Re: [Ace] Resume of discussion at IETF 103 meeting on draft-ietf-ace-oauth-authz

Jim Schaad <> Tue, 13 November 2018 04:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6BAE4126F72 for <>; Mon, 12 Nov 2018 20:47:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DolT4GmapanY for <>; Mon, 12 Nov 2018 20:47:20 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AD8CD124408 for <>; Mon, 12 Nov 2018 20:47:19 -0800 (PST)
Received: from Jude ( by ( with Microsoft SMTP Server (TLS) id 15.0.1347.2; Mon, 12 Nov 2018 20:42:23 -0800
From: Jim Schaad <>
To: 'Ludwig Seitz' <>, <>
References: <>
In-Reply-To: <>
Date: Tue, 13 Nov 2018 13:47:10 +0900
Message-ID: <000001d47b0b$f2169550$d643bff0$>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQIcnhk+orfj/yndowaFI/EG3efuz6S814tQ
Content-Language: en-us
X-Originating-IP: []
Archived-At: <>
Subject: Re: [Ace] Resume of discussion at IETF 103 meeting on draft-ietf-ace-oauth-authz
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 13 Nov 2018 04:47:23 -0000

Most of this is a restatement of previous positions.

> -----Original Message-----
> From: Ace <>; On Behalf Of Ludwig Seitz
> Sent: Tuesday, November 13, 2018 12:22 AM
> To:
> Subject: [Ace] Resume of discussion at IETF 103 meeting on draft-ietf-ace-
> oauth-authz
> Hello ACE,
> I wanted to post a resume of the in room discussions from the IETF 103
> meeting, related to draft-ietf-ace-oauth-authz, for those who missed them
> and those who want to further comment (sorry for the verbose summary
> below):
> During my presentation I put up a 7 issues for discussion as follows:
> 1. Use of one-byte CBOR abbreviations for parameters and CWT claims.
> So far there is a consensus between me and Mike Jones on what we think is
> reasonable.
> This would be summarized here:
> I was wondering if anyone else wants to weight in on what they consider
> important parameters & claims for constrained applications that need
> compact (one-byte) abbreviations in CBOR?

I have already weighted in where I care.

> 2. Unified registry for CWT claims and token/introspection parameter
> abbreviations
> Currently the draft(s) have aligned the CBOR abbreviations for both CWT
> claims and token/introspection parameters under one singe number space.
> There were arguments for splitting this up so that we can re-use the same
> compact one-byte abbreviations in those different "namespaces" i.e.
> there would be a number range just for CWT claims, and a separate one for
> introspection and token endpoint parameters.
> Even here I'm interested in additional input.

Especially after having gone to the RATS BOF, I really want to get these
separated and set an example for how things are done in the future.  Having
a CWT claim which identifies a namespace allows for a maximum number of
groups to define a new claim and then control the assignment within that
namespace in order to minimize size of those values.  Trying to go through
this process for the CWT claim experts does not make any sense.

> 3. CWT as format for signed protocol messages
> As OAuth is currently working on a number of drafts specifying JWT as a
> format for encoding request (and response?) parameters wrt. the token and
> the introspection endpoint, the question was raised whether this should
> be done for ACE and CWT.
> My stance here (and I got the impression that the room agreed or at least
> had no strong opinion against) is that this is absolutely possible, but
> best be done in an additional draft in order to not increase the already
> significant delay of draft-ietf-ace-oauth-authz.

This is trivial to do and should definitely be in a different document, but
I would like to know that people are going to really implement it before
publishing a document.  One thing is that we already have this ability w/
the OSCORE wrappers so the set of use cases may be very different.

> 4. Alignment between "req_aud" and "resource" parameters
> draft-ietf-oauth-resource-indicators proposes a new parameter for the
> token request called "resource" which specifies the location of the
> or service for which the token is requested. This is supposed to map to
> audience claim in the token.
> draft-ietf-ace-oauth-params has in parallel defined the "req_aud"
> parameter (for "requested audience") which has a somewhat broader
> definition, roughly speaking "a value that the RS identifies with". This
> be a public key, a group identifier or something else, so the key
difference is
> that it is not specifically bound to the location of the RS.
> I would argue to keep the "req_aud" as it is currently (since it covers a
> broader set of use cases than "resource"), but I would be curious to hear
> additional arguments for or against.

I agree with this.  We still need to get Hannes to clear his head and figure
out if he agrees with this after the discussions in Bangkok.

> 5. Handling of multiple tokens for one pair of client-RS
> The question was whether an additional token issued for the same client-RS
> pair would
> a.) Amend the permissions (i.e. scope) of the older token(s)
> b.) Replace all older tokens for that client-RS pair
> My implementation and my current understanding of the draft was a.) but
> apparently OAuth mostly does b.).
> I would be strongly in favor of doing b.) (and clarifying the specs to
this end)
> since it greatly simplifies the code on the RS side. Unless someone has a
> strong argument for approach a. I will implement that change in the next
> document update.

I am not a big fan of this as I think that it may lead to more tokens being
issued.  Have a long term token for doing reads and a very short term token
for doing writes without having to have different authentication seems to be
a problem that I am not sure how it would be solved.

> 6. Do we need the expiration mechanism based on sequence numbers?
> Section 5.8.3 of the draft currently proposes a sequence-number-based
> mechanism for expiration of access tokens on devices that do not have an
> internal clock. Since this mechanisms has pretty severe limitations and
> very weak security properties, and since we haven't yet seen a use case
> involving devices without at least an internal "wall-clock time" I propose
> remove that mechanism from the draft, which seemed to be the in-room
> consensus as well.

Not having something like an internal I have been running for clock is just
not something that I would worry about.  This does not mean that a wall
clock exists so you would need to look at how the exp in a CWT is specified.
You many need some type of good for n time rather than a wall time.

> 7. Symmetric proof-of-possession keys and multi RS audiences
> Currently the draft does NOT RECOMMEND this, since it allows one RS to
> impersonate the client towards other RSs that are part of the audience.
> The in-room consensus seemed to be that this should be a MUST NOT
> instead and I agree.

I think this should remain at NOT RECOMMENDED because in the future I think
it might be desired.


> /Ludwig
> --
> Ludwig Seitz, PhD
> Security Lab, RISE
> Phone +46(0)70-349 92 51
> _______________________________________________
> Ace mailing list