Re: [Ace] [OAUTH-WG] Resource, Audience, and req_aud
Benjamin Kaduk <kaduk@mit.edu> Sat, 09 February 2019 22:31 UTC
Date: Sat, 09 Feb 2019 16:31:33 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Brian Campbell <bcampbell@pingidentity.com>
CC: Filip Skokan <panva.ip@gmail.com>, Eric Rescorla <ekr@rtfm.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "oauth@ietf.org" <oauth@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Message-ID: <20190209223132.GB23225@kduck.mit.edu>
References: <VI1PR0801MB21126944E558E53992EB7FD3FA680@VI1PR0801MB2112.eurprd08.prod.outlook.com> <CALAqi_9YUWBcUWtaG2g=mXQLJoq1X=dgm72exDU9akqxuhK_HQ@mail.gmail.com> <CA+k3eCQtPXQaY1E9t6CmQh8eb2kUeFxvsj1WLeY8Yfhpzpkm9Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CA+k3eCQtPXQaY1E9t6CmQh8eb2kUeFxvsj1WLeY8Yfhpzpkm9Q@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/5VwH5D2vYMoySYVANAfbl6I-qwM>
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
On Thu, Feb 07, 2019 at 02:28:02PM -0700, Brian Campbell wrote:
>
> The token-exchange draft defines both the "resource" and "audience"
> parameters for use in the context of a
> "urn:ietf:params:oauth:grant-type:token-exchange" grant type request to the
> token endpoint. There is a lot of overlap between "resource" and "audience"
> and I'm not sure there was necessarily a good reason to have the two but it
> just kind of unfolded that way (the use of a client ID as an audience is
> one case that's mentioned that isn't a URI). That document is in IESG
> evaluation (which is towards the end of the RFC process) and had a few
> DISCUSS ballot positions raised against it. Resulting from one of those
> DISCUSSes, which was unrelated to "resource"/"audience" but rather because
> of the OAuth URIs as far as I understand, one of the IESG members steered
> us in the direction of, and facilitated, the early registration requests.

That was me. The conclusion to go for early registration was not (AFAICT)
out of a desire to get the actual value registered more quickly than it
would have been otherwise (which should be pretty fast, since IANA generally
makes the live registries reflect changes shortly after IESG approval, not
even waiting for AUTH48 or final RFC publication), but just from it seeming
to be the least-effort way to approve and publish the document while still
following the required process. (Basically, the I-D sent to the IESG was
"codepoint squatting", having text in the document that claims that a
specific URI value will be used, but with no guarantee from IANA that that
specific value will end up being the one registered. I didn't think the
IESG should grant its seal of approval to a document that was jumping the
process in that way, and the other options we could think of would require
fairly invasive changes to the text that would just have to be undone by
the RFC Editor.)

-Ben