IETF Logo Mail Archive

Re: [OAUTH-WG] A review of draft-ietf-oauth-pop-architecture-05

Phil Hunt <phil.hunt@oracle.com> Fri, 20 November 2015 17:00 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 451B91B3848 for <oauth@ietfa.amsl.com>; Fri, 20 Nov 2015 09:00:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.786
X-Spam-Level:
X-Spam-Status: No, score=-4.786 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9mkv8bywnq6j for <oauth@ietfa.amsl.com>; Fri, 20 Nov 2015 09:00:07 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C0BE1B392A for <oauth@ietf.org>; Fri, 20 Nov 2015 08:59:57 -0800 (PST)
Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id tAKGxtx9008521 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 20 Nov 2015 16:59:56 GMT
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by aserv0022.oracle.com (8.13.8/8.13.8) with ESMTP id tAKGxsmW003699 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Fri, 20 Nov 2015 16:59:54 GMT
Received: from abhmp0012.oracle.com (abhmp0012.oracle.com [141.146.116.18]) by userv0122.oracle.com (8.13.8/8.13.8) with ESMTP id tAKGxsXq013604; Fri, 20 Nov 2015 16:59:54 GMT
Received: from [192.168.1.27] (/174.7.250.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 20 Nov 2015 08:59:54 -0800
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (13B143)
In-Reply-To: <CAHbuEH7jW0=P2BhxQyrLPLfkRpn6+Gz-Cup_-ARLtNb45bnDJg@mail.gmail.com>
Date: Fri, 20 Nov 2015 08:59:52 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <807F71A5-3C01-437C-8187-8A4349D7DF46@oracle.com>
References: <ogcawk0n3xg6qmm80oh907tq.1447957121278@email.android.com> <2DC07A54-BA80-48EE-9CC3-7BDE4CAA0AD7@nexusgroup.com> <CAHbuEH7jW0=P2BhxQyrLPLfkRpn6+Gz-Cup_-ARLtNb45bnDJg@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Source-IP: aserv0022.oracle.com [141.146.126.234]
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/3Y-oCBOmWgzqODoY6dj3Rv3lbpM>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>, Justin Richer <ietf@justin.richer.org>
Subject: Re: [OAUTH-WG] A review of draft-ietf-oauth-pop-architecture-05
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2015 17:00:12 -0000

+1. I will post an update monday. 

Ps. Did you see my original responses to your first comments?

Phil

> On Nov 20, 2015, at 08:27, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
> 
> I'm re-reading to make sure this would be okay at this stage and have
> some suggestions.
> 
> Could 3.2 cover TLS and DTLS?  Then you don't need to state COSE/CBOR
> specifically in this section but it hints at applicable IoT use cases
> and isn't a big change since OAuth could be used in scenarios with
> DTLS and IoT.
> 
> Since 3.3 refers to a web client, I'd leave it alone.  It's just a use
> case.  And I don't think 3.4 is a good example for IoT with
> discussions of load balancers.
> 
> In section 4, the client is listed generically without definition,
> Maybe stating constrained and devices that are not constrained are
> clients would be enough in the Token manufacture/modification threat
> scenario? That would be on first use in this section for clients.
> 
> Section 6.2 calls out 2 examples with TLS, but doesn't restrict the
> selection to these two, so I think the text there is fine as-is,
> especially since "available infrastructure" is one of the
> considerations.
> 
> I think that would be enough and wouldn't be too much to change at
> this stage to include IoT under this draft.  I would not add in
> explicit mention of CBOR or COSE as the draft doesn't mention JSON or
> JOSE anywhere.
> 
> Does that should like a good approach?  This just means 2 minor
> changes to make the generic text also explicitly include constrained
> devices.
> 
> Thanks,
> Kathleen
> 
> 
> 
> 
> 
> 
> 
> On Thu, Nov 19, 2015 at 2:29 PM, Erik Wahlström neXus
> <erik.wahlstrom@nexusgroup.com> wrote:
>> Fair enough. Was way to late to the game here. All and all, it’s a very good
>> document.
>> / Erik
>> 
>> 
>> On 19 Nov 2015, at 19:18, Justin Richer <jricher@MIT.EDU> wrote:
>> 
>> I agree with added "For example" in a few places. It's not normative it's
>> informational here.
>> 
>> 
>> 
>> < div="">
>> -- Justin
>> 
>> / Sent from my phone /
>> <>
>> 
>> 
>> -------- Original message --------
>> From: Phil Hunt <phil.hunt@oracle.com>
>> Date: 11/19/2015 11:28 AM (GMT-06:00)
>> To: Erik Wahlström neXus <erik.wahlstrom@nexusgroup.com>
>> Cc: "<oauth@ietf.org>" <oauth@ietf.org>, Justin Richer
>> <ietf@justin.richer.org>
>> Subject: Re: [OAUTH-WG] A review of draft-ietf-oauth-pop-architecture-05
>> 
>> I think your point that maybe the architecture doc be generic enough to
>> support both json and cbor tokens is worth consideration.
>> 
>> I am just not sure of process and consensus now that we are past WGLC. Would
>> the cose group prefer this?
>> 
>> Happy to do it if desired. Also understand if we are too far down the road.
>> 
>> Phil
>> 
>> On Nov 19, 2015, at 08:39, Erik Wahlström neXus
>> <erik.wahlstrom@nexusgroup.com> wrote:
>> 
>> Just a note then. I did not see anything that prohibited the usage of pop
>> tokens for IoT so  shipping it as is works.
>> 
>> Sent from my iPhone
>> 
>> On 19 Nov 2015, at 17:18, Phil Hunt <phil.hunt@oracle.com> wrote:
>> 
>> On the subject of making the spec(s) less JWT specific, it was a
>> foundational assumption and (I think) in the charter. However COSE wasn't
>> around yet.
>> 
>> I suppose the more generic architecture doc could be altered to cover IoT
>> cases, but it may be problematic for the other specs that are more specific.
>> 
>> Another issue is I assume the COSE based tokens will have a different type
>> (eg cpop) to differentiate between jwt and COSE web tokens (what are we
>> calling them now?).
>> 
>> As this generalization change could be seen as substantial, I would like to
>> have the chairs and AD comment. Is this a good idea?  Or is COSE better to
>> write their own parallel arch draft?
>> 
>> I'm happy to bend to the will of the group(s) on this.
>> 
>> Phil
>> 
>> On Nov 19, 2015, at 01:17, Erik Wahlström neXus
>> <erik.wahlstrom@nexusgroup.com> wrote:
>> 
>> Hi,
>> 
>> I have been reviewing draft-ietf-oauth-pop-architecture-05. In ACE WG we
>> have a draft that uses PoP tokens for IoT and the architectures defined here
>> so my review was done with that IoT perspective. I’m a bit late with the
>> review and some of the comments might already be mentioned by others.
>> 
>> 
>> 
>> ——————
>> 
>> 3.1. Preventing Access Token Re-Use by the Resource Server
>> 
>> If a symmetric key is used it’s possible to re-use the key for a resource
>> server. The section talks about the importance of scopes, but I feel it
>> should also mention the importance for the resource server to verify the
>> audience (“aud”) claim in the token to disable missuse.
>> 
>> ——————
>> 
>> The draft in ACE WG
>> (https://tools.ietf.org/html/draft-seitz-ace-oauth-authz-00) relies heavily
>> on this work. The main reason for this is the way PoP tokens can establish
>> key material, with the help of the authorization server, on both the client
>> and resource server. PoP tokens is also a very good fit for constrained IoT
>> devices that can be offline and it’s also possible to use hardware key
>> storages to handle asymmetric pop keys.
>> 
>> There could be a place for a new "Use Case" under section 3 that talks about
>> scenarios where PoP keys are a really good match for offline IoT devices. I
>> could help out ironing out a text for that with the help of the docs authors
>> if that’s of interest.
>> 
>> ———
>> 
>> s/a bogus tokens/a bogus token
>> 
>> ——
>> 
>> In the document only references are made to JSON, JWT and JOSE. More exactly
>> in the following two sections:
>> 
>>   A number of the threats listed in Section 4 demand protection of the
>>   access token content and a standardized solution, in form of a JSON-
>>   based format, is available with the JWT [RFC7519].
>> 
>> 
>> 
>>   With the JSON Web Token (JWT) [RFC7519] a standardized format for
>>   access tokens is available.  The necessary elements to bind symmetric
>>   or asymmetric keys to a JWT are described in
>>   [I-D.ietf-oauth-proof-of-possession].
>> 
>> 
>> Constrained IoT devices uses other access token and messages formats
>> (according to our draft). It does not only use signed/encrypted JWT’s but
>> also COSE protected CBOR Web Tokens. See
>> https://tools.ietf.org/id/draft-wahlstroem-oauth-cbor-web-token-00.txt
>> 
>> I totally agree that JWT is the correct examples to have in this document
>> due to the fact that they are RFC’s, they are well known and should be used
>> in as many places as possible, but it would be good to open up for other
>> types of message formats. For example like this:
>> 
>> 
>>   A number of the threats listed in Section 4 demand protection of the
>>   access token content and a standardized solution in form of, for example,
>> a JSON-
>>   based format, is available with the JWT [RFC7519].
>> 
>> 
>> 
>> ——
>> 
>> For that
>>   purpose the client will have to authenticate the resource server
>>   before transmitting the access token.
>> 
>> 
>> 
>> I’m missing a description about how this is handled in an end-to-end
>> security scenario.
>> 
>> ———
>> 
>>      The resource server queries the authorization server for the
>>      symmetric key.  This is an approach envisioned by the token
>>      introspection endpoint [I-D.ietf-oauth-introspection].
>> 
>> 
>> 
>> Not a question for this draft maybe, but in what draft is the introspection
>> response claim defined? It’s not defined in
>> https://tools.ietf.org/html/rfc7662#section-2.2 and I don’t know in what
>> other draft it can be defined.
>> 
>> ——
>> 
>> In ACE WG the draft seitz-ace-oauth-authz have a profile for an access
>> request to make it work over CoAP. CoAP is the HTTP equivalent for
>> constrained devices, and it has limitations, for example it can’t send large
>> tokens in options (headers in "http-speak"). This means that the draft
>> defines a way to first send the PoP token to an new endpoint on the resource
>> server to establish a security context. Then the real request against the
>> resource server can be done once the security context is established. See
>> more details here
>> https://tools.ietf.org/html/draft-seitz-ace-oauth-authz-00#section-5.2.
>> 
>> An open question; should a flow like that be added to the architecture
>> section? That means a new section 7.5.
>> 
>> ——
>> 
>> Thanks for writing this. I think it’s very important work.
>> 
>> / Erik
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> 
> -- 
> 
> Best regards,
> Kathleen
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.14.0 | Report a Bug | By Email