Re: [Ace] WGLC for draft-ietf-ace-oauth-params

Ludwig Seitz <> Tue, 23 October 2018 07:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 121AB130EBC; Tue, 23 Oct 2018 00:50:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ML7aYqEGxrn2; Tue, 23 Oct 2018 00:50:02 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8E4D5130DDB; Tue, 23 Oct 2018 00:50:01 -0700 (PDT)
Received: from 1gErRv-000jli-TH by with emc1-ok (Exim 4.90_1) (envelope-from <>) id 1gErRv-000jml-V7; Tue, 23 Oct 2018 00:49:59 -0700
Received: by emcmailer; Tue, 23 Oct 2018 00:49:59 -0700
Received: from [] ( by with esmtps (TLSv1.2:ECDHE-RSA-AES128-SHA256:128) (Exim 4.90_1) (envelope-from <>) id 1gErRv-000jli-TH; Tue, 23 Oct 2018 00:49:59 -0700
Received: from [] ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1531.3; Tue, 23 Oct 2018 09:49:58 +0200
To: Jim Schaad <>, <>, <>
References: <065d01d45f4e$bc227690$346763b0$> <028f01d46a3a$c04bfd80$40e3f880$>
From: Ludwig Seitz <>
Message-ID: <>
Date: Tue, 23 Oct 2018 09:49:58 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
In-Reply-To: <028f01d46a3a$c04bfd80$40e3f880$>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Originating-IP: []
X-ClientProxiedBy: ( To (
X-Proto: esmtps
X-TLS: TLSv1.2:ECDHE-RSA-AES128-SHA256:128
X-Virus-Status: Scanned by VirusSMART (c)
X-Virus-Status: Scanned by VirusSMART (s)
X-PolicySMART: 14510320
Archived-At: <>
Subject: Re: [Ace] WGLC for draft-ietf-ace-oauth-params
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 23 Oct 2018 07:50:05 -0000

On 22/10/2018 21:09, Jim Schaad wrote:
> Here are my WGLC comments:
> *  I am not sure that I understand what the protocol flow is when JAR is
> being used.  Is there a potential case where a JWT would be used as the
> structure of an OAuth response?  If so then is there a problem with defining
> cnf in section 4.1?

I wouldn't think so, all the other possible parameters in the 
introspection response are defined to be the claims of the token in RFC 
7662, cnf is a claim of the token, so I don't see why it shouldn't go 
unchanged into the introspection response.
> * We need to have a OAuth CBOR integer mapping registry - the items in
> section 6 need to be registered into that registry.

That was an oversight. Issue created.

> * Review - is the 'cnf' parameter in section 3.2 ok with the OAuth group or
> does it need to be renamed as well?

I don't see how this could collide with another meaning. The AS is 
responding with the token and additional information about the token 
here. This parameter was called 'key' in 
draft-ietf-oauth-pop-key-distribution, which felt more phrone to 
misunderstandings to me ("what key?").

> * Check that cnf in 4.1 is going to be ok with
> draft-ietf-oauth-jwt-introspection-response

If I understood it correctly draft only proposes to replace the whole 
introspection response with a JWT. I don't see why this shouldn't work 
with a CWT as well. No additional data but the JWT/CWT would be sent in 
the introspection response, so there should not be any issue with the 
cnf claim here.

Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51