IETF Logo Mail Archive

Re: [core] Endpoint Client Name / Endpoint Name in RD draft

Christian Amsüss <christian@amsuess.com> Fri, 13 April 2018 15:11 UTC

Return-Path: <christian@amsuess.com>
X-Original-To: core@ietfa.amsl.com
Delivered-To: core@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2DD4126CF6 for <core@ietfa.amsl.com>; Fri, 13 Apr 2018 08:11:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.414
X-Spam-Level:
X-Spam-Status: No, score=-0.414 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FAKE_REPLY_C=1.486] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rye9ilZGEwku for <core@ietfa.amsl.com>; Fri, 13 Apr 2018 08:11:35 -0700 (PDT)
Received: from prometheus.amsuess.com (alt.prometheus.amsuess.com [IPv6:2a01:4f8:190:3064::3]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39A96124BE8 for <core@ietf.org>; Fri, 13 Apr 2018 08:11:34 -0700 (PDT)
Received: from poseidon-mailhub.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:a800:ff:fede:b1bd]) by prometheus.amsuess.com (Postfix) with ESMTPS id 37EA349789; Fri, 13 Apr 2018 17:11:32 +0200 (CEST)
Received: from poseidon-mailbox.amsuess.com (unknown [IPv6:2a02:b18:c13b:8010:a800:ff:fede:b1bf]) by poseidon-mailhub.amsuess.com (Postfix) with ESMTP id DC8DA74; Fri, 13 Apr 2018 17:11:30 +0200 (CEST)
Received: from hephaistos.amsuess.com (hephaistos.amsuess.com [IPv6:2a02:b18:c13b:8010::db8]) by poseidon-mailbox.amsuess.com (Postfix) with ESMTPSA id C62A531; Fri, 13 Apr 2018 17:11:28 +0200 (CEST)
Received: (nullmailer pid 27932 invoked by uid 1000); Fri, 13 Apr 2018 15:11:23 -0000
Date: Fri, 13 Apr 2018 17:11:23 +0200
From: Christian Amsüss <christian@amsuess.com>
To: consultancy@vanderstok.org, Carsten Bormann <cabo@tzi.org>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, core@ietf.org
Message-ID: <20180413151121.GC20765@hephaistos.amsuess.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="S1BNGpv0yoYahz37"
Content-Disposition: inline
In-Reply-To: <CB28DFEA-5F9E-4C35-BD86-A37AC5C122C9@tzi.org> <ca2b6038e911d93e15e57763836a1d09@xs4all.nl>
User-Agent: Mutt/1.9.4 (2018-02-28)
Archived-At: <https://mailarchive.ietf.org/arch/msg/core/zCs316HiprIk6iUL2CNbdQ4ydzU>
Subject: Re: [core] Endpoint Client Name / Endpoint Name in RD draft
X-BeenThere: core@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Constrained RESTful Environments \(CoRE\) Working Group list" <core.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/core>, <mailto:core-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/core/>
List-Post: <mailto:core@ietf.org>
List-Help: <mailto:core-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/core>, <mailto:core-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Apr 2018 15:11:38 -0000

On Mon, Apr 09, 2018 at 10:04:07AM +0200, peter van der Stok wrote:
> > I am curious what we lose if we remove this identifier altogether. The
> > only thing that comes to my mind is a debugging capability where you
> > might want to test your system without any security protocol.
> 
> Probably, I completely misunderstand your suggestion.
> Registrations in the RD need identification so that they can be changed,
> removed , updated, etc...

Well, the manipulation (change, removal, update) already happens
independently of the endpoint name or domain; that is just bound to the
registration resource.

In the current text, we allow that the endpoint name is not given at
registration time if it is explicitly configured and the RD can
recognize the endpoint by its security context.

> Registrations are identified by the (ep, d) pair, unique within a given RD.
> Removing ep identifier will force you to find another identifier for a
> registration.........
> and you are back to square 1 it seems.

In any authenticated context, that can identifier can be the security
context. How that can be expressed at lookup is an open question.
An endpoint name string can be what glues those together.

On Mon, Apr 09, 2018 at 10:14:54AM +0200, Carsten Bormann wrote:
> The argument seems to be that if a client holds an authorization to
> register at an RD, that authorization may imply a specific endpoint
> name.  (I’m not sure that is always true, as the authorization may be
> based on a claim that does not happen to provide an obvious candidate
> for that.)
> 
> To discuss this further, we’ll need to discuss authorization models
> for RD access.  Maybe high time in any case…


Could everybody maybe sketch how they'd express the permissions they
would like to set on their RDs?


I'll start with some arbitrary ones that might be useful (at least with
some help from Cunningham's Law):

TrustTheWebCAs: "This RD accepts any registration, provided who
registers can present a X509 certificate chain to my system certificates
that carries a Common Name or Subject Alternative Name that matches the
host name they give in their con".

RequireEKU: "Like TrustTheWebCAs, and if it wants to set an endpoint
type (et=), that must be justified by an Extended Key Usage in the
certificate."

EPFromACE: "This RD uses /reg/${domain}/${endpoint} as registration
URIs. An endpoint can only register if it holds an ACE-AIF token to POST
to that resource issued by my Authorization Server (AS)."

PNFromACE: "This RD allows registration of arbitrary endpoints, but
advertising an at=... (registration) or ol=... (link) attribute (see
core-protocol-negotiation) requires that that value is contained in an
ACE token from my AS."


Best regards
Christian

-- 
To use raw power is to make yourself infinitely vulnerable to greater powers.
  -- Bene Gesserit axiom

v2.23.0 | Report a Bug | By Email