Re: [Ace] Removal of the Client Token from ACE-OAuth draft

Mike Jones <Michael.Jones@microsoft.com> Fri, 02 February 2018 02:35 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Benjamin Kaduk <kaduk@mit.edu>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
CC: "ace@ietf.org" <ace@ietf.org>
Date: Fri, 02 Feb 2018 02:35:20 +0000
Message-ID: <SN6PR2101MB094322F266CA520B48FB8B7DF5F90@SN6PR2101MB0943.namprd21.prod.outlook.com>
References: <AM4PR0801MB27062B8FD8B05971648F1E8CFAFA0@AM4PR0801MB2706.eurprd08.prod.outlook.com> <20180202023104.GZ12363@mit.edu>
In-Reply-To: <20180202023104.GZ12363@mit.edu>

I agree with Hannes and Ben that the Client Token is speculative in nature, solving a problem that it's not clear we even have.  It certainly isn't OAuth.

I already made this point in my earlier comprehensive review of the spec, but I'll repeat again here.  Please remove it!

				-- Mike

-----Original Message-----
From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Benjamin Kaduk
Sent: Thursday, February 1, 2018 6:31 PM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: ace@ietf.org
Subject: Re: [Ace] Removal of the Client Token from ACE-OAuth draft

On Thu, Feb 01, 2018 at 01:59:48PM +0000, Hannes Tschofenig wrote:
> Hi all,
> 
> the Client Token is a new mechanism in the ACE-OAuth that aims to solve a scenario where the Client does not have connectivity to the Authorization Server to obtain an access token while the Resource Server does.

This sounds eerily reminiscent of the IAKERB GSS-API mechanism, where the initiator uses the acceptor as a proxy to contact the Kerberos KDC, obtain an initial ticket, and obtain the credentials needed to complete the "normal" Kerberos exchange with the acceptor.
(An early draft of) it got implemented, but the spec kind of died and we don't know of anyone actually using it.

So, I support not including it unless we have some actual use cases in mind.

-Ben

> The solution is therefore for the Client to use the Resource Server to relay messages to the Authorization Server.
> 
> While this sounds nice it does not follow the OAuth model and we, at ARM, have not seen anyone requesting this feature. It is also not fully specified in the spec: since I have been doing a formal analysis of this protocol variant for the OAuth Security Workshop I had to notice that it is not secure. (I will post the paper to the list asap.)
> 
> Note that I am not saying that we should never do this work but I prefer that someone who really cares about this use case describes it in an independent document.
> 
> In summary, I am again requesting that the Client Token functionality is removed from the ACE-OAuth draft.
> 
> Ciao
> Hannes
> 

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace