Re: [Ace] Mail regarding draft-tiloca-ace-revoked-token-notification-00

Ludwig Seitz <ludwig.seitz@ri.se> Mon, 18 November 2019 02:15 UTC

To: Jim Schaad <ietf@augustcellars.com>, draft-tiloca-ace-revoked-token-notification@ietf.org
CC: ace@ietf.org
References: <002301d59d07$50df48c0$f29dda40$@augustcellars.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <5f2c5fdd-a845-531d-2709-34636e8c3575@ri.se>
Date: Mon, 18 Nov 2019 03:14:44 +0100
In-Reply-To: <002301d59d07$50df48c0$f29dda40$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/IPTv4BcDfiYAyXeUbTU9VPyj2Yg>
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>

On 17/11/2019 06:24, Jim Schaad wrote:
> If you use JSON to transport a token
> then it will be the raw bytes for a JWT, but it would be a base64url encoded
> value for a CWT.  This means that the hash might not get the correct answer.

The problem here is that the client wouldn't know the format of the 
token and would therefore not be able to retrieve the correct binary 
representation (I'm assuming both the RS and the AS would know).

I think the best solution is to define that the data getting hashed is 
to be the binary representation of what is in the 'access_token' 
parameter of the access token response, since that is what everyone (AS, 
Client, RS) sees.

For a CBOR transport that would just be the byte-string value of 
'access_token' as is, while for JSON transport this would be the binary 
representation of the String value of 'access_token', which would of 
course depend on the charset.


Side-note: Do we want/need to cater for such a weird corner-case? Who in 
their right mind would use JSON in a CoAP message?

/Ludwig


-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
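The following is an added example illustrating the point of the exchange above; it is not code from the draft, from the mail, or from any ACE implementation. It assumes SHA-256 as the hash (the page does not name the hash function), constructed placeholder bytes standing in for a CWT and a placeholder JWT string, and hypothetical helper names (`token_hash`, `json_response_param`, `cbor_response_param`, `naive_cwt_hash_over_json`). It shows the mismatch Jim describes (an RS hashing the decoded CWT bytes while the client hashes the base64url string it received over JSON) and the rule Ludwig proposes (hash the 'access_token' value exactly as it appears in the access token response, so the client never needs to know the token format).

```python
import base64
import hashlib
import json

# Constructed placeholder bytes standing in for an opaque CWT; not a real token.
CWT_BYTES = bytes.fromhex("d28443a10126a0") + b"constructed opaque CWT body"
# Constructed placeholder JWT in compact serialization; not a real signed token.
JWT_STRING = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJjbGllbnQxIn0.c2ln"


def b64url_nopad(data: bytes) -> str:
    """base64url without padding, as used for binary values in JSON transport."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def cbor_response_param(token: bytes) -> bytes:
    """Value of 'access_token' after decoding a CBOR response: a byte string
    handed to the application as raw bytes (assumption: CBOR byte string)."""
    return token


def json_response_param(token) -> str:
    """Value of 'access_token' after parsing a JSON response. A CWT has to be
    base64url-encoded to fit in a JSON string; a JWT is already a string."""
    value = b64url_nopad(token) if isinstance(token, bytes) else token
    # Round-trip through the JSON codec: this is what the client actually parses.
    return json.loads(json.dumps({"access_token": value}))["access_token"]


def token_hash(access_token_value, charset: str = "utf-8") -> bytes:
    """Proposed rule: hash the 'access_token' parameter as it appears in the
    access token response.
      - CBOR transport: the byte-string value, as is.
      - JSON transport: the bytes of the string value in the given charset.
    The client needs no knowledge of whether the token is a CWT or a JWT.
    SHA-256 is an assumption; the page does not name the hash function."""
    if isinstance(access_token_value, bytes):
        data = access_token_value
    elif isinstance(access_token_value, str):
        data = access_token_value.encode(charset)
    else:
        raise TypeError("access_token must be a CBOR byte string or a JSON string")
    return hashlib.sha256(data).digest()


def naive_cwt_hash_over_json(value: str) -> bytes:
    """The pitfall from the thread: an RS that knows the token is a CWT and
    hashes the *decoded* bytes, while the client (not knowing the format)
    hashes the JSON string it received. The two digests will not match."""
    padded = value + "=" * (-len(value) % 4)
    return hashlib.sha256(base64.urlsafe_b64decode(padded)).digest()


def demo() -> dict:
    """Return the digests each party computes for the same CWT and JWT under
    both transports, plus whether the naive RS and the client would agree."""
    json_cwt_value = json_response_param(CWT_BYTES)
    return {
        "cbor_cwt": token_hash(cbor_response_param(CWT_BYTES)).hex(),
        "json_cwt_client": token_hash(json_cwt_value).hex(),
        "json_cwt_naive_rs": naive_cwt_hash_over_json(json_cwt_value).hex(),
        "json_jwt": token_hash(json_response_param(JWT_STRING)).hex(),
        # Under the proposed rule both sides hash the string; the naive RS does not.
        "naive_rs_agrees_with_client": (
            naive_cwt_hash_over_json(json_cwt_value) == token_hash(json_cwt_value)
        ),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

Two practical notes on the charset caveat in the mail: JSON exchanged between systems is UTF-8 (RFC 8259), and both base64url output and JWT compact serialization are pure ASCII, so for any token the string's bytes are the same under UTF-8 or ASCII; the charset only matters if an implementation re-encodes the string in something else before hashing. Note also that the same token yields different digests over CBOR and over JSON under this rule, which is fine as long as the AS issues the token over one transport and everyone hashes what that response carried.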