Re: [Gen-art] Gen-ART Last Call review of draft-ietf-ace-dtls-authorize-12
Olaf Bergmann <bergmann@tzi.org> Thu, 17 September 2020 08:09 UTC
Return-Path: <bergmann@tzi.org>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 482203A07F2; Thu, 17 Sep 2020 01:09:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Na8buqfXCWZ2; Thu, 17 Sep 2020 01:09:16 -0700 (PDT)
Received: from gabriel-vm-2.zfn.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B0423A07BD; Thu, 17 Sep 2020 01:09:15 -0700 (PDT)
Received: from wangari.tzi.org (p508a4e5d.dip0.t-ipconnect.de [80.138.78.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by gabriel-vm-2.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4BsV3t3DCcz10HJ; Thu, 17 Sep 2020 10:09:14 +0200 (CEST)
From: Olaf Bergmann <bergmann@tzi.org>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
Cc: draft-ietf-ace-dtls-authorize.all@ietf.org, General Area Review Team <gen-art@ietf.org>
References: <8c2725a3-f89f-7ea1-dda9-681edd463a32@alum.mit.edu> <87y2muo6ix.fsf@wangari> <87v9gomsf4.fsf@wangari> <b0e2088b-ab24-3d35-c98a-161955d3fc7a@alum.mit.edu>
Date: Thu, 17 Sep 2020 10:09:13 +0200
In-Reply-To: <b0e2088b-ab24-3d35-c98a-161955d3fc7a@alum.mit.edu> (Paul Kyzivat's message of "Fri, 11 Sep 2020 16:49:01 -0400")
Message-ID: <87v9gcg6za.fsf@wangari>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/rztJgFoock7-9OWeOifZ_MurkeE>
Subject: Re: [Gen-art] Gen-ART Last Call review of draft-ietf-ace-dtls-authorize-12
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2020 08:09:19 -0000
Hi Paul, Responding to you remaining comments please see inline. Paul Kyzivat <pkyzivat@alum.mit.edu> writes: >>>> * Also in section 3.3: >>>> >>>> All CBOR data types are encoded in CBOR using preferred serialization >>>> and deterministic encoding as specified in Section 4 of >>>> [I-D.ietf-cbor-7049bis]. This implies in particular that the "type" >>>> and "L" components use the minimum length encoding. The content of >>>> the "access_token" field is treated as opaque data for the purpose of >>>> key derivation. >>>> >>>> IIUC the type of serialization and encoding is a requirement. Will >>>> need some rewording to make it so. >>> >>> I take it that you and Ben have agreed that the example description does >>> not necessarily need normative language as the description of this key >>> derivation procedure is meant as an example how the authorization server >>> and the resource server can securely agree on a shared secret to be used >>> between the client and the resource server. > > This still confuses me. IIUC preferred serialization and deterministic > encoding are *optional* in CBOR. The text hear seems to require it, > but doesn't use normative language to do so. > > If these are required for things to work then you make a normative > statement about it. E.g., "The "type" and "L" components MUST use the > minimum length encoding." > > Or do you intend that some other (non-minimum-length) MAY be used? (In > which case both sides would need a side agreement on what encoding is > used.) The text here just gives an example how key derivation may be used by the authorization server and the resource server to agree on a shared secret (that is used to encrypt the traffic between the resource server and the to-be-authorized client). To that regard, the text is not really normative. The only normative language we need here would be to avoid security issues. Commenting on the data representation here is to be understood as a suggestion to use, e.g., preferred CBOR serialization according to 7049bis. [...] >>> OLD: >>> >>> New access tokens issued by the authorization server are supposed to >>> replace previously issued access tokens for the respective client. >>> >>> NEW: >>> >>> New access tokens issued by the authorization server replace >>> previously issued access tokens for the respective client. > > The above is still non-normative. Perhaps: > > New access tokens issued by the authorization server MUST replace > previously issued access tokens for the respective client. Following Section 5.8.1 of the framework document, this should be a SHOULD (the text there reads as: "This specification RECOMMENDS that an RS stores only one token per proof-of-possession key, meaning that an additional token linked to the same key will overwrite any existing token at the RS." The text then would read as follows (changes are the new SHOULD and "needs a common understanding" instead of "must have": OLD: According to Section 5.8.1 of [I-D.ietf-ace-oauth-authz], there should be only one access token for each client. New access tokens issued by the authorization server replace previously issued access tokens for the respective client. The resource server therefore must have a common understanding with the authorization server how access tokens are ordered. The authorization server may, e.g., specify a "cti" claim for the access token (see Section 5.8.3 of [I-D.ietf-ace-oauth-authz]) to employ a strict order. NEW: According to Section 5.8.1 of [I-D.ietf-ace-oauth-authz], there should be only one access token for each client. New access tokens issued by the authorization server SHOULD replace previously issued access tokens for the respective client. The resource server therefore needs a common understanding with the authorization server how access tokens are ordered. The authorization server may, e.g., specify a "cti" claim for the access token (see Section 5.8.3 of [I-D.ietf-ace-oauth-authz]) to employ a strict order. Grüße Olaf
- [Gen-art] Gen-ART Last Call review of draft-ietf-… Paul Kyzivat
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Jim Schaad
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Benjamin Kaduk
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Paul Kyzivat
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Paul Kyzivat
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Benjamin Kaduk
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Seitz Ludwig
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Stefanie Gerdes
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Seitz Ludwig
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Benjamin Kaduk
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Olaf Bergmann
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Olaf Bergmann
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Paul Kyzivat
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Olaf Bergmann
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Paul Kyzivat
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Göran Selander
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Göran Selander
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Benjamin Kaduk
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Paul Kyzivat
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Olaf Bergmann
- Re: [Gen-art] Gen-ART Last Call review of draft-i… Paul Kyzivat