Re: [core] (not only) RD: Authorized servers

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 22 October 2020 22:21 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB5543A0898 for <core@ietfa.amsl.com>; Thu, 22 Oct 2020 15:21:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RGTpYkZsHbLE for <core@ietfa.amsl.com>; Thu, 22 Oct 2020 15:21:58 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2137C3A0895 for <core@ietf.org>; Thu, 22 Oct 2020 15:21:57 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id CD271389AF; Thu, 22 Oct 2020 18:28:16 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id qGfY9xDFx7Mf; Thu, 22 Oct 2020 18:28:16 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 70183389AD; Thu, 22 Oct 2020 18:28:16 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 909041FB; Thu, 22 Oct 2020 18:21:55 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Christian =?iso-8859-1?B?TS4gQW1z/HNz?= <christian@amsuess.com>, Core WG mailing list <core@ietf.org>
In-Reply-To: <20201021000327.GB303030@hephaistos.amsuess.com>
References: <20201021000327.GB303030@hephaistos.amsuess.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 22 Oct 2020 18:21:55 -0400
Message-ID: <25374.1603405315@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/ytngG6QH32EgV1sKunp_v7roo_U>
Subject: Re: [core] (not only) RD: Authorized servers
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2020 22:22:00 -0000

Hi, I'm not very well informed about the RD document.
I have skimmed the document at various intervals.
And these comments are rather late, I agree.

It seems to me that a fundamental problem with the whole RD concept is that
it must make the secure identities part of the result.

It's not really interested to say that 2001:db8:3::127 has a oic.d.sensor.
What's interesting is to say that principal X, (who was seen at address 2001:db8:3::127),
has an oic.d.sensor.

Section 7.1 has placed the RD in the place of trying to be a gate keeper for
accurate information, which is just can't do in a general way for arbitrary
clients with abitrary policies.

I think that it would be much simpler and more secure if we restarted and did
the security first rather than last.  That does mean that one has to pick one
(or a very small number) of security systems to work with.  This is not a
place were we can or should attempt to generalize.

I'm sorry if this is a rather depressing suggestion.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide