Hi Steffi,

I anticipate that the use of tokens with IoT devices works similarly to OAuth deployments today. As such, if you distribute self-contained tokens then you sign or MAC them. We have registered the necessary claims already, which includes the expiry. As such, I expect it to be used as well.

If we forgot to mention explicitly that we follow the best current practices in OAuth then we should add that reference. I will check the text...

Ciao
Hannes

-----Original Message-----
From: Ace <ace-boun...@ietf.org> On Behalf Of Stefanie Gerdes
Sent: Friday, 14 December 2018 16:15
To: Ludwig Seitz <ludwig.se...@ri.se>; Jim Schaad <i...@augustcellars.com>; ace@ietf.org
Subject: [Ace] Token (In)Security

Hi all,

as I understand the current proposal of the ACE framework, an attacker can send an access token to the RS that only contains a scope and is not signed or otherwise protected. Section 5.8.1.1 (titled verifying an access token) does not state that RS must check the authenticity of the token, therefore RS can accept it. Since the token does not contain an exp field, it is infinitely valid. The attacker thus gains infinite unconditional access. Is this really what we want from a security framework?

I would expect section 5.8.1.1 to provide information if and when RS must check that the token stems from an authorized AS to prevent this scenario.

Kind regards
Steffi

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
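The RS-side checks the thread is arguing about (authenticity of the token and an expiry claim), shown as an added example that is not part of the mailing-list exchange and not code from the ACE framework. The token format here is a constructed stand-in (base64url claims JSON, a dot, and an HMAC-SHA256 tag), not the CWT/COSE wire format; the shared key, claim values and the "reject tokens without exp" rule are assumptions chosen to make the checks visible.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Tuple

# Assumed: a symmetric key shared between the AS and this RS (constructed demo value).
AS_RS_SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = AS_RS_SHARED_KEY) -> str:
    """AS side: serialize the claims and MAC them with the key shared with the RS.
    Constructed format: base64url(claims) '.' base64url(HMAC-SHA256 tag)."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64u(payload) + "." + _b64u(tag)


def verify_token(token: str, required_scope: str, now: int,
                 key: bytes = AS_RS_SHARED_KEY) -> Tuple[bool, str]:
    """RS side: the checks that must pass before any scope in the token is honoured.
    Returns (accepted, reason). Order matters: authenticity is checked before any
    claim is read, so unprotected claims never influence the decision."""
    parts = token.split(".")
    if len(parts) != 2 or not parts[1]:
        return False, "no MAC/signature: token is not protected"
    try:
        payload = _b64u_decode(parts[0])
        tag = _b64u_decode(parts[1])
    except (ValueError, binascii.Error):
        return False, "malformed token"

    # Authenticity: only an AS holding the shared key can produce a matching tag.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "MAC mismatch: token not issued by a trusted AS"

    try:
        claims = json.loads(payload)
    except ValueError:
        return False, "malformed claims"

    # Expiry: a token without exp would be valid forever, so refuse it (local policy).
    exp = claims.get("exp")
    if not isinstance(exp, int):
        return False, "no usable exp claim: refusing open-ended token"
    if now >= exp:
        return False, "token expired"

    # Scope: only now is the scope claim trusted enough to be compared.
    scopes = str(claims.get("scope", "")).split()
    if required_scope not in scopes:
        return False, "scope does not cover the requested resource"
    return True, "ok"


if __name__ == "__main__":
    NOW = 1_600_000_000  # constructed clock value for the demo
    # An unprotected token carrying only a scope: rejected before its claims are read.
    print(verify_token(_b64u(b'{"scope":"read"}'), "read", NOW))
    # A MACed token with exp from the AS: accepted while it is fresh.
    good = issue_token({"iss": "as1", "aud": "rs1", "scope": "read", "exp": NOW + 600})
    print(verify_token(good, "read", NOW))
    # The same token seen after expiry: rejected.
    print(verify_token(good, "read", NOW + 601))
```

A real deployment would replace the JSON-plus-HMAC stand-in with CWT and COSE (or JWT and JOSE), but the order of the checks carries over unchanged: verify the MAC or signature against a key from a trusted AS first, then enforce exp, then evaluate scope.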