Re: [Ace] [OAUTH-WG] Shepherd write-up for draft-ietf-oauth-resource-indicators-01

Ludwig Seitz <ludwig.seitz@ri.se> Thu, 07 February 2019 15:29 UTC

To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "ace@ietf.org" <ace@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <884da75e-8f45-7810-0563-8592d0298dd8@ri.se>
Date: Thu, 7 Feb 2019 16:29:18 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/4UdlKbZ2gFA0FcGovPLgRTY4-Bc>
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>

On 07/02/2019 16:15, Hannes Tschofenig wrote:
> Hi Ludwig,
> 
>> My interpretation of this is that "resource" refers to a single resource
> 
> No. Here is the text from token exchange (see last sentence):
> 
>     resource
[...]
> Multiple "resource" parameters may be used to indicate
>        that the issued token is intended to be used at the multiple
>        resources listed.
> 

Enumerating the audience is not the same as addressing it by a group name.

I agree that without too much stretching of the definition of the
resource parameter I could use URIs as group identifiers; however, the
audience claim is defined to be "StringOrURI", so if someone defines an
audience identified by a String that is not a URI, how does a client ask
for that with the resource parameter?

Or in short: Why don't you make your resource parameter mirror the "aud" 
claim?

/Ludwig

-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
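
The gap raised in this message, as an added example that is not part of the original e-mail or of either draft: a client tries to mirror a set of "aud" values into repeated "resource" parameters and finds which ones it cannot ask for. It assumes a "resource" value must be an absolute URI with no fragment; the function names and sample audiences are constructed for illustration.

```python
from urllib.parse import urlsplit, urlencode

def is_resource_uri(value: str) -> bool:
    # Assumed rule for "resource": absolute URI (has a scheme), no fragment.
    return bool(urlsplit(value).scheme) and "#" not in value

def is_string_or_uri(value: str) -> bool:
    # JWT StringOrURI: any string is allowed, but one containing ":"
    # must be a URI.
    return ":" not in value or bool(urlsplit(value).scheme)

def mirror_audiences(audiences):
    """Split audiences into those a client can request via "resource"
    and those it cannot.

    Returns (form-encoded "resource" parameters, stranded audiences).
    """
    requestable, stranded = [], []
    for aud in audiences:
        if not is_string_or_uri(aud):
            raise ValueError(f"not a valid StringOrURI: {aud!r}")
        (requestable if is_resource_uri(aud) else stranded).append(aud)
    # Multiple "resource" parameters enumerate the individual targets.
    body = urlencode([("resource", aud) for aud in requestable])
    return body, stranded

# Constructed sample audiences: a single resource URL, a group named by
# a URN, and a group named by a plain string.
SAMPLE_AUDIENCES = [
    "https://rs1.example.com/temp",
    "urn:example:group:sensors",
    "temperature-sensors",
]

if __name__ == "__main__":
    body, stranded = mirror_audiences(SAMPLE_AUDIENCES)
    print("request parameters:", body)
    print("valid aud values with no resource equivalent:", stranded)
```

The plain-string group name is a legal "aud" value but has no "resource" form, while the URN group name only works because the client and the authorization server agree to read a URI as a group identifier.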