Re: [OAUTH-WG] [Ace] New OAuth client credentials RPK and PSK

Adrian Imach <adrianimach@hotmail.com> Mon, 15 May 2017 11:31 UTC

Return-Path: <adrianimach@hotmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4998127011; Mon, 15 May 2017 04:31:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.146
X-Spam-Level:
X-Spam-Status: No, score=-1.146 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i1J35wytyzoI; Mon, 15 May 2017 04:31:53 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-oln040092068105.outbound.protection.outlook.com [40.92.68.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D18A012957A; Mon, 15 May 2017 04:27:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=F6NZnywjVGc9lquINQWy3LzM0XSzDIvy2bYKKhvuuUo=; b=Hm3sSY2smJuRR8PihP9tfyXbtHGdj934a0Xp9t67JNtvh1qKr5CgFHxxRqAX62G82QKc231e7gD2K6/Zjs1e+zKEOJsIrodHKsNuRL/tqv2hKX6AZhu/xoKyD0dG7gpcjbJYd/JQik5PYSoEdVDmhdEYIFSnmIKjA8kF7aNYokI9W6p5TweGydriuFP4blW3o7kB0ozPLN6LmNIziLrBDRNlAODp2rPkFp4GZrGLaj+k/r7mJNDxlGze09UzU9uZQ/MSRLtLPdPYYzE1xO/8F7Fy77ZYjPMSuACvksyypasaMyoC9WVqvS1Ux1L9wt3Rsz16wA3w30X4vqxOV9J+MQ==
Received: from HE1EUR02FT030.eop-EUR02.prod.protection.outlook.com (10.152.10.51) by HE1EUR02HT211.eop-EUR02.prod.protection.outlook.com (10.152.11.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.1075.5; Mon, 15 May 2017 11:27:57 +0000
Received: from AM4PR09MB0627.eurprd09.prod.outlook.com (10.152.10.51) by HE1EUR02FT030.mail.protection.outlook.com (10.152.10.165) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1075.5 via Frontend Transport; Mon, 15 May 2017 11:27:56 +0000
Received: from AM4PR09MB0627.eurprd09.prod.outlook.com ([fe80::b562:3:99a7:9530]) by AM4PR09MB0627.eurprd09.prod.outlook.com ([fe80::b562:3:99a7:9530%14]) with mapi id 15.01.1084.029; Mon, 15 May 2017 11:27:56 +0000
From: Adrian Imach <adrianimach@hotmail.com>
To: Samuel Erdtman <samuel@erdtman.se>
CC: Jim Schaad <ietf@augustcellars.com>, "<oauth@ietf.org>" <oauth@ietf.org>, ace <Ace@ietf.org>
Thread-Topic: [OAUTH-WG] [Ace] New OAuth client credentials RPK and PSK
Thread-Index: AQF2pOMAEHj6tEKs9s8Af1VsoCYHA6KslJawgADR1wCAACxkKg==
Date: Mon, 15 May 2017 11:27:56 +0000
Message-ID: <AM4PR09MB0627E138F244480420AD4949B0E10@AM4PR09MB0627.eurprd09.prod.outlook.com>
References: <CAF2hCbZpWTCMg617dK7D+F+0w=hxrz4VNdsFZHPGM1rZy+K3TA@mail.gmail.com> <000501d2ccef$398d0940$aca71bc0$@augustcellars.com>, <CAF2hCbY0p=kN3FHWk8+GaQa4drPa8batV9cqLqmehEbBwTnSqw@mail.gmail.com>
In-Reply-To: <CAF2hCbY0p=kN3FHWk8+GaQa4drPa8batV9cqLqmehEbBwTnSqw@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: erdtman.se; dkim=none (message not signed) header.d=none;erdtman.se; dmarc=none action=none header.from=hotmail.com;
x-incomingtopheadermarker: OriginalChecksum:EE7621ACA0A9762E1B554070139F5CE68D3A53794B47A2C2FB867CA046B9E5E3; UpperCasedChecksum:06D0C4D13DF55FE168E6C789AF3743D3DA673CBFE176A3A94506B358FD949017; SizeAsReceived:8509; Count:46
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [XCWKhpD+KPT/DFLzYEwjPAxDKuT/jMM1]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; HE1EUR02HT211; 5:kb3tqbEtYUdi0h+FXVRzMegPfnuDz2yQnQqTL6TE0IitrtL0MzziT6WlXt6eQHQmdZHGF/XcMtLarvrEtVrmo5v29o4fttQk5y7rUYaa5iK/r14WAogNOp0jG9kBcmdbMRP0dJVewIGDWewnwY59qQ==; 24:swL5xt43+9J4qFJ1GY6QwZHdlVuhk6MEfl2p8wxq61HuitHYXezMv57C/vtq3xZRYGHpkXRX3x06ZRgItCXeKddCPgfsISlHqbuJwj/Xzkw=; 7:a4NoOtzaz3JKDbaf+WiOA1FDZbRYM2AQGCwtDMae7D+XCXi1VYDpFkcCiXvci7GnxMEQUBc58GNhxq4A4dEb5rTjopHrBmdXod9TIXz2W0pm4wAC+Ss6s0x/L9zwFIS+WHpBMuUlTUqZnmHEP97VRsqAgxqz+jKyqs8PWOf/TmHZq8yfSXf1fvFJQB7hLkycweyBV9UiQ9ppILUoI2T7P1xgdBS0Q6VAk6r0RfbDBgU/XyHXkguuZ67uWnpOSg6B0QmmyAKGy/cp0fyP35Zk6zoxWI19KxK1pBY9f5y2Ikp4Pb1Rl6epoPNCMSdOhDlO
x-incomingheadercount: 46
x-eopattributedmessage: 0
x-forefront-antispam-report: EFV:NLI; SFV:NSPM; SFS:(7070007)(98901004); DIR:OUT; SFP:1901; SCL:1; SRVR:HE1EUR02HT211; H:AM4PR09MB0627.eurprd09.prod.outlook.com; FPR:; SPF:None; LANG:en;
x-ms-office365-filtering-correlation-id: c63e5c8f-c3da-4599-e7bf-08d49b856f60
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(201702061074)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322274)(1601125374)(1603101448)(1701031045); SRVR:HE1EUR02HT211;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(444000031); SRVR:HE1EUR02HT211; BCL:0; PCL:0; RULEID:; SRVR:HE1EUR02HT211;
x-forefront-prvs: 0308EE423E
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_AM4PR09MB0627E138F244480420AD4949B0E10AM4PR09MB0627eurp_"
MIME-Version: 1.0
X-OriginatorOrg: hotmail.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 May 2017 11:27:56.5858 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1EUR02HT211
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kEY3IcALTaCTVjZbs3FfyhADIRU>
Subject: Re: [OAUTH-WG] [Ace] New OAuth client credentials RPK and PSK
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 May 2017 11:31:56 -0000

Please unsubscribe me from your mailing list. Thank you ,

Adrian Imach

On 15 May 2017, at 09:52, Samuel Erdtman <samuel@erdtman.se<mailto:samuel@erdtman.se>> wrote:

In short this draft focuses on the C to AS connection and draft-gerdes-ace-dtls-authorize focuses on the C to RS connection.

This draft details on how to use RPK or PSK as client credentials to setup the (D)TLS between C and AS while draft-gerdes-ace-dtls-authorize provides details for how to use the RPK or PSK bound to an access token to setup the connection between C and RS.

//Samuel


On Sun, May 14, 2017 at 10:18 PM, Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>> wrote:
How is this draft supposed to interact with draft-gerdes-ace-dtls-authorize?

Jim


From: Ace [mailto:ace-bounces@ietf.org<mailto:ace-bounces@ietf.org>] On Behalf Of Samuel Erdtman
Sent: Friday, May 12, 2017 1:03 AM
To: <oauth@ietf.org<mailto:oauth@ietf.org>> <oauth@ietf.org<mailto:oauth@ietf.org>>; ace <Ace@ietf.org<mailto:Ace@ietf.org>>
Cc: Ludwig Seitz <ludwig.seitz@ri.se<mailto:ludwig.seitz@ri.se>>
Subject: [Ace] New OAuth client credentials RPK and PSK

Hi ACE and OAuth WGs,
I and Ludwig submitted a new draft yesterday defining how to use Raw Public Key and Pre Shared Key with (D)TLS as OAuth client credentials, https://datatracker.ietf.org/doc/draft-erdtman-ace-rpcc/.

We think this is valuable to the ACE work since the ACE framework is based on OAuth, but client credentials as defined in the OAuth framework are not the best match for embedded devices.
We think Raw Public Keys and Pre Shared Keys are more suitable credentials for embedded devices for the following reasons:
* Better security by binding to transport layer.
* If PSK DTLS is to be used a key need to be distributed any way, why not make use of it as credential.
* Client id and client secret accommodates for manual input by a humans. This does not scale well and requires some for of input device.
* Some/many devices will have crypto-hardware that can protect key material, to not use that possibility would be a waste.
* There are probably more reasons these was just the once on top of my head.

This is not the first resent initiative to create new client credential types, the OAuth WG adopted a similar draft for certificate based client credentials (https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html) That work is also valuable to ACE but not all devices will be able to work with certificates or even asymmetric cryptos .
Please review and comment.
Cheers
//Samuel


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth