Re: [Ace] Missing Introspection parameter in draft-ietf-ace-oauth-authz

Ludwig Seitz <ludwig.seitz@combitech.com> Wed, 25 August 2021 06:02 UTC

From: Ludwig Seitz <ludwig.seitz@combitech.com>
To: "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] Missing Introspection parameter in draft-ietf-ace-oauth-authz
Date: Wed, 25 Aug 2021 06:01:56 +0000
Message-ID: <AM0PR0302MB3363A17E0B2F53DA9E82D21E9EC69@AM0PR0302MB3363.eurprd03.prod.outlook.com>
References: <AM0PR0302MB336360E5A74D2141173E03B49EFE9@AM0PR0302MB3363.eurprd03.prod.outlook.com> <CADZyTkmHfBAveX0DSJtdLQ2-wF_6XuULZe_w_OfAaiemgXu63g@mail.gmail.com>
In-Reply-To: <CADZyTkmHfBAveX0DSJtdLQ2-wF_6XuULZe_w_OfAaiemgXu63g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/QoGn4H_JTsNKWa4hi_DlnODGFR0>

Hello ACE,

Since I haven’t heard an objection, I will go forward and add this to the draft.

Regards,

Ludwig

From: Daniel Migault <mglt.ietf@gmail.com>
Sent: 17 August 2021 17:25
To: Ludwig Seitz <ludwig.seitz@combitech.com>
Cc: ace@ietf.org
Subject: Re: [Ace] Missing Introspection parameter in draft-ietf-ace-oauth-authz

Thanks Ludwig for raising the question. If anyone has an objection, please express your concern by August 24. Expressing support is also more than welcome!

Yours,
Daniel

On Tue, Aug 17, 2021 at 10:24 AM Ludwig Seitz <ludwig.seitz@combitech.com> wrote:
Hello ACE,

I want to raise one issue for group comments that has come up in conjunction with fixing the IANA nits for draft-ietf-ace-oauth-authz:
In figure 16 we define mappings from OAuth Token introspection parameters to CBOR abbreviations. These parameters (should) correspond to the claims that could be found in e.g., a CWT.
CWT renamed one token claim, namely 'jti' (JWT ID), to 'cti' (CWT ID). However, this is not reflected in the registered Introspection parameters (https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-introspection-response), where only 'jti' is registered. This was overlooked when we originally defined the mappings in figure 16.

I would therefore put the following question to the group:

Does anyone object to this draft adding 'cti' as an OAuth introspection parameter?

The corresponding text would go into the list of additional parameters in section 5.9.2 and be something along the lines of:
"cti  OPTIONAL.  The CWT ID parameter has the same meaning and processing rules as the "jti" parameter defined in section 3.1.2. of [RFC 7662] except that the value is a byte string. "

Regards,

Ludwig

--
Ludwig Seitz
Infrastructure Security Analyst
Combitech AB
Djäknegatan 31 . SE-211 35 Malmö . Sweden
Phone: +46 102 160 846
ludwig.seitz@combitech.com . combitech.com




--
Daniel Migault
Ericsson
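The 'cti' versus 'jti' distinction discussed in the thread above, as an added example that is not part of the thread or of draft-ietf-ace-oauth-authz: RFC 7662 introspection responses are JSON, so 'jti' travels as a text string, whereas the ACE CBOR mapping carries 'cti' as a CBOR byte string (major type 2), matching the CWT 'cti' claim. The CBOR abbreviations used here (cti = 7, active = 10) are assumed values standing in for the draft's Figure 16 table; the minimal CBOR encoder and the `token_id` helper are written for this example.

```python
import json

CTI_KEY = 7      # assumed CBOR abbreviation for 'cti' (stand-in for Figure 16)
ACTIVE_KEY = 10  # assumed CBOR abbreviation for 'active'

def _head(major, n):
    # Initial byte(s) of a CBOR item: 3-bit major type plus argument n (n < 2**32).
    if n < 24:
        return bytes([(major << 5) | n])
    size = 1 if n < 256 else 2 if n < 65536 else 4
    return bytes([(major << 5) | {1: 24, 2: 25, 4: 26}[size]]) + n.to_bytes(size, "big")

def cbor_encode(v):
    """Minimal CBOR encoder for the value types an introspection response uses."""
    if isinstance(v, bool):           # bool before int: bool is an int subclass
        return b"\xf5" if v else b"\xf4"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):          # major type 2: byte string (what 'cti' carries)
        return _head(2, len(v)) + v
    if isinstance(v, str):            # major type 3: text string
        s = v.encode("utf-8")
        return _head(3, len(s)) + s
    if isinstance(v, dict):           # major type 5: map with integer keys
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError("unsupported type %r" % type(v))

def cbor_introspection_response(active, cti):
    """ACE-style (CBOR) response: 'cti' must be a byte string, as in the CWT claim."""
    if not isinstance(cti, bytes):
        raise TypeError("cti must be a byte string")
    return cbor_encode({ACTIVE_KEY: active, CTI_KEY: cti})

def json_introspection_response(active, jti):
    """RFC 7662 (JSON) response: 'jti' is a JSON string."""
    if not isinstance(jti, str):
        raise TypeError("jti must be a text string")
    return json.dumps({"active": active, "jti": jti}).encode("utf-8")

def token_id(resp):
    """Token identifier from a decoded response, enforcing the type each encoding prescribes."""
    if "jti" in resp:
        if not isinstance(resp["jti"], str):
            raise TypeError("jti must be a text string")
        return ("jti", resp["jti"])
    if CTI_KEY in resp:
        if not isinstance(resp[CTI_KEY], bytes):
            raise TypeError("cti must be a byte string")
        return ("cti", resp[CTI_KEY])
    return None
```

The identifier returned by `token_id` is what a resource server would key a replay or revocation cache on, which is the "same processing rules as jti" part of the proposed text; only the wire type differs.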