In short this draft focuses on the C to AS connection and draft-gerdes-ace-dtls-authorize focuses on the C to RS connection.
This draft details how to use RPK or PSK as client credentials to set up the (D)TLS between C and AS, while draft-gerdes-ace-dtls-authorize provides details for how to use the RPK or PSK bound to an access token to set up the connection between C and RS.

//Samuel

On Sun, May 14, 2017 at 10:18 PM, Jim Schaad <i...@augustcellars.com> wrote:
> How is this draft supposed to interact with draft-gerdes-ace-dtls-authorize?
>
> Jim
>
> From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of Samuel Erdtman
> Sent: Friday, May 12, 2017 1:03 AM
> To: <oauth@ietf.org>; ace <a...@ietf.org>
> Cc: Ludwig Seitz <ludwig.se...@ri.se>
> Subject: [Ace] New OAuth client credentials RPK and PSK
>
> Hi ACE and OAuth WGs,
>
> I and Ludwig submitted a new draft yesterday defining how to use Raw Public Key and Pre Shared Key with (D)TLS as OAuth client credentials, https://datatracker.ietf.org/doc/draft-erdtman-ace-rpcc/.
>
> We think this is valuable to the ACE work since the ACE framework is based on OAuth, but client credentials as defined in the OAuth framework are not the best match for embedded devices.
>
> We think Raw Public Keys and Pre Shared Keys are more suitable credentials for embedded devices for the following reasons:
>
> * Better security by binding to the transport layer.
>
> * If PSK DTLS is to be used, a key needs to be distributed anyway, so why not make use of it as a credential.
>
> * Client id and client secret accommodate manual input by humans. This does not scale well and requires some form of input device.
>
> * Some/many devices will have crypto-hardware that can protect key material; to not use that possibility would be a waste.
>
> * There are probably more reasons; these were just the ones on top of my head.
>
> This is not the first recent initiative to create new client credential types; the OAuth WG adopted a similar draft for certificate-based client credentials (https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html). That work is also valuable to ACE, but not all devices will be able to work with certificates or even asymmetric crypto.
>
> Please review and comment.
>
> Cheers
>
> //Samuel
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth