Re: [core] Resource Directory Authorization Problems
Peter van der Stok <stokcons@bbhmail.nl> Mon, 09 July 2018 07:53 UTC
Return-Path: <stokcons@bbhmail.nl>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2845E1277CC for <core@ietfa.amsl.com>; Mon, 9 Jul 2018 00:53:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gGv-9ui-NFwY for <core@ietfa.amsl.com>; Mon, 9 Jul 2018 00:53:38 -0700 (PDT)
Received: from smtprelay.hostedemail.com (smtprelay0139.hostedemail.com [216.40.44.139]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 224BE130E10 for <core@ietf.org>; Mon, 9 Jul 2018 00:53:36 -0700 (PDT)
Received: from filter.hostedemail.com (clb03-v110.bra.tucows.net [216.40.38.60]) by smtprelay05.hostedemail.com (Postfix) with ESMTP id D8A4F18024A68; Mon, 9 Jul 2018 07:53:34 +0000 (UTC)
X-Session-Marker: 73746F6B636F6E73406262686D61696C2E6E6C
X-Spam-Summary: 2, -10, 0, , d41d8cd98f00b204, stokcons@bbhmail.nl, :::, RULES_HIT:41:72:152:355:371:372:379:582:599:800:960:962:967:973:983:988:989:1152:1189:1208:1212:1221:1260:1313:1314:1345:1359:1431:1436:1437:1516:1517:1518:1535:1544:1575:1588:1589:1592:1594:1711:1712:1730:1776:1792:2068:2069:2198:2199:2525:2528:2553:2559:2564:2682:2685:2692:2693:2859:2894:2901:2933:2937:2939:2942:2945:2947:2951:2954:3022:3138:3139:3140:3141:3142:3355:3622:3865:3866:3867:3868:3870:3871:3872:3873:3874:3934:3936:3938:3941:3944:3947:3950:3953:3956:3959:4120:4250:4321:4470:4860:5007:6117:6119:6261:6657:6659:6678:7875:7903:7904:8603:9010:9025:9177:10004:10848:11232:11657:11658:11914:12043:12291:12295:12296:12379:12438:12663:12683:12740:12895:13139:13141:13144:13230:13439:13846:13972:14093:14095:14096:14180:14181:14721:21060:21080:21324:21433:21451:21627:30029:30030:30054:30060:30076:30090, 0, RBL:216.40.42.5:@bbhmail.nl:.lbl8.mailshell.net-62.8.55.100 66.201.201.201, CacheIP:none, Bayesian:0.5, 0.5, 0.5, Netcheck:
X-HE-Tag: snow00_76843b0968c5c
X-Filterd-Recvd-Size: 9124
Received: from mail.bbhmail.nl (imap-ext [216.40.42.5]) (Authenticated sender: webmail@stokcons@bbhmail.nl) by omf07.hostedemail.com (Postfix) with ESMTPA; Mon, 9 Jul 2018 07:53:34 +0000 (UTC)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_b505ce2498315dd4e6e85c0d04bf0907"
Date: Mon, 09 Jul 2018 09:53:33 +0200
From: Peter van der Stok <stokcons@bbhmail.nl>
To: Stefanie Gerdes <gerdes@tzi.de>
Cc: core@ietf.org
Organization: vanderstok consultancy
Reply-To: consultancy@vanderstok.org
Mail-Reply-To: consultancy@vanderstok.org
In-Reply-To: <3d39562b-5a57-6fd6-03f7-9d13d2c58ffd@tzi.de>
References: <3d39562b-5a57-6fd6-03f7-9d13d2c58ffd@tzi.de>
Message-ID: <6a6095b3681e9d3da32eb98c14ec2239@bbhmail.nl>
X-Sender: stokcons@bbhmail.nl
User-Agent: Roundcube Webmail/1.2.7
X-Originating-IP: [82.95.140.48]
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/aI6bITgfaLb3sIwQETHDHQvmfRA>
Subject: Re: [core] Resource Directory Authorization Problems
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Jul 2018 07:53:42 -0000
Hi Steffi, Many thanks for reading and sharing your impressions from another background. I react below. Stefanie Gerdes schreef op 2018-07-06 11:52: > Hi all, > > I just read through the security considerations of > draft-ietf-core-resource-directory-14 and have some comments. > > I have some difficulties to understand the security considerations, in > particular sections 8.1 and 9. > > Section 8.1: > > "An Endpoint is determined to be unique.." -> is supposed to be unique? > should/must be unique? > <pvds> > Correct; the (ep-name, sector-name) pair MUST be unique within the set of endpoints specified within the RD. > (will rephrase) > </pvds> > > "Consider the following threat: two devices A and B are managed by a > single server" I don't really understand the scenario, are A and B > endpoints (btw, the definition of the term endpoint in the document is > not really intuitive)? What kind of server do you refer to? The RD > server? Do you describe registration, lookup, ..? > <pvds> > thanks, it is RD server. will clarify. > (FYI: endpoint definition has taken some time to agree upon) > </pvds> > > "Then, it puts the endpoint name of device B." Where does it put that? > <pvds> > Yes, this is really opaque, probably something got lost over the versions. > </pvds> > > If certain processes, e.g., the registration or the lookup, require > authorization, it may be useful to mention clearly in the security > considerations where authorization is or may be required and why. > <pvds> > Authorization to specify endpoint names > </pvds> > > Section 9.: > > "An authorized registry request to the Resource Directory (RD) is > accompanied by an Access Token that validates the access of the client > to the RD." validates -> allows? > <pvds> > This is ACE terminology; I am just guessing: authorizes? > </pvds> > > In section 9.2 you define the new CWT fields rd_epn and rd_sct. I don't > think new fields should be defined in the security considerations. > <pvds> > We agree; that is not done; Section 9 is stand alone; Section 8 refers to it; that's all. > May be I misunderstand your concern here. > </pvds> > Also, lookup and registration of RD entries do not seem to differ that > much from the access to other resources. We may not want to define new > CWT fields for every use case. That the subject of the access token is > only allowed to register for the registree-ep given in rd_epn, sounds > more like an access token scope to me. > <pvds> > scope is from client to AS? > I did not discuss that part, but indeed the client first asks the AS permission to register an endpoint name into the RD. > The AS, when happy, creates an endpoint name, and authorizes the client to register the endpoint name by specifying its value with rd_epn. > Do you have an alternative to solve the problem. Can you modify the example? > </pvds> > > The purpose is to authorize > > It might be a good idea to only point out the > security problems concerning authorization in the security > considerations and define the solution elsewhere. > > <pvds> > I thougt, I did. > </pvds> > > Viele Gruesse, > Steffi > > Many thanks. looking forward to your reaction. > > Peter > _______________________________________________ > core mailing list > core@ietf.org > https://www.ietf.org/mailman/listinfo/core
- Re: [core] Resource Directory Authorization Probl… Peter van der Stok
- [core] Resource Directory Authorization Problems Stefanie Gerdes
- Re: [core] Resource Directory Authorization Probl… Stefanie Gerdes
- Re: [core] Resource Directory Authorization Probl… Peter van der Stok