Re: [Ace] [Jwt-reg-review] Requested review for IANA registration in draft-ietf-ace-oauth-authz

Seitz Ludwig <ludwig.seitz@combitech.se> Sat, 11 January 2020 16:16 UTC

From: Seitz Ludwig <ludwig.seitz@combitech.se>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Ludwig Seitz <ludwig_seitz@gmx.de>
CC: Roman Danyliw <rdd@cert.org>, "jwt-reg-review@ietf.org" <jwt-reg-review@ietf.org>, Jim Schaad <ietf@augustcellars.com>, The IESG <iesg@ietf.org>, "ace@ietf.org" <ace@ietf.org>, "drafts-lastcall@iana.org" <drafts-lastcall@iana.org>, Benjamin Kaduk <kaduk@mit.edu>
Date: Sat, 11 Jan 2020 16:15:26 +0000
Message-ID: <14a3c79d23e94d938be4a173a6c8256d@combitech.se>
References: <9c32d171-9a4a-ba71-c989-92a177d9e989@gmx.de> <dc02aa6c-5cfc-bfb1-9672-facf7eb17ad7@gmx.de> <CA+k3eCSnNdvZAZZmequkLdcU_OkgD2au7+yFZOMJT3w0CLsrOQ@mail.gmail.com>
In-Reply-To: <CA+k3eCSnNdvZAZZmequkLdcU_OkgD2au7+yFZOMJT3w0CLsrOQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/4iiXFxmfq79sitI4zrXu8-bEsGo>

Hello Brian,

Thank you for this review!
I have added text to clarify the formatting of these parameters and claims when used in JSON-based interactions.
More comments inline.

Regards,
Ludwig

From: Ace <ace-bounces@ietf.org> On Behalf Of Brian Campbell
Sent: den 10 januari 2020 21:57
To: Ludwig Seitz <ludwig_seitz@gmx.de>
Cc: Roman Danyliw <rdd@cert.org>; jwt-reg-review@ietf.org; Jim Schaad <ietf@augustcellars.com>; The IESG <iesg@ietf.org>; ace@ietf.org; drafts-lastcall@iana.org; Benjamin Kaduk <kaduk@mit.edu>
Subject: Re: [Ace] [Jwt-reg-review] Requested review for IANA registration in draft-ietf-ace-oauth-authz

I'm really struggling with understanding what the value of an "ace_profile" claim actually would be in a JWT. A JSON string that's the profile name (though 5.6.4.3 maybe prohibits that)? A JSON number that's an integer matching the CBOR Value? Something else?

[LS] For JSON the string representation is ok, I reworded 5.6.4.3 to clarify this.

Is the value of "exi" in a JWT a JSON number? Seems likely but it's something that should probably be made explicit.

[LS] Now explicit

Also for "exi", the requirement in 5.8.3. to "keep track of the identifiers of tokens containing the "exi" claim that have expired (in order to avoid accepting them again)" seems problematic in that it sounds like it's mandating an unbounded growth of memory use.

[LS] Section 6.6 proposes a mitigation for the unbounded growth of memory use problem. Does that resolve your reservations?

The draft says that the "cnonce" claim (value) uses binary encoding. What does that mean for JSON based JWT?

[LS] Now Base64 encoded binary for JSON.

On Sat, Dec 21, 2019 at 4:35 AM Ludwig Seitz <ludwig_seitz@gmx.de> wrote:
Hello JWT registry reviewers,

the IESG-designated experts for the JWT claims registry have asked me to
send a review request to you about the claims registered here:

https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-29#section-8.12

Thank you in advance for your review comments.

Regards,

Ludwig
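As an added illustration of the encoding questions discussed in this exchange (not code from the thread, the ACE draft, or any of its participants): the following Python sketches how the three claims would be carried in a JSON-based JWT payload in the form the reply settles on (ace_profile as a profile-name string, exi as a JSON integer, cnonce as base64url-encoded binary), and how a resource server could validate them while keeping its record of expired "exi" tokens bounded. The profile names, the use of "jti" as the token identifier, and the assumption that the AS issues token identifiers with a monotonically increasing sequence number (so the RS only has to remember the highest expired one instead of an ever-growing set) are assumptions of this example, not text from the draft; the CWT/CBOR integer encoding of ace_profile is not modelled.

```python
"""Added example, not from the thread or the ACE draft: JSON encoding and
resource-server validation of the ACE JWT claims ace_profile, exi and cnonce,
with a bounded record of expired exi tokens."""

import base64
import json

# Assumed profile names used as the JSON string value of "ace_profile".
ACE_PROFILES = ("coap_dtls", "coap_oscore")


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, the JOSE convention for binary values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_claims(seq: int, profile: str, exi_seconds: int, cnonce: bytes) -> str:
    """Serialize the claims set for a JSON-based JWT.

    Assumption: the AS puts a monotonically increasing sequence number in the
    token identifier ("jti" here); the RS relies on that below.
    """
    if profile not in ACE_PROFILES:
        raise ValueError("unknown ACE profile")
    claims = {
        "jti": str(seq),
        "ace_profile": profile,          # JSON string: the profile name
        "exi": int(exi_seconds),         # JSON number: lifetime in seconds
        "cnonce": b64url_encode(cnonce), # base64url of the binary nonce
    }
    return json.dumps(claims, separators=(",", ":"))


class ExiTokenStore:
    """RS-side bookkeeping for tokens carrying "exi".

    The RS has no trustworthy wall clock in sync with the AS, so a token's
    expiry is its "exi" counted from the moment the RS first sees it. Instead
    of an unbounded set of expired identifiers, only the highest expired
    sequence number is kept (assumed mitigation; a still-valid token with a
    lower sequence number than a longer-lived, already expired one would be
    rejected early).
    """

    def __init__(self, clock):
        self.clock = clock           # callable returning RS-local seconds
        self.active = {}             # seq -> absolute expiry on the RS clock
        self.highest_expired = -1    # watermark replacing the expired set

    def sweep(self) -> None:
        now = self.clock()
        for seq in [s for s, exp in self.active.items() if exp <= now]:
            del self.active[seq]
            self.highest_expired = max(self.highest_expired, seq)

    def accept(self, payload: str, expected_cnonce: bytes):
        """Validate the claims; returns (accepted, reason)."""
        claims = json.loads(payload)
        profile = claims.get("ace_profile")
        if not isinstance(profile, str) or profile not in ACE_PROFILES:
            return False, "ace_profile must be a registered profile name"
        exi = claims.get("exi")
        if isinstance(exi, bool) or not isinstance(exi, int) or exi <= 0:
            return False, "exi must be a positive JSON integer"
        try:
            cnonce = b64url_decode(claims["cnonce"])
        except (KeyError, TypeError, ValueError):
            return False, "cnonce must be base64url-encoded binary"
        if cnonce != expected_cnonce:
            return False, "cnonce does not match the nonce issued by this RS"
        try:
            seq = int(claims["jti"])
        except (KeyError, TypeError, ValueError):
            return False, "jti must carry the sequence number"
        self.sweep()
        if seq <= self.highest_expired:
            return False, "token expired (below sequence watermark)"
        if seq not in self.active:
            self.active[seq] = self.clock() + exi  # lifetime starts now
        return True, "ok"


if __name__ == "__main__":
    clock = [1000]
    rs = ExiTokenStore(lambda: clock[0])
    tok = build_claims(7, "coap_dtls", 60, b"\x01\x02\x03")
    print(tok)
    print(rs.accept(tok, b"\x01\x02\x03"))
    clock[0] += 61
    print(rs.accept(tok, b"\x01\x02\x03"))  # same token after expiry
```

Re-presenting a token inside its lifetime is accepted without re-starting the clock, while a replay after expiry is refused because its sequence number is at or below the watermark; the only state that survives a sweep is that single integer plus the currently valid tokens.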

