Re: [core] Endpoint Client Name / Endpoint Name in RD draft
Christian Amsüss <christian@amsuess.com> Fri, 13 April 2018 15:11 UTC
Return-Path: <christian@amsuess.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2DD4126CF6 for <core@ietfa.amsl.com>; Fri, 13 Apr 2018 08:11:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.414
X-Spam-Level:
X-Spam-Status: No, score=-0.414 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FAKE_REPLY_C=1.486] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rye9ilZGEwku for <core@ietfa.amsl.com>; Fri, 13 Apr 2018 08:11:35 -0700 (PDT)
Received: from prometheus.amsuess.com (alt.prometheus.amsuess.com [IPv6:2a01:4f8:190:3064::3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39A96124BE8 for <core@ietf.org>; Fri, 13 Apr 2018 08:11:34 -0700 (PDT)
Received: from poseidon-mailhub.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:a800:ff:fede:b1bd]) by prometheus.amsuess.com (Postfix) with ESMTPS id 37EA349789; Fri, 13 Apr 2018 17:11:32 +0200 (CEST)
Received: from poseidon-mailbox.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:a800:ff:fede:b1bf]) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id DC8DA74; Fri, 13 Apr 2018 17:11:30 +0200 (CEST)
Received: from hephaistos.amsuess.com (hephaistos.amsuess.com [IPv6:2a02:b18:c13b:8010::db8]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id C62A531; Fri, 13 Apr 2018 17:11:28 +0200 (CEST)
Received: (nullmailer pid 27932 invoked by uid 1000); Fri, 13 Apr 2018 15:11:23 -0000
Date: Fri, 13 Apr 2018 17:11:23 +0200
From: Christian Amsüss <christian@amsuess.com>
To: consultancy@vanderstok.org, Carsten Bormann <cabo@tzi.org>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, core@ietf.org
Message-ID: <20180413151121.GC20765@hephaistos.amsuess.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="S1BNGpv0yoYahz37"
Content-Disposition: inline
In-Reply-To: <CB28DFEA-5F9E-4C35-BD86-A37AC5C122C9@tzi.org> <ca2b6038e911d93e15e57763836a1d09@xs4all.nl>
User-Agent: Mutt/1.9.4 (2018-02-28)
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/zCs316HiprIk6iUL2CNbdQ4ydzU>
Subject: Re: [core] Endpoint Client Name / Endpoint Name in RD draft
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Apr 2018 15:11:38 -0000
On Mon, Apr 09, 2018 at 10:04:07AM +0200, peter van der Stok wrote: > > I am curious what we lose if we remove this identifier altogether. The > > only thing that comes to my mind is a debugging capability where you > > might want to test your system without any security protocol. > > Probably, I completely misunderstand your suggestion. > Registrations in the RD need identification so that they can be changed, > removed , updated, etc... Well, the manipulation (change, removal, update) already happens independently of the endpoint name or domain; that is just bound to the registration resource. In the current text, we allow that the endpoint name is not given at registration time if it is explicitly configured and the RD can recognize the endpoint by its security context. > Registrations are identified by the (ep, d) pair, unique within a given RD. > Removing ep identifier will force you to find another identifier for a > registration......... > and you are back to square 1 it seems. In any authenticated context, that can identifier can be the security context. How that can be expressed at lookup is an open question. An endpoint name string can be what glues those together. On Mon, Apr 09, 2018 at 10:14:54AM +0200, Carsten Bormann wrote: > The argument seems to be that if a client holds an authorization to > register at an RD, that authorization may imply a specific endpoint > name. (I’m not sure that is always true, as the authorization may be > based on a claim that does not happen to provide an obvious candidate > for that.) > > To discuss this further, we’ll need to discuss authorization models > for RD access. Maybe high time in any case… Could everybody maybe sketch how they'd express the permissions they would like to set on their RDs? I'll start with some arbitrary ones that might be useful (at least with some help from Cunningham's Law): TrustTheWebCAs: "This RD accepts any registration, provided who registers can present a X509 certificate chain to my system certificates that carries a Common Name or Subject Alternative Name that matches the host name they give in their con". RequireEKU: "Like TrustTheWebCAs, and if it wants to set an endpoint type (et=), that must be justified by an Extended Key Usage in the certificate." EPFromACE: "This RD uses /reg/${domain}/${endpoint} as registration URIs. An endpoint can only register if it holds an ACE-AIF token to POST to that resource issued by my Authorization Server (AS)." PNFromACE: "This RD allows registration of arbitrary endpoints, but advertising an at=... (registration) or ol=... (link) attribute (see core-protocol-negotiation) requires that that value is contained in an ACE token from my AS." Best regards Christian -- To use raw power is to make yourself infinitely vulnerable to greater powers. -- Bene Gesserit axiom
- [core] Endpoint Client Name / Endpoint Name in RD… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Jaime Jiménez
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Jim Schaad
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Jaime Jiménez
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Jim Schaad
- Re: [core] Endpoint Client Name / Endpoint Name i… peter van der Stok
- Re: [core] Endpoint Client Name / Endpoint Name i… Carsten Bormann
- Re: [core] Endpoint Client Name / Endpoint Name i… Christian Amsüss
- Re: [core] Endpoint Client Name / Endpoint Name i… Jim Schaad
- Re: [core] Endpoint Client Name / Endpoint Name i… Kovatsch, Matthias
- Re: [core] Endpoint Client Name / Endpoint Name i… Jim Schaad
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Kovatsch, Matthias
- Re: [core] Endpoint Client Name / Endpoint Name i… peter van der Stok
- Re: [core] Endpoint Client Name / Endpoint Name i… peter van der Stok
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… peter van der Stok
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… Kovatsch, Matthias
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig
- Re: [core] Endpoint Client Name / Endpoint Name i… peter van der Stok
- Re: [core] Endpoint Client Name / Endpoint Name i… Hannes Tschofenig