Re: [Ace] Shepard review for draft-ietf-ace-oauth-authz

Ludwig Seitz <ludwig.seitz@ri.se> Wed, 30 January 2019 08:37 UTC

To: Jim Schaad <ietf@augustcellars.com>, draft-ietf-ace-oauth-authz@ietf.org
CC: ace@ietf.org
References: <01e801d4b861$4d7d41e0$e877c5a0$@augustcellars.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <76f048fa-fa03-4e5b-0b60-c5674a2ddad3@ri.se>
Date: Wed, 30 Jan 2019 09:37:45 +0100
In-Reply-To: <01e801d4b861$4d7d41e0$e877c5a0$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/H0uxL3MlVevomOIKz7jYolF3gGc>
Subject: Re: [Ace] Shepard review for draft-ietf-ace-oauth-authz
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>

Thank you Jim,

I'll upload a new version as soon as we have resolved my questions below.

/Ludwig

On 30/01/2019 07:01, Jim Schaad wrote:
> 1. Update the reference from RFC 5246 to RFC 8446 in all locations
> 
> Items that don't appear to be resolved:
> 
> * Section 3.1 - Refresh Token - I don't think that refresh tokens are going
> to be strings because binary is more efficient.
> 	 Unless you are going to say that this is not OAuth 2.0, then a
> refresh token is still a text string.
> 
> *  I don't see any text that is addressing this.

That text just describes how it is in OAuth 2.0 (where refresh tokens 
are strings). Since we didn't see the need to specify the use of refresh 
tokens in ACE, we didn't mention them further. If we had, we would 
certainly have defined them to be binary.

> 
>> On 22/10/2018 21:09, Jim Schaad wrote:
>>> * Section 5.8.2 - If the RS is going to do introspection, can it send
>>> some type of "Server Busy - try again in xxx" while it does the introspection
>>> rather than just doing an ack of the request and possibly waiting a long
>>> time?
>>
>> This is probably transport protocol specific, and we were asked not to
>> link the framework to a specific protocol, thus I don't know if we can
>> provide guidance here.
> 
> I think it would be okay to say something like "some transport protocols
> may provide a way to indicate that the server is busy and the client should
> retry after an interval; this type of status update would be appropriate
> while the server is waiting for an introspection response".  Which does
> provide guidance, but in a non-normative fashion that does not require or
> prohibit any given transport protocol.
> 
> *  I don't see anything that I think addresses this issue.  I would expect
> it to be a security consideration

There is text in the draft according to the suggestion above in section 
5.8.1 "The Authorization Information Endpoint". Should that text be 
moved to security considerations?

> 
> Comments on protection of CWT/Token:  I am wondering if there needs to be
> any comments on how a CWT is going to be protected.  While it is ok to use
> either a symmetric key or a direct key agreement operation for a single
> recipient without forcing a signature operation to occur.  If the token is
> going to be targeted a single audience hosted on multiple RSs then a
> signature operation would be required for the purposes of authentication.
>

Right. I'll add some security considerations on that.


> ****** IANA Section Issues
> 
> 1.  None of the new registries appear to have any guidance for the DEs to
> use when approving items.

Is it acceptable to add a single guidance section for all of the new 
registries, or does it need to be separate for each of them?

> 
> 2.  The title of the registry "ACE Authorization Server Information" is not
> really descriptive of what is in the registry.   It makes sense in the text
> but not as a stand-alone title.  Something along the lines of "ACE
> Authorization Server Request Creation Hints" seems to be closer to a solid
> identification.
> 
Would "ACE Authorization Server Discovery Hints" be better?

> 3.  The mapping registries should use the OAuth registry name as a prefix.
> Thus "OAuth Access Token Types" and "OAuth Access Token Type CBOR Mappings".
> 
Done. Actually, quite a few changes were required to align all of the 
mapping sections with the OAuth registry names.

> 4.  What is the initial registrations that need to occur for the "ACE
> Profile" registry.  If there are none then this needs to be stated.
> 
It's initially empty, since draft-ietf-ace-oauth-authz doesn't define a 
profile. However, the DTLS and OSCORE profiles will provide the two 
initial entries. I added a sentence to that effect in the IANA section.

> 5. For the CBOR Web Token Claims - how many of these should have the JWT
> Claim name filled in?  It would seem that all of them should.  If not a
> comment about this is needed.

Fixed.

/Ludwig

-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
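The token-protection point Jim raises above (symmetric or direct-key-agreement protection is fine for a single recipient, but an audience served by several RSs needs a signature) is illustrated below with an added example that is not part of this thread, the draft, or any ACE implementation. It assumes a JSON claim set in place of a real CBOR/COSE-wrapped CWT, HMAC-SHA256 standing in for COSE_Mac0 and Ed25519 standing in for COSE_Sign1; the audience name "sensors" and the resource servers rs1/rs2 are made up for the scenario. It shows that when the AS shares one MAC key with every RS in the audience, any one of those RSs can mint tokens the others accept, while a signed token can only be produced by the holder of the AS private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Claims is a simplified stand-in for a CWT claim set (RFC 8392). Real CWTs
// are CBOR maps with integer keys wrapped in a COSE structure; JSON is used
// here only so the example needs nothing outside the Go standard library.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Scope string `json:"scope"`
}

// MACToken models a token protected like COSE_Mac0: the same symmetric key
// is needed both to create the tag and to check it.
type MACToken struct {
	Payload []byte
	Tag     []byte
}

// MintMAC creates a MAC-protected token. Anyone holding key can call this,
// which is exactly the problem when key is shared by several RSs.
func MintMAC(key []byte, c Claims) MACToken {
	payload, _ := json.Marshal(c)
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return MACToken{Payload: payload, Tag: m.Sum(nil)}
}

// VerifyMAC checks the tag in constant time and the audience, and returns
// the claims only if both pass.
func VerifyMAC(key []byte, expectedAud string, t MACToken) (Claims, bool) {
	m := hmac.New(sha256.New, key)
	m.Write(t.Payload)
	if !hmac.Equal(m.Sum(nil), t.Tag) {
		return Claims{}, false
	}
	var c Claims
	if err := json.Unmarshal(t.Payload, &c); err != nil || c.Aud != expectedAud {
		return Claims{}, false
	}
	return c, true
}

// SignedToken models a token protected like COSE_Sign1: only the holder of
// the AS private key can produce it; any holder of the public key can check it.
type SignedToken struct {
	Payload []byte
	Sig     []byte
}

// MintSigned creates a signed token with the given private key.
func MintSigned(priv ed25519.PrivateKey, c Claims) SignedToken {
	payload, _ := json.Marshal(c)
	return SignedToken{Payload: payload, Sig: ed25519.Sign(priv, payload)}
}

// VerifySigned checks the signature against the AS public key and the audience.
func VerifySigned(pub ed25519.PublicKey, expectedAud string, t SignedToken) (Claims, bool) {
	if !ed25519.Verify(pub, t.Payload, t.Sig) {
		return Claims{}, false
	}
	var c Claims
	if err := json.Unmarshal(t.Payload, &c); err != nil || c.Aud != expectedAud {
		return Claims{}, false
	}
	return c, true
}

// Scenario: the audience "sensors" is served by two resource servers, rs1 and
// rs2 (names are constructed for this example). rs2 is compromised or dishonest
// and tries to mint a token that rs1 will accept. It returns whether that
// forgery is accepted under MAC protection and under signature protection.
func Scenario() (macForgeryAccepted, sigForgeryAccepted bool, err error) {
	forged := Claims{Iss: "as", Aud: "sensors", Sub: "rs2-as-anyone", Scope: "write_all"}

	// Symmetric case: the AS shares one audience key with both rs1 and rs2.
	audienceKey := make([]byte, 32)
	if _, err = rand.Read(audienceKey); err != nil {
		return
	}
	// rs2 uses its copy of the key as a minting key ...
	forgedMAC := MintMAC(audienceKey, forged)
	// ... and rs1 cannot distinguish it from a token the AS issued.
	_, macForgeryAccepted = VerifyMAC(audienceKey, "sensors", forgedMAC)

	// Asymmetric case: rs1 and rs2 hold only the AS public key.
	asPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// rs2 has no AS private key; the best it can do is sign with a key of its own.
	_, rs2Priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	forgedSig := MintSigned(rs2Priv, forged)
	_, sigForgeryAccepted = VerifySigned(asPub, "sensors", forgedSig)
	return
}

func main() {
	mac, sig, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("forged MAC token accepted by rs1: %v\n", mac)    // true
	fmt.Printf("forged signed token accepted by rs1: %v\n", sig) // false
}
```

The same asymmetry applies to a direct key agreement (COSE_Encrypt0 with the RS's static key): it authenticates the token to one RS, but if several RSs share the audience key material, each of them can produce ciphertexts the others will accept. A signature by the AS is what lets an RS be sure the token came from the AS rather than from a peer in the same audience.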