Re: [OAUTH-WG] A review of draft-ietf-oauth-pop-architecture-05
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 20 November 2015 16:27 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3287F1B36E2 for <oauth@ietfa.amsl.com>; Fri, 20 Nov 2015 08:27:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bSVwZyBoJKgU for <oauth@ietfa.amsl.com>; Fri, 20 Nov 2015 08:27:11 -0800 (PST)
Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC8F61B36D1 for <oauth@ietf.org>; Fri, 20 Nov 2015 08:27:10 -0800 (PST)
Received: by wmec201 with SMTP id c201so27893549wme.1 for <oauth@ietf.org>; Fri, 20 Nov 2015 08:27:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=pQh+rCw0dJqYQyGodFGbg5gZTqJNKgJLREnU+CGvsEE=; b=aX37yRdQNBqSD6YEvKnW7pUgjed79/+QjZYBA8uYYN2zDaNXIxWLudykvR1ZwENwxD BavY5GQek/ymg9EB9PeM0BAyTc2L60KbzoQ1MMsX8AYDJUHsn75SH4TbNZpNz0n6NsYP QUuq7R6ff7q7O3sSSpADZP05fT0SmfSHb/fEYEMQK21mBALNFfvuQKU9uYWOhXFlGJdt KMcpi0pZ1FbzbmqDcb1dZIxIyopty3VY/YrQZwytJjh8YDeI3v/dMp5sFSyEADUnLyRX FvqWb2oUGX1mzjMbzCxVEeEfRevKevoRNQhNywbdDR1biyEScsiCA+ynJHS3czjvux73 6BTw==
MIME-Version: 1.0
X-Received: by 10.194.179.71 with SMTP id de7mr15362019wjc.119.1448036829220; Fri, 20 Nov 2015 08:27:09 -0800 (PST)
Received: by 10.28.52.130 with HTTP; Fri, 20 Nov 2015 08:27:09 -0800 (PST)
In-Reply-To: <2DC07A54-BA80-48EE-9CC3-7BDE4CAA0AD7@nexusgroup.com>
References: <ogcawk0n3xg6qmm80oh907tq.1447957121278@email.android.com> <2DC07A54-BA80-48EE-9CC3-7BDE4CAA0AD7@nexusgroup.com>
Date: Fri, 20 Nov 2015 11:27:09 -0500
Message-ID: <CAHbuEH7jW0=P2BhxQyrLPLfkRpn6+Gz-Cup_-ARLtNb45bnDJg@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Erik Wahlström neXus <erik.wahlstrom@nexusgroup.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/lctUHEEvJlsrsXwExYhhqwcb88o>
Cc: Justin Richer <ietf@justin.richer.org>, "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] A review of draft-ietf-oauth-pop-architecture-05
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Nov 2015 16:27:13 -0000
I'm re-reading to make sure this would be okay at this stage and have some suggestions. Could 3.2 cover TLS and DTLS? Then you don't need to state COSE/CBOR specifically in this section but it hints at applicable IoT use cases and isn't a big change since OAuth could be used in scenarios with DTLS and IoT. Since 3.3 refers to a web client, I'd leave it alone. It's just a use case. And I don't think 3.4 is a good example for IoT with discussions of load balancers. In section 4, the client is listed generically without definition, Maybe stating constrained and devices that are not constrained are clients would be enough in the Token manufacture/modification threat scenario? That would be on first use in this section for clients. Section 6.2 calls out 2 examples with TLS, but doesn't restrict the selection to these two, so I think the text there is fine as-is, especially since "available infrastructure" is one of the considerations. I think that would be enough and wouldn't be too much to change at this stage to include IoT under this draft. I would not add in explicit mention of CBOR or COSE as the draft doesn't mention JSON or JOSE anywhere. Does that should like a good approach? This just means 2 minor changes to make the generic text also explicitly include constrained devices. Thanks, Kathleen On Thu, Nov 19, 2015 at 2:29 PM, Erik Wahlström neXus <erik.wahlstrom@nexusgroup.com> wrote: > Fair enough. Was way to late to the game here. All and all, it’s a very good > document. > / Erik > > > On 19 Nov 2015, at 19:18, Justin Richer <jricher@MIT.EDU> wrote: > > I agree with added "For example" in a few places. It's not normative it's > informational here. > > > > < div=""> > -- Justin > > / Sent from my phone / > <> > > > -------- Original message -------- > From: Phil Hunt <phil.hunt@oracle.com> > Date: 11/19/2015 11:28 AM (GMT-06:00) > To: Erik Wahlström neXus <erik.wahlstrom@nexusgroup.com> > Cc: "<oauth@ietf.org>" <oauth@ietf.org>, Justin Richer > <ietf@justin.richer.org> > Subject: Re: [OAUTH-WG] A review of draft-ietf-oauth-pop-architecture-05 > > I think your point that maybe the architecture doc be generic enough to > support both json and cbor tokens is worth consideration. > > I am just not sure of process and consensus now that we are past WGLC. Would > the cose group prefer this? > > Happy to do it if desired. Also understand if we are too far down the road. > > Phil > > On Nov 19, 2015, at 08:39, Erik Wahlström neXus > <erik.wahlstrom@nexusgroup.com> wrote: > > Just a note then. I did not see anything that prohibited the usage of pop > tokens for IoT so shipping it as is works. > > Sent from my iPhone > > On 19 Nov 2015, at 17:18, Phil Hunt <phil.hunt@oracle.com> wrote: > > On the subject of making the spec(s) less JWT specific, it was a > foundational assumption and (I think) in the charter. However COSE wasn't > around yet. > > I suppose the more generic architecture doc could be altered to cover IoT > cases, but it may be problematic for the other specs that are more specific. > > Another issue is I assume the COSE based tokens will have a different type > (eg cpop) to differentiate between jwt and COSE web tokens (what are we > calling them now?). > > As this generalization change could be seen as substantial, I would like to > have the chairs and AD comment. Is this a good idea? Or is COSE better to > write their own parallel arch draft? > > I'm happy to bend to the will of the group(s) on this. > > Phil > > On Nov 19, 2015, at 01:17, Erik Wahlström neXus > <erik.wahlstrom@nexusgroup.com> wrote: > > Hi, > > I have been reviewing draft-ietf-oauth-pop-architecture-05. In ACE WG we > have a draft that uses PoP tokens for IoT and the architectures defined here > so my review was done with that IoT perspective. I’m a bit late with the > review and some of the comments might already be mentioned by others. > > > > —————— > > 3.1. Preventing Access Token Re-Use by the Resource Server > > If a symmetric key is used it’s possible to re-use the key for a resource > server. The section talks about the importance of scopes, but I feel it > should also mention the importance for the resource server to verify the > audience (“aud”) claim in the token to disable missuse. > > —————— > > The draft in ACE WG > (https://tools.ietf.org/html/draft-seitz-ace-oauth-authz-00) relies heavily > on this work. The main reason for this is the way PoP tokens can establish > key material, with the help of the authorization server, on both the client > and resource server. PoP tokens is also a very good fit for constrained IoT > devices that can be offline and it’s also possible to use hardware key > storages to handle asymmetric pop keys. > > There could be a place for a new "Use Case" under section 3 that talks about > scenarios where PoP keys are a really good match for offline IoT devices. I > could help out ironing out a text for that with the help of the docs authors > if that’s of interest. > > ——— > > s/a bogus tokens/a bogus token > > —— > > In the document only references are made to JSON, JWT and JOSE. More exactly > in the following two sections: > > A number of the threats listed in Section 4 demand protection of the > access token content and a standardized solution, in form of a JSON- > based format, is available with the JWT [RFC7519]. > > > > With the JSON Web Token (JWT) [RFC7519] a standardized format for > access tokens is available. The necessary elements to bind symmetric > or asymmetric keys to a JWT are described in > [I-D.ietf-oauth-proof-of-possession]. > > > Constrained IoT devices uses other access token and messages formats > (according to our draft). It does not only use signed/encrypted JWT’s but > also COSE protected CBOR Web Tokens. See > https://tools.ietf.org/id/draft-wahlstroem-oauth-cbor-web-token-00.txt > > I totally agree that JWT is the correct examples to have in this document > due to the fact that they are RFC’s, they are well known and should be used > in as many places as possible, but it would be good to open up for other > types of message formats. For example like this: > > > A number of the threats listed in Section 4 demand protection of the > access token content and a standardized solution in form of, for example, > a JSON- > based format, is available with the JWT [RFC7519]. > > > > —— > > For that > purpose the client will have to authenticate the resource server > before transmitting the access token. > > > > I’m missing a description about how this is handled in an end-to-end > security scenario. > > ——— > > The resource server queries the authorization server for the > symmetric key. This is an approach envisioned by the token > introspection endpoint [I-D.ietf-oauth-introspection]. > > > > Not a question for this draft maybe, but in what draft is the introspection > response claim defined? It’s not defined in > https://tools.ietf.org/html/rfc7662#section-2.2 and I don’t know in what > other draft it can be defined. > > —— > > In ACE WG the draft seitz-ace-oauth-authz have a profile for an access > request to make it work over CoAP. CoAP is the HTTP equivalent for > constrained devices, and it has limitations, for example it can’t send large > tokens in options (headers in "http-speak"). This means that the draft > defines a way to first send the PoP token to an new endpoint on the resource > server to establish a security context. Then the real request against the > resource server can be done once the security context is established. See > more details here > https://tools.ietf.org/html/draft-seitz-ace-oauth-authz-00#section-5.2. > > An open question; should a flow like that be added to the architecture > section? That means a new section 7.5. > > —— > > Thanks for writing this. I think it’s very important work. > > / Erik > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- Best regards, Kathleen
- [OAUTH-WG] A review of draft-ietf-oauth-pop-archi… Erik Wahlström neXus
- Re: [OAUTH-WG] A review of draft-ietf-oauth-pop-a… Phil Hunt
- Re: [OAUTH-WG] A review of draft-ietf-oauth-pop-a… Erik Wahlström neXus
- Re: [OAUTH-WG] A review of draft-ietf-oauth-pop-a… Phil Hunt
- Re: [OAUTH-WG] A review of draft-ietf-oauth-pop-a… Justin Richer
- Re: [OAUTH-WG] A review of draft-ietf-oauth-pop-a… Erik Wahlström neXus
- Re: [OAUTH-WG] A review of draft-ietf-oauth-pop-a… Kathleen Moriarty
- Re: [OAUTH-WG] A review of draft-ietf-oauth-pop-a… Kathleen Moriarty
- Re: [OAUTH-WG] A review of draft-ietf-oauth-pop-a… Phil Hunt