Discussion:
[OAUTH-WG] New OAuth client credentials RPK and PSK
Samuel Erdtman
2017-05-12 08:03:28 UTC
Permalink
Hi ACE and OAuth WGs,

Ludwig and I submitted a new draft yesterday defining how to use Raw Public
Key and Pre Shared Key with (D)TLS as OAuth client credentials,
https://datatracker.ietf.org/doc/draft-erdtman-ace-rpcc/.

We think this is valuable to the ACE work since the ACE framework is based
on OAuth, but client credentials as defined in the OAuth framework are not
the best match for embedded devices.

We think Raw Public Keys and Pre Shared Keys are more suitable credentials
for embedded devices for the following reasons:
* Better security by binding to the transport layer.
* If PSK DTLS is to be used, a key needs to be distributed anyway, so why
not make use of it as the credential.
* Client id and client secret accommodate manual input by humans. This
does not scale well and requires some form of input device.
* Some/many devices will have crypto hardware that can protect key
material; not to use that possibility would be a waste.
* There are probably more reasons; these were just the ones off the top of
my head.

This is not the first recent initiative to create new client credential
types; the OAuth WG adopted a similar draft for certificate-based client
credentials (https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html).
That work is also valuable to ACE, but not all devices will be able to work
with certificates or even asymmetric crypto.

Please review and comment.

Cheers
//Samuel
Torsten Lodderstedt
2017-05-13 09:58:01 UTC
Permalink
Hi Samuel,

as far as I understand your draft, it utilizes results of the (D)TLS client authentication for authentication towards the token endpoint - similar to https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html. Do you intend to also utilize the binding of the access token to a certain key pair as described in draft-ietf-oauth-mtls?

best regards,
Torsten.

_______________________________________________
OAuth mailing list
***@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
Samuel Erdtman
2017-05-14 10:12:22 UTC
Permalink
Hi Torsten,

That is a possibility; I excluded it to keep the scope limited and because
I don't think it is as applicable with these credential types.

I think these credential types will mostly be used in IoT deployments using
the ACE framework; in that case the token will have its own key that will
most likely be used in the (D)TLS handshake between the client and resource
server, see e.g.
https://tools.ietf.org/html/draft-gerdes-ace-dtls-authorize-01.

However, if the token were not a PoP token then it could make sense. Do
you foresee such use cases where it would be useful?

One thing that I did not mention in my earlier email that could be a
possible path forward would be to merge this draft into the mtls one.

//Samuel


Jim Schaad
2017-05-14 20:18:14 UTC
Permalink
How is this draft supposed to interact with draft-gerdes-ace-dtls-authorize?

Jim

From: Ace [mailto:ace-***@ietf.org] On Behalf Of Samuel Erdtman
Sent: Friday, May 12, 2017 1:03 AM
To: <***@ietf.org> <***@ietf.org>; ace <***@ietf.org>
Cc: Ludwig Seitz <***@ri.se>
Subject: [Ace] New OAuth client credentials RPK and PSK
Samuel Erdtman
2017-05-15 08:49:02 UTC
Permalink
In short, this draft focuses on the C-to-AS connection and
draft-gerdes-ace-dtls-authorize focuses on the C-to-RS connection.

This draft details how to use RPK or PSK as client credentials to set up
the (D)TLS connection between C and AS, while draft-gerdes-ace-dtls-authorize
provides details on how to use the RPK or PSK bound to an access token to
set up the connection between C and RS.

//Samuel

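The two legs Samuel separates above (C-to-AS, where the client is authenticated by its (D)TLS PSK or RPK, and C-to-RS, where the token's own PoP key is used) and Torsten's earlier question about binding the token to the client's key pair can be made concrete with a small model of the AS token endpoint. The following is an added example, not code from the draft nor from its authors: a toy Python authorization server that takes the client's identity from the handshake result rather than from client_id/client_secret in the request body, and issues a PoP token whose key is fresh and unrelated to the credential used towards the AS. The registry keyed by PSK identity or SPKI thumbprint, the rule that a client_id in the body must match the credential's owner, and the MACed-JSON token standing in for a CWT are all assumptions of this example; the draft does not prescribe them.

```python
"""Added example (not from the draft or the thread's authors): a toy ACE/OAuth
authorization server (AS) that authenticates the client from the (D)TLS
handshake (PSK identity or Raw Public Key, RFC 7250) instead of
client_id/client_secret, and issues a PoP token carrying its own key for the
client-to-RS leg. Registry layout, client_id rule and token encoding are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class HandshakeResult:
    """Reported by the (D)TLS layer; one field is set if the client authenticated."""
    psk_identity: Optional[bytes] = None
    raw_public_key: Optional[bytes] = None  # DER SubjectPublicKeyInfo bytes

class TokenEndpointError(Exception):
    """OAuth error response; args are (error, description)."""

def credential_key(hs: HandshakeResult) -> Optional[str]:
    """Registry key: SPKI SHA-256 thumbprint for an RPK, identity for a PSK (assumed)."""
    if hs.raw_public_key is not None:
        return "rpk:" + hashlib.sha256(hs.raw_public_key).hexdigest()
    if hs.psk_identity is not None:
        return "psk:" + hs.psk_identity.decode("utf-8")
    return None

def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mac_token(claims: dict, rs_key: bytes) -> str:
    """Toy CWT stand-in: b64url(JSON claims).b64url(HMAC-SHA256 over them)."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64u(body) + "." + _b64u(hmac.new(rs_key, body, hashlib.sha256).digest())

def rs_verify_token(token: str, rs_key: bytes) -> dict:
    """RS side: check MAC and expiry; claims['cnf'] is then the client's DTLS PSK."""
    body_b64, tag_b64 = token.split(".")
    body = _unb64u(body_b64)
    if not hmac.compare_digest(_unb64u(tag_b64), hmac.new(rs_key, body, hashlib.sha256).digest()):
        raise ValueError("bad MAC")
    claims = json.loads(body)
    if claims["exp"] <= int(time.time()):
        raise ValueError("expired")
    return claims

class AuthorizationServer:
    def __init__(self, registry: dict, rs_keys: dict):
        self.registry = registry  # credential_key -> client record (assumed layout)
        self.rs_keys = rs_keys    # audience -> key shared between AS and RS (assumed)

    def token(self, hs: HandshakeResult, request: dict) -> dict:
        # Client authentication comes from the handshake, never from the body.
        key = credential_key(hs)
        client = self.registry.get(key) if key else None
        if client is None:
            raise TokenEndpointError("invalid_client", "no (D)TLS client credential")
        # A client_id in the body must match the credential's owner, so one
        # device's key cannot request tokens in another client's name.
        if "client_id" in request and request["client_id"] != client["client_id"]:
            raise TokenEndpointError("invalid_client", "client_id/credential mismatch")
        if request.get("grant_type") != "client_credentials":
            raise TokenEndpointError("unsupported_grant_type", "")
        scopes = set(request.get("scope", "").split())
        if not scopes or not scopes <= client["scopes"]:
            raise TokenEndpointError("invalid_scope", "")
        aud = request.get("aud")
        if aud not in client["audiences"] or aud not in self.rs_keys:
            raise TokenEndpointError("invalid_request", "unknown audience")
        # Fresh PoP key for the C-to-RS handshake: the credential used towards the
        # AS is not reused for the RS, so binding the token to it adds nothing here.
        cnf = {"kid": secrets.token_hex(4), "k": _b64u(secrets.token_bytes(16))}
        claims = {"iss": "as.example", "aud": aud, "sub": client["client_id"], "cnf": cnf,
                  "scope": " ".join(sorted(scopes)), "exp": int(time.time()) + 3600}
        return {"access_token": mac_token(claims, self.rs_keys[aud]),
                "token_type": "pop", "cnf": cnf}

# Constructed sample registry (not from the draft): one PSK and one RPK client.
ACTUATOR_SPKI = b"\x30\x59" + b"\x01" * 89  # placeholder bytes, not a real SPKI
REGISTRY = {
    "psk:sensor-17": {"client_id": "sensor-17", "scopes": {"temp:read"}, "audiences": {"rs1"}},
    "rpk:" + hashlib.sha256(ACTUATOR_SPKI).hexdigest():
        {"client_id": "actuator-3", "scopes": {"valve:read", "valve:write"}, "audiences": {"rs1"}},
}
RS_KEYS = {"rs1": bytes(range(32))}

def demo() -> dict:
    """C-to-AS over PSK DTLS, then RS-side verification of the resulting PoP token."""
    resp = AuthorizationServer(REGISTRY, RS_KEYS).token(
        HandshakeResult(psk_identity=b"sensor-17"),
        {"grant_type": "client_credentials", "scope": "temp:read", "aud": "rs1"})
    claims = rs_verify_token(resp["access_token"], RS_KEYS["rs1"])
    return {"claims": claims, "cnf_matches": claims["cnf"] == resp["cnf"]}
```

Running demo() exercises both legs: the AS never sees a secret in the request body, a handshake without a client credential is refused with invalid_client, and the RS accepts the token only on the AS-RS MAC and then takes the PSK for the client's DTLS handshake from the cnf claim, which is why the token needs no binding to the key the client used towards the AS.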
Adrian Imach
2017-05-15 11:27:56 UTC
Permalink
Please unsubscribe me from your mailing list. Thank you,

Adrian Imach
