Hi Ludwig, A few remarks inline:
-----Original Message----- From: Ludwig Seitz <ludwig.se...@ri.se> Sent: Dienstag, 18. Dezember 2018 09:27 To: Hannes Tschofenig <hannes.tschofe...@arm.com>; Stefanie Gerdes <ger...@tzi.de>; Jim Schaad <i...@augustcellars.com>; ace@ietf.org Subject: Re: [Ace] Security of the Communication Between C and RS On 15/12/2018 16:04, Hannes Tschofenig wrote: > Hi Steffi, > > ~snip~ > >> I really think you should point out that symmetric keying material >> that the AS provides to the client is valid as long as the token. > > I think that's a useful recommendation. I do, however, believe that we > are not making the same assumption for an asymmetric key bound to the > token. > Ok, I'll add text to the draft that says this. Note that this can be trouble if a client asks the AS to bind an existing symmetric pop-key to another (new) token it is requesting. Which one of the two tokens bound to that key is now steering the expiration of the key? [Hannes] Normally, the client would only request a symmetric PoP token from the AS and the AS would create the symmetric key and return the PoP token + the symmetric key. Hence, in the normal case this shouldn't be happen. >> The access information optionally can contain an expires_in field. >> It would help to prevent security breaches under the following >> conditions: > 1. the keying material is valid as long as the ticket, 2. the > expires_in field is present in the access information that AS sends to > C, 3. the client checks the expires_in field when it gets the access > information from the AS, and 4. the client checks if the keying > material is still valid each time before it sends a request to RS. > > These checks make sense to me. > Are you proposing we make the expires_in field mandatory? If so, why isn't it mandatory already in OAuth (currently only RECOMMENDED)? [Hannes] I would do the check when the field is actually there. However, it is a good question why it is not mandatory in OAuth. Let me drop a mail to the list. Ciao Hannes /Ludwig -- Ludwig Seitz, PhD Security Lab, RISE Phone +46(0)70-349 92 51 IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
