Re: [Ace] New OAuth client credentials RPK and PSK

[Jim Schaad]

How is this draft supposed to interact with draft-gerdes-ace-dtls-authorize?

 

Jim

 

 

From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of Samuel Erdtman
Sent: Friday, May 12, 2017 1:03 AM
To: <oa...@ietf.org> <oa...@ietf.org>; ace <Ace@ietf.org>
Cc: Ludwig Seitz <ludwig.se...@ri.se>
Subject: [Ace] New OAuth client credentials RPK and PSK

 

Hi ACE and OAuth WGs,

I and Ludwig submitted a new draft yesterday defining how to use Raw Public Key 
and Pre Shared Key with (D)TLS as OAuth client credentials, 
https://datatracker.ietf.org/doc/draft-erdtman-ace-rpcc/.

 

We think this is valuable to the ACE work since the ACE framework is based on 
OAuth, but client credentials as defined in the OAuth framework are not the 
best match for embedded devices.

We think Raw Public Keys and Pre Shared Keys are more suitable credentials for 
embedded devices for the following reasons:

* Better security by binding to transport layer.

* If PSK DTLS is to be used a key need to be distributed any way, why not make 
use of it as credential.

* Client id and client secret accommodates for manual input by a humans. This 
does not scale well and requires some for of input device.

* Some/many devices will have crypto-hardware that can protect key material, to 
not use that possibility would be a waste.

* There are probably more reasons these was just the once on top of my head.

 

This is not the first resent initiative to create new client credential types, 
the OAuth WG adopted a similar draft for certificate based client credentials 
(https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html). That work is also 
valuable to ACE but not all devices will be able to work with certificates or 
even asymmetric cryptos .

Please review and comment.

Cheers

//Samuel

 

___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace

[Ace] New OAuth client credentials RPK and PSK

[Samuel Erdtman]

Hi ACE and OAuth WGs,

I and Ludwig submitted a new draft yesterday defining how to use Raw Public
Key and Pre Shared Key with (D)TLS as OAuth client credentials,
https://datatracker.ietf.org/doc/draft-erdtman-ace-rpcc/.

We think this is valuable to the ACE work since the ACE framework is based
on OAuth, but client credentials as defined in the OAuth framework are not
the best match for embedded devices.

We think Raw Public Keys and Pre Shared Keys are more suitable credentials
for embedded devices for the following reasons:
* Better security by binding to transport layer.
* If PSK DTLS is to be used a key need to be distributed any way, why not
make use of it as credential.
* Client id and client secret accommodates for manual input by a humans.
This does not scale well and requires some for of input device.
* Some/many devices will have crypto-hardware that can protect key
material, to not use that possibility would be a waste.
* There are probably more reasons these was just the once on top of my head.

This is not the first resent initiative to create new client credential
types, the OAuth WG adopted a similar draft for certificate based client
credentials (https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html).
That work is also valuable to ACE but not all devices will be able to work
with certificates or even asymmetric cryptos .

Please review and comment.

Cheers
//Samuel
___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace