[Ace] Parameter abbreviation number ranges for draft-ietf-ace-oauth-authz

Ludwig Seitz <ludwig.seitz@ri.se> Mon, 27 August 2018 07:52 UTC

Return-Path: <ludwig.seitz@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 0E2A4130DF3 for <ace@ietfa.amsl.com>; Mon, 27 Aug 2018 00:52:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id GT6IRtN_1B2i for <ace@ietfa.amsl.com>; Mon, 27 Aug 2018 00:52:06 -0700 (PDT)
Received: from smtp-out10.electric.net (smtp-out10.electric.net []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 763D1129C6B for <ace@ietf.org>; Mon, 27 Aug 2018 00:52:06 -0700 (PDT)
Received: from 1fuCJg-000jGz-T7 by out10c.electric.net with emc1-ok (Exim 4.90_1) (envelope-from <ludwig.seitz@ri.se>) id 1fuCJg-000jIU-Tj for ace@ietf.org; Mon, 27 Aug 2018 00:52:04 -0700
Received: by emcmailer; Mon, 27 Aug 2018 00:52:04 -0700
Received: from [] (helo=sp-mail-2.sp.se) by out10c.electric.net with esmtps (TLSv1.2:ECDHE-RSA-AES128-SHA256:128) (Exim 4.90_1) (envelope-from <ludwig.seitz@ri.se>) id 1fuCJg-000jGz-T7 for ace@ietf.org; Mon, 27 Aug 2018 00:52:04 -0700
Received: from [] ( by sp-mail-2.sp.se ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Mon, 27 Aug 2018 09:52:03 +0200
To: "ace@ietf.org" <ace@ietf.org>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <ed5a89e7-e2ed-8804-037f-8b50d2bc6d64@ri.se>
Date: Mon, 27 Aug 2018 09:52:03 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Originating-IP: []
X-ClientProxiedBy: sp-mail-1.sp.se ( To sp-mail-2.sp.se (
X-Env-From: ludwig.seitz@ri.se
X-Proto: esmtps
X-HELO: sp-mail-2.sp.se
X-TLS: TLSv1.2:ECDHE-RSA-AES128-SHA256:128
X-Virus-Status: Scanned by VirusSMART (c)
X-Virus-Status: Scanned by VirusSMART (s)
X-PolicySMART: 14510320
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/cX-DjWxSC4PehY0bEmbaNeeT2pI>
Subject: [Ace] Parameter abbreviation number ranges for draft-ietf-ace-oauth-authz
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Aug 2018 07:52:10 -0000

Hello group,

at IETF 102 there was a discussion about the numerical abbreviations we 
introduced for both OAuth parameter names and access token claim names.

I have generated a proposal that makes better use of the number space, 
but I'd like the OAuth specialists to have a look at it and see if I 
pushed any important (= frequently used) OAuth parameter into the two 
byte number range.


CBOR integers have a very compact representation (1 byte) for numbers 
from 0-23, from 24-255 (which is all we will ever need ;-) ) they use 2 
bytes. Thus we'd like to use abbreviations in the first number range for 
parameters/claims that are frequently used.

My proposal follow below, please feel free to comment.


Existing claim name abbreviations from RFC 8392 (CWT) :
  iss  1
  sub  2
  aud  3
  exp  4
  nbf  5
  iat  6
  cti  7

New claim name abbreviation introduced by 

  cnf  8

New claims introduced by draft-ietf-ace-oauth-authz (with proposed 

  scope 9
  profile 10
  rs_cnf 11

Token endpoint parameters from RFC 6749 (OAuth 2.0) (with proposed 

scope 9
error 12
grant_type 13
access_token 14
token_type 15

client_id      24
client_secret  25
response_type  26
state 27
redirect_uri 28
error_description 29
error_uri 30
code 31
expires_in 32
username 33
password 34
refresh_token 35

New token endpoint parameters introduced by draft-ietf-ace-oauth-authz
(with proposed abbreviations):

req_aud 16
req_cnf 17
used_cnf 18
rs_cnf 19

(Note that req_* and used_cnf are not yet in the draft, but we came to 
the conclusion we will need them after the OAuth session at IETF 102. 
They will be in the next update)

Introspection endpoint paramenters from RFC  (OAuth 2.0 introspection)
(with proposed abbreviations):

iss 1
sub 2
aud 3
exp 4
iat 6
nbf 5
scope  9
token_type 15
active 20
client_id 24
username 33
jti (no abbreviation, we have cti)

New introspection endpoint parameters introduced by 

cnf 8
rs_cnf   19
profile  10

Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51