That language works if you assume that there is only one CWT that an RS will look to. If there are multiple CWTs, then one needs coordination language between them.
> -----Original Message-----
> From: Hannes Tschofenig <[email protected]>
> Sent: Friday, June 22, 2018 6:36 AM
> To: Jim Schaad <[email protected]>; 'Mike Jones' <[email protected]>; draft-ietf-ace-cwt-proof-of-[email protected]
> Cc: [email protected]
> Subject: Key IDs ... RE: [Ace] WGLC on draft-ietf-ace-cwt-proof-of-possession-02
>
> Hi Jim,
>
> I would like to comment on this issue.
>
> -----
>
> > > 14. I have real problems w/ the use of a KID for POP identification. It may
> > > identify the wrong key or, if used for granting access, may have problems w/
> > > identity collisions. These need to be spelt out someplace to help people
> > > tracking down questions of why can't I verify w/ this CWT, I know it's right.
> >
> > The Key ID is a hint to help identify which PoP key to use. Yes, if a Key ID is
> > sent that doesn't correspond to the right PoP key, failures may occur. I view
> > that as a usage bug - not a protocol problem. If keys aren't consistently known
> > and identified by both parties, there are lots of things that can go wrong, and
> > this is only one such instance. That said, I can try to say something about the
> > need for keys to be consistently known by both parties, if you think that
> > would help.
>
> > My problem is that if there are two different people with the same Key ID,
> > either intentionally or unintentionally, then using the key ID to identify the
> > key may allow the other person to masquerade as the first person. I am
> > unworried about the instance of a failure to get a key based on a key id.
> > That is not the problem you are proposing to address.
>
> -----
>
> I think we should document this issue. Here is some text proposal that could
> go into a separate operational consideration section (or into the security
> consideration section instead).
>
> "
> - Operational Considerations
>
> The use of CWTs with proof-of-possession keys requires additional
> information to be shared between the involved parties in order to ensure
> correct processing. The recipient needs to be able to use credentials to verify
> the authenticity, integrity and potentially the confidentiality of the CWT and
> its content. This requires the recipient to know information about the issuer.
> Likewise there needs to be an upfront agreement between the issuer and
> the recipient about the claims that need to be present and what degree of
> trust can be put into those.
>
> When an issuer creates a CWT containing a key id claim, it needs to make
> sure that it does not issue another CWT containing the same key id with a
> different content, or for a different subject, within the lifetime of the CWTs,
> unless intentionally desired. Failure to do so may allow one party to
> impersonate another party with the potential to gain additional privileges.
> "
>
> Ciao
> Hannes
>
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended recipient,
> please notify the sender immediately and do not disclose the contents to any
> other person, use it for any purpose, or store or copy the information in any
> medium. Thank you.

_______________________________________________
Ace mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ace
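The kid-collision problem Jim raises, and the issuer-side rule in Hannes's proposed text, modelled as an added example. This is illustrative code written for this page, not code from draft-ietf-ace-cwt-proof-of-possession or from anyone in the thread, and it makes several simplifying assumptions: a CWT is a JSON dict with textual claim names rather than CBOR/COSE, the issuer protects it with an HMAC under a key shared with the RS, proof of possession is an HMAC over an RS-chosen nonce, and the RS resolves the PoP key by nothing but the kid in the cnf claim. The parties (Alice with scope admin, Bob with scope read), the keys and the reused kid "01" are constructed for illustration, as is the assumption that Bob holds a copy of Alice's CWT (the situation PoP is meant to make harmless).

```python
"""Kid-collision model for CWT proof-of-possession (added example, not from the draft)."""
import hashlib
import hmac
import json
import secrets
import time

ISSUER_KEY = b"as-rs-shared-secret"   # assumption: symmetric key protecting CWT integrity


def _mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256, hex encoded so the tag never contains the b'.' separator."""
    return hmac.new(key, data, hashlib.sha256).hexdigest().encode()


class Issuer:
    """Authorization server that references the PoP key by kid in the cnf claim."""

    def __init__(self, enforce_unique_kid):
        # When True, apply the rule from the proposed text: a kid that is still
        # live in an issued CWT is never re-issued for a different subject.
        self.enforce_unique_kid = enforce_unique_kid
        self.live_kids = {}   # kid -> (sub, exp) for CWTs that have not expired

    def issue(self, sub, scope, kid, lifetime=3600):
        now = time.time()
        if self.enforce_unique_kid:
            self.live_kids = {k: v for k, v in self.live_kids.items() if v[1] > now}
            bound = self.live_kids.get(kid)
            if bound is not None and bound[0] != sub:
                raise ValueError("kid %r still bound to subject %r" % (kid, bound[0]))
            self.live_kids[kid] = (sub, now + lifetime)
        claims = {"iss": "as.example", "sub": sub, "scope": scope,
                  "exp": now + lifetime, "cnf": {"kid": kid}}
        body = json.dumps(claims, sort_keys=True).encode()
        return body + b"." + _mac(ISSUER_KEY, body)


class ResourceServer:
    """RS that resolves the PoP key purely by the kid carried in cnf."""

    def __init__(self):
        self.pop_keys = {}   # kid -> PoP key, established out of band (assumption)

    def register_key(self, kid, key):
        self.pop_keys[kid] = key

    def authorize(self, cwt, nonce, proof):
        """Return the (sub, scope) the RS will act on, or None if any check fails."""
        body, tag = cwt.rsplit(b".", 1)
        if not hmac.compare_digest(_mac(ISSUER_KEY, body), tag):
            return None
        claims = json.loads(body)
        if claims["exp"] < time.time():
            return None
        key = self.pop_keys.get(claims["cnf"]["kid"])
        if key is None or not hmac.compare_digest(_mac(key, nonce), proof):
            return None
        return claims["sub"], claims["scope"]


def scenario(enforce_unique_kid):
    """Alice (admin) and Bob (read) both end up with kid "01" at the same RS.

    Returns (alice_with_her_own_key, bob_with_alices_cwt_before_kid_reuse,
             bob_with_alices_cwt_after_kid_reuse).
    """
    issuer, rs = Issuer(enforce_unique_kid), ResourceServer()
    k_alice, k_bob = secrets.token_bytes(32), secrets.token_bytes(32)
    rs.register_key("01", k_alice)
    cwt_alice = issuer.issue("alice", "admin", "01")
    nonce = secrets.token_bytes(16)

    legit = rs.authorize(cwt_alice, nonce, _mac(k_alice, nonce))
    # Bob holds a copy of Alice's CWT but not her key: PoP does its job.
    bearer_only = rs.authorize(cwt_alice, nonce, _mac(k_bob, nonce))

    try:
        issuer.issue("bob", "read", "01")      # same kid, different subject
        rs.register_key("01", k_bob)           # RS now maps "01" to Bob's key
        # Bob presents Alice's CWT and proves possession of *his* key: the RS
        # looks up "01", finds Bob's key, and acts as Alice with scope admin.
        after_reuse = rs.authorize(cwt_alice, nonce, _mac(k_bob, nonce))
    except ValueError:
        after_reuse = "refused"
    return legit, bearer_only, after_reuse
```

Without the issuer-side rule, `scenario(False)` shows the RS accepting Bob's proof for Alice's CWT once "01" has been re-bound to his key; with it, `scenario(True)` stops at the issuer, which is the only party that can see both CWTs. The RS alone cannot detect the collision from the kid, which is why the proposed text puts the obligation on the issuer.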
