Re: [Ace] Question about the response to an unauthorized request

2017-10-25 Thread Cigdem Sengul
Hello, To bring a different view, I wanted to mention Kantara UMA (User Managed Access) approach to this problem. (I participated in the UMA v2.0 development this year, so had the chance to be more familiar with the new drafts.) In UMA, the resource server must respond to a client's tokenless (u

Re: [Ace] Question about the response to an unauthorized request

2017-10-25 Thread Grace Lewis
Ludwig, I do believe that this would reveal too much information to an attacker, especially if IoT devices are being deployed in “hostile environments.” While this may be appropriate in a home and potentially industry setting, it is certainly not appropriate in a more contested setting. The UM

Re: [Ace] Question about the response to an unauthorized request

2017-10-25 Thread Jim Schaad
How does the RS make an informed decision about who the client is given that it is a tokenless access request? From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of Cigdem Sengul Sent: Wednesday, October 25, 2017 7:28 AM To: Ludwig Seitz Cc: ace@ietf.org Subject: Re: [Ace] Question about

Re: [Ace] Question about the response to an unauthorized request

2017-10-25 Thread Jim Schaad
I don’t think that this is going to reveal any more information to an attacker than would be available to an attacker that just asks the resource server for a resource w/o a token. Currently that is expected to return the same information. One approach that would be good to note is that i

Re: [Ace] Question about the response to an unauthorized request

2017-10-25 Thread Cigdem Sengul
UMA assumes that resource server knows “which authorization server to approach for the permission ticket and on which resource owner's behalf” deriving “the necessary information using cues provided by the structure of the API where the resource request was made, rather than by an access token.”
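The mechanism described in the post above, written out as an added example (this is not code from the thread, from the ACE drafts or from the UMA specification). The resource server receives a request with no access token, uses the structure of the request path to work out which authorization server (AS) and which resource owner the resource belongs to, and answers 401 with a WWW-Authenticate: UMA challenge carrying the AS location and a permission ticket. The path-to-AS table, the resource identifiers and the locally generated ticket are constructed stand-ins; a real UMA resource server obtains the ticket from the AS permission endpoint rather than minting it itself. Note that the challenge is produced for any requester that lacks a token, which is the property the thread is debating.

```python
"""Model of a UMA-style resource server answering a tokenless request.

Added example, not from the ACE mailing list thread or the UMA specification.
All configuration below is constructed for illustration.
"""
import re
import secrets

# Constructed configuration: the RS protects resources of two owners, each
# registered with a different AS. The path prefix is the "cue provided by the
# structure of the API" that tells the RS which AS and owner are involved.
PROTECTED_PREFIXES = {
    "/alice/": {"as_uri": "https://as.example.org", "owner": "alice",
                "resource_id": "alice-photos"},
    "/bob/":   {"as_uri": "https://as.example.net", "owner": "bob",
                "resource_id": "bob-files"},
}


def locate_authorization_server(path):
    """Return the constructed AS/owner record for a request path, or None.

    No token is inspected; only the shape of the requested path is used.
    """
    for prefix, record in PROTECTED_PREFIXES.items():
        if path.startswith(prefix):
            return record
    return None


def request_permission_ticket(record, scopes):
    """Stand-in for the RS's call to the AS permission endpoint.

    In UMA the RS registers the requested resource and scopes with the AS and
    receives an opaque ticket back; here an opaque random string is generated
    locally so the example runs offline.
    """
    assert record["resource_id"] and scopes
    return secrets.token_urlsafe(16)


def handle_tokenless_request(method, path, headers):
    """Answer a request that carries no Authorization header.

    Returns (status, response_headers, body). Unknown paths get 404; known
    paths get a 401 with a WWW-Authenticate: UMA challenge naming the AS and
    carrying a permission ticket, regardless of who the requester is.
    """
    if "Authorization" in headers:
        raise ValueError("this handler models the tokenless case only")
    record = locate_authorization_server(path)
    if record is None:
        return 404, {}, ""
    scopes = ["read"] if method == "GET" else ["write"]
    ticket = request_permission_ticket(record, scopes)
    challenge = 'UMA realm="%s", as_uri="%s", ticket="%s"' % (
        record["owner"], record["as_uri"], ticket)
    return 401, {"WWW-Authenticate": challenge}, ""


def parse_uma_challenge(value):
    """Client side: pull as_uri and ticket out of a WWW-Authenticate value.

    Returns a dict of the quoted parameters, or None if it is not a UMA
    challenge.
    """
    if not value.startswith("UMA "):
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', value[4:]))


if __name__ == "__main__":
    status, hdrs, _ = handle_tokenless_request("GET", "/alice/photos/1", {})
    print(status, hdrs["WWW-Authenticate"])
    print(parse_uma_challenge(hdrs["WWW-Authenticate"]))
```

The point a reviewer would check here is that `handle_tokenless_request` never consults anything about the requester before emitting the challenge: the AS location and the fact that the path is protected are disclosed to whoever asks, which is exactly what the replies in this thread are weighing.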

Re: [Ace] Question about the response to an unauthorized request

2017-10-25 Thread Jim Schaad
So you would be doing this based on something like the address of the requestor or the content of the request. I would completely understand the first half. Is there any way to prevent a rogue requestor from asking for information – or are you just relying on a closed system? From: Cigdem Sengul