[Ace] WGLC comments on draft-ietf-ace-oauth-authz and draft-ietf-ace-params

Ludwig Seitz <ludwig.seitz@ri.se> Fri, 23 November 2018 10:31 UTC

Return-Path: <ludwig.seitz@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6E2812008A for <ace@ietfa.amsl.com>; Fri, 23 Nov 2018 02:31:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QAYYReW-yHMi for <ace@ietfa.amsl.com>; Fri, 23 Nov 2018 02:31:31 -0800 (PST)
Received: from smtp-out11.electric.net (smtp-out11.electric.net [185.38.181.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C68B81277BB for <ace@ietf.org>; Fri, 23 Nov 2018 02:31:30 -0800 (PST)
Received: from 1gQ8kC-000Azn-TV by out11c.electric.net with emc1-ok (Exim 4.90_1) (envelope-from <ludwig.seitz@ri.se>) id 1gQ8kC-000B0p-UD for ace@ietf.org; Fri, 23 Nov 2018 02:31:28 -0800
Received: by emcmailer; Fri, 23 Nov 2018 02:31:28 -0800
Received: from [194.218.146.197] (helo=sp-mail-2.sp.se) by out11c.electric.net with esmtps (TLSv1.2:ECDHE-RSA-AES128-SHA256:128) (Exim 4.90_1) (envelope-from <ludwig.seitz@ri.se>) id 1gQ8kC-000Azn-TV for ace@ietf.org; Fri, 23 Nov 2018 02:31:28 -0800
Received: from [192.168.0.166] (10.116.0.226) by sp-mail-2.sp.se (10.100.0.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1531.3; Fri, 23 Nov 2018 11:31:27 +0100
To: "ace@ietf.org" <ace@ietf.org>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <ff75be9e-2d0d-e1c8-34d8-5ab5bdcab87b@ri.se>
Date: Fri, 23 Nov 2018 11:31:27 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.116.0.226]
X-ClientProxiedBy: sp-mail-1.sp.se (10.100.0.161) To sp-mail-2.sp.se (10.100.0.162)
X-Outbound-IP: 194.218.146.197
X-Env-From: ludwig.seitz@ri.se
X-Proto: esmtps
X-Revdns:
X-HELO: sp-mail-2.sp.se
X-TLS: TLSv1.2:ECDHE-RSA-AES128-SHA256:128
X-Authenticated_ID:
X-Virus-Status: Scanned by VirusSMART (c)
X-Virus-Status: Scanned by VirusSMART (s)
X-PolicySMART: 14510320
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/zh89ec4o6ZKE_OSmJEnkqGEJj8o>
Subject: [Ace] WGLC comments on draft-ietf-ace-oauth-authz and draft-ietf-ace-params
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Nov 2018 10:31:33 -0000

Hello ACE,

I have now addressed all WGLC comments (Jim Schaad's, Mike Jones' and 
Stefanie Gerdes') except for this one:

"Do we need to write something about how a RS should handle the presence 
of multiple tokens for the same client? Perhaps a security consideration?

I see two options:

1. Multiple tokens complement themselves i.e. if token A gives you right 
R1 and token B right R2 then you have R1+R2.

2. The newer token always overwrites the old one, which means if you 
want to extend your access rights as a client, when you already have A 
-> R1 you need to ask the AS for B*->R1+R2.
"
(see https://github.com/ace-wg/ace-oauth/issues/147).


AFAIK the common usage in OAuth is option 2, however Jim has pointed out 
use cases for option 1 and refers to it in
https://datatracker.ietf.org/doc/draft-schaad-cnf-cwt-id/


Jim has expressed a preference for 1. while Olaf has (in the Jabber at 
IETF 103) expressed a preference for 2.

I would need some guidance from the WG on how to proceed here.

/Ludwig

-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51