IETF ACE – Authentication & Authz for Internet of Things / Scenarios & Solutions

From IIW

IETF ACE Authentication & Authorization for Internet of Things

Tuesday 4C

Convener: Thomas, Eve, Erik, Hannes

Notes-taker(s): Eve

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

The goals of the session were:

  • Interest people in getting involved in the IETF ACE (Authentication and Authorization for Constrained Environments) group: http://datatracker.ietf.org/wg/ace/charter/ (To this end, we collected the names and email addresses of nine people, and we'll be sharing them with each other and asking them to get involved.)
  • Gather ideas for adapting OAuth and UMA for responding to the authorization challenges identified by the ACE group.


In the session, we discussed the following topics:

  • Having access to multiple authorization servers is of interest. A cloud AS is desired for "sharing" functions, and a local AS is desired for "backup" and privacy functions.
  • Local token introspection is of interest. However, if the resource owner has revoked access in the meantime, there may be "entitlement latency", which in some use cases could be a severe problem.
  • "Fail open" scenarios are of more interest in IoT scenarios than web scenarios, which typically prize strong security. If a car dies on the highway because an access token has expired, it's a big problem!
  • A system design view of challenges is especially important in IoT, where, e.g., physical security and life-and-limb considerations tend to come into play.
  • The question of federated login comes up depending on use case. We examined a "door lock" scenario. If the person is an employee vs. a consumer, they will expect different login options.
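The local introspection and "fail open" points above, as an added example that is not part of the session notes: a toy authorization server and resource server (all names hypothetical) in which the RS trusts a cached introspection verdict for a TTL, so a revoked token keeps working until the cache expires (the "entitlement latency"), and each resource carries its own fail-open or fail-closed policy for when the AS is unreachable.

```python
from dataclasses import dataclass, field

@dataclass
class AuthorizationServer:
    """Toy AS (hypothetical): issues, revokes and introspects tokens."""
    active: dict = field(default_factory=dict)  # token -> set of scopes

    def issue(self, token, scopes):
        self.active[token] = set(scopes)

    def revoke(self, token):
        # Resource owner revokes access; only the AS learns this immediately.
        self.active.pop(token, None)

    def introspect(self, token):
        # RFC 7662-style verdict: {"active": bool, "scope": set}
        if token in self.active:
            return {"active": True, "scope": self.active[token]}
        return {"active": False}


class ResourceServer:
    """Constrained RS that trusts a cached verdict for cache_ttl seconds."""

    def __init__(self, auth_server, cache_ttl, fail_open):
        self.auth_server = auth_server
        self.cache_ttl = cache_ttl
        self.cache = {}             # token -> (verdict_expires_at, verdict)
        self.fail_open = fail_open  # resource -> allow when AS unreachable?

    def authorize(self, token, resource, now, as_reachable=True):
        cached = self.cache.get(token)
        if cached and cached[0] > now:
            verdict = cached[1]  # local introspection: no AS round trip
        elif not as_reachable:
            # AS unreachable and no usable cache: apply per-resource policy
            return self.fail_open.get(resource, False)
        else:
            verdict = self.auth_server.introspect(token)
            self.cache[token] = (now + self.cache_ttl, verdict)
        return bool(verdict["active"] and resource in verdict.get("scope", ()))
```

With a 60-second cache, a token introspected at t=0 and revoked at t=1 still authorizes at t=30 and is only refused once the cached verdict expires; shortening the TTL narrows that window at the cost of more AS round trips from the constrained device.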

This is a lighter-weight way of distributing keying material than Kerberos, which would be valuable in IoT scenarios.