Re: [Ace] WGLC for draft-ietf-ace-authz

Ludwig Seitz <ludwig.seitz@ri.se> Wed, 31 October 2018 09:08 UTC

To: Mike Jones <Michael.Jones@microsoft.com>, "ace@ietf.org" <ace@ietf.org>
References: <065b01d45f4e$b8d372a0$2a7a57e0$@augustcellars.com> <SN6PR00MB0301580A2D802AB0F559A170F5F70@SN6PR00MB0301.namprd00.prod.outlook.com> <5eb071c6-1a9e-e86a-a7d1-cc0fb8cbac42@ri.se> <SN6PR00MB03017E27B15E777091EDFD31F5CC0@SN6PR00MB0301.namprd00.prod.outlook.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <0f81494a-de97-791b-789b-bdbade52aa3b@ri.se>
Date: Wed, 31 Oct 2018 10:08:28 +0100
In-Reply-To: <SN6PR00MB03017E27B15E777091EDFD31F5CC0@SN6PR00MB0301.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/-nuKP52AAZB33WDCn3_FPs_fEcc>
Subject: Re: [Ace] WGLC for draft-ietf-ace-authz

On 30/10/2018 19:52, Mike Jones wrote:
> Thanks for your responses, Ludwig.
> 
...
>
> I could live with "access_token" having a single-byte
> representation, since as you point out, it is needed for every ACE
> OAuth interaction.  An "error" value is only needed when something
> goes wrong, so that doesn't seem like a case that needs to be
> optimized for space.  A two-byte "error" representation will only be
> used when errors have occurred, so shouldn't be a problem.
> 
> -- Mike
> 
> -----Original Message----- From: Ace <ace-bounces@ietf.org> On Behalf


Thank you for the quick and comprehensive answer, Mike!

I conclude the following:

We are in agreement about giving "profile", "error", "token_type" and 
"grant_type" two-byte abbreviations in CBOR.

"scope" and "access_token" will get a one-byte abbreviation aligned with 
the unused numbers from CWT claims.

At IETF 103 I will propose the solution of registering all parameter 
abbreviations in the CWT claim registry in order to align abbreviations 
and avoid duplicate assignments.

If a signed request (and response) format is needed I am all for using 
CWT in the context of ACE access token requests, responses and 
introspection requests and responses. I will take up that discussion at 
IETF 103.

I will propose to make "token_type" and "grant_type" OPTIONAL, deviating 
from the OAuth 2.0 specs and defining the default token type to be "PoP" 
and the default grant_type to be "client_credentials".
This will avoid having to send grant_type with every access token 
request and token_type with every successful access token response.


Regards,

Ludwig


-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
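As an added illustration of the byte costs discussed in this thread (example code, not from the draft or from either author): a minimal CBOR encoder and decoder for integer-keyed parameter maps, showing that map keys below 24 cost one byte while 24..255 cost two, and how the proposed defaults for "token_type" and "grant_type" let those parameters be left out of the request and response. The key numbers are assumed placeholders, not the registered abbreviations.

```python
# ASSUMED placeholder keys, not the registered ones: CBOR spends 1 byte on keys < 24, 2 on 24..255
ABBREV = {"access_token": 1, "scope": 9,
          "profile": 24, "error": 25, "token_type": 26, "grant_type": 27}
NAMES = {v: k for k, v in ABBREV.items()}
# Defaults proposed in the mail: a parameter holding its default value is simply omitted.
DEFAULTS = {"token_type": "PoP", "grant_type": "client_credentials"}

def _head(major, n):  # initial byte(s): major type in the top 3 bits, argument n
    if n < 24:
        return bytes([(major << 5) | n])       # one byte
    if n < 256:
        return bytes([(major << 5) | 24, n])   # two bytes (additional info 24)
    raise ValueError("argument too large for this example")

def encode(v):  # unsigned int, bytes, str or dict (recursively) -> CBOR bytes
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(encode(k) + encode(x) for k, x in v.items())
    if isinstance(v, int):
        return _head(0, v)
    data = v.encode() if isinstance(v, str) else bytes(v)
    return _head(3 if isinstance(v, str) else 2, len(data)) + data

def decode(data, i=0):  # one CBOR item at offset i -> (value, next offset)
    major, info = data[i] >> 5, data[i] & 0x1F
    if info > 24:
        raise ValueError("only one- and two-byte arguments are handled here")
    n, i = (info, i + 1) if info < 24 else (data[i + 1], i + 2)
    if major == 0:
        return n, i
    if major in (2, 3):
        return (data[i:i + n] if major == 2 else data[i:i + n].decode()), i + n
    if major == 5:
        m = {}
        for _ in range(n):
            k, i = decode(data, i)
            m[k], i = decode(data, i)
        return m, i
    raise ValueError("major type not supported by this example")

def encode_params(params):
    # Named ACE OAuth parameters -> CBOR map with integer keys, defaults omitted.
    return encode({ABBREV[k]: v for k, v in params.items() if DEFAULTS.get(k) != v})

def decode_params(data):
    # CBOR map -> named parameters, restoring any default that was omitted on the wire.
    m, end = decode(data)
    if end != len(data):
        raise ValueError("trailing bytes after the CBOR map")
    return {**DEFAULTS, **{NAMES[k]: v for k, v in m.items()}}
```

A receiver would of course apply only the defaults meaningful for the message type it is parsing; here both are restored for brevity.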