Hi all,
Please see below my comments on
draft-ietf-ace-revoked-token-notification-00.
Best,
Marco
1. Unhandled cursor value out of bounds
In Appendix B.4.3, there is one unhandled case:
The AS receives a request with P > MAX_INDEX, where MAX_INDEX is the index
of the latest TRL update for the requester.
That is, the requester specifies an out-of-bound index.
I believe that this should be treated as a malicious activity as the
requester deliberately chooses an index value with no rationale at all.
Differently, and as already addressed in B.4.3, if the requester specifies
as the cursor value a positive integer L lower than the minimum index that the
AS has available, we may assume that the series with index L has been
removed from the history of updates for that requester.
This request is considered legit and is handled elegantly (‘diff’: empty
CBOR array; ‘cursor’: Null; ‘more’: True).
However, if P > MAX_INDEX, I see two options for the AS response:
1. Send a 4.00 BAD REQUEST Response to the requester; or
2. Send a 2.05 CONTENT Response, specifying within the CBOR map the
parameters:
- ‘diff’: empty CBOR array;
- ‘more’: False.
Since the requester specified a cursor value on no basis, I believe an
error should be returned.
The 4.00 Response could have the content format application/ace-trl+cbor
and include:
- ‘error’: with value an integer indicating the class of error, e.g.,
INVALID_CURSOR_PARAMETER
- ‘error_description’: optional, with value a text string giving more
details
- ‘cursor’: with value a positive integer indicating the index of the
latest TRL update for the requester (MAX_INDEX), or Null if the history of
updates for the requester is empty.
This would require registering ‘error’ and ‘error_description’ as
additional parameters under the content format application/ace-trl+cbor.
2. Off-by-one error
Again, in Appendix B.4.3, I think I found two corner cases that have to be
addressed. Let the requester specify P as the cursor value:
i) The oldest TRL update at the AS for the requester is the series item
having value P+1.
The AS should consider this request legit and return the series items
starting from P+1.
ii) The latest TRL update at the AS for the requester (MAX_INDEX) is the
series item having value P.
The AS should consider this request legit and return a combination of
parameters to signal the requester that it does not have series more recent
than P to send.
3. Message format
In the third mode (Appendix B), the AS returns a CBOR map within 2.05
Responses, while in full query mode (Section 5.1) and diff query mode
(Section 5.2) the AS returns a CBOR array.
However, if the third mode is used, the 2.05 Content Responses to both full
query and diff query mode requests are CBOR maps (Appendix B.2 and B.4).
Consider having the 2.05 payload in any mode be a CBOR map under the
content format application/ace-trl+cbor, independently of support for the
third mode.
If the AS (and/or the requester) does not support the third mode, the 2.05
Content Response to a full query request could be a CBOR map containing
only the ‘trl’ parameter with value the CBOR array of token hashes (the
‘cursor’ parameter is not included).
The same applies to the diff query mode, where the CBOR map would contain
the ‘diff’ parameter with value the CBOR array of diff entries.
This results in two bytes of overhead compared to the current solution, i.e.,
the transmission of the CBOR array only.
Note that error handling would introduce a reason to support a content
format based on maps. If so, the requester should already be capable of
processing CBOR maps.
_______________________________________________
Ace mailing list
https://www.ietf.org/mailman/listinfo/ace
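The cursor cases discussed in the message above (out-of-bounds P, P equal to MAX_INDEX, P+1 being the oldest available item, and P+1 already pruned) can be checked against a small model of the AS-side handler. The following Python is an added example, not code from the draft or from any ACE implementation: the integer map labels (TRL, DIFF, CURSOR, MORE, ERROR), the INVALID_CURSOR_PARAMETER value, the diff-entry layout and the ascending ordering of returned items are all assumptions. The minimal CBOR encoder at the end is included only to measure the overhead of wrapping the diff array in a map under an integer key, which is the two bytes mentioned in point 3.

```python
# Added example: AS-side handling of a diff query carrying a cursor value,
# plus a minimal CBOR encoder to measure the map-versus-array overhead.
# Labels, error value, diff-entry layout and ordering are assumptions.

# Assumed integer labels for the map keys (placeholders, not a registry).
TRL, DIFF, CURSOR, MORE, ERROR = 0, 1, 2, 3, 4
INVALID_CURSOR_PARAMETER = 0  # assumed value for the error class


class TrlHistory:
    """Per-requester history of TRL updates. Each update is a series item with
    a strictly increasing index; only the most recent max_history are kept."""

    def __init__(self, max_history):
        self.max_history = max_history
        self.items = {}          # index -> diff entry (constructed below)
        self.next_index = 0

    def record_update(self, diff_entry):
        self.items[self.next_index] = diff_entry
        self.next_index += 1
        while len(self.items) > self.max_history:   # prune the oldest item
            del self.items[min(self.items)]

    def min_index(self):
        return min(self.items) if self.items else None

    def max_index(self):
        return max(self.items) if self.items else None


def handle_diff_query(history, cursor):
    """Return (CoAP code, response map) for a diff query with cursor P."""
    max_index = history.max_index()
    if (isinstance(cursor, bool) or not isinstance(cursor, int) or cursor < 0
            or max_index is None or cursor > max_index):
        # Point 1: P out of bounds (or no history at all) is an error; the
        # response carries MAX_INDEX (or Null) so the requester can resync.
        return "4.00", {ERROR: INVALID_CURSOR_PARAMETER, CURSOR: max_index}
    if cursor == max_index:
        # Point 2.ii: nothing more recent than P; say so explicitly.
        return "2.05", {DIFF: [], CURSOR: cursor, MORE: False}
    if cursor + 1 < history.min_index():
        # P+1 has been pruned: the requester cannot be caught up by a diff,
        # so reply with the "history gap" combination from B.4.3.
        return "2.05", {DIFF: [], CURSOR: None, MORE: True}
    # Point 2.i and the regular case: P+1 is available (it may be the oldest
    # item), so return the items from P+1 up to MAX_INDEX, ascending.
    entries = [history.items[i] for i in range(cursor + 1, max_index + 1)]
    return "2.05", {DIFF: entries, CURSOR: max_index, MORE: False}


def _head(major, n):
    """CBOR initial byte(s) for major type `major` with argument `n`."""
    mt = major << 5
    if n < 24:
        return bytes([mt | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([mt | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR")


def cbor_encode(v):
    """Encode the CBOR subset used here: ints, bytes, text, arrays, maps,
    booleans and null (no floats, tags or indefinite-length items)."""
    if v is None:
        return b"\xf6"
    if v is True:
        return b"\xf5"
    if v is False:
        return b"\xf4"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        enc = v.encode("utf-8")
        return _head(3, len(enc)) + enc
    if isinstance(v, (list, tuple)):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(
            cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError("unsupported type: %r" % type(v))


def map_overhead(entries):
    """Bytes added by wrapping the diff array in a one-entry map with an
    integer key: one byte of map header plus one byte of key (label < 24)."""
    return len(cbor_encode({DIFF: entries})) - len(cbor_encode(entries))


if __name__ == "__main__":
    h = TrlHistory(max_history=3)
    for i in range(5):   # constructed entries; indices 0..4, only 2..4 kept
        h.record_update([[bytes([i]) * 4], []])
    for p in (5, 4, 1, 0):
        print(p, handle_diff_query(h, p))
    print("map overhead:", map_overhead([[[b"\x01" * 4], []]]), "bytes")
```

With three items kept (indices 2, 3 and 4), P=1 is accepted because P+1 is the oldest item, P=0 yields the empty-diff/Null-cursor/more=True combination, P=4 yields an empty diff with more=False, and P=5 yields the 4.00 error carrying MAX_INDEX.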