Re: [Ace] WGLC on draft-ietf-ace-cwt-proof-of-possession-02

Mike Jones <> Sun, 20 May 2018 11:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3CCF71270A0; Sun, 20 May 2018 04:34:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8LN0ZnLnqE_E; Sun, 20 May 2018 04:34:20 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0075F12708C; Sun, 20 May 2018 04:34:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8w+BbrLJ5vJXiLH6CS572/VVo/ZiXFDIfnwUDXXwxI4=; b=Bfv5/dtpSv+UFijRCxkZ4mxhnw7sH1vzpDf+TsL/leNWvCcIaUh1XPR+dGs44HQ4fBpGI2E4P52kPppnChoAsWgh0QTQU3p/0mlakJcvHVjybz+7P9vxCnbP7L5xNMX47OpzVfzTpmCqPqNPfLjeQ2zQnEN9XkRvNmvPriUV8+E=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.824.0; Sun, 20 May 2018 11:34:13 +0000
Received: from ([fe80::5444:5f2b:6904:5012]) by ([fe80::5444:5f2b:6904:5012%3]) with mapi id 15.20.0828.000; Sun, 20 May 2018 11:34:13 +0000
From: Mike Jones <>
To: Jim Schaad <>, "" <>
CC: "" <>
Thread-Topic: [Ace] WGLC on draft-ietf-ace-cwt-proof-of-possession-02
Thread-Index: AdPnGgXMYVrDIRKQRwyiq8BLgNVR0wAN1QSAAgfdtpA=
Date: Sun, 20 May 2018 11:34:13 +0000
Message-ID: <>
References: <359EC4B99E040048A7131E0F4E113AFC014C3AA67D@marchand> <00ad01d3e751$5c1f03a0$145d0ae0$>
In-Reply-To: <00ad01d3e751$5c1f03a0$145d0ae0$>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN6PR00MB0398; 7:Am6JQ4KUsqWUltD8aREAwEJ5vING2Lu7Qy3Vu9Re7KN5EwubWZHCAlDJlCUu56/VvV5HPHUJCCtOUQzEdY6i7Mr7McTEbU37qMSqQQ34avyGsVSHow7qug2EjXWD2cpQMWyvHfpD5N0q6MyiH/ywHax/mJ2+O2SdVNvcdzx17BRoAD7GREC6hnqc3dpIfMiOssnwTJtRbAdq2Xk+VCtEH0M9KzZ6NzFo2/6/U3XyjHlGQTt1BfdmmcqA2EglbeSO; 20:ZlXCkHtqFk0kUtd7YoYWVTVCG4jqhJD11bD8oljExP1k83JEqAjU9tA8+TK/5aYwSpKqQdtxnB0Q1LC0rBPczusdX69abfns68ENljkXDpQOQg5UGoiLHxRdZqFdS6/IdYssL/E98slRuDLdHoQ+uz1JsDgVgJEMn0Qc7zxIm7w=
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(48565401081)(2017052603328)(7193020); SRVR:SN6PR00MB0398;
x-ms-traffictypediagnostic: SN6PR00MB0398:
authentication-results: spf=none (sender IP is );
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(192374486261705)(38170694233816)(788757137089);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(2017102700009)(2017102701064)(6040522)(2401047)(5005006)(8121501046)(2017102702064)(20171027021009)(20171027022009)(20171027023009)(20171027024009)(20171027025009)(20171027026009)(2017102703076)(3002001)(93006095)(93001095)(10201501046)(3231254)(2018427008)(944501410)(52105095)(6055026)(149027)(150027)(6041310)(20161123562045)(20161123564045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(6072148)(201708071742011)(7699016); SRVR:SN6PR00MB0398; BCL:0; PCL:0; RULEID:; SRVR:SN6PR00MB0398;
x-forefront-prvs: 06780E24F8
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(376002)(39380400002)(39860400002)(346002)(366004)(51444003)(199004)(189003)(13464003)(74316002)(66066001)(229853002)(10290500003)(6436002)(5250100002)(33656002)(14454004)(8990500004)(55016002)(26005)(72206003)(53936002)(478600001)(186003)(10090500001)(2501003)(68736007)(966005)(6306002)(9686003)(102836004)(5660300001)(2900100001)(53376002)(105586002)(86362001)(6246003)(4326008)(8936002)(110136005)(25786009)(81166006)(6506007)(53546011)(8676002)(81156014)(486006)(316002)(7696005)(97736004)(59450400001)(2906002)(6116002)(476003)(3846002)(7736002)(3660700001)(11346002)(305945005)(99286004)(446003)(3280700002)(76176011)(22452003)(86612001)(106356001); DIR:OUT; SFP:1102; SCL:1; SRVR:SN6PR00MB0398;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None ( does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 0KC4Jg2FPmbuSXZKQseoCD6B2jMImZq01VPsqy2YEobBWnNS35b5QjEqCke/s6P1wlDAwM5y2p6QP9O5Jz4KL1K6nh77WY3g3/ZDS0eRBE9M7NWUsWatSq7lUd6V+y6muiWcYEWJdeWZcqE0hDs3qJMcvwpyUkc5Bup0wY3BxLCRcGf/1zunlXHXqiLHvsYL
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: b2fa485d-5797-4d8b-cde0-08d5be459cae
X-MS-Exchange-CrossTenant-Network-Message-Id: b2fa485d-5797-4d8b-cde0-08d5be459cae
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 May 2018 11:34:13.1794 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR00MB0398
Archived-At: <>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cwt-proof-of-possession-02
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 20 May 2018 11:34:25 -0000

Thanks for your useful comments, Jim.  Replies are inline below.

-----Original Message-----
From: Jim Schaad <> 
Sent: Wednesday, May 9, 2018 6:51 AM
Subject: RE: [Ace] WGLC on draft-ietf-ace-cwt-proof-of-possession-02

I'll pull out the list of comments that I wrote a month ago but didn't start that computer up recently.

1.  Are all of the authors necessary?  As a chair I need to justify a count of more than 5 to the IESG.

The authors are the union of the set of authors of draft-jones-ace-cwt-proof-of-possession-00 and draft-ietf-ace-oauth-authz-04, which both contained independently developed and largely parallel treatments of the CWT PoP confirmation subject.  Ludwig was the primary author of this text in the second, so he should definitely be retained as an editor.  I'll leave it up to the other authors of draft-ietf-ace-oauth-authz-04 to self-identify whether they materially contributed to the CWT PoP confirmation text or not.  Maybe we can delete those who don't self-identify as contributors.

2.  Is the last sentence in section 1 necessary?  Are you actually defining any strings that could be case-sensitive?

Sure - we can delete the text "Unless otherwise noted, all the protocol parameter names and values are case sensitive."  It's a holdover from RFC 7800 that doesn't apply here.

3.  Terminology: In the definition of Issuer please make 'its' clearer.  It is not clear whose claims are being bound.

We can change "its claims" to "the claims in the CWT".

4.  Terminology: I still think this is 'Presenter' is a very strange term to use for this definition.  I would really like to see it be made something that makes sense and then say the term is the same as this in JWT.  The term has a model of use with it that I do not believe can be sustained even for the ACE Oauth case but really not in other cases.

This is the standard term for this role in the industry.  For instance, Section 1.2 (Terminology) of "SAML V2.0 Holder-of-Key Assertion Profile Version 1.0" defines "Presenter" with an equivalent meaning.

Also, for this reason, this is the same terminology used for this role in RFC 7800.  It is used pervasively throughout both this document and RFC 7800 - including in the diagrams in the introduction of RFC 7800.  I believe we would be doing a disservice to readers and implementers if we were to use a different term from that in RFC 7800 (and SAML) when the meaning is identical.

5.  Terminology: Recipient matches presenter, and it matches the OAuth model
and not a trust model world.   Relying party or service provider make far
more sense to me.

Same response as to 4.  We owe it to readers and implementers to keep the terminology consistent with RFC 7800 and industry practice.

6.  Under what circumstances would a 'sub' claim be present and it is not the presenter?  I can see that a holder of the key may be implicitly (or
anonymously) named, but putting something in the subject field which is not identifying the presenter is something that I would reject without a good presentation of why in the document.

Just as in (which is in the hands of the RFC Editor), it's dependent upon the profiling specification how the "sub" claim is used.  In some cases the subject and/or presenter will be identified with some combination of "iss" and/or "sub".  In other profiles, different representations will be appropriate, such as the use of the "subject_type" value in the RISC example in

Remember that in both JWT and CWT, the inclusion of *all* claims is left up to the profile.  The same is true of RFC 7800 and this spec (other than the use of the "cnf" claim).  We shouldn't tie the hands of profiles in a way that prevents them from using the representation of the presenter that is most natural for their use case.

7.  I would disagree with the claim that if the 'sub' claim is missing then it would normally be the issuer.  For the world of IoT, I would expect that the subject would not be present because there is no need to identify the subject to the recipient.  I.e. it is an anonymous subject.

I'm fine adding language saying that in some use cases, such IoT use cases, explicit identification of the presenter may not be necessary because in some cases, the recipient already implicitly has this information.  And I can drop the "normally" language about "iss" and instead tone it down to talk about "in some use cases".

8.  It is not clear to me that either of the sub and iss claims would normally be present.  They might be present but neither is needed.  The subject can be anonymous and the issuer is identified by the key used to validate the security on the CWT.

Per my response to 7, I can replace the "normally" language with "in some use cases" language, so the spec isn't presuming what "normal" usage is.  This should be up to the profiles.

9.  In section 3.1 the first two sentences appear to be contradictory.
Members are used to identify the POP key.  Other things than a POP key can be used than a POP key.  If they are used to identify the POP key- why would they not deal with the POP key?  I think that you should do a separation and define the 'cnf' file which can hold any number of confirmation methods and then have a section on defining some POP cnf method field holders.

Good point.  I can revise the text to be clear that confirmation is more general than confirmation via PoP key and that the conformation members defined and registered by this spec enable confirmation using a PoP key.

10.  In section 3.1 P1 - I am not sure why you have something here about confirming the authenticity of the token as oppose to confirming the identity of the presenter.  Why would that type of information be placed here where it is not useful.

In SAML, there are plenty of non-PoP confirmation methods and RFC 7800 (and this spec) was designed to enable a similar range of conformation methods to be registered and used.  For instance, SAML has an IP Address confirmation method.  (Yes, I understand that's of dubious value, but it's an easy to understand example.)  I can update the language to say that PoP keys confirm the identity of the presenter, whereas other confirmation methods may confirm other properties.

11.  In section 3.1 P2 - We are back to the same argument that existed for a CWT in general.  Not knowing that a CWT is for a specific application means that it can be used in a different application and checking that the first application would have done is ignored by the second one because it will ignore fields it does not understand.

This language is parallel to the language about understanding claims in JWT, CWT, and RFC 7800, by design.  In particular, the "MUST ignore not understood claims" language is the key to non-breaking extensibility.  Profiles can and will specify claim sets and validation rules for particular CWTs, just as they do for particular JWTs.  See the ID Token requirements in and the corresponding validation rules in for an example of such a profile for JWTs.  Profiles for CWT and CWT PoP will be similarly specific.

12. I am unclear why there should be a restriction on the number of POP keys that can be in a 'cnf' object.  If there are multiple keys, then any or all of them are of equal value in doing the confirmation.  Just like there can be multiple confirmation methods and an application could choose to use any one of them.

You're right that this could have been specified in a way that allows multiple keys in a "cnf" object but it is intended to simplify things for implementers and increase interoperability to by having just one.  Also, note that if multiple kinds of conformation keys are desired by a profile, the second sentence of paragraph 4 of already recommends how to achieve this.

13.  Not sure which section this belongs in, but the use of an COSE_Encrypt0 would be one way to combat tracking of identities based on the key value being used.  Different encrypted values could be sent to different servers and they would not necessarily know about use w/o internal collusion between them.  Similar effect by using an encrypted CWT.  Potentially requires use of TLS1.3 to protect the RPKs.  YMMV

I'll try to add something along these lines to the privacy considerations section.

14.  I have real problems w/ the use of a KID for POP identification.  It may identify the wrong key or, if used for granting access, may have problems w/ identity collisions.  These need to be spelt out someplace to help people tracking down questions of why can't I verify w/ this CWT, I know it's right.

The Key ID is a hint to help identify which PoP key to use.  Yes, if a Key ID is sent that doesn't correspond to the right PoP key, failures may occur.  I view that as usage bug - not a protocol problem.  If keys aren't consistently known and identified by both parties, there are lots of things that can go wrong, and this is only one such instance.  That said, I can try to say something about the need for keys to be consistently and known by both parties, if you think that would help.

15.  The content of 'kid' is application specific.  Where is an application going to define this such that it will work more generally.  The application in the case of the ACE working group boils down to the world (minus a few things).

Sure - its content is application-specific, but per my answer to 14, what matters is that keys are consistently identified between both participants.  Provided that's true, then it really doesn't matter whether a Key ID value is (a binary encoding of) "Jim's Key" or (a binary encoding of) "e762dcc3-bc8a-4125-844f-e5578695c834".

16. section 4 - Are audience restrictions not done in CWT? defines how to do audience restriction for CWTs.  I can change the JWT reference to the equivalent CWT reference.

17. section 4 - this implies that POP cannot be replayed via asymmetric keys.  Why would this be the case?

I'm a little confused by this comment because paragraph 4 explicitly states that "Proof of possession via encrypted symmetric secrets is subject to replay attacks".  So yes, they can be replayed, so I don't understand what you're commenting about or what additional explanation you'd like to see.

18. section 4 - prior to an issuer being able to create a CWT for a client w/ an asymmetric key in it, the issuer MUST go through a POP protocol of some type to validate that the client has possession of the key.  Issuers may want to repeat this validation at some interval for re-verification.
They should also keep track of the keys and flag where the same public key appears more than one for  review.

I assume that you're asking that something along the lines of the above be added to the Security Considerations?  I'd be fine doing that.

19.  Update IANA considerations w/ input from IANA and the CWT document.

Will do.

20.  Are keys big enough that it should be considered to move kid to the 2 byte range of identifiers?

I don't see any need to do this because the "cnf" identifier space is distinct from the CWT identifier space.  I really can't envision a scenario in which there will ever be 64 "cnf" values (32 single-byte positive integers and 32 single-byte negative integers).  It's a fair question, but as it see it, doing so would just add a byte for no practical reason.

21. Section 6.2.2 - the value type is not an array for COSE_Encrypt or COSE_Encyrpt0, these are the values.  As written I could put in an array
which is not one of those two structures and be valid.   Ditto for COSE_Key,
although w/ slightly less justification. says that "The COSE_Encrypt0 structure is a CBOR array."  But I can make the language more precise by saying that the value is a COSE_Encrypt or COSE_Encrypt0 value with optional matching CBOR tags.


Thanks again for your thorough review!

				-- Mike