IETF Logo Mail Archive

Re: [core] Conclusion -- Endpoint Client Name / Endpoint Name in RD draft

Peter van der Stok <stokcons@bbhmail.nl> Mon, 18 June 2018 09:52 UTC

Return-Path: <stokcons@bbhmail.nl>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAFEA130E8D for <core@ietfa.amsl.com>; Mon, 18 Jun 2018 02:52:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.694
X-Spam-Level:
X-Spam-Status: No, score=-2.694 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.795] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QQvdpOfOk5Sy for <core@ietfa.amsl.com>; Mon, 18 Jun 2018 02:52:39 -0700 (PDT)
Received: from smtprelay.hostedemail.com (smtprelay0032.hostedemail.com [216.40.44.32]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9E35130E8F for <core@ietf.org>; Mon, 18 Jun 2018 02:52:36 -0700 (PDT)
Received: from filter.hostedemail.com (clb03-v110.bra.tucows.net [216.40.38.60]) by smtprelay02.hostedemail.com (Postfix) with ESMTP id A39D3248A4; Mon, 18 Jun 2018 09:52:35 +0000 (UTC)
X-Session-Marker: 73746F6B636F6E73406262686D61696C2E6E6C
X-Spam-Summary: 2, 0, 0, , d41d8cd98f00b204, stokcons@bbhmail.nl, :::::::, RULES_HIT:41:152:355:379:582:599:962:967:973:988:989:1152:1189:1221:1260:1313:1314:1345:1359:1436:1437:1516:1517:1518:1535:1544:1575:1588:1589:1592:1594:1711:1730:1776:1792:2194:2198:2199:2200:2527:2553:2559:2562:2894:2895:2901:3138:3139:3140:3141:3142:3355:3622:3865:3866:3867:3868:3870:3871:3872:3873:3874:4120:4250:4362:4860:5007:6119:6261:6678:7901:7903:7904:8603:8784:8957:9108:10004:10226:10848:11658:11914:12043:12291:12295:12438:12683:12895:13095:13144:13161:13229:13230:13439:13548:13972:14093:14096:14110:14180:14721:14824:21060:21063:21080:21433:21451:21627:30012:30029:30030:30054:30070:30076:30090, 0, RBL:216.40.42.5:@bbhmail.nl:.lbl8.mailshell.net-62.8.55.100 66.201.201.201, CacheIP:none, Bayesian:0.5, 0.5, 0.5, Netcheck:none, DomainCache:0, MSF:not bulk, SPF:fn, MSBL:0, DNSBL:neutral, Custom_rules:0:0:0, LFtime:25, LUA_SUMMARY:none
X-HE-Tag: coat22_50be50a316b24
X-Filterd-Recvd-Size: 9425
Received: from mail.bbhmail.nl (imap-ext [216.40.42.5]) (Authenticated sender: webmail@stokcons@bbhmail.nl) by omf03.hostedemail.com (Postfix) with ESMTPA; Mon, 18 Jun 2018 09:52:34 +0000 (UTC)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_9c0c098e0b9a46b8d6394f7fa5d6ce2c"
Date: Mon, 18 Jun 2018 11:52:34 +0200
From: Peter van der Stok <stokcons@bbhmail.nl>
To: consultancy@vanderstok.org
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "Kovatsch, Matthias" <matthias.kovatsch@siemens.com>, core@ietf.org
Organization: vanderstok consultancy
Reply-To: consultancy@vanderstok.org
Mail-Reply-To: consultancy@vanderstok.org
In-Reply-To: <3b2ad29ec49c83c31646b38e856c0ae7@xs4all.nl>
References: <VI1PR0801MB2112B9A4410DA3EDE39183BEFA9B0@VI1PR0801MB2112.eurprd08.prod.outlook.com> <9970c70fea6ea457c74c8ae3ca303f76@xs4all.nl> <4EBB3DDD0FBF694CA2A87838DF129B3C01F48F8A@DEFTHW99EL4MSX.ww902.siemens.net> <VI1PR0801MB2112CCC0F54274336BFE3EB7FA930@VI1PR0801MB2112.eurprd08.prod.outlook.com> <3b2ad29ec49c83c31646b38e856c0ae7@xs4all.nl>
Message-ID: <29a9636a3703e43947fce2f4cb900825@bbhmail.nl>
X-Sender: stokcons@bbhmail.nl
User-Agent: Roundcube Webmail/1.2.7
X-Originating-IP: [90.0.129.53]
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/RW8r3vBa32-FhWTh478TsO9bKhc>
Subject: Re: [core] Conclusion -- Endpoint Client Name / Endpoint Name in RD draft
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jun 2018 09:52:51 -0000

HI Hannes, Matthias,

After some additional discussions, I think it is best to write an extra
section into the resource-directory draft.
Please have a look at my suggestion below.

@Hannes, can you comment on the correctness and sufficiency of the text?
thanks,

Peter

________________________________________________________
Ietf-core-resource-directory text proposal. 

Suggestion to add a new section x on Authorization. 

Section x, use of Authorization Server. 

When threats may occur as described in section 8.1, an Authorization
Server (AS) as specified in ietf-ace-oauth-authz SHOULD be used. A
request to the Resource Directory is accompanied by an Access Token that
validates the access of the client to the RD. The URI of an authorized
request cannot contain the ep= or the d= parameters. When these
parameters are present, the request is rejected with CoAP response code
4.00 (bad request). The identifier part of the security context in the
Access Token is used to assign a value to the endpoint name of the
endpoint to be registered. Three possibilities are supported: 

 	* For PSK-based credential, the Endpoint Name becomes the PSK Identity
 	* For raw-public keys, the Endpoint Name becomes the
SubjectPublicKeyInfo structure (or a hash of it).
 	* For certificates, the Endpoint Name becomes the leftmost CN
component of subject name or the SubjectAltName of the certificate,
depending on what is used.

An access token MAY include one of the two following new claims: 

"epn" endpoint name with value the identifier part of one of the 3
possible identifier parts of the security ccontext. 

"dnm" domain name with value "name of the domain" 

Three scenarios for registration in the RD MUS be supported. 

Section x.1 endpoint registers with RD 

The endpoints sends a Request to the RD accompanied by a CBOR Web Token
(CWT). The identifier part of the security context is used to assign the
endpoint name. 

Section x.2 3rd party Commissioning Tool (CT) registers endpoint with
RD. 

The CT sends a Request to the RD accompanied by a CBOR Web Token (CWT).
The identifier part of the CWT refers to the security context of the CT.
The CWT validates the registration by the CT. The CWT MUST contain the
"epn" claim to assign a value to the endpoint that is registered. The
CWT MAY contain the "dnm" claim to assign a domain name. 

Section x.3 Updating multiple links 

Section 5.4.4 of RD specifies that multiple links can be updated with a
media format to be specified. The updating endpoint sends a Request to
the RD accompanied by a CBOR Web Token (CWT). The identifier part of the
CWT refers to the security context of the updating endpoint. The
updating endpoint is authorized to change all links of all existing
registrations but MUST NOT delete or add registrations. 

IANA regsitration.

Two new parameters need to be registered in the OAuth Parameter
Registration with names ""epn" and "dnm". The last paragraph in section
8.1 is to be replaced:
OLD
"Therefore, Endpoints MUST include the
Endpoint identifier in the message, and this identifier
MUST be checked by a resource directory to match the Endpoint identifier
included in the Registration message."
NEW
"Therefore, Endpoints SHOULD follow the guidelines of section x."

v2.23.0 | Report a Bug | By Email