+lke2fgHNWY93gsekdnKVZzInJIvz9pWV3c+I6TiMJGKvdaGl8J+kD8HIJDSV9EmDOxm5OowXLvm+gUibB/fegNZrcckgkKQCpPiWN9QOw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=KEcPOUJj14oNFA6n889H6+XLnuN2Ng2T8LpP/xjpPAg=; b=dafbbyIig/Juah5ts4fsY0AVXMG1s7ow4i4gmj0Lpn5cf9bRDMcLEYOpBzhvY5Gn6VHlPr3/Gq0uTNGVnLgpsdrhrX6UgFYirrqapOPh5//QFMJqno0TWeKBgHhBtcH88LvINt8VLKZlV/LdWF+Xod5ZxSBfIi5PWWoMOlYt+YmsR7NsAYidCzf8iVZRR6iJ0Iz154GFyFUsC31EGH/8+4/q2xeQ7ZfWitZ9x1KxNP8UiUUCjlIEcCwf7JpNzSAe1xpKZFJymYCFHmEeDNAiMtZHNHE3v9FRnNFoQtsy55i7RI6WBdFmaQ85R6Tp5vn5zPm/2+5V+Jcb/AgUwQUE6g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=KEcPOUJj14oNFA6n889H6+XLnuN2Ng2T8LpP/xjpPAg=; b=iC3jacz1//9HQB2eGr4zFHEYre2lN/QMPCBP9HgrSg1pF1PwWJqj7ukoEsLSqvu+mBt16su/PRCu9/xxsxCF/Tab3iVHh55AfJ8JAOkBxlnBOtwiF78GQF8PoUQ15ZVc57q2lyID/8Tw+rTIn1BYxQX29oHJWIpHJ+3VNpCcM0A=
Received: from HE1PR0702MB3818.eurprd07.prod.outlook.com (52.133.6.18) by HE1PR0702MB3561.eurprd07.prod.outlook.com (52.133.5.160) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2793.5; Tue, 3 Mar 2020 13:15:08 +0000
Received: from HE1PR0702MB3818.eurprd07.prod.outlook.com ([fe80::e49e:708f:4fe7:5d02]) by HE1PR0702MB3818.eurprd07.prod.outlook.com ([fe80::e49e:708f:4fe7:5d02%4]) with mapi id 15.20.2793.011; Tue, 3 Mar 2020 13:15:08 +0000
From: Francesca Palombini <francesca.palombini@ericsson.com>
To: Marco Tiloca <marco.tiloca@ri.se>, Jim Schaad <ietf@augustcellars.com>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] Jim's Proposal on legal requestor
Thread-Index: AdXsVzWimzIpNHbGTwi1hLO0NkxspAAT9PYAAAHGCYAACBXGgAAniJKAAP5iP4A=
Date: Tue, 03 Mar 2020 13:15:08 +0000
Message-ID: <8427323E-6CF3-4EE4-9C82-50BF45FC32E3@ericsson.com>
References: <025b01d5ec5e$94f85000$bee8f000$@augustcellars.com> <20646.1582723024@localhost> <0c16f230-3471-9215-e0dd-60604a1e1e02@ri.se> <02b001d5ecce$7aa32cf0$6fe986d0$@augustcellars.com> <22cfc98d-e11f-dd6d-5bd7-9f5153a43a3b@ri.se>
In-Reply-To: <22cfc98d-e11f-dd6d-5bd7-9f5153a43a3b@ri.se>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=francesca.palombini@ericsson.com;
x-originating-ip: [192.176.1.84]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 87e0b216-a08f-4f17-68d2-08d7bf74e573
x-ms-traffictypediagnostic: HE1PR0702MB3561:
x-microsoft-antispam-prvs: <HE1PR0702MB3561151E638D4DFEF88A964798E40@HE1PR0702MB3561.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 03319F6FEF
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(39860400002)(346002)(366004)(376002)(396003)(199004)(189003)(8936002)(8676002)(66476007)(66946007)(66556008)(64756008)(66446008)(76116006)(91956017)(81166006)(81156014)(36756003)(53546011)(71200400001)(44832011)(66574012)(33656002)(6506007)(26005)(966005)(110136005)(316002)(186003)(2616005)(478600001)(86362001)(6486002)(5660300002)(2906002)(6512007); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0702MB3561; H:HE1PR0702MB3818.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 299WefLx9xbKulTqZsG97lFInt2erFX01i17C81LyA7eAkJJgt8dmkhKWMoQ59FVi+lBPNJOoTmtIbVxSesBNK/7mjnQoeXUDcww1WjKhNUtHBdE2HJ/qAv9eQLLW1zB5LdgTJOKWeanUspYCVVH0GRxVJ673ivO9QMtQTJT6YH4XX0zuv7Ac89cnpMndi30d1/0FFe/ZONxf3rSa+w27oWiTOoVJBvKRk9lI5fYVVJT20UgQZheNuW7hD9bLA/2jOEe27VNMQCqTQ8pLr9ORw0Jh8H3pX8LdVYLwHs/L9sW58GPPiv8ZcI4zehb1LvfHYD4FNQqLT4OxDRKCnV41Xs+Z17LSx7aioGJWPQ7Pk3y7pIM/P3VWtZ89YCfsnKF1dquqaT7gGJWpeDbkId2dGNDSOArP1+iA6DevIQ6J45JHg6jF65oDMQAZ4XdfXxUj7EW/m34F7jEkn/sKYEForDdk2uUM+jqWgU+cEgtBqvvPsibLAdWTqJsqU6A9WyNS6NUiCLsfI6ZiORekXpDeg==
x-ms-exchange-antispam-messagedata: kY/scVkhKrE2d+OKYN9FrnG519YMJkaxQoSFvG7QK9xxwk6cxJlsVecdaNZ3O+v8zl11flDa003qeYu12qCKOvk2cL0Fz3v5zNjNOIFlrjRD9OYM/k7keAgd3i4a7qVYku+7jjvR5IDHeyZlQe2tMw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_8427323E6CF34EE49C8250BF45FC32E3ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 87e0b216-a08f-4f17-68d2-08d7bf74e573
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Mar 2020 13:15:08.0923 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: MuRY+208kS9MHLJRlJcBAORI8yGvb0riJIVXD0MsuRF/r56p4EPDvlJsAx1XolE9roovI8AZNjGxoTtWcXy90LKwxtdm1VunfazBDp9x8ZhlE6AadFveRbhc1RaFRPCj
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0702MB3561
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/xL2MV1yKcR7JoqGHABja2vc--xc>
Subject: Re: [Ace] Jim's Proposal on legal requestor
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Mar 2020 13:15:14 -0000

Jim now I see, thanks for explaining.

Yes, we do need to send roles with the public keys, that makes sense. It also makes sense to have this formatted with 2 arrays as Marco suggests. I’d also make use of CBOR sequences:

<<(  [ key1, key2, key3] , [role1, role2, [role1, role2] ] ) >> where ( , ) denotes CBOR sequence and << >> bstr wrapping. Key1 has role1, key 3 has roles 1 and 2.

I believe ace-key-groupcomm should define the above formatting (in 4.1.2.1. parameter pub_keys, possibly renaming it if you think it’s necessary). Ace-key-groupcomm does not need to discuss roles formatting, as that is left to application profiles.
Ace-key-groupcomm-oscore should define roles formatting and possibly give shortened values to use for those defined. Also I do not believe they should be registered in IANA as you Marco seem to imply.

Thanks,
Francesca

From: Ace <ace-bounces@ietf.org> on behalf of Marco Tiloca <marco.tiloca@ri.se>
Date: Thursday, 27 February 2020 at 13:52
To: Jim Schaad <ietf@augustcellars.com>, Ace Wg <ace@ietf.org>
Subject: Re: [Ace] Jim's Proposal on legal requestor

Hi Jim,
On 2020-02-26 18:59, Jim Schaad wrote:


From: Ace <ace-bounces@ietf.org><mailto:ace-bounces@ietf.org> On Behalf Of Marco Tiloca
Sent: Wednesday, February 26, 2020 6:08 AM
To: Michael Richardson <mcr+ietf@sandelman.ca><mailto:mcr+ietf@sandelman.ca>; Jim Schaad <ietf@augustcellars.com><mailto:ietf@augustcellars.com>; ace@ietf.org<mailto:ace@ietf.org>
Subject: Re: [Ace] Jim's Proposal on legal requestor

Hi!

Jim, I think now I understand your idea and it makes sense to me.

Some comments in line below.

Best,
/Marco
On 2020-02-26 14:17, Michael Richardson wrote:



clarifying question.



Jim Schaad <ietf@augustcellars.com><mailto:ietf@augustcellars.com> wrote:

    > I do not seem to have been doing a good job of explaining the issue

    > that I am raising here, so I am going to go scenario based for a

    > description.



    > (1) I get an access token from an AS with a scope of [

    > "coap://multicast-01", ["responder"]]

    > (2) I join the group associated

    > with that address

    > (3) I then decide to send the message below out

    > encrypted with the group symmetric key and signed with the public key I

    > registered during the join



    >    GET coap://multicast-01/resource1



.... (I numbered the steps)

I believe that (1) was intended to allow you to become a responder for this resource.

==>MT
Step (1) is intended to allow access to the group-membership resource at the Group Manager (GM), to get the keying material for communicating in the group.

Practically, the roles are currently used only at the GM to determine which public keys is relevant to return to a node upon its joining.
<==
[JLS] When implies that the only roles of interest are “monitor” vs not “monitor”.









    > It then processes the get request

    > because it does not know that this is a violation of the scope assigned

    > to me by the AS.



!

==>MT
As above, the original idea for that scope was to have it applied to the group joining itself and the resource at the GM to access for joining.

But I agree that we should inform the other group members of that role, i.e. "allowed to send requests" and/or "allowed to send responses".
<==








    > The only way that I know for the server TimeX to enforce the allowable

    > operations is for that information to be propagated along with the

    > signature public key from the KDC to the server.

==>MT
This can be one more parameter in the Joining Response or in the Public Key Response, when request public keys of group members are included.

Together with the array of public keys, we can have a same-ordered array of roles echoing the roles from the scope of the Access Token above. Each element of the array can possibly be an array of roles.

How does it sound?
<==
[JLS] Yes this makes sense.  The only potential issue is what happens if the set of roles becomes in some sense unbounded for an application.  However, in that case I would expect that the list of roles would be known to the joining clients.  The one thing that comes up here is should there be a compression of these values since we are sending them to a larger group of people.

==>MT
Yes, I think so. One integer per role should work, registered by the profile or application defining that role.

Other that the wider distribution you mention above, compression is good anyway considering the recently discussion on 'scope' covering multiple groups, each with its role(s) indicated.
<==

Best,
/Marco





One can create a

    > similar scenario on the other side where a client sends a response when

    > it is only authorized as a "requester".

==>MT
Right, if it's "requester"-only.
<==






It seems to me that if the access control to the group is a group-shared

symmetric key + asymmetric signature, that each responder requires the list of valid signers.

Or, we need LAKE to turn the group key into 1:1.

==>MT
What I understand from Jim's proposal is essentially enabling at each group member a list of valid request signers and valid response signers.
<==


==>MT
Just to complement, this is all fine for this level of "filtering", i.e. "this group member can send requests/responses or not".

We have a separate draft at [1], defining a new Group OSCORE profile of ACE, to enforce access control within the group, i.e. to access group members' resources after having joined, i.e. as a group member towards another group member.

That is, that profile considers a granularity of exact REST methods and resources, i.e. as fine-grained as ACE can be. Also, it enables having together ACE-based access control and Group OSCORE, which is so far not possible with other profiles.

The current version -01 in the datatracker defines a "full mode" where both OSCORE and Group OSCORE are considered as security protocols between Client and RS. We plan to submit soon an updated version, focusing more on a lighter, intended-to-be main mode, that focuses on using only Group OSCORE as security protocol between Client and RS.

[1] https://tools.ietf.org/html/draft-tiloca-ace-group-oscore-profile-01
<==

Best,
/Marco








--

Michael Richardson <mcr+IETF@sandelman.ca><mailto:mcr+IETF@sandelman.ca>, Sandelman Software Works

 -= IPv6 IoT consulting =-










_______________________________________________

Ace mailing list

Ace@ietf.org<mailto:Ace@ietf.org>

https://www.ietf.org/mailman/listinfo/ace




--

Marco Tiloca

Ph.D., Senior Researcher



RISE Research Institutes of Sweden

Division ICT

Isafjordsgatan 22 / Kistagången 16

SE-164 40 Kista (Sweden)



Phone: +46 (0)70 60 46 501

https://www.ri.se



_______________________________________________

Ace mailing list

Ace@ietf.org<mailto:Ace@ietf.org>

https://www.ietf.org/mailman/listinfo/ace



--

Marco Tiloca

Ph.D., Senior Researcher



RISE Research Institutes of Sweden

Division ICT

Isafjordsgatan 22 / Kistagången 16

SE-164 40 Kista (Sweden)



Phone: +46 (0)70 60 46 501

https://www.ri.se

v2.23.0 | Report a Bug | By Email