Re: [Ace] WGLC for draft-ietf-ace-oauth-params

Ludwig Seitz <ludwig.seitz@ri.se> Mon, 29 October 2018 14:45 UTC

Return-Path: <ludwig.seitz@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD31F130E29 for <ace@ietfa.amsl.com>; Mon, 29 Oct 2018 07:45:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dbi8w03Xn33U for <ace@ietfa.amsl.com>; Mon, 29 Oct 2018 07:45:05 -0700 (PDT)
Received: from smtp-out10.electric.net (smtp-out10.electric.net [185.38.180.36]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61A1112F18C for <ace@ietf.org>; Mon, 29 Oct 2018 07:45:05 -0700 (PDT)
Received: from 1gH8mq-000TC2-UX by out10a.electric.net with emc1-ok (Exim 4.90_1) (envelope-from <ludwig.seitz@ri.se>) id 1gH8mq-000TDK-VR for ace@ietf.org; Mon, 29 Oct 2018 07:45:00 -0700
Received: by emcmailer; Mon, 29 Oct 2018 07:45:00 -0700
Received: from [194.218.146.197] (helo=sp-mail-2.sp.se) by out10a.electric.net with esmtps (TLSv1.2:ECDHE-RSA-AES128-SHA256:128) (Exim 4.90_1) (envelope-from <ludwig.seitz@ri.se>) id 1gH8mq-000TC2-UX for ace@ietf.org; Mon, 29 Oct 2018 07:45:00 -0700
Received: from [192.168.0.166] (10.116.0.226) by sp-mail-2.sp.se (10.100.0.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1531.3; Mon, 29 Oct 2018 15:45:00 +0100
To: <ace@ietf.org>
References: <065d01d45f4e$bc227690$346763b0$@augustcellars.com> <SN6PR00MB0301ABCD934F20361EB6A02DF5F60@SN6PR00MB0301.namprd00.prod.outlook.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <8b5d13a3-6d04-650e-0f05-d72d33937d50@ri.se>
Date: Mon, 29 Oct 2018 15:44:59 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <SN6PR00MB0301ABCD934F20361EB6A02DF5F60@SN6PR00MB0301.namprd00.prod.outlook.com>
Content-Type: text/plain; charset="windows-1252"; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [10.116.0.226]
X-ClientProxiedBy: sp-mail-3.sp.se (10.100.0.163) To sp-mail-2.sp.se (10.100.0.162)
X-Outbound-IP: 194.218.146.197
X-Env-From: ludwig.seitz@ri.se
X-Proto: esmtps
X-Revdns:
X-HELO: sp-mail-2.sp.se
X-TLS: TLSv1.2:ECDHE-RSA-AES128-SHA256:128
X-Authenticated_ID:
X-Virus-Status: Scanned by VirusSMART (c)
X-Virus-Status: Scanned by VirusSMART (s)
X-PolicySMART: 14510320
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/P2kzG5xjBYiVikowUiP9WU_bnCQ>
Subject: Re: [Ace] WGLC for draft-ietf-ace-oauth-params
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Oct 2018 14:45:09 -0000

On 24/10/2018 22:49, Mike Jones wrote:
> 3.1, 3.2, and 4.1, parameter definitions: None of these parameter 
> definitions specify the syntax of the parameters defined, making 
> understanding these quite confusing.  Yes, this is talked about later in 
> the doc but there are not even forward references to where the 
> definitions are completed in most cases.  Please fully specify the 
> parameters when they are defined.
> 
> 3.1 req_aud: Doesn’t this duplicate the “resource” parameter defined by 
> https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-01?  If 
> so, please delete this parameter.  If not, say how it is different and 
> why the differences are necessary.
> 
> 5 cnf in the introspection response: Which token is being referred to by 
> the phrase “bound to the token”.  The access token?  The refresh token?  
> Another kind of token?  Please make this more specific.
> 
> 6 CBOR Mappings.  The table contains the magic numbers 8, 17, 18, and 
> 19.  From what space are these numbers being allocated and what registry 
> are they in?  Per my earlier reviews of the ace-authz spec, I believe 
> that the ACE OAuth parameters should all be registered in the CWT Claims 
> registry because of the possibility of them being used in signed 
> requests in a manner analogous to 
> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-17.  The parameters 
> need to be registered to avoid claim number conflicts.
> 
> Missing Examples:  The best thing you could do to help developers 
> understand what these values are and how they use them is to add 
> examples, just as was done in RFC 7800.  Please add examples of each of 
> the parameters using the JSON representations of them.  Optionally, also 
> add CBOR examples if you believe that they will convey important 
> information to developers that the JSON example’s don’t.
> 
>                                                            Thank you,
> 
>                                                            -- Mike

Hello Mike,

thank you for your review. I've added issues to the tracker here:
https://github.com/ace-wg/ace-oauth-params
and will address your comments.

/Ludwig

-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51