Re: [Ace] Mirja Kühlewind's No Objection on draft-ietf-ace-cwt-proof-of-possession-09: (with COMMENT)

Mike Jones <Michael.Jones@microsoft.com> Mon, 28 October 2019 16:19 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Mirja Kuehlewind <ietf@kuehlewind.net>, Benjamin Kaduk <kaduk@mit.edu>
CC: Barry Leiba <barryleiba@computer.org>, "Roman D. Danyliw" <rdd@cert.org>, "ace-chairs@ietf.org" <ace-chairs@ietf.org>, The IESG <iesg@ietf.org>, "ace@ietf.org" <ace@ietf.org>, "draft-ietf-ace-cwt-proof-of-possession@ietf.org" <draft-ietf-ace-cwt-proof-of-possession@ietf.org>
Date: Mon, 28 Oct 2019 16:19:05 +0000
Message-ID: <BYAPR00MB0567997BBAC77665CBE19822F5660@BYAPR00MB0567.namprd00.prod.outlook.com>
References: <157201926102.4337.10953843577545450235.idtracker@ietfa.amsl.com> <CALaySJKSmewUn3u2T7Nr5MaCOJ5C=pAii3UB230r+jox5m-4gQ@mail.gmail.com> <20191028153150.GY69013@kduck.mit.edu> <4F15E6F7-2DA0-4C90-B891-DDA65917D1A7@kuehlewind.net>
In-Reply-To: <4F15E6F7-2DA0-4C90-B891-DDA65917D1A7@kuehlewind.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/ewoMQHb983b_Zk_2Bg6B-4LMkhE>
Subject: Re: [Ace] Mirja Kühlewind's No Objection on draft-ietf-ace-cwt-proof-of-possession-09: (with COMMENT)
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>

The practice of using a mailing list for registration requests to enable public visibility of them goes back at least to .well-known URI registrations https://tools.ietf.org/html/rfc5785 by Mark Nottingham in April 2010.  OAuth 2.0 followed this practice in RFC 6749, as did the JOSE specs and JWT in RFCs 7515-19.  The rest is history, as they say.

				-- Mike

-----Original Message-----
From: Mirja Kuehlewind <ietf@kuehlewind.net> 
Sent: Monday, October 28, 2019 8:54 AM
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Barry Leiba <barryleiba@computer.org>; Roman D. Danyliw <rdd@cert.org>; ace-chairs@ietf.org; The IESG <iesg@ietf.org>; ace@ietf.org; draft-ietf-ace-cwt-proof-of-possession@ietf.org
Subject: Re: [Ace] Mirja Kühlewind's No Objection on draft-ietf-ace-cwt-proof-of-possession-09: (with COMMENT)

These are all quite recent examples, so maybe the procedures are changing at the moment. I guess we as the IESG should be aware and figure out what the right procedure actually should be here.

> On 28. Oct 2019, at 16:31, Benjamin Kaduk <kaduk@mit.edu> wrote:
> 
> On Fri, Oct 25, 2019 at 12:31:42PM -0400, Barry Leiba wrote:
>> Yeh, it's very common for authors to try to tell IANA how to handle 
>> registrations, and I often push back on that as inappropriate.  There 
>> are certainly special conditions that IANA should be told about, but 
>> this is standard work-flow management stuff that ought to be left to 
>> IANA.  I do think it should be changed before this is published, 
>> probably just removing that last sentence.
> 
> While I'm not opposed to normalizing on a default procedure, I think 
> the authors were just trying to follow existing examples.
> 
> RFC 7519:
> 
>   Values are registered on a Specification Required [RFC5226] basis
>   after a three-week review period on the jwt-reg-review@ietf.org
>   mailing list, on the advice of one or more Designated Experts.
>   However, to allow for the allocation of values prior to publication,
>   the Designated Experts may approve registration once they are
>   satisfied that such a specification will be published.
> 
>   Registration requests sent to the mailing list for review should use
>   an appropriate subject (e.g., "Request to register claim: example").
> 
>   Within the review period, the Designated Experts will either approve
>   or deny the registration request, communicating this decision to the
>   review list and IANA.  Denials should include an explanation and, if
>   applicable, suggestions as to how to make the request successful.
>   Registration requests that are undetermined for a period longer than
>   21 days can be brought to the IESG's attention (using the
>   iesg@ietf.org mailing list) for resolution.
> 
> RFC 8414:
> 
>   Values are registered on a Specification Required [RFC8126] basis
>   after a two-week review period on the oauth-ext-review@ietf.org
>   mailing list, on the advice of one or more Designated Experts.
>   However, to allow for the allocation of values prior to publication,
>   the Designated Experts may approve registration once they are
>   satisfied that such a specification will be published.
> 
>   Registration requests sent to the mailing list for review should use
>   an appropriate subject (e.g., "Request to register OAuth
>   Authorization Server Metadata: example").
> 
>   Within the review period, the Designated Experts will either approve
>   or deny the registration request, communicating this decision to the
>   review list and IANA.  Denials should include an explanation and, if
>   applicable, suggestions as to how to make the request successful.
>   Registration requests that are undetermined for a period longer than
>   21 days can be brought to the IESG's attention (using the
>   iesg@ietf.org mailing list) for resolution.
> 
> RFC 8447:
> 
>   Specification Required [RFC8126] registry requests are registered
>   after a three-week review period on the <tls-reg-review@ietf.org>
>   mailing list, on the advice of one or more designated experts.
>   However, to allow for the allocation of values prior to publication,
>   the designated experts may approve registration once they are
>   satisfied that such a specification will be published.
> 
>   Registration requests sent to the mailing list for review SHOULD use
>   an appropriate subject (e.g., "Request to register value in TLS bar
>   registry").
> 
>   Within the review period, the designated experts will either approve
>   or deny the registration request, communicating this decision to the
>   review list and IANA.  Denials SHOULD include an explanation and, if
>   applicable, suggestions as to how to make the request successful.
>   Registration requests that are undetermined for a period longer than
>   21 days can be brought to the IESG's attention (using the
>   <iesg@ietf.org> mailing list) for resolution.
> 
> [I stopped looking here]
> 
> So if we're going to change things around, maybe we should issue an 
> IESG statement.
> 
> -Ben
> 
>