Re: [Ace] [EXTERNAL] Re: [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)

Seitz Ludwig <ludwig.seitz@combitech.se> Thu, 12 March 2020 08:06 UTC

From: Seitz Ludwig <ludwig.seitz@combitech.se>
To: Chuck Mortimore <charliemortimore@gmail.com>, Mike Jones <Michael.Jones@microsoft.com>
CC: Ludwig Seitz <ludwig_seitz@gmx.de>, "drafts-expert-review@iana.org" <drafts-expert-review@iana.org>, "cwt-reg-review@ietf.org" <cwt-reg-review@ietf.org>, "chuck.mortimore@visa.com" <chuck.mortimore@visa.com>, "draft-ietf-ace-oauth-authz@ietf.org" <draft-ietf-ace-oauth-authz@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [EXTERNAL] Re: [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)
Thread-Index: AQHV9/5TBAEZsCgi4k++oGgwGUuBE6hEBROAgACN7KA=
Date: Thu, 12 Mar 2020 08:05:27 +0000
Message-ID: <51f4eaa508c74bd6afc067bdcd7bcb94@combitech.se>
References: <RT-Ticket-1158953@icann.org> <03f0f73f-4c82-9089-0a81-471a5fb54ba8@gmx.de> <d23d83eb-44ef-bece-cfcc-61ee5d951cd8@gmx.de> <rt-4.4.3-14831-1579299068-1542.1158953-37-0@icann.org> <rt-4.4.3-21646-1582059958-678.1158953-37-0@icann.org> <BY5PR00MB06762A9651316668A1290016F5110@BY5PR00MB0676.namprd00.prod.outlook.com> <rt-4.4.3-21645-1582065742-299.1158953-37-0@icann.org> <rt-4.4.3-11175-1582675119-1846.1158953-37-0@icann.org> <4788cad0-d1dc-2947-9e17-cad4f2147a7b@gmx.de> <DM6PR00MB0684B6E29343D9A1D2CAC62CF5FC0@DM6PR00MB0684.namprd00.prod.outlook.com> <CAKzGp_6xk6nXU3q9qU0Pj+fMu8EqQ8FA7y7vCOajKEuicQc98Q@mail.gmail.com>
In-Reply-To: <CAKzGp_6xk6nXU3q9qU0Pj+fMu8EqQ8FA7y7vCOajKEuicQc98Q@mail.gmail.com>
Accept-Language: en-SE, sv-SE, en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_51f4eaa508c74bd6afc067bdcd7bcb94combitechse_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/-NOJBgmPBWYGirKqbhxlxs5HEFo>
Subject: Re: [Ace] [EXTERNAL] Re: [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2020 08:06:36 -0000

Hello Mike, Chuck,

Thank you for clarifying your assessment, Mike, and thank you, Chuck, for weighing in.

Mike, you say: “the scope claim is specific to the ACE OAuth protocol”

This is not entirely correct, since the scope claim is defined in RFC 8693 for Token Exchange, which is not an ACE protocol. Thus, if any other protocol decides to use CWT and Token Exchange, it would inherit the CWT abbreviation for the claim we are discussing here.
I would therefore argue that this claim abbreviation has a wider set of applications than just ACE.

As for the sparseness of 1-byte abbreviations: the range goes from -24 to 23. The CWT RFC uses 0-8 and no others are currently registered, so we have a few left.

Regards,

Ludwig
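To make the one-byte versus two-byte key question concrete, here is an added example (mine, not code from this thread or from the ACE draft). It is a minimal CBOR encoder, enough for integers, strings, byte strings and maps, that encodes a constructed ACE-style claims set once with "scope" keyed as 9 and once as 41 and counts the bytes, and it enumerates which integer keys fit in a single byte. The issuer, audience, expiry, cti and scope values are constructed sample data; the claim numbers 1, 3, 4 and 7 are the registered iss, aud, exp and cti claims.

```python
"""Minimal CBOR encoder to measure the cost of CWT claim keys.

Added example, not code from this thread or from the ACE draft. It
implements just enough of CBOR (RFC 8949: unsigned/negative integers,
byte and text strings, maps, booleans) to encode a CWT claims set and
count bytes. The claim values below are constructed sample data.
"""
import struct


def _head(major, arg):
    """Initial byte(s) of a CBOR item: 3-bit major type, 5-bit argument.

    Arguments 0..23 fit in the initial byte; 24..255 take one extra
    byte (additional info 24); larger values take 2, 4 or 8 extra bytes.
    """
    if arg < 24:
        return bytes([(major << 5) | arg])
    if arg < 0x100:
        return bytes([(major << 5) | 24]) + struct.pack(">B", arg)
    if arg < 0x10000:
        return bytes([(major << 5) | 25]) + struct.pack(">H", arg)
    if arg < 0x100000000:
        return bytes([(major << 5) | 26]) + struct.pack(">I", arg)
    return bytes([(major << 5) | 27]) + struct.pack(">Q", arg)


def encode(value):
    """Encode a Python value as CBOR (deterministic map key order)."""
    if isinstance(value, bool):  # must precede int: bool is an int subclass
        return b"\xf5" if value else b"\xf4"
    if isinstance(value, int):
        # Major type 0 for n >= 0; major type 1 carries -1 - n, so -1..-24 fit in one byte
        return _head(0, value) if value >= 0 else _head(1, -1 - value)
    if isinstance(value, bytes):
        return _head(2, len(value)) + value
    if isinstance(value, str):
        data = value.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(value, dict):
        # Length-first key ordering (RFC 7049 canonical CBOR); sizes do not depend on order
        pairs = sorted(((encode(k), encode(v)) for k, v in value.items()),
                       key=lambda kv: (len(kv[0]), kv[0]))
        return _head(5, len(pairs)) + b"".join(k + v for k, v in pairs)
    raise TypeError("unsupported type: %r" % type(value))


def key_length(key):
    """Bytes spent on a map key, i.e. on a CWT claim identifier."""
    return len(encode(key))


def one_byte_keys(lo=-1000, hi=1000):
    """All integer claim keys in [lo, hi) that encode to a single byte."""
    return [k for k in range(lo, hi) if key_length(k) == 1]


def sample_claims(scope_key, scope):
    """Constructed ACE-style claims set: iss(1), aud(3), exp(4), cti(7), plus scope.

    The claim values are made up for this example; only their sizes matter here.
    """
    return {
        1: "coaps://as.example.com",   # iss
        3: "coaps://rs.example.com",   # aud
        4: 1584633600,                 # exp (NumericDate)
        7: b"\x0b\x71",                # cti
        scope_key: scope,
    }


def compare_scope_key(scope, one_byte_key=9, two_byte_key=41):
    """Claims-set size with 'scope' keyed in the one-byte vs the two-byte range.

    Returns (size_with_one_byte_key, size_with_two_byte_key, overhead_percent).
    """
    short = len(encode(sample_claims(one_byte_key, scope)))
    long_ = len(encode(sample_claims(two_byte_key, scope)))
    return short, long_, 100.0 * (long_ - short) / short


if __name__ == "__main__":
    keys = one_byte_keys()
    print("one-byte claim keys: %d .. %d (%d values)" % (keys[0], keys[-1], len(keys)))
    for scope in ("r", "read write temperature"):
        s, l, pct = compare_scope_key(scope)
        print("scope=%-24r key 9: %3d bytes, key 41: %3d bytes (+%.1f%%)" % (scope, s, l, pct))
```

Running it shows that a key in 0..23 or -24..-1 costs one byte and a key in 24..255 costs two, so the difference is exactly one byte per token whatever the scope string is, and the relative overhead shrinks as the scope value grows, which is the trade-off the two positions in this thread are weighing.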


From: Chuck Mortimore <charliemortimore@gmail.com>
Sent: 12 March 2020 01:12
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Ludwig Seitz <ludwig_seitz@gmx.de>; drafts-expert-review@iana.org; cwt-reg-review@ietf.org; chuck.mortimore@visa.com; draft-ietf-ace-oauth-authz@ietf.org; ace@ietf.org
Subject: Re: [EXTERNAL] Re: [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)

Agree with Mike's assessment.   (One caveat to that is that I'm not close enough to CWT to understand how scarce the single byte identifiers actually are.)

On Wed, Mar 11, 2020 at 4:39 PM Mike Jones <Michael.Jones@microsoft.com> wrote:

[Adding correct e-mail addresses for Chuck, who recently joined Visa]

There are two reasons that I believe not using up one of the scarce one-byte claim identifiers for "scope" is appropriate:

  1.  The claim values for scopes are not short themselves.  They are sets of ASCII strings separated by spaces. So the percentage difference in the total claim representation from adding a single byte will typically be small.
  2.  The single-byte claim identifiers already registered at https://www.iana.org/assignments/cwt/cwt.xhtml are claims that are likely to be useful to diverse sets of applications, and therefore merit the short identifiers; whereas, the scope claim is specific to the ACE OAuth protocol and not applicable to diverse sets of applications.  It’s reasonable to give protocol-specific claim identifiers 2-byte representations.

I’d be interested to hear from the two other designated experts on my assessment of the situation: Hannes and Chuck.

                                                       -- Mike



-----Original Message-----
From: Cwt-reg-review <cwt-reg-review-bounces@ietf.org> On Behalf Of Ludwig Seitz
Sent: Saturday, February 29, 2020 6:25 AM
To: drafts-expert-review@iana.org; cwt-reg-review@ietf.org
Cc: draft-ietf-ace-oauth-authz@ietf.org; ace@ietf.org
Subject: [EXTERNAL] Re: [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)

On 2020-02-26 00:58, Amanda Baber via RT wrote:

> Ludwig, Hannes,
>
> Can you confirm that you can make the CBOR Web Token Claim change
> requested below?
>
> We also have Chuck Mortimore listed as an expert for this registry,
> but our message to his Salesforce address bounced.
>
> Best regards,
>
> Amanda Baber Lead IANA Services Specialist
>


I strongly disagree with the assessment that the scope claim should be pushed into the two-byte range.

The reason we introduced the scope claim is that an ACE RS typically does not have a direct connection to the AS, and is therefore unable to retrieve the scope of an access token from other sources than the access token itself.  I therefore assert that ACE access tokens would often need to contain this claim in order to inform the RS.

Since one of the major drivers of the ACE work has been to reduce the authorization overhead (otherwise we could just have used vanilla OAuth 2.0), I find it strange to needlessly add to the overhead by making the encoding of a frequently used claim longer than necessary.

I am willing to listen to the arguments that have led the expert reviewer to deny a value in the one-byte range, and discuss the reasoning further on list.

Regards,

Ludwig


> On Tue Feb 18 22:42:22 2020, Michael.Jones@microsoft.com wrote:
>> I'm mostly OK with these registrations, however, DO NOT assign the
>> value 9 to "scope".   Rather, please put it in the two-byte range
>> - for instance, with the value 41.
>>
>> -- Mike
>>
>> -----Original Message-----
>> From: Cwt-reg-review <cwt-reg-review-bounces@ietf.org> On Behalf Of Sabrina Tanamal via RT
>> Sent: Tuesday, February 18, 2020 1:06 PM
>> Cc: cwt-reg-review@ietf.org
>> Subject: [EXTERNAL] [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)
>>
>> Hi all,
>>
>> Resending this request for draft-ietf-ace-oauth-authz.
>>
>> Thanks,
>>
>> Sabrina Tanamal Senior IANA Services Specialist
>>
>>> On Sat Dec 21 11:37:11 2019, ludwig_seitz@gmx.de wrote:
>>>> Hello CWT registry reviewers,
>>>>
>>>> the IESG-designated experts for the CWT claims registry have asked
>>>> me to send a review request to you about the claims registered
>>>> here:
>>>>
>>>> https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-29#section-8.13
>>>>
>>>> Thank you in advance for your review comments.
>>>>
>>>> Regards,
>>>>
>>>> Ludwig
>>>>
>>
>> _______________________________________________
>> Cwt-reg-review mailing list
>> Cwt-reg-review@ietf.org
>> https://www.ietf.org/mailman/listinfo/cwt-reg-review
>



_______________________________________________
Cwt-reg-review mailing list
Cwt-reg-review@ietf.org
https://www.ietf.org/mailman/listinfo/cwt-reg-review