Ludwig, I do believe that this would reveal too much information to an attacker, especially if IoT devices are being deployed in “hostile environments.” While this may be appropriate in a home and potentially industry setting, it is certainly not appropriate in a more contested setting.
The UMA approach presented by Cigdem is an option, given that the RS is able to verify with the AS that the request comes from a client that is currently paired to the AS. However, I do agree that reachability to the AS may not always be possible. If this is included as an option, the security considerations would need to be clearly noted. * Grace ______________________________________________ Grace A. Lewis, Ph.D. Principal Researcher Carnegie Mellon Software Engineering Institute Software Solutions Division (SSD) Tactical Technologies Group (TTG) 4500 Fifth Ave. Pittsburgh, PA 15213 Phone: (412) 268-5851 http://www.sei.cmu.edu/staff/glewis From: Ace <[email protected]> on behalf of Cigdem Sengul <[email protected]> Date: Wednesday, October 25, 2017 at 10:27 AM To: Ludwig Seitz <[email protected]> Cc: "[email protected]" <[email protected]> Subject: Re: [Ace] Question about the response to an unauthorized request Hello, To bring a different view, I wanted to mention Kantara UMA (User Managed Access) approach to this problem. (I participated in the UMA v2.0 development this year, so had the chance to be more familiar with the new drafts.) In UMA, the resource server must respond to a client's tokenless (unauthorized) access attempt by obtaining a permission ticket from the authorization server. If RS is able to obtain a permission ticket from the AS, RS returns this ticket to the client also with the AS uri to aid AS discovery. UMA handles resources (resource sets, permissions etc.) differently but the permission requests (from RS to AS) can be considered as signaling to the AS what audience/scope RS expects. In ACE, there are limitations of course - i.e., RS may not always reach AS etc. Nevertheless, it may be useful to think how other groups approach similar problems. Best, --Cigdem On Mon, Oct 23, 2017 at 2:38 PM, Ludwig Seitz <[email protected]<mailto:[email protected]>> wrote: Hello ACE, Jim Schaad has brought up an interesting question [1] on draft-ietf-ace-oauth-authz [2]: Currently when a client makes an unauthorized request to a resource server, it gets back the address of the authorization server and optionally a nonce (to prevent replay attacks). Jim is suggesting to add hints to the audience and scope the resource server expects for accessing this resource. I'm not sure whether that would not reveal too much information to a potential attacker. What does the group think of this issue? /Ludwig [1] https://github.com/ace-wg/ace-oauth/issues/124 [2] https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-08#section-5.1.2 -- Ludwig Seitz, PhD Security Lab, RISE SICS Phone +46(0)70-349 92 51<tel:%2B46%280%2970-349%2092%2051> _______________________________________________ Ace mailing list [email protected]<mailto:[email protected]> https://www.ietf.org/mailman/listinfo/ace
_______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
