Re: [core] Resource Directory Authorization Problems

Peter van der Stok <stokcons@bbhmail.nl> Thu, 12 July 2018 08:03 UTC

Date: Thu, 12 Jul 2018 10:03:19 +0200
From: Peter van der Stok <stokcons@bbhmail.nl>
To: Stefanie Gerdes <gerdes@tzi.de>
Cc: consultancy@vanderstok.org, core@ietf.org
Organization: vanderstok consultancy
Reply-To: consultancy@vanderstok.org
Mail-Reply-To: consultancy@vanderstok.org
In-Reply-To: <8c297b25-b38d-abc7-88c7-fabda3935482@tzi.de>
References: <3d39562b-5a57-6fd6-03f7-9d13d2c58ffd@tzi.de> <6a6095b3681e9d3da32eb98c14ec2239@bbhmail.nl> <8c297b25-b38d-abc7-88c7-fabda3935482@tzi.de>
Message-ID: <819180117a33e706b40f533fce182122@bbhmail.nl>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/Z_hGXPWbMeOTD-CQ8oGVJOBBVrI>
Subject: Re: [core] Resource Directory Authorization Problems

Hi Steffi,

thanks for a continued conversation.
The cited text has helped me to understand better the reach and
purpose of the scope parameter.
Stefanie Gerdes wrote on 2018-07-11 14:00:

> Hi Peter,
> 
> <pvds>
> Concerning section 9 "example"
> I will put it above the "security considerations"
> The Example text is meant as a warning shot to RD users, not as a normative text.
> Introducing the scope, as you suggest, validates that approach.
> </pvds>
> The scope defines the authorization, e.g., which resource may be
> accessed, and how (see [1], [2]). If I understand section 9.2 correctly,
> the CWT with the new fields authorizes the CT to register the endpoint
> with a certain certificate identifier and sector name. Since these
> fields scope the authorization (define which endpoint the CT is allowed
> to register), I wonder why you cannot use an access token scope for this
> purpose. The RD would then need to validate that the scope covers the
> requested resources (see [2]), i.e., that the CT is allowed to register
> resources for the endpoint, which is what we aim at, right? Scopes are
> defined by the application (see [3]), and therefore could be used for
> this purpose.
> 
> <pvds>
> Many thanks for the concrete text portions; that helps enormously.
> next step for me is to modify the example using scope.
> </pvds>
> 
> There are some more open questions concerning the authorization that may
> need to be considered here, e.g.: How does the RD server know the
> Authorization Server (they must have a security association)? How does
> the RD server know that a certain AS is authorized to issue access
> tokens for a certain endpoint registration or lookup? Does the RD server
> protect every lookup? If it doesn't, how does the RD server know which
> resources it must protect?
> 
> <pvds>
> I fully agree with your open questions.
> another one: How does the AS know which endpoint is authorized to specify what in the RD?
> Personally, I still think that an RD security draft (in ACE?) is needed in addition to example text in RD draft.
> </pvds>
> 
> Best regards
> Steffi
> 
> [1] https://tools.ietf.org/html/rfc6749#section-3.3
> [2] https://tools.ietf.org/html/rfc6749#section-7
> [3] https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-13#section-5.8
 

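To make the suggestion in the thread concrete, here is an added illustration (my own, not code from the thread or from the RD or ACE drafts) of the check an RD would perform once registration rights are expressed as an access-token scope: it covers Steffi's open questions about which AS the RD trusts and whether the token is meant for this RD, then tests the scope against the ep and d parameters of the registration request. The scope layout (a list of grants with shell-style patterns), the trusted-issuer set and the sample claims are assumptions, since the drafts leave the scope format to the application.

```python
import fnmatch

# Constructed token claims, as the RD sees them after the CWT's signature or
# MAC has been verified (verification itself is outside this example).
# The "scope" layout is an assumption: one grant per allowed operation, with
# shell-style patterns for the endpoint name (ep) and sector (d).
EXAMPLE_CLAIMS = {
    "iss": "as.example",          # the AS that issued the token
    "aud": "rd.example",          # the RD the token is meant for
    "exp": 1_600_000_000,         # expiry, seconds since the epoch
    "scope": [
        {"op": "register", "ep": "lamp-*", "d": "floor1"},
        {"op": "lookup",   "ep": "*",      "d": "floor1"},
    ],
}


def scope_covers(claims, op, ep, d):
    """True if some grant in the token's scope permits op on ep in sector d."""
    for grant in claims.get("scope", []):
        if (grant.get("op") == op
                and fnmatch.fnmatchcase(ep, grant.get("ep", ""))
                and fnmatch.fnmatchcase(d, grant.get("d", ""))):
            return True
    return False


def authorize_registration(claims, query, now, trusted_issuers, rd_audience):
    """Decide a registration request (query = parsed ep / d parameters).

    Returns (allowed, reason). The issuer and audience checks answer the
    "which AS may issue tokens for this RD" question; the scope check answers
    "may this CT register this endpoint in this sector".
    """
    if claims.get("iss") not in trusted_issuers:
        return False, "issuer is not an AS trusted by this RD"
    if claims.get("aud") != rd_audience:
        return False, "token was not issued for this RD"
    if claims.get("exp") is None or now >= claims["exp"]:
        return False, "token missing expiry or expired"
    ep = query.get("ep")
    if not ep:
        return False, "registration carries no endpoint name"
    d = query.get("d", "")
    if not scope_covers(claims, "register", ep, d):
        return False, "scope does not cover ep=%s d=%s" % (ep, d)
    return True, "ok"
```

A lookup would be gated the same way with `scope_covers(claims, "lookup", ...)`, which is where the question of which lookups the RD must protect at all has to be answered by policy rather than by the token.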