Re: [Ace] [EXTERNAL] Francesca Palombini's Discuss on draft-ietf-ace-oauth-authz-38: (with DISCUSS and COMMENT)

Francesca Palombini <francesca.palombini@ericsson.com> Thu, 25 March 2021 13:53 UTC

Return-Path: <francesca.palombini@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED8BE3A21D4; Thu, 25 Mar 2021 06:53:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.352
X-Spam-Level:
X-Spam-Status: No, score=-2.352 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.251, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZGKQbX1UlB9J; Thu, 25 Mar 2021 06:53:09 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80049.outbound.protection.outlook.com [40.107.8.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01E543A21D3; Thu, 25 Mar 2021 06:53:08 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HriR2HxULS9pS8PxZzm6omVwGJ2snye3l7EXbzqgoxWL1tPMGwKQECBUnsOb0/Rud0KyX+bPeDWrSV2IWYyC6W46Dvjl1AgZ6IH8Y4qLpu4+QtH1UiV32kZQZr0xETo3nfkH9603b9vqP7FH1NtX8crivT+8AbmFZ1hwlluw0NMoIKtsLyiqAAH020HZ/UTZrL5dLCuObOjdaJ6RXQP1xlCN/9Rl8iaTni1BgDveszYZeXSdVXq+CPZVoG2y3ORRoLcjijm3DlGTz3jGrP0gEc6W19wF8WHwMbext5lymNgrnjozBd7VcFhYUiJrrlqaxiua8O7aQBhVrjAcuiFphg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1ez5SAgoSD2HPqb8w46dGIXIXgwY1Byhs/1/Fy589p0=; b=RPmod6+xC3Au+nClPR89Ul392TdfE01xRAQsmvYbkRuTHEdE/5ECgc7MFaGYHkAELrJ+j4FaqI8zWRWCXDhwq104MBcsCz3+bTdSG2pESLzdPzNNOwoUggzhrRzYodyxrQogOyaUuwwIQV1keVlCkefM7T5+bsjeVS7LuwZNj2QNmcoUOZ61rEIwen2kgvueSclnAUKOtx8X+eUMU26ahb/GBsCCgDAxblkkr0gsg/m+NnjuwPA1c2T5gy1WMZ9Rlz1bjh1iDTIXSJ9T1H07d/g/0Dl0xQoWxvMgLu0e60/yYC4RRMhvCnjVHxkoGLbuCkAiXDrBhkHLh5nVsTegpg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1ez5SAgoSD2HPqb8w46dGIXIXgwY1Byhs/1/Fy589p0=; b=IWh/5QJy4OFRBsH0ccb0DqTBVfOETbtifBHqy3bQQ0XcFEA2BGeeDbWYFUTlNB16TmNRcXhyv4bYUk096dpfEmaTJ8B/PpFa0nIVw73YMal0W6Zmv77aEXlxuwujKC0rGKxUrXC4vmOkLK0N7hZ6MihQc0FeeMorXE8YFHwA4RE=
Received: from HE1PR07MB4217.eurprd07.prod.outlook.com (2603:10a6:7:96::33) by HE1PR07MB3228.eurprd07.prod.outlook.com (2603:10a6:7:37::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3977.16; Thu, 25 Mar 2021 13:53:05 +0000
Received: from HE1PR07MB4217.eurprd07.prod.outlook.com ([fe80::e922:5ae8:48bb:b796]) by HE1PR07MB4217.eurprd07.prod.outlook.com ([fe80::e922:5ae8:48bb:b796%3]) with mapi id 15.20.3977.024; Thu, 25 Mar 2021 13:53:05 +0000
From: Francesca Palombini <francesca.palombini@ericsson.com>
To: Seitz Ludwig <ludwig.seitz@combitech.se>, The IESG <iesg@ietf.org>
CC: "art-ads@ietf.org" <art-ads@ietf.org>, "ace-chairs@ietf.org" <ace-chairs@ietf.org>, "draft-ietf-ace-oauth-authz@ietf.org" <draft-ietf-ace-oauth-authz@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [EXTERNAL] [Ace] Francesca Palombini's Discuss on draft-ietf-ace-oauth-authz-38: (with DISCUSS and COMMENT)
Thread-Index: AQHXILzzVZOkJ2C2XkOPQBkiqfeG0KqUVU4AgAB2VYA=
Date: Thu, 25 Mar 2021 13:53:05 +0000
Message-ID: <C4B30675-2945-4295-A24A-803219F04C08@ericsson.com>
References: <161659738410.3239.3955409176349739508@ietfa.amsl.com> <fd47667ea52e432e947a35a886157865@combitech.se>
In-Reply-To: <fd47667ea52e432e947a35a886157865@combitech.se>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.47.21031401
authentication-results: combitech.se; dkim=none (message not signed) header.d=none;combitech.se; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [2001:1ba8:147a:c100:c0fd:b92b:926e:4d77]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8e164dd2-9eb5-42e6-16e1-08d8ef9550be
x-ms-traffictypediagnostic: HE1PR07MB3228:
x-microsoft-antispam-prvs: <HE1PR07MB32286DF18506F2251393220298629@HE1PR07MB3228.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: VZeGkQB+p4bcBaDG60YAg+PbssGAR8nURDd233YJOghh7X8R5f0/ZXAUturoFC1GzoUBZJX5eO2JV9HotUb8vM9GeBjqpOPJeRHHWaM3zbN7e7ZVdNo5WWhtF7XZFg6mmFcEJpT+CbDbTqxRJo2Ju/1fGo/RS3SjVHR3I6Vr3IaznKNyDyJ/EIUHdP+d6cjrN3KR11TSQm2qYLxOu7txhk6USfPRs5u3jP8lN/NRH5FrT1q6gop5mGcH+BeRmz69u2Y4TTaBT+smsmQHzLeqx0H+QLEjIPtD5xv1d0csW8N6MZjgMgKI0hvlOOOwUYE3v65g4oB0K6KP3WDLBcFq21g4fYg1vGbVGeG4MVeORaswXzKmsWE5A7NGqECoBgdK0Hw9s20uAFoXE9KlEYayjZnQQeFmO8Q2/yfmaxKLZ6mGrHihtcMXUtKr1yr3lPIQ5arEXZTgYAKNx3U4c9ESoTlB75M1YEX74rhHBeZcocwydIqjVWJdjHjcaiX+Fy/a4Cg2zmvvY+fVspnmyobjFs+Z2zqEb71igCNGKj0sXHGdW1lDapPU1BS1P+UWufDK+617ccjIiO5nBX3o5/Cq5q6Yj7CFWY6gCBI9pAGQ8QyvVBeCjBENOSjeW6ZF5m4FJvFwUAxT2IfFx2SRqi9Wkf7JLL3/EV6qOCxshXe2bEw/m4GVLiDmtjg3FFE5SjFeFW88wAKwzOtP6G186pjQSqosumW2PGkEHVkM79cV+jTwYcQuWBcDlOOFbkvsS6MG8BFyEzSwzTd608QDfZCV7A==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR07MB4217.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(346002)(396003)(136003)(376002)(39860400002)(5660300002)(66476007)(36756003)(66446008)(2906002)(6512007)(76116006)(966005)(478600001)(110136005)(66556008)(6486002)(64756008)(66946007)(38100700001)(44832011)(83380400001)(54906003)(316002)(30864003)(86362001)(53546011)(8936002)(33656002)(186003)(71200400001)(8676002)(6506007)(2616005)(4326008)(45980500001)(559001)(579004); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?utf-8?B?bHJwVTArdndJTmxHUHdFUmdFOUxzblR3SDBaTFFuekY3TVhHYzhIcUs1UElC?= =?utf-8?B?TmtXOW5oQXJleVg4V1g2MDVZQmp5OTg5dzAyRi9rT21FTGZHS2VDVDlyNkRx?= =?utf-8?B?OTZpSnlYelpCK2ZaVXo5WEpRVm5OcnZ4WTREYWhHamw1VWsvSzdBOUJXQUxG?= =?utf-8?B?TDlRdmRkSkMzV282MmRTNjA0VEtjbmNpUGdVSHdGVEdqVU04UXQwaG1DNjA5?= =?utf-8?B?YXBzTFJ4MVlrYUx6WlBYL2k2OWdnVGxqd3BteE41WGZHdjBScWt0M2tPTUJP?= =?utf-8?B?cEtibWlVeXRSODBMaTgwZjBwQWZBRGJFYVI0NGthdWhPUlIvd2xFV0hCbGg2?= =?utf-8?B?Q1JzT3R4c00zMENQbzY0bUxIbktHOEFESUVGM3RadlNUOGZ0VWR2dWdXSFZ6?= =?utf-8?B?QlBGOGx6TjU3YU5WYzlTZUJYS0hoNEJyYnlxRTdreGFQVDBXZ2g2YXd4dHFY?= =?utf-8?B?TnozWVROdXYyNHpzdHhETnBxK0VXd2c2RjlhbHphVElIcHNFTEZ4U1MrdnBV?= =?utf-8?B?Wk9oeWZsY0taRks5c1pXQmo1eStvdnJuNlBmcW9FVTBGZHgyVHQreUR4cWR0?= =?utf-8?B?RHRBbFV2TytSU1hWeCtPMkltSkRBVGJCRlU5MW1iU3F5ay9CbzB2UkRMQnhl?= =?utf-8?B?NE9WeUw1SmJmV2lTVkRSTE9NK3pIcUkra1JvejdTeXdmWmxYbmh2cG1IeTBE?= =?utf-8?B?bmkrejJEQTdwcjZKM0krdm40TmVRWUJxZTl0eVBXcXhTMFh5MlZRdVhlZXND?= =?utf-8?B?VUZYOXlmNzZXbjdQSGRhRXZUNVpmNlhyYVU2WEhEL1dlUHgrV2RLK1BhSWd3?= =?utf-8?B?a0JDMjFQRDJmc3hCTkM5NUxMclpjeUNXc3RkS3l4MWZaSk4yN1ZycWpBcnhY?= =?utf-8?B?NVlKNWMza21yWkdPNk5ITU1YRHpZUitKSFlMOEJoMFFudkpncjE1VDFtSWtO?= =?utf-8?B?aW4xcEx4cmE0M1dGNUF1SXJBcXU3TzZSUFV5OGw1bjdkcllBVUxNMGtPTUFV?= =?utf-8?B?clBkdm9DN1VsN1FXTndoSVhiS2drei9EYzVHdjVSNHpTMXV2WUY0NTZNbjI1?= =?utf-8?B?L0JwSkpPKzAxYVQ0aUVwRkNSZ3pqNml6YzRUMXVKMG4zSENnQ0NQZ29IUnpS?= =?utf-8?B?bWxhSEJnMkM0eXBmMEt2MHhnb21qZGRqZmZaVzB2bkl3djlMOVlvTWJxMUxW?= =?utf-8?B?ajBjQ01kMDJQR0l0RjBYeC8xZmFraXpXc29OWi9jWnNKanQyMTBmYkUyKzNu?= =?utf-8?B?ZVRFd3BMTDF4SHBWL0xhdFQ2OE9ueWN0OXJjUkVjU2hjazlOWktya0xHQ0s0?= =?utf-8?B?NlRNOG5uRE5nQ0lWRmRpNXBpa0VhUUFSN1NKV3M3R1hCNGNxY3VPZDNzSzl5?= =?utf-8?B?SFI2TnZuZEpIbEdQL3F1MVhJb3NzSEppWDU0bEIrQ2ZFaktyUnpicFNFNERW?= =?utf-8?B?ZXlpa1ZGeEgvdmhKSzVwTkxJVGhaTzNlbmNHSDVDYmJiN2pRbnduMVBtMTJs?= =?utf-8?B?NlpFQUlrTkNkVWlZL3JodGpOaEFja3hTU2JQTC9ycjBtc3JrNTBwYzBpWkFR?= =?utf-8?B?L2cvZlVhU05SQkVLdGdPM05QSUxvS2xqcHY5Y2I4VHNBNFdEejZGVWE0VlB0?= =?utf-8?B?UDdSYVBaeENnTnA4UlRpaXpxMFRabzFWZ1BGUmhOeFBCbXlyeXZZNEsyNEkr?= =?utf-8?B?MHlaOS9EaVJzek5jc2tqRjRHRlN4VGdoYnZHRnd1M3J5U050eE1PZ1ZYVm9D?= =?utf-8?B?UmtUYm9rNWFTMTZHU3FqMUt1bTJOcmcyT0xnRjlLM1RUY1UzUXdIdS8vK1py?= =?utf-8?B?UlpUdGVlVnN2T21LdDVBMUlaNnNMbjBjS2hFeElkS1VCUjk1cDdwQTBEK2VD?= =?utf-8?B?dnA2MzRwY21GZlZ1RVJqdHIrUExSWDZTdGhnNUZLT2ZjY2c9PQ==?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <98AE9F9D657A334198764B0D9CD5FBDC@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR07MB4217.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8e164dd2-9eb5-42e6-16e1-08d8ef9550be
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Mar 2021 13:53:05.5066 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: +Y1myDJJZzzqNh/8/THodzBAVQJWdUdLRlcOib4JeAgt+nOIrS7pLE0GQ9jshCck07vvHt52QU2SKGiL29Y7ppAn8EaIy9MyJIDWpGRZbjWPCVe9jDw3D6AX2C1C9Abb
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3228
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Sfn909AG2Zxb4iayJIIeRun1b7w>
Subject: Re: [Ace] [EXTERNAL] Francesca Palombini's Discuss on draft-ietf-ace-oauth-authz-38: (with DISCUSS and COMMENT)
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2021 13:53:15 -0000

Ludwig,

Thank you for the quick reply, and for the useful background information.

As I said, I think this document is important and should move forward asap, and it can do so without changing the main assumptions, with some additional clarifications in the text about CBOR vs "other" when HTTP is used (which in my opinions are necessary - see points 1, 8, 10, 11, 13, 15, 17, 22, 23, 26, 28).

What I wanted to highlight is that it would simplify the document a lot to just remove this flexibility, for which I don't understand the motivation, and say "CBOR is mandatory" even when HTTP is used. The flexibility could be added in a future document if needed. However, I understand that there is history in the working group, and I will step back and remove my DISCUSS if I am in the rough. Note however that in terms of work on the document I suspect that keeping this flexibility will require more work, not less.

Looking forward to discussing this with Ben during the telechat.
Francesca

On 25/03/2021, 08:50, "iesg on behalf of Seitz Ludwig" <iesg-bounces@ietf.org on behalf of ludwig.seitz@combitech.se> wrote:

    Hello Francesca,

    Thank you for your review. I will address your detailed comments separately, with regards to your DISCUSS:

    The option to allow both HTTP and JSON for any leg of the communication (client-AS, rs-AS, client-rs) was the result of long discussions in the WG. If I recall correctly the intent was to allow legacy OAuth 2.0 equipment (i.e. not supporting ACE) to be used in ACE interactions on those legs of the communication where no constrained devices are involved.
    I am reluctant to reopen these discussions at this point in time, and I suspect doing the necessary analysis to provide in-depth considerations on the choices between HTTP/CoAP and JSON/CBOR will significantly delay the progress of this document.

    @ace-chairs: What is your suggestion on how to best handle this?
    (Please note that I am unable to commit significant amounts of time to this work in the foreseeable future)

    Regards,

    Ludwig


    > -----Original Message-----
    > From: Ace <ace-bounces@ietf.org> On Behalf Of Francesca Palombini via
    > Datatracker
    > Sent: den 24 mars 2021 15:50
    > To: The IESG <iesg@ietf.org>
    > Cc: art-ads@ietf.org; ace-chairs@ietf.org; draft-ietf-ace-oauth-
    > authz@ietf.org; ace@ietf.org
    > Subject: [EXTERNAL] [Ace] Francesca Palombini's Discuss on draft-ietf-ace-
    > oauth-authz-38: (with DISCUSS and COMMENT)
    > 
    > Francesca Palombini has entered the following ballot position for
    > draft-ietf-ace-oauth-authz-38: Discuss
    > 
    > When responding, please keep the subject line intact and reply to all email
    > addresses included in the To and CC lines. (Feel free to cut this introductory
    > paragraph, however.)
    > 
    > 
    > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
    > for more information about IESG DISCUSS and COMMENT positions.
    > 
    > 
    > The document, along with other ballot positions, can be found here:
    > https://datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz/
    > 
    > 
    > 
    > ----------------------------------------------------------------------
    > DISCUSS:
    > ----------------------------------------------------------------------
    > 
    > Thank you for this document. I think this is an important document which
    > should move forward, but I would like to discuss some points before it does
    > so. These might result in simple clarifications, or might require more
    > discussion, but I do hope they help improve the document.
    > 
    > General comments:
    > 
    > I found confusing to understand how optional or mandatory is the use of
    > CBOR for profiles of this specification compared to the transport used. I
    > understand the need for flexibility, but maybe it should be clarified the
    > implication of using CoAP (is CBOR mandatory then?) vs HTTP (is CBOR always
    > permitted? How is the encoding in that case? Is the same media type
    > application/ace+cbor used in that case?). Note also that while requests
    > include the content type to use, both in case HTTP or CoAP+CBOR are used,
    > the response don't seem to include this information.
    > 
    > I would like it to be clarified what requirements (or even just
    > recommendations) are there to use CoAP vs HTTP for different legs of the
    > exchange - not necessarily remove the flexibility but to clarify for
    > implementers what can be done and what would be the reasoning to do
    > that: for example if both endpoints support HTTP with the AS, most likely you
    > can have HTTP between C and RS, so does it really make sense to run this
    > instead of OAuth 2.0? Right now all is permitted, but does it all make sense? I
    > feel like this type of considerations are missing. As a note - I am not sure
    > what allowing a different encoding than CBOR for any leg of the exchange
    > adds to the specification - it makes things more confusing, and if needed it
    > could be specified in another document.
    > 
    > While going through and thinking about encodings (assuming we keep the
    > doc as is with regards to allowing more than just CBOR), I wondered if it
    > would be better to define a new media type to use when the ACE
    > framework is used with HTTP, to differentiate from OAuth 2.0, since some of
    > the endpoints used are the same (/token and /introspect at the AS). I am
    > interested to hear more from my co-AD as well if this would be an OK use of
    > a new media type - I am thinking of the case where AS is supporting both
    > OAuth 2.0 and the Ace framework - or if it is unnecessary, since the
    > encodings are the same, and the parameters are registered in OAuth 2.0
    > registry.
    > 
    > More detailed comments below.
    > Francesca
    > 
    > 
    > ----------------------------------------------------------------------
    > COMMENT:
    > ----------------------------------------------------------------------
    > 
    > Detailed comments:
    > 
    > 1. -----
    > 
    >    sufficiently compact.  CBOR is a binary encoding designed for small
    >    code and message size, which may be used for encoding of self
    >    contained tokens, and also for encoding payloads transferred in
    >    protocol messages.
    > 
    > FP: "may be used" make it seem as if CBOR is always optional (even when
    > CoAP is used). See points 11. and 13. for examples of text that seem to imply
    > that CBOR is mandatory in some cases.
    > 
    > 2. -----
    > 
    >       Refresh tokens are issued to the client by the authorization
    >       server and are used to obtain a new access token when the current
    >       access token becomes invalid or expires, or to obtain additional
    > 
    > FP: token validity - it is not clear what it means for a token to become invalid
    > (vs expiring). As this is the first time it is mentioned, it should be explained
    > here or referenced.
    > 
    > 3. -----
    > 
    >          An asymmetric key pair is generated on the token's recipient
    >          and the public key is sent to the AS (if it does not already
    > 
    >           inside the token and sent back to the requesting party.  The
    >          consumer of the token can identify the public key from the
    > 
    >  FP: "token's recipient" and "consumer of the token" - why not talk about
    > client and resource server here? It would fit better with the terminology
    > used  in the rest of the document.
    > 
    >  4. -----
    > 
    >     This framework RECOMMENDS the use of CoAP as replacement for HTTP
    > for
    >    use in constrained environments.  For communication security this
    > 
    > FP: This was already stated in the introduction in the following sentence:
    > 
    >    of processing capabilities, available memory, etc.  For web
    >    applications on constrained nodes, this specification RECOMMENDS the
    >    use of the Constrained Application Protocol (CoAP) [RFC7252] as
    >    replacement for HTTP.
    > 
    > Not sure repeating is useful.
    > 
    > 5. -----
    > 
    >    OAuth 2.0 (such as [RFC7521] and [RFC8628]).  What grant types works
    >    best depends on the usage scenario and [RFC7744] describes many
    >    different IoT use cases but there are two preferred grant types,
    >    namely the Authorization Code Grant (described in Section 4.1 of
    > 
    > FP: nit: s/works/work . I think "preferred" is probably not the right term
    > here, and should be rephrased or clarified - preferred respect to?
    > 
    > 6. -----
    > 
    >       In addition to the response parameters defined by OAuth 2.0 and
    >       the PoP access token extension, this framework defines parameters
    >       that can be used to inform the client about capabilities of the
    >       RS, e.g. the profiles the RS supports.  More information about
    > 
    > FP: I believe this is a leftover from a previous version of the document, but
    > should be "profile" and not "profiles" as the AS is only allowed to
    > communicate one profile to the client and RS - see for example the following
    > sentences:
    > 
    >       The Client and the RS mutually authenticate using the security
    >       protocol specified in the profile (see step B) and the keys
    > 
    >       The AS informs the client of the selected profile using the
    >       "ace_profile" parameter in the token response.
    > 
    > 7. -----
    > 
    >          (1) the client sends the access token containing, or
    >          referencing, the authorization information to the RS, that may
    >          be used for subsequent resource requests by the client, and
    > 
    > FP: s/may/will
    > 
    > 8. -----
    > 
    >       While the structure and encoding of the access token varies
    >       throughout deployments, a standardized format has been defined
    >       with the JSON Web Token (JWT) [RFC7519] where claims are encoded
    >       as a JSON object.  In [RFC8392], an equivalent format using CBOR
    >       encoding (CWT) has been defined.
    > 
    > FP: Would it make sense to RECOMMEND the use of JWT when HTTP is used?
    > Or is CWT always RECOMMENDED?
    > 
    > 9. -----
    > 
    >    parameters.  When profiles of this framework use CoAP instead, it is
    >    REQUIRED to use of the following alternative instead of Uri-query
    >    parameters: The sender (client or RS) encodes the parameters of its
    >    request as a CBOR map and submits that map as the payload of the POST
    >    request.
    > 
    > FP: I think it should be better defined (or at least hinted in this paragraph)
    > the mapping between the CBOR encoded parameters and the Uri-query
    > parameters:
    > are they all encoded as CBOR text strings?
    > 
    > 10. -----
    > 
    >    Applications that use this media type: The type is used by
    >    authorization servers, clients and resource servers that support the
    >    ACE framework as specified in [this document].
    > 
    > FP: I suggest adding "that support the ACE framework with CBOR encoding,
    > as specified ..."
    > 
    > 11. -----
    > 
    >    The OAuth 2.0 AS uses a JSON structure in the payload of its
    >    responses both to client and RS.  If CoAP is used, it is REQUIRED to
    >    use CBOR [RFC8949] instead of JSON.  Depending on the profile, the
    >    CBOR payload MAY be enclosed in a non-CBOR cryptographic wrapper.
    > 
    > FP: This sentence seems to add a requirement (when CoAP is used, then
    > CBOR must be used) only for communication from AS to C or RS. I could not
    > find in the rest of the specification the same type of requirement for the
    > other legs of communication (C to AS, RS to AS, C to RS). Please let me know
    > if I missed it.
    > 
    > 12. -----
    > 
    >    the AS authorization is not in scope for this document.  C may, e.g.,
    >    ask it's owner if this AS is authorized for this RS.  C may also use
    >    a mechanism that addresses both problems at once.
    > 
    > FP: nit - s/it's/its . Also "C may also use ... at once" such as? I think it would be
    > good to give an example here.
    > 
    > 13. -----
    > 
    >    valid access token.  The AS Request Creation Hints message is a CBOR
    >    map, with an OPTIONAL element "AS" specifying an absolute URI (see
    > 
    > FP: another case where CBOR seem mandatory.. Is this the case, even if
    > HTTP or other protocol is used?
    > 
    > 14. -----
    > 
    >       MUST discard the access token.  If this was an interaction with
    >       the authz-info endpoint the RS MUST also respond with an error
    >       message using a response code equivalent to the CoAP code 4.01
    >       (Unauthorized).
    > 
    > FP: This seems to imply that another endpoint could be used to receive an
    > access token. Is that the case, and if so where is this defined?
    > 
    > 15. -----
    > 
    > Section 5.8:
    > 
    >   If HTTPS is used, JSON or CBOR payloads may be supported.  If JSON
    >    payloads are used, the semantics of Section 4 of the OAuth 2.0
    >    specification MUST be followed (with additions as described below).
    > 
    > FP: I suggest to point to the specific subsection in OAuth - namely 4.1.3 and
    > 4.1.4
    > 
    > 16. -----
    > 
    >    If CBOR is used then these parameters MUST be provided as a CBOR map.
    > 
    > FP: s/as/in . I suggest to reference Figure 12.
    > 
    > 17. -----
    > 
    >    the HTTP request entity-body, as defined in section 3.2 of [RFC6749].
    > 
    > FP: Section 3.2 of OAuth 2.0 specifies:
    > 
    >    The endpoint URI MAY include an "application/x-www-form-urlencoded"
    >    formatted (per Appendix B) query component ([RFC3986] Section 3.4),
    >    which MUST be retained when adding additional query parameters.  The
    >    endpoint URI MUST NOT include a fragment component.
    > 
    > which explicitly specifies that the parameters are transported as query
    > components. I either suggest to change this reference to Appendix B of
    > RFC6749.
    > 
    > 18. -----
    > 
    >          "x" : b64'usWxHK2PmfnHKwXPS54m0kTcGJ90UiglWiGahtagnv8'
    > 
    > FP: noted here since this is the first time it appears, but same comment for
    > the rest of the document. I think it would make more sense to show
    > examples where CBOR byte strings are used instead of Base64.
    > 
    > 19. -----
    > 
    >    Figure 8 summarizes the parameters that can currently be part of the
    >    Access Information.  Future extensions may define additional
    >    parameters.
    > 
    > FP: This is useful! Why not having the same type of figure listing all
    > acceptable parameters for the request (section 5.8.1)?
    > 
    > 20. -----
    > 
    >    Header: Created (Code=2.01)
    >    Content-Format: "application/ace+cbor"
    >    Payload:
    >    {
    >      "access_token" : b64'SlAV32hkKG ...
    >       (remainder of CWT omitted for brevity;
    >       CWT contains COSE_Key in the "cnf" claim)',
    >      "ace_profile" : "coap_dtls",
    >      "expires_in" : "3600",
    >      "cnf" : {
    >        "COSE_Key" : {
    >          "kty" : "Symmetric",
    >          "kid" : b64'39Gqlw',
    >          "k" : b64'hJtXhkV8FJG+Onbc6mxCcQh'
    >        }
    >      }
    >    }
    > 
    >        Figure 9: Example AS response with an access token bound to a
    >                               symmetric key.
    > 
    > FP: Section 3.1 states:
    > 
    >       Symmetric PoP key:
    >          The AS generates a random symmetric PoP key.  The key is either
    >          stored to be returned on introspection calls or encrypted and
    >          included in the token.  The PoP key is also encrypted for the
    >          token recipient and sent to the recipient together with the
    >          token.
    > 
    > But in the example the key is not encrypted.
    > 
    > 21. -----
    > 
    >    o  When using CBOR the raw payload before being processed by the
    >       communication security protocol MUST be encoded as a CBOR map.
    > 
    > FP: I don't understand "before being processed by the communication
    > security protocol"
    > 
    > 22. -----
    > 
    >    o  The Content-Format (for CoAP-based interactions) or media type
    >       (for HTTP-based interactions) "application/ace+cbor" MUST be used
    >       for the error response.
    > 
    > FP: Does this mean that CBOR is always used for errors? However in the
    > same
    > section:
    > 
    >    o  The parameters "error", "error_description" and "error_uri" MUST
    >       be abbreviated using the codes specified in Figure 12, when a CBOR
    >       encoding is used.
    > 
    > "when a CBOR encoding is used" so not always?
    > 
    > 23. -----
    > 
    > Sections 5.8.2, 5.8.3, 5.9.1, 5.9.2, 5.9.3, 5.10.1
    > 
    > FP: I found useful that Section 5.8.1 spelled out the encoding when HTTP is
    > used (See sentence below). I think it would be as useful to have the same
    > type of phrasing in these and following sections (wherever it is missing now).
    > I think in general it is very clear in the document what format the message
    > has when CBOR is used, and it seems that CBOR can be used with HTTP
    > according to this specification (but not sure it is actually recommended, what
    > are the pros and cons). In some sections (5.8.2, 5.8.3, etc) it is left to implicit
    > references to OAuth 2.0 for the implementers to figure out what the
    > encoding is (and what media type is used), although modifications are added
    > to it.
    > 
    >    When HTTP is used as a transport then the client makes a request to
    >    the token endpoint by sending the parameters using the "application/
    >    x-www-form-urlencoded" format with a character encoding of UTF-8 in
    >    the HTTP request entity-body, as defined in section 3.2 of [RFC6749].
    > 
    > 24. -----
    > 
    >       including the error code "unsupported_pop_key" defined in
    >       Figure 10.
    > 
    >       including the error code "incompatible_ace_profiles" defined in
    >       Figure 10.
    > 
    > FP: nit - these error codes are not "defined" in figure 10.
    > 
    > 25. -----
    > 
    >    In this framework the "pop" value for the "token_type" parameter is
    >    the default.  The AS may, however, provide a different value.
    > 
    > FP: I would change the sentence to:
    > 
    >    In this framework the "pop" value for the "token_type" parameter is
    >    the default.  The AS may, however, provide a different value from those
    >    registered in [IANA registry].
    > 
    > 26. -----
    > 
    >    Clients that want the AS to provide them with the "ace_profile"
    >    parameter in the access token response can indicate that by sending a
    >    ace_profile parameter with a null value (for CBOR-based interactions)
    >    or an empty string (for JSON based interactions) in the access token
    >    request.
    > 
    >       Hints Section 5.3.  The parameter is encoded as a byte string for
    >    CBOR-based interactions, and as a string (Base64 encoded binary) for
    >    JSON-based interactions.
    > 
    > FP: OAuth 2.0 section 4.1.3 says that JSON is not used, the parameters are
    > encoded using "application/x-www-form-urlencoded"
    >  format in the request entity-body.
    > 
    > 27. -----
    > 
    >    The figures of this section uses CBOR diagnostic notation without the
    > 
    > FP: Nit - s/use
    > 
    > 28. -----
    > 
    >    A client using this method MUST make a POST request to the authz-info
    >    endpoint at the RS with the access token in the payload.  The RS
    > 
    > FP: The formatting of the request is unclear - could you clarify that it depends
    > on the access token used, and the media type (or content format) needs to
    > reflect that? I.e. if CWT is used, the media type MUST be application/cwt.
    > 
    > 29. -----
    > 
    >    o  If token or claim verification fails, the RS MUST discard the
    >       token and, if this was an interaction with authz-info, return an
    >       error message with a response code equivalent to the CoAP code
    > 
    > FP: Same comment as before, "if this was an interaction with authz-info" -
    > the alternative needs to be clarified.
    > 
    > 30. -----
    > 
    >    Errors may happen during this initial processing stage:
    > 
    >    o  If token or claim verification fails, the RS MUST discard the
    >       token and, if this was an interaction with authz-info, return an
    >       error message with a response code equivalent to the CoAP code
    >       4.01 (Unauthorized).
    > 
    >       ...
    > 
    >    Next, the RS MUST verify claims, if present, contained in the access
    >    token.  Errors are returned when claim checks fail, in the order of
    >    priority of this list:
    > 
    > FP: It seems weird to read first about errors due to claim verification, and
    > then "Next" discuss claim verification - unless this is two different claim
    > verifications, in which case I think this needs to be clarified. Also in each
    > claim:
    > 
    >       the RS MUST discard the token.  If this was an interaction with
    >       authz-info, the RS MUST also respond with a response code
    >       equivalent to the CoAP code 4.01 (Unauthorized).
    > 
    > Seems like a repeat of the sentence above.
    > 
    > 31. -----
    > 
    >    on the authz-info endpoint and on it's children (if any).
    > 
    > FP: nit - s/it's/its
    > 
    > 32. -----
    > 
    >    The POST method SHOULD NOT be allowed on children of the authz-info
    >    endpoint.
    > 
    > FP: What children? They do not seem to be defined, so I do not understand
    > this sentence.
    > 
    > 33. -----
    > 
    >          +  When creating the token, the AS MUST add a 'cti' claim ( or
    >             'jti' for JWTs) to the access token.  The value of this
    > 
    > FP: Since the use of CWT and JWT are only recommended, it might be good
    > to rephrase this as to allow for other access token's encodings too.
    > 
    > 34. -----
    > 
    >          +  When creating the token, the AS MUST add a 'cti' claim ( or
    >             'jti' for JWTs) to the access token.  The value of this
    >             claim MUST be created as the binary representation of the
    >             concatenation of the identifier of the RS with a sequence
    >             number counting the tokens containing an 'exi' claim, issued
    >             by this AS for the RS.
    > 
    >          +  The RS MUST store the highest sequence number of an expired
    >             token containing the "exi" claim that it has seen, and treat
    >             tokens with lower sequence numbers as expired.
    > 
    > FP: A question rather than a comment - I am not sure I understand this. An
    > "exi" value might be higher for a different token (with a lower sequence
    > number), so how does the counter of the tokens help? Wouldn't that make
    > the RS discard a valid token just because it has a lower sequence number?
    > 
    > 35. -----
    > 
    >    RS.  Therefore, C must not communicate with an AS if it cannot
    >    determine that this AS has the authority to issue access tokens for
    >    this RS.  Otherwise, a compromised RS may use this to perform a
    > 
    > FP: How is C supposed to determine that? Doesn't this sentence make the
    > whole AS Creation Hints response useless - either the client already knows,
    > or it doesn't and it must not communicate with it regardless of RS says?
    > 
    > 36. -----
    > 
    >    compromised.  In order to prevent this, an RS may use the nonce-based
    >    mechanism defined in Section 5.3 to ensure freshness of an Access
    > 
    > FP: please mention "cnonce" to make it easier to find.
    > 
    > 37. -----
    > 
    >    There may be use cases were different profiles of this framework are
    >    combined.  For example, an MQTT-TLS profile is used between the
    >    client and the RS in combination with a CoAP-DTLS profile for
    >    interactions between the client and the AS.  The security of a
    >    profile MUST NOT depend on the assumption that the profile is used
    >    for all the different types of interactions in this framework.
    > 
    > FP: This seems strange - maybe I just don't understand how this is supposed
    > to work, but each profile defines exactly at least C - RS communication and
    > security, if several are combined, it seems that at least the C-RS would
    > conflict.
    > 
    > 
    > 
    > _______________________________________________
    > Ace mailing list
    > Ace@ietf.org
    > https://www.ietf.org/mailman/listinfo/ace