Jim now I see, thanks for explaining. Yes, we do need to send roles with the public keys, that makes sense. It also makes sense to have this formatted with 2 arrays as Marco suggests. I’d also make use of CBOR sequences:
<<( [ key1, key2, key3] , [role1, role2, [role1, role2] ] ) >> where ( , ) denotes CBOR sequence and << >> bstr wrapping. Key1 has role1, key 3 has roles 1 and 2. I believe ace-key-groupcomm should define the above formatting (in 4.1.2.1. parameter pub_keys, possibly renaming it if you think it’s necessary). Ace-key-groupcomm does not need to discuss roles formatting, as that is left to application profiles. Ace-key-groupcomm-oscore should define roles formatting and possibly give shortened values to use for those defined. Also I do not believe they should be registered in IANA as you Marco seem to imply. Thanks, Francesca From: Ace <ace-boun...@ietf.org> on behalf of Marco Tiloca <marco.til...@ri.se> Date: Thursday, 27 February 2020 at 13:52 To: Jim Schaad <i...@augustcellars.com>, Ace Wg <ace@ietf.org> Subject: Re: [Ace] Jim's Proposal on legal requestor Hi Jim, On 2020-02-26 18:59, Jim Schaad wrote: From: Ace <ace-boun...@ietf.org><mailto:ace-boun...@ietf.org> On Behalf Of Marco Tiloca Sent: Wednesday, February 26, 2020 6:08 AM To: Michael Richardson <mcr+i...@sandelman.ca><mailto:mcr+i...@sandelman.ca>; Jim Schaad <i...@augustcellars.com><mailto:i...@augustcellars.com>; ace@ietf.org<mailto:ace@ietf.org> Subject: Re: [Ace] Jim's Proposal on legal requestor Hi! Jim, I think now I understand your idea and it makes sense to me. Some comments in line below. Best, /Marco On 2020-02-26 14:17, Michael Richardson wrote: clarifying question. Jim Schaad <i...@augustcellars.com><mailto:i...@augustcellars.com> wrote: > I do not seem to have been doing a good job of explaining the issue > that I am raising here, so I am going to go scenario based for a > description. > (1) I get an access token from an AS with a scope of [ > "coap://multicast-01", ["responder"]] > (2) I join the group associated > with that address > (3) I then decide to send the message below out > encrypted with the group symmetric key and signed with the public key I > registered during the join > GET coap://multicast-01/resource1 .... (I numbered the steps) I believe that (1) was intended to allow you to become a responder for this resource. ==>MT Step (1) is intended to allow access to the group-membership resource at the Group Manager (GM), to get the keying material for communicating in the group. Practically, the roles are currently used only at the GM to determine which public keys is relevant to return to a node upon its joining. <== [JLS] When implies that the only roles of interest are “monitor” vs not “monitor”. > It then processes the get request > because it does not know that this is a violation of the scope assigned > to me by the AS. ! ==>MT As above, the original idea for that scope was to have it applied to the group joining itself and the resource at the GM to access for joining. But I agree that we should inform the other group members of that role, i.e. "allowed to send requests" and/or "allowed to send responses". <== > The only way that I know for the server TimeX to enforce the allowable > operations is for that information to be propagated along with the > signature public key from the KDC to the server. ==>MT This can be one more parameter in the Joining Response or in the Public Key Response, when request public keys of group members are included. Together with the array of public keys, we can have a same-ordered array of roles echoing the roles from the scope of the Access Token above. Each element of the array can possibly be an array of roles. How does it sound? <== [JLS] Yes this makes sense. The only potential issue is what happens if the set of roles becomes in some sense unbounded for an application. However, in that case I would expect that the list of roles would be known to the joining clients. The one thing that comes up here is should there be a compression of these values since we are sending them to a larger group of people. ==>MT Yes, I think so. One integer per role should work, registered by the profile or application defining that role. Other that the wider distribution you mention above, compression is good anyway considering the recently discussion on 'scope' covering multiple groups, each with its role(s) indicated. <== Best, /Marco One can create a > similar scenario on the other side where a client sends a response when > it is only authorized as a "requester". ==>MT Right, if it's "requester"-only. <== It seems to me that if the access control to the group is a group-shared symmetric key + asymmetric signature, that each responder requires the list of valid signers. Or, we need LAKE to turn the group key into 1:1. ==>MT What I understand from Jim's proposal is essentially enabling at each group member a list of valid request signers and valid response signers. <== ==>MT Just to complement, this is all fine for this level of "filtering", i.e. "this group member can send requests/responses or not". We have a separate draft at [1], defining a new Group OSCORE profile of ACE, to enforce access control within the group, i.e. to access group members' resources after having joined, i.e. as a group member towards another group member. That is, that profile considers a granularity of exact REST methods and resources, i.e. as fine-grained as ACE can be. Also, it enables having together ACE-based access control and Group OSCORE, which is so far not possible with other profiles. The current version -01 in the datatracker defines a "full mode" where both OSCORE and Group OSCORE are considered as security protocols between Client and RS. We plan to submit soon an updated version, focusing more on a lighter, intended-to-be main mode, that focuses on using only Group OSCORE as security protocol between Client and RS. [1] https://tools.ietf.org/html/draft-tiloca-ace-group-oscore-profile-01 <== Best, /Marco -- Michael Richardson <mcr+i...@sandelman.ca><mailto:mcr+i...@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =- _______________________________________________ Ace mailing list Ace@ietf.org<mailto:Ace@ietf.org> https://www.ietf.org/mailman/listinfo/ace -- Marco Tiloca Ph.D., Senior Researcher RISE Research Institutes of Sweden Division ICT Isafjordsgatan 22 / Kistagången 16 SE-164 40 Kista (Sweden) Phone: +46 (0)70 60 46 501 https://www.ri.se _______________________________________________ Ace mailing list Ace@ietf.org<mailto:Ace@ietf.org> https://www.ietf.org/mailman/listinfo/ace -- Marco Tiloca Ph.D., Senior Researcher RISE Research Institutes of Sweden Division ICT Isafjordsgatan 22 / Kistagången 16 SE-164 40 Kista (Sweden) Phone: +46 (0)70 60 46 501 https://www.ri.se
_______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
