Re: [Ace] draft-ietf-ace-oauth-authz

Ludwig Seitz <ludwig.seitz@ri.se> Mon, 25 February 2019 14:20 UTC

To: Jim Schaad <ietf@augustcellars.com>, <draft-ietf-ace-oauth-authz@ietf.org>
CC: 'ace' <ace@ietf.org>
References: <000201d4cbd5$d6837900$838a6b00$@augustcellars.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <a4e42204-df48-f550-7e98-095bdbdd9ff3@ri.se>
Date: Mon, 25 Feb 2019 15:20:33 +0100
In-Reply-To: <000201d4cbd5$d6837900$838a6b00$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/ZUlRsEQM4MQNWdVyQ5axPOM3ntM>
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>

On 24/02/2019 01:13, Jim Schaad wrote:
> 1.  Figure 4 needs to be updated as it no longer matches Figure 3.
> 
Fixed

> 2. In section 8.2 - Should the error usage location match any of the current
> values in the table? Possibly "authorization server response".
> 
Fixed; I made that "token error response", which is one of the locations 
specified in RFC 6749 Section 11.4.1.

(side note: The OpenID and Kantara IANA registrations apparently missed 
the limited range of values specified for this field and used custom 
location descriptions).

> 3. In section 8.3 - Is/Should there be a requirement that the error also be
> registered in an OAuth registry?  If so then this needs to be part of the
> expert reviewer instructions on this registry.

The expert reviewer instructions already state this:

"Since a high degree of overlap is expected between these registries 
and the contents of the OAuth parameters registries, experts should 
require new registrations to maintain a reasonable level of alignment 
with parameters from OAuth that have comparable functionality."

This includes the error registry. Do you think this is sufficiently 
clear, or should I elaborate?

> 
> 4. In section 8.4 - Is there a reason to require a specification for this
> registry?  Should it be sufficient to have somebody request that a mapping
> be registered and the DE approves it?  The previous comment would apply to
> all of the mapping registries that are just mappings.
> 
The idea is to prevent the squatting of low-byte-count abbreviations by 
parameters that are not frequently used; thus there is a range of 
different policies for different integer abbreviation number ranges.
(Note: I'm following the example of the CWT specification here.)

> 5. In section 8.5 - You are missing two fields of the registration template.
> Specifically should the expiration time field be noted in the "Additional
> Token Endpoint Response Parameters" column.
Fixed

> 
> 6. In section 8.9 - see comments of section 8.3 and 8.4
> 
> 7.  In section 8.11 - see comments of section 8.3 and 8.4
> 
See above


> 8. This document has an IPR disclosure on it. If anybody has any problems
> with the current disclosure then they need to speak up now.

Processing ...

The changes are currently only in the github version, I will upload a 
new version of the draft soon.

/Ludwig

-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
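The point under item 4 above is that the cheapest integer abbreviations are scarce: CBOR encodes an integer in 1, 2, 3, 5 or 9 bytes depending on its magnitude, so a tiered registration policy reserves the small values for widely used parameters. The following Python is an added illustration, not code from the draft, the ACE working group or the CWT specification; the policy tiers it uses are modelled on the CWT claims registry (RFC 8392) and are an assumption for this example, and the encoded-length rule follows the CBOR integer encoding (RFC 8949 section 3.1). It shows how the tier boundaries line up with the CBOR byte-length boundaries, which is what makes the ranges meaningful.

```python
# Added example: relate a proposed integer abbreviation to its CBOR
# encoded size and to a CWT-style registration policy tier.
# Tier boundaries below are assumed for illustration (modelled on RFC 8392).

def cbor_int_len(n: int) -> int:
    """Bytes needed to encode integer n as a CBOR major type 0/1 item.

    CBOR stores a non-negative value directly and a negative value -x as
    the argument x - 1, so the length depends on that argument only.
    """
    arg = n if n >= 0 else -1 - n
    if arg < 24:
        return 1          # value packed into the initial byte
    if arg < 2 ** 8:
        return 2          # initial byte + uint8
    if arg < 2 ** 16:
        return 3          # initial byte + uint16
    if arg < 2 ** 32:
        return 5          # initial byte + uint32
    if arg < 2 ** 64:
        return 9          # initial byte + uint64
    raise ValueError("integer does not fit a CBOR 64-bit argument")


def registration_policy(n: int) -> str:
    """Assumed CWT-style tiers: cheapest abbreviations need the most review."""
    if -256 <= n <= 255:
        return "Standards Action"        # fits in at most 2 CBOR bytes
    if -65536 <= n <= 65535:
        return "Specification Required"  # fits in 3 CBOR bytes
    if n > 65535:
        return "Expert Review"           # 5 bytes or more
    return "Private Use"                 # below -65536


def check_request(n: int, has_published_spec: bool) -> tuple:
    """Decide whether a designated expert can act on a mapping request.

    Returns (approvable, policy, reason). Only the 'Expert Review' tier can
    be approved on the expert's say-so alone; the two cheaper tiers need a
    published specification, and 'Private Use' is never registered.
    """
    policy = registration_policy(n)
    size = cbor_int_len(n)
    if policy == "Private Use":
        return (False, policy, "value is in the private-use range, not registrable")
    if policy == "Expert Review":
        return (True, policy, f"{size}-byte abbreviation, expert may approve")
    if has_published_spec:
        return (True, policy, f"{size}-byte abbreviation, spec provided")
    return (False, policy, f"{size}-byte abbreviation requires a published spec")


if __name__ == "__main__":
    # Constructed sample requests: (proposed value, has a published spec?)
    for value, spec in [(23, True), (24, False), (300, False), (70000, False), (-70000, True)]:
        print(value, check_request(value, spec))
```

Boundary values are the interesting ones: 255 and -256 are the largest magnitudes that still encode in two bytes, and 65535 and -65536 the largest that encode in three, which is exactly where the assumed tiers change. A registration request for a value just inside a cheaper tier without a published specification is the case the tiered policy is designed to reject.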