Re: [Ace] [OAUTH-WG] Resource, Audience, and req_aud

Benjamin Kaduk <kaduk@mit.edu> Sat, 09 February 2019 22:31 UTC

Date: Sat, 9 Feb 2019 16:31:33 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Brian Campbell <bcampbell@pingidentity.com>
CC: Filip Skokan <panva.ip@gmail.com>, Eric Rescorla <ekr@rtfm.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "oauth@ietf.org" <oauth@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Message-ID: <20190209223132.GB23225@kduck.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/5VwH5D2vYMoySYVANAfbl6I-qwM>

On Thu, Feb 07, 2019 at 02:28:02PM -0700, Brian Campbell wrote:
> 
> The token-exchange draft defines both the "resource" and "audience"
> parameters for use in the context of a
> "urn:ietf:params:oauth:grant-type:token-exchange" grant type request to the
> token endpoint. There is a lot of overlap between "resource" and "audience"
> and I'm not sure there was necessarily a good reason to have the two but it
> just kind of unfolded that way (the use of a client ID as an audience is
> one case that's mentioned that isn't a URI).  That document is in IESG
> evaluation (which is towards the end of the RFC process) and had a few
> DISCUSS ballot positions raised against it. Resulting from one of those
> DISCUSSes, which was unrelated to "resource"/"audience" but rather because
> of the OAuth URIs as far as I understand, one of the IESG members steered
> us in the direction of, and facilitated, the early registration requests.

That was me.  The conclusion to go for early registration was not (AFAICT)
out of a desire to get the actual value registered more quickly than it
would have been otherwise (which should be pretty fast, since IANA
generally makes the live registries reflect changes shortly after IESG
approval, not even waiting for AUTH48 or final RFC publication), but just
from it seeming to be the least-effort way to approve and publish the
document while still following the required process.  (Basically, the I-D
sent to the IESG was "codepoint squatting", having text in the document
that claims that a specific URI value will be used, but with no guarantee
from IANA that that specific value will end up being the one registered.
I didn't think the IESG should grant its seal of approval to a document
that was jumping the process in that way, and the other options we could
think of would require fairly invasive changes to the text that would
just have to be undone by the RFC Editor.)

-Ben
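To make the "resource"/"audience" overlap discussed above concrete, here is an added example (not code from the thread, the token-exchange draft, or any of the participants) of how an authorization server might process the two parameters in a token-exchange request. The syntactic rule for `resource` (an absolute URI with no fragment) and the `invalid_target` error code come from the token-exchange specification; the sample request body, the `resolve_target` function and the policy of deriving the token's `aud` values as the union of both parameters are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlsplit

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"

# Constructed sample request body (application/x-www-form-urlencoded), not taken
# from the thread: one URI-valued "resource" and one client-ID-valued "audience".
SAMPLE_BODY = (
    "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange"
    "&subject_token=placeholder-subject-token"
    "&subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aaccess_token"
    "&resource=https%3A%2F%2Fbackend.example.com%2Fapi"
    "&audience=client-abc"
)

def is_absolute_uri_without_fragment(value):
    """Syntactic check the spec imposes on 'resource': absolute URI, no fragment."""
    parts = urlsplit(value)
    return bool(parts.scheme) and "#" not in value

def invalid_target(description):
    """OAuth-style error body using the token-exchange 'invalid_target' code."""
    return {"error": "invalid_target", "error_description": description}

def resolve_target(body):
    """Validate 'resource'/'audience' and derive the aud values a new token would carry."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("grant_type") != [TOKEN_EXCHANGE_GRANT]:
        return {"error": "unsupported_grant_type"}
    resources = params.get("resource", [])   # both parameters may repeat
    audiences = params.get("audience", [])
    for r in resources:
        # 'resource' names a physical location, so it must parse as an absolute URI
        if not is_absolute_uri_without_fragment(r):
            return invalid_target("resource must be an absolute URI without fragment: %r" % r)
    for a in audiences:
        # 'audience' is a logical name: a bare client ID is fine, an empty value is not
        if a == "":
            return invalid_target("audience must not be empty")
    # Both parameters say where the new token will be used; the assumed policy here
    # is that the issued token's aud is their de-duplicated union, in request order.
    aud = list(dict.fromkeys(resources + audiences))
    return {
        "aud": aud,
        "uri_audiences": [a for a in aud if is_absolute_uri_without_fragment(a)],
        "logical_audiences": [a for a in aud if not is_absolute_uri_without_fragment(a)],
    }

if __name__ == "__main__":
    print(resolve_target(SAMPLE_BODY))
```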