[Ace] Review of draft-ietf-ace-oauth-params-00
Hannes Tschofenig <Hannes.Tschofenig@arm.com> Tue, 23 October 2018 19:09 UTC
Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC1FC130F17 for <ace@ietfa.amsl.com>; Tue, 23 Oct 2018 12:09:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RnuJ6BDacXAA for <ace@ietfa.amsl.com>; Tue, 23 Oct 2018 12:09:51 -0700 (PDT)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-am5eur02on0600.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe07::600]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67B99130EEC for <Ace@ietf.org>; Tue, 23 Oct 2018 12:09:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=21TXq20PKxSdjRhpF8UIvWA6VmG/B3OOKOr04sR4M8I=; b=HRsB/GP3BszaGm1M3ALVFszgpa0qrv1/62xSkMZ6UgPkiOg6TYg7HKgpkISZd+LI36txiDYE0A69QlG5bZBj6Lr3TDIn0i1oRC4mexcpeRSKsiM7EHMt31L2Km1rKa3k5sO20SjDwdBtyF4nfyn6GfsKzGCnPXHm3do23Zx12jA=
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com (10.173.75.16) by VI1PR0801MB1758.eurprd08.prod.outlook.com (10.168.67.135) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1250.29; Tue, 23 Oct 2018 19:09:48 +0000
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::7165:6199:a54f:510c]) by VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::7165:6199:a54f:510c%2]) with mapi id 15.20.1273.014; Tue, 23 Oct 2018 19:09:48 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "Ace@ietf.org" <Ace@ietf.org>
Thread-Topic: Review of draft-ietf-ace-oauth-params-00
Thread-Index: AdRrA+0cVyM+dWrcQLCmuAJtHJOHpQ==
Date: Tue, 23 Oct 2018 19:09:48 +0000
Message-ID: <VI1PR0801MB2112DD9ECD09B98C5060D868FAF50@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [64.71.18.60]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0801MB1758; 6:KisEjCg53rjKLT0+Q/n4BumQUfcj0OX5NLS7pjU4sMWXs/QO4HtDstiEAZZeEx/eTcWaYuA1eSImBzCbwBoLNgpeCp+HR7qa4vOrt6OoT80n32Qo+tfkx5hVsQhZVag11RQ+fvswRMWL5fAo689a4EeYqYZfhmrbs3kc3uEDqRxL7yn8HKydl8QoQuAEx1wRo3U3DhuQYr3UIv1iS8YfSb0vgc5hI1x76wO8VRi/+gkaRnMUL6YHFSNN40nlCiiBP7iaeeaElWnpm06FGs6eO8TGKyCa9Sa2vKOtqdp97h3f4Bxbxf29gKaWB6iQrqX7yl1DI+gUOXo9zf+NjyBQ6y6iYTV1bbHXRQKjt4tDqxIIu1WRyYoWoRTCGt9RbKc890lLN24NT/PTqzb9XDTvlUlfLHQsScFaoahpE/V+SFCodsW5kyUCufR7ueWsPXrW0YWfD/syyM0KPBKdTOY8fw==; 5:HG9C+VdHS6SoF3tFectbkXHsf3bW4GvHVaXY4GYnmO4KvmJGeIcjLQGQBrHB5dxt9JIvNA+QB9xpuaANULVey65GhSKKi9KiC3JDa8uIOM8088q+Lj6zdJMI5Y7gJlmV48AXsdaXYrSWTi0gX2r2qMTUpNcU70kjid914zlkbZg=; 7:Do6CHXLBtQldVENR/7GcTU1BzuEnAgTfkeckj683RtWTQBEBVgogkBDv65U6WBc06BRSlpdbqJNTU+QEdlxnrbLYy/TANmMPVGQ+iY7iuYdpJBPH63VZLsatBboq6EVCnNRDWmWp+GPjjyLFm6/229rx6n9qDKmNV8lubcdM0TrJzV+MEvJYXgCF+FPtMFLyDkYIU3/n3ki6kNjCQts7aOmpdvivj/oBiH7+7FY58EoesGmD1BPUZL5TmOqXSK0C
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: c08c84f1-842a-4ea2-e0e8-08d6391b1a5a
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:VI1PR0801MB1758;
x-ms-traffictypediagnostic: VI1PR0801MB1758:
x-microsoft-antispam-prvs: <VI1PR0801MB175812AF75FA7A61B6392B94FAF50@VI1PR0801MB1758.eurprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(21748063052155)(28532068793085)(190501279198761)(227612066756510);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(10201501046)(3231355)(944501410)(4982022)(52105095)(3002001)(93006095)(93001095)(6055026)(148016)(149066)(150057)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123558120)(20161123562045)(20161123560045)(201708071742011)(7699051)(76991095); SRVR:VI1PR0801MB1758; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0801MB1758;
x-forefront-prvs: 0834BAF534
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(396003)(136003)(366004)(346002)(376002)(40434004)(199004)(189003)(53754006)(102836004)(5630700001)(9686003)(26005)(2906002)(6306002)(54896002)(68736007)(105586002)(6506007)(5660300001)(72206003)(6436002)(25786009)(5640700003)(33656002)(2900100001)(53936002)(478600001)(97736004)(2351001)(14454004)(966005)(2501003)(5250100002)(66066001)(71200400001)(71190400001)(486006)(3846002)(790700001)(7696005)(55016002)(6116002)(8936002)(86362001)(81156014)(476003)(6916009)(81166006)(8676002)(14444005)(99286004)(256004)(74316002)(186003)(7736002)(316002)(5024004)(106356001); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0801MB1758; H:VI1PR0801MB2112.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: x9i7uA1zoZ648d3zgtNcyev1qZjX2GlE7wxFAcyAO9r8eIlZF8ou2ndKF+fhJ6HHUjkaw+7qlL1u4rbpT3HjFFR+1/fqZ5tyQxRn0pPUj3z9Y60t3kT1RZutAAmhWweWcGvWWpHhHMyfjCJmMOfDvewSNrqwXiCePw+GgYqnEB9kT8g/mXGfBrAnvECoykrZcc98+MH0N1UiIgKvQS1wMdGEO5Tnxo4oMtkyHnPJX3RXWTKOQtafm+uoH6MExGabUwopIdOvJ8Pn16L6WNL33cv33IZoeT3XGP2IBFLvhmhFz+2W/hCg+sTWsmvwyl9/22wlrvj2CHBS6WhAuXm/2MooJ42pXuQOM1g0uNnT5MY=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_VI1PR0801MB2112DD9ECD09B98C5060D868FAF50VI1PR0801MB2112_"
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c08c84f1-842a-4ea2-e0e8-08d6391b1a5a
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Oct 2018 19:09:48.7786 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0801MB1758
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Sr6zE3DEGmhT26vMOicwj2PWKHk>
Subject: [Ace] Review of draft-ietf-ace-oauth-params-00
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2018 19:09:55 -0000
Hi all, I read through draft-ietf-ace-oauth-params-00 and have a few comments. 1) I believe the document should explain in more detail about how it fits into the rest of the OAuth PoP token work. The story essentially is that we have the HTTP-based transport in the OAuth WG and we have the CoAP-based transport in ACE. draft-ietf-ace-oauth-params-00 is about registering the necessary parameters for use with CoAP only. Neither the abstract nor the intro says this. 2) 'req_aud' parameter At the last IETF OAuth meeting in Montreal we agreed to adopt a new document, called resource indicators, and it can be found here: https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-01 I believe the parameter name and semantics defined in draft-ietf-oauth-resource-indicators-01 should match what is defined in draft-ietf-ace-oauth-params-00. The name of the parameter in draft-ietf-oauth-resource-indicators-01 is 'resource' and it is defined as resource Indicates the location of the target service or resource where access is being requested. Its value MUST be an absolute URI, as specified by Section 4.3 of [RFC3986], which MAY include a query component but MUST NOT include a fragment component. Multiple "resource" parameters MAY be used to indicate that the requested token is intended to be used at multiple resources. In a nutshell I believe you should do the following: a) rename the parameter to 'resource' to get it inline with draft-ietf-oauth-resource-indicators-01 b) use the same semantics as in draft-ietf-oauth-resource-indicators-01 c) find out what the encoding considerations are when using CoAP 3) 'req_cnf' parameter Changing the name of the parameter name from the previous 'cnf' is good and that was also requested at the last IETF due to the potential confusion with the 'cnf' claim name. However, I believe the semantics is different to the semantics defined in draft-ietf-oauth-pop-key-distribution. Unless I misunderstand but the relevant text regarding the req_cnf parameter content is this: o "req_cnf" in the token request C -> AS, OPTIONAL to indicate the client's raw public key, or the key-identifier of a previously established key between C and RS that the client wishes to use for proof-of-possession of the access token. For example, in draft-ietf-oauth-pop-key-distribution there is no key identifier passed from the client to the server when making the request for a PoP token. Instead, the server just mints one (along with the symmetric key) and sends it to the client. Ciao Hannes PS: Why was a standalone document written instead of leaving the parameters in the ACE-OAuth framework spec? I guess there are reasons (which I may have missed). IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
- [Ace] Review of draft-ietf-ace-oauth-params-00 Hannes Tschofenig
- Re: [Ace] Review of draft-ietf-ace-oauth-params-00 Ludwig Seitz
- Re: [Ace] Review of draft-ietf-ace-oauth-params-00 Ludwig Seitz
- Re: [Ace] Review of draft-ietf-ace-oauth-params-00 Jim Schaad