Re: [Ace] [EXTERNAL] Éric Vyncke's No Objection on draft-ietf-ace-oauth-authz-38: (with COMMENT)

Seitz Ludwig <ludwig.seitz@combitech.se> Thu, 25 March 2021 09:42 UTC

Return-Path: <ludwig.seitz@combitech.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00E5E3A17EA; Thu, 25 Mar 2021 02:42:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MY5nNsRHeW2e; Thu, 25 Mar 2021 02:42:31 -0700 (PDT)
Received: from weald.air.saab.se (weald.air.saab.se [136.163.212.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7687B3A17EB; Thu, 25 Mar 2021 02:42:30 -0700 (PDT)
Received: from mailhub1.air.saab.se ([136.163.213.4]) by weald.air.saab.se (8.14.7/8.14.7) with ESMTP id 12P9gN7p125159 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Thu, 25 Mar 2021 10:42:23 +0100
Received: from corpappl17782.corp.saab.se (corpappl17782.corp.saab.se [10.12.196.89]) by mailhub1.air.saab.se (8.13.8/8.13.8) with ESMTP id 12P9gEqG025018 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=OK); Thu, 25 Mar 2021 10:42:14 +0100
Received: from corpappl17773.corp.saab.se (10.12.196.80) by corpappl17782.corp.saab.se (10.12.196.89) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.792.3; Thu, 25 Mar 2021 10:42:14 +0100
Received: from corpappl17773.corp.saab.se ([fe80::20a9:e9fa:54a3:2afd]) by corpappl17773.corp.saab.se ([fe80::20a9:e9fa:54a3:2afd%17]) with mapi id 15.02.0792.010; Thu, 25 Mar 2021 10:42:14 +0100
From: Seitz Ludwig <ludwig.seitz@combitech.se>
To: =?utf-8?B?w4lyaWMgVnluY2tl?= <evyncke@cisco.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-ace-oauth-authz@ietf.org" <draft-ietf-ace-oauth-authz@ietf.org>, "ace-chairs@ietf.org" <ace-chairs@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: =?utf-8?B?W0VYVEVSTkFMXSDDiXJpYyBWeW5ja2UncyBObyBPYmplY3Rpb24gb24gZHJh?= =?utf-8?Q?ft-ietf-ace-oauth-authz-38:_(with_COMMENT)?=
Thread-Index: AQHXHyuZU/A3KOOoPkeRpDWfQb0fYKqUYRwg
Date: Thu, 25 Mar 2021 09:42:13 +0000
Message-ID: <133ef81b68af4ee0ae5d573b51b9aa48@combitech.se>
References: <161642497935.28459.6337296577160925255@ietfa.amsl.com>
In-Reply-To: <161642497935.28459.6337296577160925255@ietfa.amsl.com>
Accept-Language: en-SE, sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [136.163.101.121]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Saab-MailScanner-Information: Please contact the ISP for more information
X-Saab-MailScanner-ID: 12P9gEqG025018
X-Saab-MailScanner: Found to be clean
X-Saab-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0.294, required 5, BAYES_00 -0.50, HELO_NO_DOMAIN 0.00, RDNS_NONE 0.79)
X-Saab-MailScanner-From: ludwig.seitz@combitech.se
X-Saab-MailScanner-Watermark: 1617270134.89418@WUNABVvSjqusM8tvwucNLA
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/FT8hPAiQyXVqCpRjo2pOVkco3AY>
Subject: Re: [Ace] =?utf-8?q?=5BEXTERNAL=5D_=C3=89ric_Vyncke=27s_No_Objection?= =?utf-8?q?_on_draft-ietf-ace-oauth-authz-38=3A_=28with_COMMENT=29?=
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2021 09:42:35 -0000

Hello Éric,

Thank you for your review. I plan to submit an update of the draft to address your comments (and others') by the end of the week.
I have some comments inline.

/Ludwig

> -----Original Message-----
> == COMMENTS ==
> 
> -- Section 3 --
> Should references/expansions be added for "HTTP/2, MQTT, BLE and QUIC"
> ?
Fixed

> 
> -- Section 3.1 --
> Suggest to review the order of the definitions, notably popping up
> "introspection" as it is used by most of the other terms.
>
Done

 
> -- Section 4 --
> Mostly cosmetic, any reason why figure 1 is so far away from its mention in
> §1 ?
> 
I moved the figure and its explanations up in the section. The figure does not have a strong dependency on the text blocks that were moved down in the process.


> In "ensure that its content cannot be modified, and if needed, that the
> content is confidentiality protected", I wonder why the confidentiality is only
> optional ? As far as I understand it, the possession of an access token grants
> access to a ressource, so, it should be protected against sniffing. What did I
> miss ?
> 
Actually you also need the proof-of-possession key. If that is only referenced in the token, or if the token only contains the public key part of an asymmetric key pair you could get away with only integrity protecting an access token.


> In "If the AS successfully processes the request from the client" may look
> ambiguous because processing correctly (per protocol) an invalid credential is
> also "successfully processed". Suggest to mention something about "positive
> authentication" ;)
> 
Fixed

> -- Section 5 --
> As a non-English native speaker, I cannot see the verb in the second
> proposition in "For IoT, it cannot be assumed that the client and RS are part
> of a common key infrastructure, so the AS provisions credentials or
> associated information to allow mutual authentication.". While I obviously
> understand the meaning, could it be rephrased ?
> 
Rephrased


> -- Section 5.1.1 --
> Could the word "unprotected" be better defined in "received on an
> unprotected channel" ? E.g., is it only about TLS ? Else, I like the implicit lack
> of trust.
> 
I'd like to avoid restricting the scope to protected/unprotected channels here, since we have profiles that use object security on the individual messages (oscore).

> -- Section 5.1.2 --
> I must admit that I have failed to understand the semantic of "audience"...
> Can you either explain its meaning or provide a reference ?
> 
Added a reference

> -- Section 5.5 --
> In "Since it requires the use of a user agent (i.e., browser)" is it "i.e." or "e.g."
> ?
This comment seems to refer to an older version of the draft. 

> 
> -- Section 5.6 --
> s/the semantics described below MUST be/the semantics described in this
> section MUST be/ ?
Fixed
> 
> In "The default name of this endpoint in an url-path is '/token'" should
> "SHOULD" normative language be used ?
> 
This is inherited from OAuth 2.0, where I was given to understand that this is not even a SHOULD requirement.

> -- Section 5.6.4.1 --
> In figure 11, would you mind adding the section ID in addition to RFC 6749 ? I
> failed to spot them in RFC 6749.
> 
Done (they are really well hidden in 6749)

> -- Section 5.7.2 --
> It is a little unclear to me which profile must be used as 'profile' is optionnial?
> Should a default or any profile be used ?
Added some guidance

> 
> -- Section 5.8.1 --
> Suggest to use the BCP14 "SHOULD" in the text "The default name of this
> endpoint in an url-path is '/authz-info'"
I would like to maintain the alignment here with OAuth 2.0 were default endpoint names are not even a SHOULD.

> 
> -- Section 10.2 --
> Is RFC 7049 really an informative reference as CBOR appears as the default
> encoding ?
This was updated to RFC 8949, which now is a normative reference. 

> 
> == NITS ==
> 
> s/application layer protocol/application-layer protocol/ ?
FIXED
> 
> Should multi-words message names (e.g.,  AS Request Creation Hints) be
> enclosed by quotes ?
> 


> -- Section 2 --
> Please introduce "authz-info" before first use.
> 
There is a reference to the section where authz-info is defined in -38. Are you suggesting some other approach?

> -- Section 3.1 --
> "PoP" is expanded twice in this section ;-)
Fixed

> 
> "CBOR encoding (CWT) " the "CWT" acronym does not match the expansion
> :-)
Rephrased this.
> 
> -- Section 4 --
> 
> Sometimes "Client" is used and sometimes "client" is used...
> 
Fixed

> s/reference to a specific credential/reference to a specific access credential/
> ?
This actually refers to the proof-of-possession credential. I'll add some clarification.

> 
> -- Section 5.1.2 --
> Can you introduce to "kid" acronym ? It too me a while to understand that it
> is
> (probably) key-id... :-)
In -38 this section now says: "A "kid" element containing the key identifier ...". Does that address your issue?

> 
> Unsure whether "nonce: h'e0a156bb3f'," is the usual IETF way to introduce
> an hexadecimal number.
It is CBOR diagnostic notation as indicated in the reference to the figure.

> 
> typo in "5.8.4.  Key Expriation" :-)
Fixed.