ACE Clients in Disadvantaged Networks
draft-secheverria-ace-client-disadvantaged-00
Network Working Group                                      S. Echeverria
Internet-Draft                                                   CMU SEI
Intended status: Informational                                  L. Seitz
Expires: September 9, 2019                                          RISE
                                                           D. Klinedinst
                                                                G. Lewis
                                                                 CMU SEI
                                                           March 8, 2019

                 ACE Clients in Disadvantaged Networks
             draft-secheverria-ace-client-disadvantaged-00

Abstract

   This document describes a set of recommendations to use when
   implementing ACE/OAuth 2.0 clients that are working in disadvantaged
   networks.  Issues such as token revocation have a much higher
   priority in scenarios where Resource Servers are IoT devices, and
   network connectivity is limited and intermittent.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 9, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect

Echeverria, et al.      Expires September 9, 2019               [Page 1]
Internet-Draft               DIL ACE Clients                  March 2019

   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Sample Scenario . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Recommendations . . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Use of Client Introspection for Token Revocation  . . . .   3
       3.1.1.  Procedure . . . . . . . . . . . . . . . . . . . . . .   3
       3.1.2.  Specific Recommendations  . . . . . . . . . . . . . .   4
       3.1.3.  Alternatives  . . . . . . . . . . . . . . . . . . . .   5
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   6
   7.  Normative References  . . . . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   Authentication and authorization in IoT (Internet of Things) devices
   can be difficult due to constraints in terms of memory, processing,
   user interface, power and communication bandwidth.  OAuth 2.0 and
   derived standards, such as ACE, can still be applied to these
   scenarios, often with some modifications.  However, when IoT devices
   are working in disadvantaged networks, there are even greater
   constraints in terms of communication bandwidth.  Nodes in
   disadvantaged networks operate in what are called DIL environments
   (disconnected, intermittent, limited), which means that there is
   limited and unreliable connectivity between nodes, and potentially
   periods of full disconnection.  This document focuses on practices
   that are recommended for clients using ACE/OAuth 2.0 while working
   with IoT devices in disadvantaged networks.

   There are cases in which a client may need to obtain further
   information about a token without communicating with a Resource
   Server (RS).  One such case is when a client needs to know the active
   status of a token that it possesses.  This is particularly useful in
   disadvantaged environments where RS impersonation and sabotage are
   likely threats.
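   As an added example (not code from this draft), the following sketches
   client-side tracking of a token's active status through AS
   introspection, with a fail-closed staleness window for periods when the
   AS is unreachable.  The SimulatedAS, the max_staleness parameter and
   the clock callable are assumptions made for this example; the response
   shape follows RFC 7662's "active" field, which ACE carries in CBOR.

```python
import time

# Added example, not the draft's code: a client that tracks a token's
# active status via AS introspection and fails closed on stale answers.
# The AS is a constructed stand-in returning RFC 7662-style {"active": ...}.

class SimulatedAS:
    """Constructed authorization server: can revoke tokens and go offline."""
    def __init__(self):
        self.revoked = set()
        self.reachable = True

    def introspect(self, token):
        if not self.reachable:
            raise ConnectionError("AS unreachable")   # DIL: link is down
        return {"active": token not in self.revoked}

    def revoke(self, token):
        self.revoked.add(token)


class IntrospectingClient:
    """Hypothetical ACE/OAuth 2.0 client holding one access token."""
    def __init__(self, token, auth_server, max_staleness, clock=time.time):
        self.token = token
        self.auth_server = auth_server
        self.max_staleness = max_staleness   # seconds a cached 'active' stays trusted
        self._clock = clock
        self.last_known_active = None
        self.last_checked = None

    def refresh_status(self):
        """Query the AS; returns True if it answered, False if unreachable."""
        try:
            resp = self.auth_server.introspect(self.token)
        except ConnectionError:
            return False                      # keep cached status, timestamp unchanged
        self.last_known_active = bool(resp.get("active", False))
        self.last_checked = self._clock()
        return True

    def may_use_token(self):
        """Fail closed: use the token only on a fresh, positive introspection."""
        if not self.last_known_active or self.last_checked is None:
            return False
        return (self._clock() - self.last_checked) <= self.max_staleness
```

   Once the staleness window lapses with no AS contact, the client stops
   using the token even though its last known status was active.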

   Section 2 describes a sample scenario and Section 3 describes
   recommendations for client implementation, including the use of
   client introspection: ensuring only authorized clients can perform
   client introspection, enabling decryption of self-contained tokens,