Hello, Thanks, Jim, this was helpful, and it also triggered that I go back and read the introspection section of the core draft again.
> > > [JLS] For introspection, but not for a published token, the token could be > “revoked” by the RS. In this case a new introspection check would lead to > that information. There may be ways to deal with this in the introspection > dialog and not need to be called up here. The question would be does the > exi field mean – recheck the token or discard the token. > Understood. We definitely need to clarify here what we do with exi field if it exists, and if it doesn't exist. The MAY language we used in the draft is not appropriate if exi does not exist. We considered the expiration time in the introspection response as a revocation signal and hence RS discards the token. (The basic flow was: RS receives a token, introspects it, caches the result and then when it expires, it revokes the token - which may next lead to different steps depending on the version of the MQTT.) But if introspection is done to handle the case of dynamic authorisation decisions, and exi would signal a recheck indeed. Will clarify. Thanks, --Cigdem > > > Jim > > > > > > 7. That is correct. Will add the clarification. > > > > Thanks, > > --Cigdem > > > > > > > > > > On Wed, May 22, 2019 at 10:58 PM Jim Schaad <[email protected]> > wrote: > > Thanks for the updates from my last message. This has helped quite a bit.. > > 1. A discussion of the use of raw public keys rather than certificates for > the server may be in order. This can refer to the same RPK issues from the > current DTLS document. It may also be that this just uses normal > certificate processing and that should be noted as well, but some > discussion > of deciding if the subject name/alt name matches the token returned from > the > AS. > > For the connect message there are a couple of issues that need to be > thought > about. > > 2. What items are required to be in the connect message. The response to > my last message suggested that a client identifier is required to be > present > but that is not documented. > > 3. It is not completely clear what portions of the CONNECT message are > being covered by the signature/MAC value. As an example, is the password > field omitted entirely or is it set to a zero length password. In addition > to this, from the couple of implementations that I have looked at the > entire > packet is not passed out of the base server code for authentication > purposes. This might need to be taken into account in terms of what is > used > for the body and how it is constructed. (As a side note, the > implementations that I have looked at so far also think that the password > is > a text string rather than a binary value which is going to be a short term > issue as well.) > > 4. I must admit that I am disappointed that there is no challenge response > mechanism in the MQTT specifications. I don't know that anything can be > done at this point about it but there are some security issues that need to > be highlighted because of this in the security considerations section. > Only > the v3 seems to have this problem. Also doing the channel binding would > deal with this problem as well. Might just need some general discussions > around the channel binding text. > > 5. Is there an intention to provide a "standard" format for the scope > field > or just to leave it as ad hoc? > > 6. It might be reasonable in section 2.1.3 to note that even if a result > is > cached, that cached check should be limited for a specific amount of time > to > recheck if the token is still active. More of an issue in terms of how > long > to cache for introspection. > > 7. In section 2.1.4 - I would presume that the last paragraph should be > extended to say that the token is stored only for the length of the > connection. That is the token always needs to be supplied every time a > connect message is sent. > > Jim > > > _______________________________________________ > Ace mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/ace > >
_______________________________________________ Ace mailing list [email protected] https://www.ietf.org/mailman/listinfo/ace
