Re: [Ace] [EXTERNAL] Éric Vyncke's No Objection on draft-ietf-ace-oauth-authz-38: (with COMMENT)

"Eric Vyncke (evyncke)" <evyncke@cisco.com> Thu, 25 March 2021 12:58 UTC

From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Seitz Ludwig <ludwig.seitz@combitech.se>, The IESG <iesg@ietf.org>
CC: "draft-ietf-ace-oauth-authz@ietf.org" <draft-ietf-ace-oauth-authz@ietf.org>, "ace-chairs@ietf.org" <ace-chairs@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Date: Thu, 25 Mar 2021 12:58:42 +0000
Message-ID: <9F2C0EC3-797C-4719-BD85-0E8DD4FD0878@cisco.com>
References: <161642497935.28459.6337296577160925255@ietfa.amsl.com> <133ef81b68af4ee0ae5d573b51b9aa48@combitech.se>
In-Reply-To: <133ef81b68af4ee0ae5d573b51b9aa48@combitech.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/UyOh674by7DoR5GyqW6FjAdexwk>
Subject: Re: [Ace] [EXTERNAL] Éric Vyncke's No Objection on draft-ietf-ace-oauth-authz-38: (with COMMENT)
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>

Thank you, Seitz, for your detailed and quick reply.

I agree with your replies (and thank you for the added information) and actions.

Regards

-éric


-----Original Message-----
From: Seitz Ludwig <ludwig.seitz@combitech.se>
Date: Thursday, 25 March 2021 at 10:42
To: Eric Vyncke <evyncke@cisco.com>, The IESG <iesg@ietf.org>
Cc: "draft-ietf-ace-oauth-authz@ietf.org" <draft-ietf-ace-oauth-authz@ietf.org>, "ace-chairs@ietf.org" <ace-chairs@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Subject: RE: [EXTERNAL] Éric Vyncke's No Objection on draft-ietf-ace-oauth-authz-38: (with COMMENT)

    Hello Éric,

    Thank you for your review. I plan to submit an update of the draft to address your comments (and others') by the end of the week.
    I have some comments inline.

    /Ludwig

    > -----Original Message-----
    > == COMMENTS ==
    > 
    > -- Section 3 --
    > Should references/expansions be added for "HTTP/2, MQTT, BLE and QUIC"
    > ?
    Fixed

    > 
    > -- Section 3.1 --
    > Suggest to review the order of the definitions, notably popping up
    > "introspection" as it is used by most of the other terms.
    >
    Done


    > -- Section 4 --
    > Mostly cosmetic, any reason why figure 1 is so far away from its mention in
    > §1 ?
    > 
    I moved the figure and its explanations up in the section. The figure does not have a strong dependency on the text blocks that were moved down in the process.


    > In "ensure that its content cannot be modified, and if needed, that the
    > content is confidentiality protected", I wonder why the confidentiality is only
    > optional ? As far as I understand it, the possession of an access token grants
    > access to a resource, so, it should be protected against sniffing. What did I
    > miss ?
    > 
    Actually you also need the proof-of-possession key. If that is only referenced in the token, or if the token only contains the public key part of an asymmetric key pair you could get away with only integrity protecting an access token.


    > In "If the AS successfully processes the request from the client" may look
    > ambiguous because processing correctly (per protocol) an invalid credential is
    > also "successfully processed". Suggest to mention something about "positive
    > authentication" ;)
    > 
    Fixed

    > -- Section 5 --
    > As a non-English native speaker, I cannot see the verb in the second
    > proposition in "For IoT, it cannot be assumed that the client and RS are part
    > of a common key infrastructure, so the AS provisions credentials or
    > associated information to allow mutual authentication.". While I obviously
    > understand the meaning, could it be rephrased ?
    > 
    Rephrased


    > -- Section 5.1.1 --
    > Could the word "unprotected" be better defined in "received on an
    > unprotected channel" ? E.g., is it only about TLS ? Else, I like the implicit lack
    > of trust.
    > 
    I'd like to avoid restricting the scope to protected/unprotected channels here, since we have profiles that use object security on the individual messages (oscore).

    > -- Section 5.1.2 --
    > I must admit that I have failed to understand the semantic of "audience"...
    > Can you either explain its meaning or provide a reference ?
    > 
    Added a reference

    > -- Section 5.5 --
    > In "Since it requires the use of a user agent (i.e., browser)" is it "i.e." or "e.g."
    > ?
    This comment seems to refer to an older version of the draft. 

    > 
    > -- Section 5.6 --
    > s/the semantics described below MUST be/the semantics described in this
    > section MUST be/ ?
    Fixed
    > 
    > In "The default name of this endpoint in an url-path is '/token'" should
    > "SHOULD" normative language be used ?
    > 
    This is inherited from OAuth 2.0, where I was given to understand that this is not even a SHOULD requirement.

    > -- Section 5.6.4.1 --
    > In figure 11, would you mind adding the section ID in addition to RFC 6749 ? I
    > failed to spot them in RFC 6749.
    > 
    Done (they are really well hidden in 6749)

    > -- Section 5.7.2 --
    > It is a little unclear to me which profile must be used as 'profile' is optional?
    > Should a default or any profile be used ?
    Added some guidance

    > 
    > -- Section 5.8.1 --
    > Suggest to use the BCP14 "SHOULD" in the text "The default name of this
    > endpoint in an url-path is '/authz-info'"
    I would like to maintain the alignment here with OAuth 2.0 where default endpoint names are not even a SHOULD.

    > 
    > -- Section 10.2 --
    > Is RFC 7049 really an informative reference as CBOR appears as the default
    > encoding ?
    This was updated to RFC 8949, which now is a normative reference. 

    > 
    > == NITS ==
    > 
    > s/application layer protocol/application-layer protocol/ ?
    FIXED
    > 
    > Should multi-words message names (e.g.,  AS Request Creation Hints) be
    > enclosed by quotes ?
    > 


    > -- Section 2 --
    > Please introduce "authz-info" before first use.
    > 
    There is a reference to the section where authz-info is defined in -38. Are you suggesting some other approach?

    > -- Section 3.1 --
    > "PoP" is expanded twice in this section ;-)
    Fixed

    > 
    > "CBOR encoding (CWT) " the "CWT" acronym does not match the expansion
    > :-)
    Rephrased this.
    > 
    > -- Section 4 --
    > 
    > Sometimes "Client" is used and sometimes "client" is used...
    > 
    Fixed

    > s/reference to a specific credential/reference to a specific access credential/
    > ?
    This actually refers to the proof-of-possession credential. I'll add some clarification.

    > 
    > -- Section 5.1.2 --
    > Can you introduce the "kid" acronym ? It took me a while to understand that it
    > is
    > (probably) key-id... :-)
    In -38 this section now says: "A "kid" element containing the key identifier ...". Does that address your issue?

    > 
    > Unsure whether "nonce: h'e0a156bb3f'," is the usual IETF way to introduce
    > a hexadecimal number.
    It is CBOR diagnostic notation as indicated in the reference to the figure.

    > 
    > typo in "5.8.4.  Key Expriation" :-)
    Fixed.
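Two points in the exchange above are easier to see in running code: Ludwig's answer on Section 4 (an access token only needs integrity protection when the proof-of-possession key is merely referenced in it, because an eavesdropper who copies the token still lacks the PoP key), and his note on Section 5.1.2 that `nonce: h'e0a156bb3f'` is CBOR diagnostic notation rather than an IETF hex convention. The following is an added illustration written for this archive page; it is not code from draft-ietf-ace-oauth-authz or from any ACE implementation. It assumes, for readability, text-string claim labels instead of the registered CWT integer keys, a symmetric key shared by the AS and the RS for the token MAC, a kid-to-key table at the RS, and an HMAC over an RS-chosen nonce as a stand-in for the real proof-of-possession done by a profile (DTLS or OSCORE). The CBOR encoder and decoder are a hand-rolled RFC 8949 subset covering only the types the token uses.

```python
import hashlib
import hmac
import secrets

# Minimal CBOR (RFC 8949) subset: unsigned ints, byte strings, text strings, maps.
def _head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("integer too large")

def cbor_encode(v):
    if isinstance(v, int) and v >= 0:
        return _head(0, v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(type(v).__name__)

def _decode(d):
    major, ai = d[0] >> 5, d[0] & 0x1F
    if ai < 24:
        n, d = ai, d[1:]
    elif ai <= 27:
        size = 1 << (ai - 24)
        n, d = int.from_bytes(d[1:1 + size], "big"), d[1 + size:]
    else:
        raise ValueError("indefinite lengths not supported")
    if major == 0:
        return n, d
    if major in (2, 3):
        return (d[:n] if major == 2 else d[:n].decode()), d[n:]
    if major == 5:
        m = {}
        for _ in range(n):
            k, d = _decode(d)
            m[k], d = _decode(d)
        return m, d
    raise ValueError(f"major type {major} not supported")

def cbor_decode(data):
    v, rest = _decode(data)
    assert not rest, "trailing bytes"
    return v

def diag(v):
    """CBOR diagnostic notation as used in the draft's figures, e.g. h'e0a156bb3f'."""
    if isinstance(v, bytes):
        return "h'%s'" % v.hex()
    if isinstance(v, dict):
        return "{" + ", ".join("%s: %s" % (diag(k), diag(x)) for k, x in v.items()) + "}"
    return '"%s"' % v if isinstance(v, str) else str(v)

# AS side: integrity-only token (HMAC under an assumed AS/RS key); PoP key referenced via cnf/kid.
def issue_token(as_rs_key, claims):
    payload = cbor_encode(claims)
    tag = hmac.new(as_rs_key, payload, hashlib.sha256).digest()
    return cbor_encode({"payload": payload, "tag": tag})

# RS side: verify the AS tag, then check that the audience is this RS.
def rs_verify_token(as_rs_key, token, own_aud):
    w = cbor_decode(token)
    tag = hmac.new(as_rs_key, w["payload"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, w["tag"]):
        return None
    claims = cbor_decode(w["payload"])
    return claims if claims.get("aud") == own_aud else None

# Simplified proof of possession: MAC over an RS nonce (a real deployment runs a DTLS/OSCORE profile).
def prove_possession(pop_key, nonce):
    return hmac.new(pop_key, nonce, hashlib.sha256).digest()

def rs_check_possession(keys_by_kid, claims, nonce, proof):
    key = keys_by_kid.get(claims["cnf"]["kid"])      # RS resolves kid -> key (assumed table)
    return key is not None and hmac.compare_digest(prove_possession(key, nonce), proof)

def demo():
    as_rs_key = secrets.token_bytes(32)
    pop_key = secrets.token_bytes(32)                # provisioned to client and RS out of band
    kid = bytes.fromhex("0123")
    nonce = bytes.fromhex("e0a156bb3f")              # nonce value from the draft's figure
    aud = "tempSensor4711"
    claims = {"aud": aud, "scope": "read", "cnf": {"kid": kid}}
    token = issue_token(as_rs_key, claims)
    rs_keys = {kid: pop_key}
    ok = rs_verify_token(as_rs_key, token, aud)
    legit = ok is not None and rs_check_possession(rs_keys, ok, nonce, prove_possession(pop_key, nonce))
    # An eavesdropper holds the plaintext token but not the PoP key.
    stolen = rs_verify_token(as_rs_key, token, aud)
    fake = prove_possession(secrets.token_bytes(32), nonce)
    eaves = stolen is not None and rs_check_possession(rs_keys, stolen, nonce, fake)
    # Any change to the claims breaks the AS tag (same-length edit keeps the CBOR framing intact).
    tampered = rs_verify_token(as_rs_key, token.replace(b"read", b"root"), aud)
    return {"legit": legit, "eavesdropper": eaves, "tampered_accepted": tampered is not None,
            "diag": diag(claims)}
```

Calling `demo()` shows the three cases side by side: the legitimate client passes both checks, the eavesdropper's copied token verifies at the RS but the possession check fails, and a modified token is rejected before any PoP check. The same reasoning does not hold if the token itself carried a symmetric PoP key in cleartext; that is the case where confidentiality protection of the token (or of the cnf element) becomes necessary.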