Re: [Ace] draft-ietf-ace-oauth-authz

Ludwig Seitz <ludwig.seitz@ri.se> Tue, 26 February 2019 12:32 UTC

To: Jim Schaad <ietf@augustcellars.com>, <draft-ietf-ace-oauth-authz@ietf.org>
CC: 'ace' <ace@ietf.org>
References: <000201d4cbd5$d6837900$838a6b00$@augustcellars.com> <a4e42204-df48-f550-7e98-095bdbdd9ff3@ri.se> <00b001d4cd2c$c361f920$4a25eb60$@augustcellars.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <c0868edf-7914-fb86-6853-3615b608527f@ri.se>
Date: Tue, 26 Feb 2019 13:32:04 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <00b001d4cd2c$c361f920$4a25eb60$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/_rNpgtYI2MvMqEp91K3q7gUjpL0>
Subject: Re: [Ace] draft-ietf-ace-oauth-authz
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>

On 25/02/2019 18:08, Jim Schaad wrote:

>>> 3. In section 8.3 - Is/Should there be a requirement that the
>>> error also be registered in an OAuth registry?  If so then this
>>> needs to be part of the expert reviewer instructions on this
>>> registry.
>> 
>> The expert reviewer instructions already state this:
>> 
>> "Since a high degree of overlap is expected between these
>> registries and the contents of the OAuth parameters registries,
>> experts should require new registrations to maintain a reasonable
>> level of alignment with parameters from OAuth that have comparable
>> functionality."
>> 
>> This includes the error registry, do you think this is
>> sufficiently clear or should I elaborate?
> 
> The question I had was the difference between SHOULD and MUST be
> registered.  The text there says - try and keep them in sync, but if
> they are not it is not a problem.  If that is what you want then
> this is not a problem; I was just validating this.

The intention of the "should require ... a reasonable level of
alignment" was "try and keep them in sync, but if they are not you need
a good reason for this".

Your alternate interpretation makes me think the text is not worded
strongly enough.

> 
>> 
>>> 
>>> 4. In section 8.4 - Is there a reason to require a specification
>>> for this registry?  Should it be sufficient to have somebody
>>> request that a mapping be registered and the DE approves it?  The
>>> previous comment would apply to
>>> all of the mapping registries that are just mappings.
>>> 
>> The idea is to prevent the squatting of low byte count
>> abbreviations by parameters that are not frequently used, thus
>> there is a range of different policies for different integer
>> abbreviation number ranges. (note: I'm following the example of the
>> CWT specification here)
> 
> Not requiring a document to exists could still allow this.  IANA
> would still have the DE approve the assignment.
> 

OK, so you mean not having "specification required" for -65536 to -257
and 256 to 65535, and not having "standards action" for -256 to 255, would
be OK?

Note that this would be different from the policy in RFC 8392 (CWT).

/Ludwig


-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
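Added worked example for the registry-range discussion above. This is not code from draft-ietf-ace-oauth-authz, RFC 8392 or either correspondent; it is an editor's illustration of why the tiers in the thread sit at -256..255 and -65536..65535. Those are exactly the points where a CBOR integer map key grows from 2 to 3 bytes and from 3 to 5 bytes on the wire (major types 0 and 1 as defined in RFC 7049/RFC 8949), so a "specification required" or "standards action" tier on those ranges is guarding the scarce short encodings that constrained devices care about. The policy labels are the ones quoted in the message; for keys outside the quoted ranges the helper returns a placeholder rather than guessing a policy the thread does not state. The function and constant names are the example's own.

```python
# Added example (not code from the ACE draft, RFC 8392 or the message authors).
# Shows the CBOR wire length of integer map keys next to the registry policy
# tiers quoted in the thread, and checks that the tiers line up with the
# encoding-length boundaries.
from typing import List, Tuple

# Policy labels as quoted in the message; ranges outside the quoted ones are
# not specified by the thread, so the helper says so instead of guessing.
STANDARDS_ACTION = "Standards Action"
SPECIFICATION_REQUIRED = "Specification Required"
NOT_IN_THREAD = "not covered by the ranges quoted in this thread"


def cbor_encode_int(n: int) -> bytes:
    """Encode an integer as a CBOR major type 0 (unsigned) or 1 (negative) item."""
    major, val = (0, n) if n >= 0 else (1, -1 - n)
    if val < 24:
        return bytes([(major << 5) | val])                            # 1 byte
    if val <= 0xFF:
        return bytes([(major << 5) | 24, val])                        # 2 bytes
    if val <= 0xFFFF:
        return bytes([(major << 5) | 25]) + val.to_bytes(2, "big")   # 3 bytes
    if val <= 0xFFFFFFFF:
        return bytes([(major << 5) | 26]) + val.to_bytes(4, "big")   # 5 bytes
    if val <= 0xFFFFFFFFFFFFFFFF:
        return bytes([(major << 5) | 27]) + val.to_bytes(8, "big")   # 9 bytes
    raise ValueError("integer does not fit a CBOR major type 0/1 item")


def cbor_decode_int(data: bytes) -> Tuple[int, int]:
    """Decode one CBOR integer from the start of data; return (value, bytes used).

    The length is checked before slicing, so a truncated key raises instead of
    silently decoding to a different (shorter) value.
    """
    if not data:
        raise ValueError("empty input")
    major, info = data[0] >> 5, data[0] & 0x1F
    if major not in (0, 1):
        raise ValueError("not a CBOR integer item")
    widths = {24: 1, 25: 2, 26: 4, 27: 8}
    if info < 24:
        val, used = info, 1
    elif info in widths:
        used = 1 + widths[info]
        if len(data) < used:
            raise ValueError("truncated CBOR integer")
        val = int.from_bytes(data[1:used], "big")
    else:
        raise ValueError("reserved additional-information value %d" % info)
    return (val if major == 0 else -1 - val), used


def registration_policy(key: int) -> str:
    """Registry policy for an integer abbreviation, as quoted in the thread."""
    if -256 <= key <= 255:
        return STANDARDS_ACTION
    if -65536 <= key <= -257 or 256 <= key <= 65535:
        return SPECIFICATION_REQUIRED
    return NOT_IN_THREAD


def encoded_length(key: int) -> int:
    """Number of bytes the key occupies on the wire as a CBOR map key."""
    return len(cbor_encode_int(key))


def policy_tiers_match_encoding(keys: List[int]) -> bool:
    """True if no key contradicts: Standards Action keys fit in <= 2 bytes and
    Specification Required keys take exactly 3 bytes."""
    for k in keys:
        pol, n = registration_policy(k), encoded_length(k)
        if pol == STANDARDS_ACTION and n > 2:
            return False
        if pol == SPECIFICATION_REQUIRED and n != 3:
            return False
    return True


def tier_table(keys: List[int]) -> List[Tuple[int, int, str]]:
    """(key, wire length, policy) rows, with an encode/decode round trip per key."""
    rows = []
    for k in keys:
        enc = cbor_encode_int(k)
        assert cbor_decode_int(enc) == (k, len(enc))
        rows.append((k, len(enc), registration_policy(k)))
    return rows


if __name__ == "__main__":
    # Constructed boundary keys: one on each side of every tier edge in the thread.
    boundary_keys = [-65537, -65536, -257, -256, -24, -1, 0, 23, 24, 255, 256, 65535, 65536]
    for key, n, pol in tier_table(boundary_keys):
        print("%7d  %-12s %d byte(s)  %s" % (key, cbor_encode_int(key).hex(), n, pol))
    print("tiers sit on encoding boundaries:", policy_tiers_match_encoding(boundary_keys))
```

Running it prints one row per boundary key; the rows make the point of the thread visible: -256 and 255 are the last keys that fit in two bytes, -257 and 256 the first that need three, and 65536/-65537 jump to five. The 1-to-2-byte edge at -24/23 falls inside the "standards action" tier, which is the tightest protection the quoted policy gives those single-byte keys.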