Re: [Ace] Mail regarding draft-tiloca-ace-revoked-token-notification-00
Jim Schaad <ietf@augustcellars.com> Mon, 18 November 2019 02:23 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB74812083E; Sun, 17 Nov 2019 18:23:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i_IUh5KrakPl; Sun, 17 Nov 2019 18:23:02 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F5B4120048; Sun, 17 Nov 2019 18:23:02 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Sun, 17 Nov 2019 18:22:56 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Ludwig Seitz' <ludwig.seitz@ri.se>, draft-tiloca-ace-revoked-token-notification@ietf.org
CC: ace@ietf.org
References: <002301d59d07$50df48c0$f29dda40$@augustcellars.com> <5f2c5fdd-a845-531d-2709-34636e8c3575@ri.se>
In-Reply-To: <5f2c5fdd-a845-531d-2709-34636e8c3575@ri.se>
Date: Mon, 18 Nov 2019 10:22:55 +0800
Message-ID: <006801d59db7$17e6df00$47b49d00$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJ6sPGQ2I+EfF6nSBN4YUTZ9azJgAHYad/cpjdIRPA=
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/3YYygq3tsQ3r6KllyH2sHp_h7w0>
Subject: Re: [Ace] Mail regarding draft-tiloca-ace-revoked-token-notification-00
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2019 02:23:04 -0000
-----Original Message----- From: Ludwig Seitz <ludwig.seitz@ri.se> Sent: Monday, November 18, 2019 10:15 AM To: Jim Schaad <ietf@augustcellars.com>; draft-tiloca-ace-revoked-token-notification@ietf.org Cc: ace@ietf.org Subject: Re: Mail regarding draft-tiloca-ace-revoked-token-notification-00 On 17/11/2019 06:24, Jim Schaad wrote: > If you use JSON to transport a token > then it will be the raw bytes for a JWT, but it would be a base64url encoded > value for a CWT. This means that the hash might not get the correct answer. The problem here is that the client wouldn't know the format of the token and therefore not be able to retrieve the correct binary representation (I'm assuming both the RS and the AS would know). I think the best solution is to define that the data getting hashed is to be the binary representation of what is in the 'access_token' parameter of the access token response, since that is what everyone (AS, Client, RS) sees. For a CBOR transport that would just be the byte-string value of 'access_token' as is, while for JSON transport this be the binary representation of the String value of 'access_token', which would of course depend on the charset. Side-note: Do we want/need to cater for such a weird corner-case? Who in their right mind would use JSON in a CoAP message? [JLS] You have the corner-case above backwards. The question is who would be using a CWT (or binary token) in a JSON message. I am currently using JWT tokens in a CoAP message right now for my MQTT work because it was an easier starting point than to get an HTTP server up and running. Jim /Ludwig -- Ludwig Seitz, PhD Security Lab, RISE Phone +46(0)70-349 92 51