Re: [Ace] [EXTERNAL] Francesca Palombini's No Objection on draft-ietf-ace-oauth-params-13: (with COMMENT)

Francesca Palombini <francesca.palombini@ericsson.com> Thu, 25 March 2021 13:35 UTC

From: Francesca Palombini <francesca.palombini@ericsson.com>
To: Seitz Ludwig <ludwig.seitz@combitech.se>, The IESG <iesg@ietf.org>
CC: "draft-ietf-ace-oauth-params@ietf.org" <draft-ietf-ace-oauth-params@ietf.org>, "ace-chairs@ietf.org" <ace-chairs@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [EXTERNAL] Francesca Palombini's No Objection on draft-ietf-ace-oauth-params-13: (with COMMENT)
Thread-Index: AQHXIUeaYJIHTwd2o0S7bEeqgXDeUKqUxbiA
Date: Thu, 25 Mar 2021 13:35:46 +0000
Message-ID: <3D778E20-87EB-4AEC-BFA6-A4AFF4D2F0B3@ericsson.com>
References: <161659911162.32056.3549884311217842987@ietfa.amsl.com> <2a4a0298f646400d9843f13ddf4f4f2b@combitech.se>
In-Reply-To: <2a4a0298f646400d9843f13ddf4f4f2b@combitech.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/zVoKYkqBwLiGBss8iF6qzvzjnSc>

Hi Ludwig,

Thanks for the quick reply! Both updates sound good and address my comments. 

Francesca

On 25/03/2021, 08:22, "Seitz Ludwig" <ludwig.seitz@combitech.se> wrote:

    Hello Francesca,

    Thank you for your review. I have some comments inline.

    /Ludwig

    > ----------------------------------------------------------------------
    > COMMENT:
    > ----------------------------------------------------------------------
    > 
    > Thank you for this document. A couple of minor comments below.
    > 
    > Francesca
    > 
    > 1. -----
    > 
    >       better symmetric keys than a constrained client.  The AS MUST
    >       verify that the client really is in possession of the
    >       corresponding key.  Values of this parameter follow the syntax and
    > 
    > FP: I think it would have been helpful to give some details about how this is
    > done "by verifying the signature ..." or a reference to where this is described.
    >
    I believe this would expand the scope of this document in a way I'd rather leave to the profiles.
    The AS can verify possession of a key in various ways, some of which may be provided by the 
    security protocol used between the client and the AS, which in turn would be defined in the profiles.

    Would you be ok with the following addendum: "Profiles of [framework] using this specification MUST define the proof-of-possession method used by the AS, if they allow clients to request the use of asymmetric keys as proof-of-possession key."? 


    > 2. -----
    > 
    >    parameters.  An RS MUST reject a proof-of-possession using such a
    >    key.
    > 
    > FP: Is any error message supposed to be sent in such a case?

    I suggest updating this to add a 4.00 (Bad Request) here.