Re: [OAUTH-WG] OSCORE

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Wed, 07 February 2018 17:33 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8E1E12D850; Wed, 7 Feb 2018 09:33:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.395
X-Spam-Level:
X-Spam-Status: No, score=-0.395 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, SUBJ_ALL_CAPS=1.506] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PREYc4NT8KUh; Wed, 7 Feb 2018 09:33:53 -0800 (PST)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40064.outbound.protection.outlook.com [40.107.4.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C3BA1270AC; Wed, 7 Feb 2018 09:33:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=YaGUtkSvStApnr8e1tO35AO36gj5v6CRGQXjwF3NDY4=; b=c549oedyzYJizpfI/2LRZQ1bzbVKHU7bv9WcUrEogviXK2D1vka5wq8BONeN3ue/5SSLsY4i122UAci9vS5BT5merhg3jcA0Z6f0BwCD0r2ODazBvKAuRepUjRjhqFNn1046wlTsO11K4/bzusVDJpqiQCRVCKfqskm76qURkcI=
Received: from AM4PR0801MB2706.eurprd08.prod.outlook.com (10.167.90.148) by AM4PR0801MB1505.eurprd08.prod.outlook.com (10.168.5.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.485.10; Wed, 7 Feb 2018 17:33:49 +0000
Received: from AM4PR0801MB2706.eurprd08.prod.outlook.com ([fe80::b863:80d:692b:e64b]) by AM4PR0801MB2706.eurprd08.prod.outlook.com ([fe80::b863:80d:692b:e64b%14]) with mapi id 15.20.0485.009; Wed, 7 Feb 2018 17:33:49 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Dave Thaler <dthaler@microsoft.com>, =?utf-8?B?R8O2cmFuIFNlbGFuZGVy?= <goran.selander@ericsson.com>, "OAuth@ietf.org" <OAuth@ietf.org>
CC: "draft-ietf-core-object-security@ietf.org" <draft-ietf-core-object-security@ietf.org>
Thread-Topic: [OAUTH-WG] OSCORE
Thread-Index: AdOf+vC9Bo7oOstGSpuGdOgV/ndnFaOZAgKAo5ii+kC4zr6MAIAAGDiA////7JA=
Date: Wed, 7 Feb 2018 17:33:49 +0000
Message-ID: <AM4PR0801MB270663CA68EA4C8ABD59C8CDFAFC0@AM4PR0801MB2706.eurprd08.prod.outlook.com>
References: <AM4PR0801MB2706E520121559D478FB6D99FAFC0@AM4PR0801MB2706.eurprd08.prod.outlook.com> <35cc46fe-3453-e458-af55-a6acb2905e44@ri.se> <D6A0C60E.9EC6E%goran.selander@ericsson.com> <AM4PR0801MB2706EAF074A35A93ABC729BAFAFC0@AM4PR0801MB2706.eurprd08.prod.outlook.com> <D6A0D0B4.9ECB5%goran.selander@ericsson.com> <CY4PR21MB0856AB93802EE4EEFE915797A3FC0@CY4PR21MB0856.namprd21.prod.outlook.com>
In-Reply-To: <CY4PR21MB0856AB93802EE4EEFE915797A3FC0@CY4PR21MB0856.namprd21.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [88.214.160.174]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM4PR0801MB1505; 7:+a14XmhNBzbpn0zhd+d97KM2Cn7G9y7zgZnuUpOaDMum0RbRQH+d3MMjoPmMr6JMAExGBKvpKzD3Xo2Mg4deelxj/mr3ey+rvRLlrdCGFjp3v8ZaxciHkW1/emxFiecxp2pqcI1TD9ztAWi5rMJaShYhS2lh7KI+F769PX+At8TEh8gFghO/EsP8vX1WgjvbGDXcPJ/1usOSRQifYBjdk3Njn1J2yxTmSi8ymUEjpNQp0uJKNp5tkhlj53TIsIle
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: ce9d3b92-87f2-4b28-e953-08d56e50f305
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(4534165)(4627221)(201703031133081)(201702281549075)(5600026)(4604075)(3008032)(2017052603307)(7153060)(7193020); SRVR:AM4PR0801MB1505;
x-ms-traffictypediagnostic: AM4PR0801MB1505:
x-microsoft-antispam-prvs: <AM4PR0801MB15057376E7296B2983005AD5FAFC0@AM4PR0801MB1505.eurprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(37575265505322)(28532068793085)(180628864354917)(278428928389397)(89211679590171)(192374486261705)(189930954265078)(219752817060721);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040501)(2401047)(5005006)(8121501046)(3231101)(2400082)(944501161)(10201501046)(3002001)(93006095)(93001095)(6055026)(6041288)(20161123562045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123564045)(6072148)(201708071742011); SRVR:AM4PR0801MB1505; BCL:0; PCL:0; RULEID:; SRVR:AM4PR0801MB1505;
x-forefront-prvs: 0576145E86
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(39860400002)(396003)(376002)(39380400002)(346002)(13464003)(377424004)(51914003)(199004)(189003)(40434004)(5660300001)(478600001)(72206003)(2906002)(4326008)(45080400002)(2950100002)(99286004)(53936002)(2501003)(1511001)(74316002)(6246003)(305945005)(7736002)(33656002)(14454004)(966005)(575784001)(3660700001)(86362001)(2900100001)(6306002)(9686003)(55016002)(97736004)(25786009)(229853002)(66066001)(8666007)(6436002)(68736007)(93886005)(110136005)(81166006)(8676002)(81156014)(3846002)(6116002)(3280700002)(5250100002)(8936002)(106356001)(316002)(5890100001)(6506007)(186003)(53546011)(59450400001)(102836004)(26005)(105586002)(76176011)(7696005); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR0801MB1505; H:AM4PR0801MB2706.eurprd08.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: RfdUZ+kK38Kjc44DyLhNrLmPnLBWqz24NJ2tiQbXeCUwG45c3ZRTRL49WXmDdRky1Hk/6QFvcjES9AVwCfxzlQ==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ce9d3b92-87f2-4b28-e953-08d56e50f305
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Feb 2018 17:33:49.5545 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR0801MB1505
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-Wjlvfl986m6ppPaexeCWPYbmH4>
Subject: Re: [OAUTH-WG] OSCORE
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2018 17:33:55 -0000

Is there any implementation / prototyping experience with this work, Dave?

Here is what we have been working on in the context of OAuth: With OAuth 1.0: https://tools.ietf.org/html/rfc5849 one of the problems there was the fields we computed the digest over were changed by proxies, and other middleware. Needless to say that the verification failed and for developer it was not clear which field caused the digest verification to fail.

In https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-01 we followed a different design approach where we apply the digest selectively over field and they are repeated in the newly defined parameter.

Ciao
Hannes

-----Original Message-----
From: Dave Thaler [mailto:dthaler@microsoft.com]
Sent: 07 February 2018 17:27
To: Göran Selander; Hannes Tschofenig; OAuth@ietf.org
Cc: draft-ietf-core-object-security@ietf.org
Subject: RE: [OAUTH-WG] OSCORE

As Göran said, yes the original rationale was end-to-end communication through proxies where each leg might be CoAP or might be HTTP,
the most common case being a single COAP-to-HTTP or HTTP-to-COAP proxy.   For the subset of HTTP that is mappable to CoAP
(i.e., simple RESTful calls), I'm not aware of any reason it wouldn't work with a simple HTTP proxy where all legs are HTTP.
It would be good if someone could try that and verify it though... maybe a hackathon project.

-----Original Message-----
From: Göran Selander [mailto:goran.selander@ericsson.com]
Sent: Wednesday, February 7, 2018 8:00 AM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>om>; OAuth@ietf.org; Dave Thaler <dthaler@microsoft.com>
Cc: draft-ietf-core-object-security@ietf.org
Subject: Re: [OAUTH-WG] OSCORE

Hi Hannes,

Including Dave who may want to provide some background to the use case.

As I said, this was a proposed construction and was straightforward to include in the draft. I’m not the right person to answer whether this is useful for OAuth, but I’m interested in the answer.

Göran


On 2018-02-07 15:47, "Hannes Tschofenig" <Hannes.Tschofenig@arm.com> wrote:

>Hi Göran,
>
>Maybe you can then answer the question whether this is useful /
>applicable to a HTTP. Asked differently, under what conditions does the
>OSCORE not work for HTTP. This would help the folks in the group,
>including me, to determine whether this actually something we should be
>looking into at all. Note that typical applications that use OAuth do
>not use CoAP -- only HTTP.
>
>In OAuth we had for several years tried to get HTTP message protection
>working and we have, unfortunately, failed to find a suitable solution.
>
>Ciao
>Hannes
>
>
>-----Original Message-----
>From: Göran Selander [mailto:goran.selander@ericsson.com]
>Sent: 07 February 2018 15:37
>To: Hannes Tschofenig; OAuth@ietf.org
>Cc: draft-ietf-core-object-security@ietf.org
>Subject: [OAUTH-WG] OSCORE
>
>
>Hi Hannes, and all
>
>Thanks for the announcement.
>
>To be a little bit more precise, the statement is that a CoAP-mappable
>HTTP message can be mapped to CoAP (using RFC 8075), protected with
>OSCORE (as specified in the referenced draft) and transported with HTTP
>(as exemplified in the referenced draft). The main use case is in
>conjunction with an HTTP-CoAP translational proxy (RFC 8075), and the
>mapping would with this construction result in a CoAP-mappable HTTP
>request being protected by an HTTP client and verified by a CoAP server.
>
>This functionality was proposed by OCF for their end-to-end REST use
>cases. Happy to hear any comments on the construction as described in
>the draft.
>
>
>Note that Hannes referenced the wrong version of the draft, here is the
>latest:
>
>https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.
>ietf.org%2Fhtml%2Fdraft-ietf-core-object-security-08&data=04%7C01%7Cdth
>aler%40microsoft.com%7C0c70175ce7634698e06a08d56e43f36c%7Cee3303d7fb734
>b0c8589bcd847f1c277%7C1%7C0%7C636536160483223433%7CUnknown%7CTWFpbGZsb3
>d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%3D%3D%7C-1&sda
>ta=Qgb2gvkV5uBIj36ogAYluaN08PS9YuyXz%2FlJzls1U9g%3D&reserved=0
>
>
>Göran
>
>
>On 2018-02-07 11:06, Hannes Tschofenig wrote:
>> Hi guys,
>>
>> You may be interested to hear that a group of people working on
>> Internet of Things security believe they have found a solution to
>> deal with the challenges we had in protecting HTTP requests/responses.
>>
>> Here is the draft:
>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftool
>> s.ietf.org%2Fhtml%2Fdraft-ietf-core-object-security-07&data=04%7C01%7
>> Cdthaler%40microsoft.com%7C0c70175ce7634698e06a08d56e43f36c%7Cee3303d
>> 7fb734b0c8589bcd847f1c277%7C1%7C0%7C636536160483223433%7CUnknown%7CTW
>> FpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%3D%3
>> D%7C-1&sdata=k4MlHEBM0YayRoq%2B0KjIBdzShfXMSW2EQDK03%2FMCJ%2B0%3D&res
>> erved=0
>>
>> (The draft is mostly focused on CoAP but it is supposed to be
>> applicable also to HTTP.)
>>
>> Ciao
>> Hannes
>>
>> IMPORTANT NOTICE: The contents of this email and any attachments are
>> confidential and may also be privileged. If you are not the intended
>> recipient, please notify the sender immediately and do not disclose
>> the contents to any other person, use it for any purpose, or store or
>> copy the information in any medium. Thank you.
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.
>> ietf.org%2Fmailman%2Flistinfo%2Foauth&data=04%7C01%7Cdthaler%40micros
>> oft.com%7C0c70175ce7634698e06a08d56e43f36c%7Cee3303d7fb734b0c8589bcd8
>> 47f1c277%7C1%7C0%7C636536160483223433%7CUnknown%7CTWFpbGZsb3d8eyJWIjo
>> iMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwifQ%3D%3D%7C-1&sdata=KYCV
>> h3AxIuXfGoA0R4W6poXbhN%2B1jKDAkQgNygIYhmM%3D&reserved=0
>>
>
>
>
>
>IMPORTANT NOTICE: The contents of this email and any attachments are
>confidential and may also be privileged. If you are not the intended
>recipient, please notify the sender immediately and do not disclose the
>contents to any other person, use it for any purpose, or store or copy
>the information in any medium. Thank you.

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.