IETF Logo Mail Archive

Re: [Ace] comment on draft-ietf-ace-oauth-authz-26

Ludwig Seitz <ludwig.seitz@ri.se> Thu, 21 November 2019 02:51 UTC

Return-Path: <ludwig.seitz@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9BDA120928 for <ace@ietfa.amsl.com>; Wed, 20 Nov 2019 18:51:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=risecloud.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b23AAys_tewE for <ace@ietfa.amsl.com>; Wed, 20 Nov 2019 18:51:41 -0800 (PST)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00086.outbound.protection.outlook.com [40.107.0.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96D1512090F for <ace@ietf.org>; Wed, 20 Nov 2019 18:51:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=COWkTEOV/62fv7c3xxEx15sOu82ynbO7Esldhkp6XHje7yJkgebK3Twac6xnszb5og7GiZfbWuPTv0m8/5pghIDCqYc9HJMUSTvt6DTBwn6NHjE1Z95+2MoZUUTpkCGi3280jdM+kiYXaw2EqZXUeQnI0eLOKOVmNF/bO1Uid4T+vDqNvTPbzR6mGiTC+ETPXeynfHtyUOAe/9tkjiW3p9lIcjW/TPyRPCOs6cop4nLg8zWW7COjvvd4d9pg5E8wkaEqKw0Jp9YT58IRh9dbqtMTIda92bUOiNSsQX/9UeHAwdCv/BAGSUMYPopY+jWsGZrqKPMtZjgzFLzL6yIyxg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rHr0H1pqQnbI7SRyQ11raVYHZaU57ZyEAr/gV9/bZCE=; b=ZSiYm2qXEJiB/i9Mi3xUr2JKJU2rIHan0ECx5zPisJ3bvJozhZ1DE0VL5M/lce27qo2dVlCWSMUe0mVKF9E7QspzkRPlzDB9LvHop6A++2Jlk3l/z2QPm1bpD0Dk0M8467Hu1F9POq4Vh9wQH0SrsFybvoGfCnPpOLB7s7oEBXKTSs+RMZv0N56xUgv12qKbonnrJA5uOHjC7Qz+CoBVZB0C6qqINayF1YpnHrOIlgbKA7MAQD8/DlCg/b3czSqU2ZGw5SxryFBgLui9SNGinsr9zA3NIs/C4ux5xuz1fRqec5B/IGDCB7KuV7DwNPxH4TPij2tBG14FNxOkQdIgpw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 194.218.146.197) smtp.rcpttodomain=ietf.org smtp.mailfrom=ri.se; dmarc=pass (p=none sp=none pct=100) action=none header.from=ri.se; dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=RISEcloud.onmicrosoft.com; s=selector1-RISEcloud-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rHr0H1pqQnbI7SRyQ11raVYHZaU57ZyEAr/gV9/bZCE=; b=bVuGUFHCjwCgAm7Z/CUrLyBfSqonqc/43RwGTlHL4KlTQj/kjHKSfn2wb/8QP2vdj1KgjGTiT0SFGMaVr2bx1b7jdnH81mVFhahRWxp8fMLUTOJLykpVPpVQb1s+3It/8xiWZArt6NyhQ6zeVN3jYK3R3ad0svrcqpyTjuWJJhA=
Received: from DB6P18901CA0024.EURP189.PROD.OUTLOOK.COM (2603:10a6:4:16::34) by HE1P18901MB0235.EURP189.PROD.OUTLOOK.COM (2603:10a6:3:96::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.17; Thu, 21 Nov 2019 02:51:37 +0000
Received: from VE1EUR02FT014.eop-EUR02.prod.protection.outlook.com (2a01:111:f400:7e06::203) by DB6P18901CA0024.outlook.office365.com (2603:10a6:4:16::34) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2474.16 via Frontend Transport; Thu, 21 Nov 2019 02:51:37 +0000
Authentication-Results: spf=pass (sender IP is 194.218.146.197) smtp.mailfrom=ri.se; ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=pass action=none header.from=ri.se;
Received-SPF: Pass (protection.outlook.com: domain of ri.se designates 194.218.146.197 as permitted sender) receiver=protection.outlook.com; client-ip=194.218.146.197; helo=mail.ri.se;
Received: from mail.ri.se (194.218.146.197) by VE1EUR02FT014.mail.protection.outlook.com (10.152.12.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.20.2474.17 via Frontend Transport; Thu, 21 Nov 2019 02:51:37 +0000
Received: from [31.133.132.127] (10.116.0.226) by sp-mail-2.sp.se (10.100.0.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1779.2; Thu, 21 Nov 2019 03:51:34 +0100
To: ace@ietf.org
References: <CADZyTkkUsfeXcMo3pgZH47P2zWVdearXO4SLjvLOmDcGC4TptA@mail.gmail.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <93a0ac2d-6d00-ad7b-677c-4c44b77f91e0@ri.se>
Date: Thu, 21 Nov 2019 03:51:28 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <CADZyTkkUsfeXcMo3pgZH47P2zWVdearXO4SLjvLOmDcGC4TptA@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms000004040509000105000602"
X-Originating-IP: [10.116.0.226]
X-ClientProxiedBy: sp-mail-3.sp.se (10.100.0.163) To sp-mail-2.sp.se (10.100.0.162)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:194.218.146.197; IPV:NLI; CTRY:SE; EFV:NLI; SFV:NSPM; SFS:(10009020)(4636009)(396003)(346002)(376002)(39850400004)(136003)(189003)(199004)(65806001)(106002)(58126008)(316002)(16576012)(33964004)(6666004)(336012)(44832011)(76176011)(31686004)(16586007)(386003)(36756003)(6706004)(6306002)(6916009)(486006)(356004)(53546011)(5024004)(71190400001)(14444005)(6246003)(8676002)(81166006)(478600001)(81156014)(8936002)(2906002)(966005)(70586007)(70206006)(7736002)(229853002)(305945005)(22746008)(22756006)(568964002)(2351001)(16526019)(2616005)(126002)(476003)(446003)(956004)(11346002)(186003)(31696002)(26005)(86362001)(40036005)(65956001)(5660300002)(235185007)(3846002)(6116002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1P18901MB0235; H:mail.ri.se; FPR:; SPF:Pass; LANG:en; PTR:InfoDomainNonexistent; MX:1; A:1;
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 712a4a93-bf7a-4199-e6c2-08d76e2dba34
X-MS-TrafficTypeDiagnostic: HE1P18901MB0235:
X-MS-Exchange-PUrlCount: 4
X-Microsoft-Antispam-PRVS: <HE1P18901MB0235FBE1ADDAD744A24382CF824E0@HE1P18901MB0235.EURP189.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-Forefront-PRVS: 0228DDDDD7
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: T2Ys5m5J1Q9e+aoUOh8q94kyqHi3Q6csZ2Cn/Er1auL1phRRNSr+cgT+ZrZAmB/+AmxxsMntMzxRI57a7Pm4lTgRSG5BCYHpQAp8mMs88mWIdkHU8vE7wsw9T+JEe45EwFJ45V9xb9Ss1/eYVax7bg4wkMm4fD6UWMlIwOWoGt6ZajEHoLGLFmNEQr5b+jzNJbV0uMdUUAWWI/ahGVqMe9PuVRkvVnex25PhiclPP14v62S58Ki6UfIoZ3xngEauXn1DUMozcIn/ICg57WcU+e2cfFXkN3ifeJg3dph1rqr3RDpghXQD/Fi6Z7aXUdVuCzM5/TLAPFmPmeVDxZqhMdWVo/lbDSzNVICGQAEDzEd/JiBzPvhYYO102d7FCZowEiozzumuQzjM7b7siBGUsVM5UEXkgUIrxRjbJ0dq3R6P3eCTNC5imMsTrclsXDruux+NjcG6Jf/1fbj8CdSFC29LGWudef81vnfQAnhvhQA=
X-OriginatorOrg: ri.se
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Nov 2019 02:51:37.2076 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 712a4a93-bf7a-4199-e6c2-08d76e2dba34
X-MS-Exchange-CrossTenant-Id: 5a9809cf-0bcb-413a-838a-09ecc40cc9e8
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=5a9809cf-0bcb-413a-838a-09ecc40cc9e8; Ip=[194.218.146.197]; Helo=[mail.ri.se]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1P18901MB0235
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/gr00HDWui40WzkgclQqnU_uTkDY>
Subject: Re: [Ace] comment on draft-ietf-ace-oauth-authz-26
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2019 02:51:45 -0000

On 21/11/2019 03:29, Daniel Migault wrote:
> Hi,
> 
> This only concerns potential clarification of the text.
> 
> While reviewing mqtt-profile draft I raised an issue regarding the 
> reference for Oauth [RFC6749] while the remaining of the document 
> references draft-ietf-ace-oauth-authz [1]. My reading of 
> draft-ietf-ace-oauth-authz section 5.6.3 
> <https://tools..ietf.org/html/draft-ietf-ace-oauth-authz-26#section-5.6.3>. 
> was the same of the one of mqtt-profile coauthors, that is error 
> mandates the use of CBOR. Discussing this with others it seems a mis 
> interpretation of  draft-ietf-ace-oauth-authz section 5.6.3 
> <https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-26#section-5.6.3> [2].
> 
> I believe that is nice this is a mis-interpretation, but I would 
> recommend that the text makes it more explicit the use of JSON is 
> permitted. This seems to me a request to clarify the text.
> 
> Yours,
> Daniel
> 

I would be happy to add more clarification, but I'm currently at a loss 
of what that would be. Most of the bullets you cited already modify the 
MUSTs with "...when CBOR is used" or something similar to the same 
effect. The idea was to express: You can use the vanilla OAuth 
interactions based on JSON, but if you use CBOR then do it as specified 
here.

I am happy to take suggestions.

/Ludwig

> [1]
> """
> 
>     In the case of an error, the AS returns error responses for HTTP-
>     based interactions as ASCII codes in JSON content, as defined in
>     Section 5.2 of RFC 6749  <https://tools.ietf.org/html/rfc6749#section-5.2>  [RFC6749  <https://tools.ietf.org/html/rfc6749>].
> 
> """
> 
> [2]
> """
> 
> 
>         5.6.3
>         <https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-26#section-5.6.3>.
>         Error Response
> 
> 
> 
>     The error responses for CoAP-based interactions with the AS are
>     generally equivalent to the ones for HTTP-based interactions as
>     defined inSection 5.2 of [RFC6749]  <https://tools.ietf.org/html/rfc6749#section-5.2>, with the following exceptions:
> 
>     o  When using CBOR the raw payload before being processed by the
>        communication security protocol MUST be encoded as a CBOR map.
> 
>     o  A response code equivalent to the CoAP code 4.00 (Bad Request)
>        MUST be used for all error responses, except for invalid_client
>        where a response code equivalent to the CoAP code 4.01
>        (Unauthorized) MAY be used under the same conditions as specified
>        inSection 5.2 of [RFC6749]  <https://tools.ietf.org/html/rfc6749#section-5.2>.
> 
>     o  The Content-Format (for CoAP-based interactions) or media type
>        (for HTTP-based interactions) "application/ace+cbor" MUST be used
>        for the error response.
> 
>     o  The parameters "error", "error_description" and "error_uri" MUST
>        be abbreviated using the codes specified in Figure 12, when a CBOR
>        encoding is used.
> 
>     o  The error code (i.e., value of the "error" parameter) MUST be
>        abbreviated as specified in Figure 10, when a CBOR encoding is
>        used.
> /------------------------+-------------\
> 
>             | Name                   | CBOR Values |
>             |------------------------+-------------|
>             | invalid_request        |      1      |
>             | invalid_client         |      2      |
>             | invalid_grant          |      3      |
>             | unauthorized_client    |      4      |
>             | unsupported_grant_type |      5      |
>             | invalid_scope          |      6      |
>             | unsupported_pop_key    |      7      |
>             | incompatible_profiles  |      8      |
>             \------------------------+-------------/
> 
>             Figure 10: CBOR abbreviations for common error codes
> 
>     In addition to the error responses defined in OAuth 2.0, the
>     following behavior MUST be implemented by the AS:
> 
>     o  If the client submits an asymmetric key in the token request that
>        the RS cannot process, the AS MUST reject that request with a
>        response code equivalent to the CoAP code 4.00 (Bad Request)
>        including the error code "unsupported_pop_key" defined in
>        Figure 10.
> 
>     o  If the client and the RS it has requested an access token for do
>        not share a common profile, the AS MUST reject that request with a
>        response code equivalent to the CoAP code 4.00 (Bad Request)
>        including the error code "incompatible_profiles" defined in
>        Figure 10.
> 
> """
> 
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
> 


-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51

v2.23.0 | Report a Bug | By Email