Re: [Ace] [OAUTH-WG] Shepherd write-up for draft-ietf-oauth-resource-indicators-01

Ludwig Seitz <ludwig.seitz@ri.se> Tue, 29 January 2019 07:56 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/3oWRf9J7fWZLHZbMsJ1-dTJLQRw>

On 28/01/2019 23:12, George Fletcher wrote:
> I also don't know that this rises to the level of "concern", but I find 
> the parameter name "req_aud" odd. Given that the parameter in the 
> resource-indicators spec is 'resource', why not use a parameter name of 
> 'audience'? That said, I have not read the thread on the ACE working 
> group list, so there could be very good reasons for the chosen name :)
> 
> I do think that there is a lot of overlap (in most cases) between 
> 'resource' and 'audience' and having two parameters that cover a lot of 
> the same semantics is going to be confusing for developers. When calling 
> an API at a resource server, the 'audience' and the 'resource' are 
> pretty equivalent. Maybe in other use cases they are distinctly separate?
> 

To give you all the background of "req_aud" from ACE (sorry for the long 
text):

Originally in ACE we had defined the "aud" parameter for requests to the 
token endpoint with the semantics that the client was requesting a token 
for a certain audience (i.e. requesting that the AS copy the "aud" 
parameter value into the "aud" claim value of the token).
We were then told that this collided with a use of "aud" in OAuth, that 
specifies the intended audience of Authorization Servers (if I remember 
correctly), so we decided to rename our parameter to "req_aud" for 
"requested audience".
Mike Jones then made us aware of the work on resource indicators, but 
upon closer examination I found the "resource" parameter to be more 
limited than the "req_aud", since resource specifically states:

"Its value MUST be an absolute URI ... the "resource" parameter URI 
value is an identifier representing the identity of the resource"

My interpretation of this is that "resource" refers to a single 
resource, which is more constrained than the definition of the "aud" 
claim from RFC 7519, which uses a StringOrURI value. For example, my intent 
was to use "aud" and "req_aud" for group identifiers 
("temperatureSensorGroup4711") and other non-URI strings 
(hash-of-public-key), which I cannot do with "resource". We therefore 
decided to keep the "req_aud" parameter in draft-ietf-ace-oauth-params, 
even though it clearly overlaps with "resource".

Any comments and suggestions about that line of reasoning (especially 
from the OAuth point of view) are very welcome.

/Ludwig


-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
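As an added example (not from this thread, nor from the ACE or OAuth drafts), the Python below checks a candidate audience value against the two value spaces compared above: the absolute-URI requirement quoted for the "resource" parameter (RFC 3986 section 4.3, so no fragment) versus the RFC 7519 StringOrURI form of the "aud" claim (any string, but one containing ":" must be a URI). The sample values are constructed; the public-key hash is a placeholder, not a real digest.

```python
import re

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*$")


def is_uri(value):
    """Syntactic RFC 3986 URI check: a valid scheme followed by ':' (fragment allowed)."""
    if not isinstance(value, str):
        return False
    scheme, sep, _rest = value.partition(":")
    return bool(sep) and _SCHEME_RE.match(scheme) is not None


def is_absolute_uri(value):
    """RFC 3986 section 4.3 absolute-URI: a URI without a fragment component.

    '#' may only appear as the fragment delimiter, so any '#' means a fragment."""
    return is_uri(value) and "#" not in value


def is_string_or_uri(value):
    """RFC 7519 StringOrURI: any string, but a value containing ':' MUST be a URI."""
    if not isinstance(value, str):
        return False
    return ":" not in value or is_uri(value)


def classify(value):
    """Report where the value is usable: as a 'resource' parameter, as an 'aud' claim, or both."""
    return {"resource": is_absolute_uri(value), "aud": is_string_or_uri(value)}


def token_aud_from_req_aud(req_aud):
    """AS-side step described in the thread: copy a requested audience into the token's
    'aud' claim, refusing values that are not valid StringOrURI."""
    if not is_string_or_uri(req_aud):
        raise ValueError("req_aud is not a valid StringOrURI: %r" % (req_aud,))
    return {"aud": req_aud}


if __name__ == "__main__":
    # Constructed sample values mirroring the cases discussed in the thread.
    for v in ("coaps://temperature.example/sensor/4711",   # fits both
              "temperatureSensorGroup4711",                # group id: aud only
              "e3b0c44298fc1c149afbf4c8996fb924",          # placeholder key hash: aud only
              "coaps://temperature.example/sensors#4711",  # fragment: aud only
              "not a uri:really"):                         # ':' but invalid scheme: neither
        print("%-45s %s" % (v, classify(v)))
```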