[Ace] Re: Orie Steele's Discuss on draft-ietf-ace-revoked-token-notification-08: (with DISCUSS and COMMENT)

Marco Tiloca <marco.tiloca@ri.se> Fri, 30 August 2024 18:24 UTC

Return-Path: <marco.tiloca@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E911EC14F73E; Fri, 30 Aug 2024 11:24:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ri.se
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j1ghNiDztWhD; Fri, 30 Aug 2024 11:24:12 -0700 (PDT)
Received: from GVYP280CU001.outbound.protection.outlook.com (mail-swedencentralazon11022094.outbound.protection.outlook.com [52.101.82.94]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BD94C14F711; Fri, 30 Aug 2024 11:24:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=Tdh9wFxGRHKtj3kWae9Rt7ZkY7wileqSHRQfShkeGtKSwA+20KEjieOJFkIwYaxm8JIesSl8nvU60jOtMpP9gFmvk1z7JU+DmkoKtAd8Mb/7gAI8NHkd9lgd3VhEOJ4N0DMxaMRG+ZTTzERAPSx+ncn8y2TGF5n9UT9ymsNTpV2RO2Yt5JyLTFlaQw7QpkoalFhHCmuvGe5tY/440TdFShsL5EQ+NTW807y+v06sOn/XNjV0pEFzw3K3CPzyedbqvcb1VqdWMEgyzLHNDZ3dJz3UgnfBnsSllMSFctD4jjNCpqeBGNYEwG2Dzr68roMGjw0VPp8JNLGT1l7N7IBDiQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=+3MC/ot3xoeGyz1Up/+q/Xf8gBVXgEYog3Ej6iBWzk0=; b=ZwVEA2ippOvPtbo/QLTxULGarvWgfBWeLnO2hmPN1VBJzdrDpUgZ4RqruaBvzTonpeximlKXVRoJq0ITOOTmQuWu9LTtrrqnkrBFsLC+LvAHd7x32MN5IoARPBp8/swQyQ1Z3WhIvJfwmAoun42xNh5D34alc8LkSXY2pauPNfgvlOV5UBCv8zH32fvviuw44Zam3k2Nzr8HydfyyNlX4Cyh7AIpOwhZoS3NiOQ++2zPO35v2HebanCMRE4alHZEoFKY8Vx+70apabCEidsA4DdUXOdGRFCkA2HDIlXr2QGDcBUy7bIb0kgT7yRhAcFc5EtTfSBC9t8ftHJe67AqjQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ri.se; dmarc=pass action=none header.from=ri.se; dkim=pass header.d=ri.se; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ri.se; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=+3MC/ot3xoeGyz1Up/+q/Xf8gBVXgEYog3Ej6iBWzk0=; b=Yp+n5v7/YJxh0ic7wn7P4j+cBpQuvJTjtefzgb2gTze6TBf6NDjciGd6amMrW79AeqxwSOC6JB3mVe8r56twBNWNGMuQowwq6MEXLnCBJdyTzzW8+Wy2R0NIy2aV+ycsN9mqfmJAGQenp8R3Rc75t/hM4qYaWj5oihoTn+XQrr636+cfJpq6tbI0+mDf/xiK/rAuoKRufulq3neeCoQoVB+tT/ykZmSMsarT0KLWPpsE5O4Yg7SErp9Ix6WCX8ZI+2T9hm++tPNTFNxMqsvf+74tLUUQBJp1hv/2NMVmAOB7OFzHwlcG8QtrFfHJRDaOr34tLsMv0pWzUAjvkIv5ZA==
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ri.se;
Received: from GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:37::17) by GV3P280MB1154.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:186::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7918.20; Fri, 30 Aug 2024 18:24:05 +0000
Received: from GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM ([fe80::b1d3:d63d:ce0b:3f70]) by GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM ([fe80::b1d3:d63d:ce0b:3f70%6]) with mapi id 15.20.7897.027; Fri, 30 Aug 2024 18:24:05 +0000
Message-ID: <ea3a63d5-ec5a-4e60-b481-084907f592ee@ri.se>
Date: Fri, 30 Aug 2024 20:24:03 +0200
User-Agent: Mozilla Thunderbird
To: Orie Steele <orie@transmute.industries>, The IESG <iesg@ietf.org>
References: <171935030396.146587.15146717274867364495@dt-datatracker-5864469bc9-n5hqk>
Content-Language: en-US
From: Marco Tiloca <marco.tiloca@ri.se>
Autocrypt: addr=marco.tiloca@ri.se; keydata= xsBNBFSNeRUBCAC44iazWzj/PE3TiAlBsaWna0JbdIAJFHB8PLrqthI0ZG7GnCLNR8ZhDz6Z aRDPC4FR3UcMhPgZpJIqa6Zi8yWYCqF7A7QhT7E1WdQR1G0+6xUEd0ZD+QBdf29pQadrVZAt 0G4CkUnq5H+Sm05aw2Cpv3JfsATVaemWmujnMTvZ3dFudCGNdsY6kPSVzMRyedX7ArLXyF+0 Kh1T4WUW6NHfEWltnzkcqRhn2NcZtADsxWrMBgZXkLE/dP67SnyFjWYpz7aNpxxA+mb5WBT+ NrSetJlljT0QOXrXMGh98GLfNnLAl6gJryE6MZazN5oxkJgkAep8SevFXzglj7CAsh4PABEB AAHNNk1hcmNvIFRpbG9jYSAobWFyY28udGlsb2NhQHJpLnNlKSA8bWFyY28udGlsb2NhQHJp LnNlPsLAdwQTAQgAIQUCWkAnkAIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRDuJmS0 DljaQwEvCACJKPJIPGH0oGnLJY4G1I2DgNiyVKt1H4kkc/eT8Bz9OSbAxgZo3Jky382e4Dba ayWrQRFen0aLSFuzbU4BX4O/YRSaIqUO3KwUNO1iTC65OHz0XirGohPUOsc0SEMtpm+4zfYG 7G8p35MK0h9gpwgGMG0j0mZX4RDjuywC88i1VxCwMWGaZRlUrPXkC3nqDDRcPtuEGpncWhAV Qt2ZqeyITv9KCUmDntmXLPe6vEXtOfI9Z3HeqeI8OkGwXpotVobgLa/mVmFj6EALDzj7HC2u tfgxECBJddmcDInrvGgTkZtXEVbyLQuiK20lJmYnmPWN8DXaVVaQ4XP/lXUrzoEzzsBNBFSN eRUBCACWmp+k6LkY4/ey7eA7umYVc22iyVqAEXmywDYzEjewYwRcjTrH/Nx1EqwjIDuW+BBE oMLRZOHCgmjo6HRmWIutcYVCt9ieokultkor9BBoQVPiI+Tp51Op02ifkGcrEQNZi7q3fmOt hFZwZ6NJnUbA2bycaKZ8oClvDCQj6AjEydBPnS73UaEoDsqsGVjZwChfOMg5OyFm90QjpIw8 m0uDVcCzKKfxq3T/z7tyRgucIUe84EzBuuJBESEjK/hF0nR2LDh1ShD29FWrFZSNVVCVu1UY ZLAayf8oKKHHpM+whfjEYO4XsDpV4zQ15A+D15HRiHR6Adf4PDtPM1DCwggjABEBAAHCwF8E GAECAAkFAlSNeRUCGwwACgkQ7iZktA5Y2kPGEwf/WNjTy3z74vLmHycVsFXXoQ8W1+858mRy Ad0a8JYzY3xB7CVtqI3Hy894Qcw4H6G799A1OL9B1EeA8Yj3aOz0NbUyf5GW+iotr3h8+KIC OYZ34/BQaOLzdvDNmRoGHn+NeTzhF7eSeiPKi2jex+NVodhjOVGXw8EhYGkeZLvynHEboiLM 4TbyPbVR9HsdVqKGVTDxKSE3namo3kvtY6syRFIiUz5WzJfYAuqbt6m3TxDEb8sA9pzaLuhm fnJRc12H5NVZEZmE/EkJFTlkP4wnZyOSf/r2/Vd0iHauBwv57cpY6HFFMe7rvK4s7ME5zctO Ely5C6NCu1ZaNtdUuqDSPA==
In-Reply-To: <171935030396.146587.15146717274867364495@dt-datatracker-5864469bc9-n5hqk>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------9jtngu6g0Jes1NLNSAWvOlej"
X-ClientProxiedBy: MM0P280CA0041.SWEP280.PROD.OUTLOOK.COM (2603:10a6:190:b::16) To GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM (2603:10a6:150:37::17)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: GVYP280MB0464:EE_|GV3P280MB1154:EE_
X-MS-Office365-Filtering-Correlation-Id: db27cd54-eb58-449c-f70c-08dcc920edf9
X-LD-Processed: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8,ExtAddr
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|376014|366016;
X-Microsoft-Antispam-Message-Info: 53raoE7M+ZzDXdfK6ZloeMdQSXAsN4awklZkW8a82HNXmuD3rTrkM6a8OXTLo0kSLnc3kpw6ucwSWC+rC2p4Pr9SJTApi2EvWbCJ3SgE5zuk2i4vkbm8aFdaXddU6cbhZB+Y/rmgsX3AGt6zdw/8x0mY33yq1OTPPQZfaGccFNcpsZD/rqbq8mN3VvaI+oV6E8YyEJihTatKXOAULH6IOITuchTbIOGyAh8U9OBWFAVVtiwXe8YVBTAzsdnK0IwZrDHfNViigc9jV/XKFdb09IQYBQg6XlxCfviedOGW0CIcf7GegAwuxcqAbHJp2z36czPHle8RWJt9dGOPYOhLEHDQCyblC12tthfLqC6rGE9ou5EQ2yQZePId0ov9RQZcYMN98EffY2gEDKqoPcLWTcbkfxmUmfCTkHFPqYON8KL5XCINv8zBqcWKxU7r62mGPDOIQDuo8EL7DizHfetOXnKWgR+5/r+SImCFo81tmpp50WNZM0PEWgSi2N/IARhQg3sdEzts/VGEiOJbwfM6LQdTYqJyWblxAQ6HEYfteNBgWBHHZ4JF8CfX7xciQ983HXNOOztAAKWVtBR4wWkSFO3Yj/cU1z3OGIip08++g3Vs/Py1Oetzf3cyGFCqsBR7/yWJyfUHi3U27tpTvvg48hrUyhWGIgCyuagbgrIXXGoU9W9qGBJpnwNJthocCv2gNZIUuPaTuPPiLYxomoWmn8R/H36tAI6RJ9IfbBNJSBqed8hdRosGT/8RZ7TclPmq+WjWvuhJibJQqdXL3L3xVmcdjeF0GwM4LwiHOqC8FRGxUc+U4kdIlrP+uI7OVPIz8/fycKod63rd+uvdez7sgL+4euPSZdMg+zwsR68TjtMtPdOi2VoV90djoEnrip5siU2kzXd37YLNGB2ubmkTaBKNgzmcxwPp/Bda+FeMCMmmyUuy6P9E4MRVMpgLT4P41NDydBYWi6zWskH7vhTNXlc7WDWeYCvTNCv56jvpShKSD3T02RdsbObLQTJT5dAddNAeMqXJCI2vYjv50tCuLXslZ6kojrfPFExsTqORvC5TGEJFS2NVW99yWGDgK8Cd7Q+VLo9k/BPz7mxFqvSSX71TXfju/MJq7b8u2AT48bznLw3u9XukUQnD1D4XZ+kb5T7dUnXtsf4w4w9JkVpuNNP9JJ4OtwiEoEfSfR6WyNpGG7mXL85IY3ndy4jc6V6pk2t9DNkFDQLh78iNgMvtAirE84FnpdopEqDJRfoUQXdlnjO/3KHgt+u+cO34leIyZRv98JIiY94ysyLmg5vdwvbv/LH246sMb//XNDNfq2U=
X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(1800799024)(376014)(366016);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 84HRFi9JvPRuGIqoECoAFVfawimA48revjIorfUWXqDFv3gbjxMc7MWDs/wHZ4vSOoD3V3Z2veUUfJsy9j2FK2FgQ5dg/BlTFEnVW3xWdWSrYRivrq46BP854Azf0X0nOvuzVnWSWvxJFGnKDZQ3xripi3XTxBIEoq2zb0CVmwpEVaRdUMhisiaA7d76DZ5n5MswGDTdP5suX/VW6LgO+0JQoKw0xv6PWbI5pNx1ZZC2x1T4lL/pD7JHIswP315c6AOGMEhSCTZt2ECA70V2HztVeb1NAOXmqpNdthJJs+es2Qg1R6zDMqbP6Ci9yazXzbGj3gSKNE/o/IyVMqKkAnXTCjLvJQFJRlRkVnDMkCrxj/jOfzN+/j+Wmc79Nn50uFHGBPIRUQxcY5tr4YcPLsku51Cs17uYCHZnwntzCRDF5FNrsL5u4fjyMsFskmf1OZlsd1mnzy5+DET9uM1EzIrVnRP91w9OCT0ryr4RIR+bKUAckyoEyz6YZJQ1LeboiVeoIqJiYmHSYdFdCiUjHhmcY9XJTvGnVMHFU0FwjO7X1GDp8DCDx+b8s6lFe/llIQ3Mb2z7ywSaG3kCH+VqImtscHVvw4BTQUpHCWrrbRwMCK/tMy4ZZgwaWX0Qx/490iTAVwlvjtIg5wsvBjF0jPNoEfUuPwVfKJT3LVoQ256/3jZRnDi05QyYrYSCVq/I4URpALfw/uq7y5/fky0aq+8D6xYzmX7zquFgzsoFjglX2bVmAhPyN2m1KK8iZfQZJfuzFMCgWZ8FWgPaKp8qHNi+r5TPOuw3O5Nn7FRSoRRFyxSrpZKo1eJtlh0NztfdU9vrH1F9Zxzgk2BmnKcRiFDfCd54ZZpEEGGS6w6L+Ev+kqHmLRReIduNl0zTqsa1y33JkJej8GodHSZtYKf1QXlH2NFxLujEPe1FiRAbTQ7+jDM1D/MTGxoslHCWz3kF3ApKyBls7LIAW/6xJgkpuJFyrLvviYAhY15JZuHmb4/KeTF6tAvpjfltMaUb1zspxueGwiGV2BJB1xtPvDewo0VNNAXkM+GsY7eCdp2q1H9GIyUpydu8BPLul1adNrILFz8hquZjGtEh+nvNcdWjzYP7JAINRFfUoORuoXqfNU2zM1Wl3NRoENlItom76s1RG8Ji5qMCUKD492SFBEyqlw/BvNLh/qYR3Vs5vbICYIQh7JszPhjcoCNhzMsemwaSskDBY5xdk/bu0FN/TCVjvNwPFKsgl6gTiw/izKV7/I9XNUqxGFjftP6Xpwk/23xYoLdfhlKwP6b2gYjFJWaOHkTf3Kj0yIC7g58SxGkx7TozeNHv3FIsIzJ9S903IOSL2He3vtO648CEqYMq0xQvsWD+vceLdb4laexDIv1xaYo783JLosuul+SU5U0jAtgRxBZQwCcVCJW+0WUsJpFx0mnUAfHWXIUQtSFqZmDymV5IR5wHgjFG3AVX/O00J9fY6YCXD+PkGNxVKILiBeBrznGBX4GbCE4Z9I6KfK8hKWD4BxFBtrRiHHsXFcQe4Y6ZM/BUFLEbEt9cVt1Ag1Cp+mIQRpAB0vwChQD1Y1zsjzI2NYKq+14xzCEEUj7Xe3g8
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-Network-Message-Id: db27cd54-eb58-449c-f70c-08dcc920edf9
X-MS-Exchange-CrossTenant-AuthSource: GVYP280MB0464.SWEP280.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Aug 2024 18:24:05.0685 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: Mzc2bXMQxqKD50vq/E4AoOjUCKy3iAdLuZu2WBn6/jgWXGwXos3pjkd1r3TU5ONIpKx1p7mepFRSZnFuczZG6w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: GV3P280MB1154
Message-ID-Hash: SSS44JP5WNGUA3JXMSXHMLUYEPXOKULH
X-Message-ID-Hash: SSS44JP5WNGUA3JXMSXHMLUYEPXOKULH
X-MailFrom: marco.tiloca@ri.se
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-ace.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: draft-ietf-ace-revoked-token-notification@ietf.org, ace-chairs@ietf.org, ace@ietf.org, goran.selander@ericsson.com
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Ace] Re: Orie Steele's Discuss on draft-ietf-ace-revoked-token-notification-08: (with DISCUSS and COMMENT)
List-Id: "Authentication and Authorization for Constrained Environments (ace)" <ace.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Zikt4Dg8qwg6mELohY2tZ-bxjsE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Owner: <mailto:ace-owner@ietf.org>
List-Post: <mailto:ace@ietf.org>
List-Subscribe: <mailto:ace-join@ietf.org>
List-Unsubscribe: <mailto:ace-leave@ietf.org>

Hello Orie,

Thanks a lot for your review! Please find in line below our detailed 
replies to your comments.

A Github PR where we have addressed your comments is available at [PR].

Thanks,
/Marco

[PR] https://github.com/ace-wg/ace-revoked-token-notification/pull/13

On 2024-06-25 23:18, Orie Steele via Datatracker wrote:
> Orie Steele has entered the following ballot position for
> draft-ietf-ace-revoked-token-notification-08: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer tohttps://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fabout%2Fgroups%2Fiesg%2Fstatements%2Fhandling-ballot-positions%2F&data=05%7C02%7Cmarco.tiloca%40ri.se%7C72300935721e46a3333e08dc955c5a7e%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638549471090227810%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Xp9IXGRRDf5QhFVsfuTduCPyzyUsUB8aG15YrBpexiI%3D&reserved=0 
> for more information about how to handle DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-ace-revoked-token-notification%2F&data=05%7C02%7Cmarco.tiloca%40ri.se%7C72300935721e46a3333e08dc955c5a7e%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638549471090237972%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=qDQkrMmwTVpdG2wVj37CocoXhS5UaPhTVh9DmmRDhl8%3D&reserved=0
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> # Orie Steele, ART AD, comments for draft-ietf-ace-revoked-token-notification-08
> CC @OR13
>
> https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fauthor-tools.ietf.org%2Fapi%2Fidnits%3Furl%3Dhttps%3A%2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-ietf-ace-revoked-token-notification-08.txt%26submitcheck%3DTrue&data=05%7C02%7Cmarco.tiloca%40ri.se%7C72300935721e46a3333e08dc955c5a7e%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638549471090243777%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=8mSA2Tn0PgJzW0KXznSsgyrLz72ngPs%2Fpr68EeTzDHo%3D&reserved=0
>
> ## Discuss
>
> ### token hashes aren't always hashes of tokens
>
> Compression or encoding (inflation for readability) are a separate concern from
> identifying access tokens by digest.
>
> ```
> 557           Note that BYTES is the binary representation of the access token,
> 558           irrespective of this being a CWT or a JWT.
>
> 560        *  HASH_INPUT_TEXT is the base64url-encoded text string that encodes
> 561           BYTES.
>
> 563        *  HASH_INPUT is the binary representation of HASH_INPUT_TEXT.
>
> ```
>
> This also creates a mismatch in what the hash is of:
>
> cbor access_token -> cwt -> base64url -> hash
> cbor access_token -> jwt -> base64url -> hash
>
> json access_token -> jwt -> hash
> json access_token -> cwt -> base64url -> hash
>
> Why not make hash input always the bytes of the jwt or cwt (no compression, no
> encoding)?
>
> It seems this might simplify the sections that follow as well.
>
> The general guidance should be that the token hash identifies the bytes that
> are input to the token verification process.

==>MT

**Short answer** --- The current design reflects the best that we have 
found possible to do in the light of three points:

* Achieving the goal of deterministically "labeling" access tokens in a 
way that is not ambiguous and that works for all the three ACE actors 
involved (AS, RS, C).
* Dealing with the fact that access tokens are opaque to C.
* Living with and preserving the flexibility that the ACE framework 
provides as to CBOR/JSON message encoding and CWTs/JWTs as types of 
access tokens.


**Long answer** --- The following refers to the four cases below. Note 
that all of them are admitted in the ACE framework (RFC 9200), largely 
due to the intentional compatibility with the OAuth ecosystem based on 
JSON and JWTs.

* Case 1 - The AS-to-C response is encoded in CBOR, and it transports a CWT.
* Case 2 - The AS-to-C response is encoded in CBOR, and it transports a JWT.
* Case 3 - The AS-to-C response is encoded in JSON, and it transports a JWT.
* Case 4 - The AS-to-C response is encoded in JSON, and it transports a CWT.

Let's break this down into three parts.


**Part 1 --- The points from the review comment are correct**

* It is correct that the hash input is not always the access token. In 
fact, that's the case only in Case 3.

* It is correct that inflation and identification are separate concerns. 
However, they do not necessarily conflict, and they do not in this 
document (see also the later Part 3 of this answer).

* It is correct that the token hash should **identify** the bytes that 
are input to the token verification process.

   In three out of four cases, the token hash is not computed directly 
on the access token. Nevertheless, a token hash effectively points the 
RS, C, and the AS to a corresponding access token in an unambiguous and 
deterministic way, thereby identifying such an access token as intended.

   This document does so while also preserving the intentional 
flexibility that the ACE framework has in supporting CBOR or JSON 
encoded messages conveying CWTs or JWTs as access tokens.

Granted: the name used in the document is "token hash", even though the 
hash is not computed directly from the access token in three out of four 
cases.

However, while such a name might not 100% accurately reflect what 
actually happens, it is a simple and short name that correctly refers to 
a hash identifying an access token.

Consistently, the document talks about a token hash **corresponding** to 
an access token as its associated label, and it specifies what the exact 
hash input has to be for each case.

Given an access token, the goal is ultimately for all the three ACE 
actors (AS, RS, and C) to always converge to the same identifier of that 
access token.

Per the current definition of hash input and token hash, this document 
always achieves that goal, while still ensuring the flexibility provided 
by the ACE framework and aligned with the OAuth ecosystem.

As a result of the incremental design process made on this document, the 
current design reflects the best that we have found possible to use, in 
the light of the intended objectives as well as of how the ACE framework 
works and the flexibility that it provides. This is further elaborated 
in the next part of this answer.


**Part 2 --- There is not a better and workable way**

The hash input cannot simply and always be the (possibly tagged) access 
token verbatim: that would prevent from preserving the flexibility 
provided by the ACE framework and aligned with the OAuth ecosystem, as 
to using CBOR or JSON encoded messages conveying CWTs or JWTs as access 
tokens.

If the hash input was the access token verbatim, then there would be no 
way to ensure that all the three ACE actors (AS, RS, and C) can 
deterministically compute the same hash to use as identifier of the 
given access token, in **any of the four cases** outlined above.

The following is a list of the most compelling reasons.

* In Case 4, C never receives the access token verbatim in the first 
place, but only its base64url encoding as computed by the AS.

   This is not something defined in this document, but it is rather 
admitted in the ACE framework in the interest of the flexibility and 
alignment with OAuth discussed above.

* In all the four cases, the access token is opaque to C.

   (In Case 4, as discussed in the previous point, C does not even 
receive the access token verbatim.)

   Per the current definition of hash input and token hash, this is 
however not an issue for the method defined in this document.

* Fundamentally, Case 4 is a legitimate corner case that prevents from 
simply hashing the access token verbatim while still ensuring that the 
three ACE actors (AS, RS, and C) always converge to the same identifier 
of the access token.

   Instead, we believe that the current definition of hash input and 
token hash is the best possible, because:

   - All the three ACE actors always converge to the same token hash, 
which they all use as unambiguous identifier of a given access token, as 
the ultimate intended goal.

   - The RS is always able to produce a reliable and safe token hash, in 
spite of not being able to know whether the AS-to-C response was encoded 
in CBOR (Case 1 and Case 2) or in JSON (Case 3 and Case 4).

     In this respect, as discussed in detail in Section 13.6 "Two Token 
Hashes at the RS using JWTs", we decided to deliberately penalize the 
cases where JWTs are used (Case 2 and Case 3), in favor of the cases 
where CWTs are used (Case 1 and Case 4) as the default and expected type 
of access tokens in the ACE framework.


**Part 3 --- Fundamentally, the current design works and achieves the 
intended goal**

The goal of the proposed method is to compute an identifier of an access 
token such that the following holds.

* The method allows all the three ACE actors (AS, RS, and C) to always 
deterministically compute that identifier.

* The method works in all the four cases outlined above, i.e., it 
preserves the flexibility of the ACE framework as to using CBOR or JSON 
encoded messages conveying CWTs or JWTs as access tokens.

* The method deals with the fact that access tokens are opaque to C.

* The method deals with the fact that, in AS-to-C responses encoded in 
JSON, access tokens are encoded differently depending on being JWTs 
(Case 3) or CWTs (Case 4).

* The method deals with the fact that the RS is not able to know whether 
the AS-to-C response was encoded in CBOR (Case 1 and Case 2) or in JSON 
(Case 3 and Case 4).

Since the above does hold for the proposed method and the three ACE 
actors do deterministically converge to the same identifier for the same 
access token, we do not see a real issue from the fact that the hash 
input is not always the access token verbatim.

In fact, when it is not (i.e., in Case 1, Case 2, and Case 4), the hash 
input is the base64url encoding of the access token, which is in turn 
deterministically computed from the access token verbatim.

<==

>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
>
> ## Comments
>
> ### commented bytes not elided
>
> ```
> 1296              [ h'01fa51cc/...
> 1297                  (remainder of the token hash omitted for brevity)/',
> 1298                h'01748190/...
> 1299                  (remainder of the token hash omitted for brevity)/'
> ```
>
> It could be just me, but I find this style of EDN confusing.
>
> I prefer to see elision and comments not mixed, and instead see:
>
> ```
> 1296              [ h'01fa51...4819', / elided for brevity /
> ```

==>MT

We have accordingly revised all the examples that use CBOR diagnostic 
notation with elision.

This applies to:

* Figure 6: Example of response following a full query request to the 
TRL endpoint

* Figure 8: Example of response following a diff query request to the 
TRL endpoint

<==

> ### not a token hash
>
> ```
> 1726       The RS MUST NOT delete the stored token hashes whose corresponding
> 1727       access tokens do not fulfill both the two conditions above, unless it
> 1728       becomes necessary due to memory limitations.  In such a case, the RS
> 1729       MUST delete the earliest stored token hashes first.
> ```
>
> Related to my discuss point, hashes of encoded or compressed tokens are
> different than hashes of tokens (as bytes).
>
> I don't think saying token or encoded token hashes whose corresponding
> access_token ... everywhere would be an improvement.

==>MT

This answer largely builds on the answer to the main DISCUSS point above.

True, the hash input used to compute a token hash is not the access 
token verbatim in three cases out of four. However, the result is indeed 
a value that unambiguously corresponds to the access token and can be 
deterministically computed by all the three ACE Actors (AS, RS, and C).

Practically, we need token identifiers that all the three ACE actors can 
independently and deterministically compute, in a way that works for all 
the cases admitted by ACE, i.e., preserving the flexibility of the ACE 
framework in supporting CBOR or JSON encoded messages conveying CWTs or 
JWTs as access tokens.

So "token hash" might not 100% accurately reflect what actually happens, 
but we think that it is a term still appropriate and convenient to use, 
since:

* It is simple and short.

* It reflects the fact that its value is computed as the result of a 
hash operation.

* It reflects the fact that its value is associated with an access token.

* It deliberately avoids the word "identifier", thus avoiding confusion 
with other identifiers such as 'jti' for JWTs and 'cti' for CWTs (see 
also the remark in the first bullet point of Section 1.1 "Terminology"), 
which are also not pertaining to C.

Therefore, we would prefer to keep the term "token hash".

<==

> ### cti is the new jti
>
> ```
> 1747       When, due to the stored and corresponding token hash th2, an access
> 1748       token t2 that includes the 'exi' claim is expunged or is not accepted
> 1749       upon its upload, the RS retrieves the sequence number sn2 encoded in
> 1750       the 'cti' claim (see Section 5.10.3 of [RFC9200]).  Then, the RS
> 1751       stores sn2 as associated with th2.  If expunging or not accepting t2
> 1752       yields the deletion of th2, then the RS MUST associate sn2 with th2
> 1753       before continuing with the deletion of th2.
> ```
>
> Should you comment on jti (and JWT) here?
> Does this section only apply to CWT ?

==>MT

In the quoted text from Section 10.1 "Handling of Access Tokens and 
Token Hashes", the 'cti' claim embeds a Sequence Number value for 
securely handling specifically CWTs that include the 'exi' claim. Such a 
method is defined in Section 5.10.3 of RFC 9200.

In fact, Section 5.10.3 of RFC 9200 does define that the same secure 
handling is used also for JWTs that include the 'exi' claim, by 
embedding a Sequence Number in their 'jti' claim.

We have extended the text in Section 10.1 "Handling of Access Tokens and 
Token Hashes" to cover also JWTs as follows.

OLD:
 > ... and iii) has the sequence number encoded in the 'cti' claim 
greater than the highest sequence number among the expired access tokens 
specifying the 'exi' claim for the RS (see Section 5.10.3 of [RFC9200]).

NEW:
 > ... and iii) has the sequence number encoded in the 'cti' claim (for 
CWTs) or in the 'jti' claim (for JWTs) greater than the highest sequence 
number among the expired access tokens specifying the 'exi' claim for 
the RS (see Section 5.10.3 of [RFC9200]).


OLD:
 > When, due to the stored and corresponding token hash th2, an access 
token t2 that includes the 'exi' claim is expunged or is not accepted 
upon its upload, the RS retrieves the sequence number sn2 encoded in the 
'cti' claim (see Section 5.10.3 of [RFC9200]).

NEW:
 > When, due to the stored and corresponding token hash th2, an access 
token t2 that includes the 'exi' claim is expunged or is not accepted 
upon its upload, the RS retrieves the sequence number sn2 encoded in the 
'cti' claim (for CWTs) or in the 'jti' claim (for JWTs) (see Section 
5.10.3 of [RFC9200]).

<==

> ### No reference to JWT BCP?
>
> https://eur05.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc8725&data=05%7C02%7Cmarco.tiloca%40ri.se%7C72300935721e46a3333e08dc955c5a7e%7C5a9809cf0bcb413a838a09ecc40cc9e8%7C0%7C0%7C638549471090248190%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=QLesQ%2FfXPRdb6l3PPTeIgj2cbmxADV%2B4qOi2ETa6zFM%3D&reserved=0
>
> Consider if the JWT BCP is a useful reference to add to security considerations.

==>MT

We have revised the first paragraph of the Section 13.0 "Security 
Considerations" as follows, by extending the list of inherited 
considerations as pointing also to RFC 8725.

OLD:
 > The protocol defined in this document inherits the security 
considerations from the ACE framework for Authentication and 
Authorization [RFC9200], from [RFC8392] as to the usage of CWTs, from 
[RFC7519] as to the usage of JWTs, from [RFC7641] as to the usage of 
CoAP Observe, and from [RFC6920] with regard to computing the token 
hashes. The following considerations also apply.

NEW (emphasis mine):
 > The protocol defined in this document inherits the security 
considerations from the ACE framework for Authentication and 
Authorization [RFC9200], from [RFC8392] as to the usage of CWTs, from 
[RFC7519] **and [RFC8725]** as to the usage of JWTs, from [RFC7641] as 
to the usage of CoAP Observe, and from [RFC6920] with regard to 
computing the token hashes. The following considerations also apply.

<==

> ### warn users about mutability
>
> Signatures can have different forms (upper / lower s), unprotected headers can
> change the token hash, without invalidating the signature.
>
> Some of these techniques could be used to mount resource exhaustian attacks.

==>MT

(This is a long answer)

It is not clear what "signature" refers to (the word is not used in the 
document) and what exhaustion attack is possible because of the method 
proposed in this document. Access tokens might be issued specifically as 
signed objects, but that does not play a role here.

The hash input used to compute the token hash of an access token is 
deterministically prepared based on what is on the wire, i.e., what is 
in the AS-to-C response or in the message sent to the RS for uploading 
the access token.

Note that the RS does not store a token hash in case the RS fails to 
validate the corresponding, uploaded access token (which the RS also 
discards).

Specifically on exhaustion attacks, that is possibly a general concern 
when signed access tokens are repeatedly sent to the RS that attempts to 
verify those. In this respect, the method proposed in this document does 
not make such a general concern any worse. For the RS, computing the 
token hash is a parallel and orthogonal process to the verification of 
an access token, and certainly orders of magnitude lighter than the 
verification of a signature.


Yet, thanks to this comment and while thinking through it, we also 
noticed one more detail to fix, in order to ensure that the RS always 
computes the right token hash as intended by the AS.

Otherwise, an attack is possible in case the access token is uploaded to 
the RS over an unprotected communication channel (which is the basic 
case in the ACE framework). In particular, an active adversary can 
intercept the access token when this is sent to the RS and perform the 
following actions.

* The adversary manipulates the access token in a way which is going to 
be unnoticed by the RS, but without preventing the successful, 
cryptographic validation of the access token at the RS. To this end, the 
adversary has two possible options:
     - Adding and/or removing fields in the unprotected header(s) of the 
access token, as long as those fields do not play a role in the 
cryptographic validation of the access token.
     - Specifically when access tokens are CWTs, adding/removing or 
manipulating possible CBOR tag(s) enclosing the access tokens.

* The adversary sends the manipulated access token to the RS.

* Since the content of the unprotected header(s) as well as possible 
CBOR tags are not integrity-protected, the manipulations mentioned above 
does not impact the outcome of the access token validation performed by 
the RS, and it will go unnoticed.

* After a successful validation of the access token, the RS computes a 
corresponding token hash different from the one computed and stored by C 
and the AS.

* The RS stores the access token and the corresponding, wrong token hash.

If later on the access token is revoked, the AS provides the 
corresponding, correct token hash to the RS. However, the RS does not 
recognize the received token hash among the stored ones, and does not 
delete the revoked access token.


Intuitively, the attack above can be prevented as follows.

**An AS** providing the service defined in this document must issue 
access tokens such that the following holds.

* The access tokens do not include any parameter in the unprotected 
headers. That is, unprotected headers must be empty in CWTs and absent 
in JWTs.

   Instead, information to be conveyed by such parameters must be 
specified by parameters included in the protected headers, which are 
integrity-protected by the AS.

* When access tokens are specifically CWTs, they are always enclosed by 
exactly two CBOR tags.

   - The inner tag has number 16/17/18/96/97/98, consistent with the 
used COSE data item (e.g., COSE_Encrypt0 and tag number 16). That is, a 
CWT must be computed as a COSE_Tagged_Message (see Section 2 of RFC 9052).

   - The outer tag has number 61 (see RFC 8392), consistent with the 
fact that the access token is a CWT.

     (In a general case, the outer tag 61 would be optional to include. 
However, it feels safer for future use cases that might really need its 
presence to have it included rather than not in this deterministic 
construction.)

   - The number of both the inner and outer tag must be encoded to have 
the minimum possible length. E.g., the tag number 16 must be encoded 
exactly as 0xd0.

     (Section 9 of RFC 9052 does make restrictions of this sort, but not 
on the encoding of CBOR tag numbers applied to COSE messages)

**An RS** that uses the service defined in this document with the AS 
that has issued the access token must not accept and must discard an 
access token such that:

* The access token does not fulfill all the requirements above; or

* The access token is a CWT, and the tag number of the inner tag is not 
consistent with the actual type of the COSE data item to process (e.g., 
the tag number of the inner tag is 16, but the CWT is actually a COSE_Sign).

   (We would have expected that such consistency check was already 
mandated by COSE, but apparently it is not the case.)



What follows is the list of related, intended updates in the document 
and already in the Github PR.

(Some updated text referring to "(tagged) access token" is actually more 
accurate and good to have anyway, as it explicitly considers also the 
case of tagged CWTs.)

We have also discussed this fix with an implementer and reviewer of the 
draft, who agrees that this fix is simple and effective.


**New Section "Issuing of Access Tokens at the AS"**

This section defines requirements on the access tokens issued by the AS, 
separately for CWTs and JWTs.

It fits well between the current Section 2 "Protocol Overview" and 
Section 3 "Token Hash" of version -08.

The text of this new section is as follows.

NEW:
 > An AS that supports the method defined in this document MUST adhere 
to the following rules when issuing an access token.
 >
 > * All the intended header parameters in the access token MUST be 
specified within integrity-protected fields.
 >
 > * If the access token is a CWT, the following applies.
 >
 >   - Any "unprotected" field MUST be empty, i.e., its value MUST be 
encoded as the empty CBOR map (0xa0). This applies to: the top-level 
"unprotected" field of the COSE object used for the CWT; the 
"unprotected" field of each element of the "signatures" array; and the 
"unprotected" field of each element of any "recipients" array (see 
Sections 2, 3, 4, 5, and 6 of [RFC9052]).
 >
 >   - Consistent with the specific COSE object used for the CWT, the 
corresponding tagged structure in the set COSE_Tagged_Message MUST be 
used (see Section 2 of [RFC9052]). That is, the CBOR array that encodes 
the CWT MUST be tagged by using the COSE CBOR tag corresponding to the 
used COSE object. Table 1 in Section 2 of [RFC9052] specifies the tag 
numbers in question.
 >
 >     In turn, the resulting tagged data item MUST be tagged by using 
the CWT CBOR tag with tag number 61 (see Section 6 of [RFC8392]). After 
that, the resulting data item MUST NOT be further tagged.
 >
 >     Encoding of the tag numbers MUST be done using definite lengths, 
and the length of the encoded tag numbers MUST be the minimum possible 
length. This means that the tag number 16 is encoded as 0xd0 and not as 
0xd810.
 >
 >     The example in Figure \<FIGURE_NUMBER\> shows a CWT that uses the 
COSE object COSE_Encrypt0 (see Section 5.2 of [RFC9052]).
 >
 > * If the access token is a JWT, the following applies.
 >
 >   - If the access token is specifically a JWS [RFC7515] that uses the 
JWS JSON Serialization, it MUST NOT include the JWS Unprotected Header.
 >
 >   - If the access token is specifically a JWE [RFC7516] that uses the 
JWE JSON Serialization, it MUST NOT include the JWE Shared Unprotected 
Header and it MUST NOT include the "header" member in any of the 
elements of the "recipients" array.

```
/ CWT CBOR tag / 61(
   / COSE_Encrypt0 CBOR tag / 16(
     / COSE_Encrypt0 object / [
       / protected /   h'a3010a044c53796d6d65747269633132
                         38054d99a0d7846e762c49ffe8a63e0b',
       / unprotected / {},
       / ciphertext /  h'b918a11fd81e438b7f973d9e2e119bcb
                         22424ba0f38a80f27562f400ee1d0d6c
                         0fdb559c02421fd384fc2ebe22d70713
                         78b0ea7428fff157444d45f7e6afcda1
                         aae5f6495830c58627087fc5b4974f31
                         9a8707a635dd643b'
     ]
   )
)

Figure \<FIGURE_NUMBER\>
```

 > Section \<"Preventing Unnoticed Manipulation of Access Tokens"\> 
discusses how adhering to the rules above neutralizes an attack against 
the RS, where an active adversary can induce the RS to compute a token 
hash different from the correct one.


**Section 3.0 of v -08**

New paragraphs at the end of the section.

NEW:
 > Consistent with Section 3.4 of [RFC8949], the term "tag" is used for 
the entire CBOR data item consisting of both a tag number and the tag 
content: the tag content is the CBOR data item that is being tagged.
 >
 > Also, "tagged access token" is used to denote nested CBOR tags 
(possibly a single one), with the innermost tag content being a CWT.


**Section 3.1.1 of v -08**

OLD:
 > This implies that, within the CBOR map specified as message payload, 
the parameter 'access_token' is a CBOR data item of type CBOR byte 
string and with value the binary representation BYTES of the access 
token. In particular:
 >
 > * If the access token is a CWT, then BYTES is the binary 
representation of the CWT (i.e., of the CBOR array that encodes the CWT).
 > ...

NEW:
 > This implies that, within the CBOR map specified as message payload, 
the parameter 'access_token' is a CBOR data item of type CBOR byte 
string and with value BYTES. In particular:
 >
 > * If the access token is a CWT, then BYTES is the binary 
representation of the CWT (i.e., of the CBOR array that encodes the 
untagged CWT) or of a tagged access token with the CWT as innermost tag 
content.
 > ...


OLD:
 > This implies that, within the JSON object specified as message 
payload, the parameter 'access_token' has as value a text string TEXT 
encoding the access token. In particular:
 > ...
 > * If the access token is a CWT, then TEXT is the base64url-encoded 
text string of the binary representation of the CWT (i.e., of the CBOR 
array that encodes the CWT).

NEW:
 > This implies that, within the JSON object specified as message 
payload, the parameter 'access_token' has as value a text string TEXT. 
In particular:
 > ...
 > * If the access token is a CWT, then TEXT is the base64url-encoded 
text string of BYTES, which is the binary representation of the CWT 
(i.e., of the CBOR array that encodes the untagged CWT) or of a tagged 
access token with the CWT as innermost tag content.


**Section 3.1.2 of v -08**

OLD:
 > If the AS-to-Client response was encoded in CBOR, then TOKEN_INFO is 
the value of the CBOR byte string conveyed by the 'access_token' 
parameter of that response. This is irrespective of the access token 
being a CWT or a JWT. That is, TOKEN_INFO is the binary representation 
of the access token.

NEW:
 > If the AS-to-Client response was encoded in CBOR, then TOKEN_INFO is 
the value of the CBOR byte string conveyed by the 'access_token' 
parameter of that response. That is, TOKEN_INFO is the binary 
representation of the (tagged) access token.


OLD:
 > If the AS-to-Client response was encoded in JSON and the access token 
is a CWT, then ... text string that encodes the binary representation of 
the access token. That is, ...

NEW:
 > If the AS-to-Client response was encoded in JSON and the access token 
is a CWT, then ... text string that encodes the binary representation of 
the (tagged) access token. That is, ...


OLD (4 instances):
 > The access token can be uploaded to the RS ...

NEW (4 instances):
 > The (tagged) access token can be uploaded to the RS ...


**Section 3.2.0 of v -08**

OLD:
 > ... where the access token is included and provided to the requester 
Client.

NEW:
 > ... where the (tagged) access token is included and provided to the 
requester Client.


**Section 3.2.1 of v -08**

OLD
 > With reference to the example in Figure 2, BYTES is the bytes {0xd0 
0x83 0x43 ... 0x64 0x3b}.

NEW
 > With reference to the example in Figure 2, BYTES is the bytes {0xd8 
0x3d 0xd0 ... 0x64 0x3b}.


OLD:
 > Note that BYTES is the binary representation of the access token, 
irrespective of this being a CWT or a JWT.

NEW:
 > Note that BYTES is the binary representation of the tagged access 
token if this is a CWT (as per Section \<"Issuing of Access Tokens at 
the AS"\>), or of the access token if this is a JWT.


OLD
```
Header: Created (Code=2.01)
Content-Format: application/ace+cbor
Max-Age: 85800
Payload:
{
    / access_token / 1 : h'd08343a1010aa2044c53796d6d65
                           74726963313238054d99a0d7846e
                           762c49ffe8a63e0b5858b918a11f
                           d81e438b7f973d9e2e119bcb2242
                           4ba0f38a80f27562f400ee1d0d6c
                           0fdb559c02421fd384fc2ebe22d7
                           071378b0ea7428fff157444d45f7
                           e6afcda1aae5f6495830c5862708
                           7fc5b4974f319a8707a635dd643b',
    / token_type /  34 : 2 / PoP /,
    / expires_in /   2 : 86400,
    / ace_profile / 38 : 1 / coap_dtls /,
    / (remainder of the response omitted for brevity) /
}
```

NEW
```
Header: Created (Code=2.01)
Content-Format: application/ace+cbor
Max-Age: 85800
Payload:
{
    / access_token / 1 : h'd83dd0835820a3010a044c53796d6d
                           6574726963313238054d99a0d7846e
                           762c49ffe8a63e0ba05858b918a11f
                           d81e438b7f973d9e2e119bcb22424b
                           a0f38a80f27562f400ee1d0d6c0fdb
                           559c02421fd384fc2ebe22d7071378
                           b0ea7428fff157444d45f7e6afcda1
                           aae5f6495830c58627087fc5b4974f
                           319a8707a635dd643b',
    / token_type /  34 : 2 / PoP /,
    / expires_in /   2 : 86400,
    / ace_profile / 38 : 1 / coap_dtls /,
    / (remainder of the response omitted for brevity) /
}
```


**Section 3.2.2 of v -08**

OLD
 > With reference to the example in Figure 3, HASH_INPUT is the binary 
representation of "2YotnFZFEjr1zCsicMWpAA".

NEW (JWT taken from Appendix A.1 of RFC 7519):
 > With reference to the example in Figure 3, HASH_INPUT is the binary 
representation of "eyJh...YFiA". When showing the access token, Figure 3 
uses line breaks for display purposes only.
 > ...


OLD:
 > * If the access token is a CWT, then HASH_INPUT is the binary 
representation of the base64url-encoded text string that encodes the 
binary representation of the CWT.

NEW:
 > * If the access token is a CWT, then HASH_INPUT is the binary 
representation of a base64url-encoded text string, which encodes the 
binary representation of a tagged access token with the CWT as innermost 
tag content (as per Section \<"Issuing of Access Tokens at the AS"\>).


OLD
```
HTTP/1.1 200 OK
Content-Type: application/ace+json
Cache-Control: no-store
Pragma: no-cache
Payload:
{
    "access_token" : "2YotnFZFEjr1zCsicMWpAA",
    "token_type"   : "pop",
    "expires_in"   : 86400,
    "ace_profile"  : "1"
}
```

NEW (JWT taken from Appendix A.1 of RFC 7519):
```
HTTP/1.1 200 OK
Content-Type: application/ace+json
Cache-Control: no-store
Pragma: no-cache
Payload:
{
    "access_token" : "eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJB
                      MTI4Q0JDLUhTMjU2In0.
                      QR1Owv2ug2WyPBnbQrRARTeEk9kDO2w8
                      qDcjiHnSJflSdv1iNqhWXaKH4MqAkQtM
                      oNfABIPJaZm0HaA415sv3aeuBWnD8J-U
                      i7Ah6cWafs3ZwwFKDFUUsWHSK-IPKxLG
                      TkND09XyjORj_CHAgOPJ-Sd8ONQRnJvW
                      n_hXV1BNMHzUjPyYwEsRhDhzjAD26ima
                      sOTsgruobpYGoQcXUwFDn7moXPRfDE8-
                      NoQX7N7ZYMmpUDkR-Cx9obNGwJQ3nM52
                      YCitxoQVPzjbl7WBuB7AohdBoZOdZ24W
                      lN1lVIeh8v1K4krB8xgKvRU8kgFrEn_a
                      1rZgN5TiysnmzTROF869lQ.
                      AxY8DCtDaGlsbGljb3RoZQ.
                      MKOle7UQrG6nSxTLX6Mqwt0orbHvAKeW
                      nDYvpIAeZ72deHxz3roJDXQyhxx0wKaM
                      HDjUEOKIwrtkHthpqEanSBNYHZgmNOV7
                      sln1Eu9g3J8.
                      fiK51VwhsxJ-siBMR-YFiA",
    "token_type"   : "pop",
    "expires_in"   : 86400,
    "ace_profile"  : "1"
}
```


**Section 3.3.1 of v -08**

OLD:
 > Hence, the RS assumes TOKEN_INFO to be the binary representation of 
the access token.

NEW:
 > Hence, the RS assumes TOKEN_INFO to be the binary representation of 
the tagged access token with the CWT as innermost tag content (as per 
Section \<"Issuing of Access Tokens at the AS"\>).


OLD:
 > Hence, the RS assumes TOKEN_INFO to be the binary representation of 
HASH_INPUT_TEXT, which is the base64url-encoded text string that encodes 
the binary representation of the access token.

NEW:
 > Hence, the RS assumes TOKEN_INFO to be the binary representation of 
HASH_INPUT_TEXT. In turn, HASH_INPUT_TEXT is the base64url-encoded text 
string that encodes the binary representation of the tagged access token 
with the CWT as innermost tag content (as per Section \<"Issuing of 
Access Tokens at the AS"\>).


OLD:
 > ... and considers the result as the binary representation of the 
access token.

NEW:
 > ... and considers the result as the binary representation of the 
tagged access token.


**Section 10.1 of v -08**

OLD:
 > An RS MUST NOT accept and store an access token, if the corresponding 
token hash is among the currently stored ones.

NEW:
 > If an RS uses the method defined in this document with the AS that 
has issued an access token, then the RS MUST NOT accept and store that 
access token if any of the following holds.
 >
 > * The token hash corresponding to the access token is among the 
currently stored ones.
 >
 > * The access token is a CWT and any of the following holds.
 >
 >   - The access token includes a non-empty "unprotected" field, i.e., 
the value of the field is not encoded as the empty CBOR map (0xa0). This 
applies to: the top-level "unprotected" field of the COSE object used 
for the CWT; the "unprotected" field of each element of the "signatures" 
array; and the "unprotected" field of each element of any "recipients" 
array.
 >
 >   - The received CBOR data item that embodies the access token does 
not comply with what is defined in Section \<"Issuing of Access Tokens 
at the AS"\>. This concerns: the use of exactly two nested CBOR tags, 
where the outer tag is the CWT CBOR tag and the inner tag is one of the 
COSE CBOR tags; the tag numbers encoded with the minimum possible 
length; and the access token being the innermost tag content of the 
received CBOR data item.
 >
 >   - In the received CBOR data item that embodies the access token, 
the inner tag has a tag number that is not consistent with the actual 
COSE data item to process. For instance, the inner tag number is 16 
(COSE_Encrypt0), but the CWT is actually a COSE_Sign data item.
 >
 > * The access token is a JWT and any of the following holds.
 >
 >   - The access token is specifically a JWS [RFC7515] using the JWS 
JSON Serialization, and it includes the JWS Unprotected Header.
 >
 >   - The access token is specifically a JWE [RFC7516] using the JWE 
JSON Serialization, and it includes the JWE Shared Unprotected Header 
and/or includes the "header" member in any of the elements of the 
"recipients" array.


**New Section "Preventing Unnoticed Manipulation of Access Tokens"**

This section provides security considerations on this topic.

It fits well between Section 13.5 "Vulnerable Time Window at the RS" and 
Section 13.6 "Two Token Hashes at the RS using JWTs" of version -08.

The text of this new section is as follows.

NEW:
 > As defined in Section \<"Issuing of Access Tokens at the AS"\>, 
issued access tokens MUST NOT rely on unprotected headers to specify 
information as header parameters. Also, when issued access tokens are 
CWTs, they MUST be tagged by using the COSE CBOR tag corresponding to 
the used COSE object, the result MUST be in turn tagged by using the CWT 
CBOR tag, and no further tagging is performed.
 >
 > This ensures that the RS always computes the correct token hash 
corresponding to an access token, i.e., the same token hash computed by 
the AS and C for that access token.
 >
 > By construction, the rules defined in Section \<"Issuing of Access 
Tokens at the AS"\> prevent an active adversary from successfully 
performing an attack against the RS, which would otherwise be possible 
in case the access token is uploaded to the RS over an unprotected 
communication channel.
 >
 > In such an attack, the adversary intercepts the access token when 
this is sent to the RS. Then, the adversary manipulates the access token 
in a way which is going to be unnoticed by the RS, but without 
preventing the successful, cryptographic validation of the access token 
at the RS. To this end, the adversary has two possible options:
 >
 > * Adding and/or removing fields within the unprotected header(s) of 
the access token, as long as those fields do not play a role in the 
cryptographic validation of the access token.
 > * Specifically when the access token is a CWT, adding/removing or 
manipulating possible CBOR tag(s) enclosing the access token.
 >
 > After that, the adversary sends the manipulated access token to the RS.
 >
 > After having successfully validated the manipulated access token, the 
RS computes a corresponding token hash different from the one computed 
and stored by C and the AS. Finally, the RS stores the manipulated 
access token and the corresponding wrong token hash.
 >
 > Later on, if the access token is revoked and the AS provides the RS 
with the corresponding correct token hash, the RS does not recognize the 
received token hash among the stored ones, and therefore does not delete 
the revoked access token.

<==

> ### How should unavailability be treated?
>
> ```
> 1862       In order to avoid this, a requester SHOULD NOT rely solely on the
> 1863       CoAP Observe notifications.  In particular, a requester SHOULD also
> 1864       regularly poll the AS for the most current information about revoked
> 1865       access tokens, by sending GET requests to the TRL endpoint according
> 1866       to a related application policy.
> ```
>
> If the GET request fails, the client assumes there are no revoked tokens?
>

==>MT

No. In case a requester does not receive a response from the TRL 
endpoint or it receives an error response from the TRL endpoint, the 
requester makes no assumption regarding the revocation or expiration of 
its pertaining access tokens.

We have explicitly clarified it in the earlier Section 10 "Notification 
of Revoked Access Tokens", by including a new paragraph between the 
current second paragraph and the current third paragraph.

OLD:
 > In case the request is successfully processed, ...
 >
 > When the TRL is updated (see Section 4.1) ...

NEW:
 > In case the request is successfully processed, ...
 >
 > In case a requester does not receive a response from the TRL endpoint 
or it receives an error response from the TRL endpoint, the requester 
does not make any assumption or draw any conclusion regarding the 
revocation or expiration of its pertaining access tokens.
 >
 > When the TRL is updated (see Section 4.1) ...


Many thanks again for your comments!

<==


-- 
Marco Tiloca
Ph.D., Senior Researcher

Phone: +46 (0)70 60 46 501

RISE Research Institutes of Sweden AB
Box 1263
164 29 Kista (Sweden)

Division: Digital Systems
Department: Computer Science
Unit: Cybersecurity

https://www.ri.se