IETF Logo Mail Archive

Re: [Ace] Requested review for IANA registration in draft-ietf-ace-oauth-params

Jim Schaad <ietf@augustcellars.com> Mon, 20 January 2020 21:12 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A9F812022C; Mon, 20 Jan 2020 13:12:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id assKLZ5pfRKy; Mon, 20 Jan 2020 13:12:19 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 300201201DC; Mon, 20 Jan 2020 13:12:18 -0800 (PST)
Received: from Jude (192.168.1.152) by mail2.augustcellars.com (192.168.1.201) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 20 Jan 2020 13:12:11 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Brian Campbell' <bcampbell@pingidentity.com>, 'Seitz Ludwig' <ludwig.seitz@combitech.se>, draft-ietf-ace-cwt-proof-of-possession@ietf.org
CC: 'Roman Danyliw' <rdd@cert.org>, oauth-ext-review@ietf.org, 'Daniel Migault' <daniel.migault@ericsson.com>, drafts-lastcall@iana.org, 'Ludwig Seitz' <ludwig_seitz@gmx.de>, 'Benjamin Kaduk' <kaduk@mit.edu>, ace@ietf.org
References: <4a5177af-a442-f109-f620-0ae91953eb63@gmx.de> <CA+k3eCSG3m8=DTnNX-xa2ydaKzHU5WUC5JaWH9vbcMN2XcPnZw@mail.gmail.com> <acc7f28a-fc79-bd44-f228-f8e722415c2b@gmx.de> <CA+k3eCRJkQz2x_kKxQHoD7vtv9BkgsWFfGPJKwXdW3pjJhjBow@mail.gmail.com> <2616175d102b4c19a60c6a79d4256b5e@combitech.se> <CA+k3eCT6mZYmY1XQ1_wOi4QY+C_z6or4JUSQN2E+xeYpWgGjgw@mail.gmail.com> <018601d5cf21$19cec7b0$4d6c5710$@augustcellars.com>
In-Reply-To: <018601d5cf21$19cec7b0$4d6c5710$@augustcellars.com>
Date: Mon, 20 Jan 2020 13:12:08 -0800
Message-ID: <004701d5cfd6$48f25650$dad702f0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0048_01D5CF93.3AD35C10"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQEhd6Yle2bwoestBETa2w8Xfe67igHXMmInAunJ6fMCAFODFgH28139AnlL6EUC9B5uh6jri79g
Content-Language: en-us
X-Originating-IP: [192.168.1.152]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/pi8rUu9EWH5qmFBJLxrelEXxD9c>
X-Mailman-Approved-At: Thu, 23 Jan 2020 17:12:34 -0800
Subject: Re: [Ace] Requested review for IANA registration in draft-ietf-ace-oauth-params
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jan 2020 21:12:23 -0000

I started doing testing of my code and I have started to run into some massive problems with the confirmation claim.    The COSE version of the POP key registrations cause a problem because of the way the registration template in the document is written.  It currently says:

 

JWT Confirmation Method Name:

 

Claim Name of the equivalent JWT confirmation method value, as

registered in [IANA.JWT.Claims <https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-11#ref-IANA.JWT.Claims> ].  CWT claims should normally have

a corresponding JWT claim.  If a corresponding JWT claim would not

make sense, the Designated Experts can choose to accept

registrations for which the JWT Claim Name is listed as "N/A".

 

The issue here is the word “equivalent”.  There are two possible interpretations of this:  That this is a similar item in terms of how things are used, but there is no way to encode this item into a JWT.  Or, that this is how one should encode this item in a JWT.  The first interpretation implies that even though one would like to pass a COSE_Key confirmation in a JWT there is no way to do this.  (Yes, one can potentially convert the COSE Key into a JOSE Key but that is not always going to succeed as some keys in one system may not be representable in the other system.) The second interpretation says that you just encode the COSE_Key as JSON and put it into the map with the ”jwk” key and you are happy.  Which of course will not work.

 

I had misled myself in the message below as I had missed reading the JWT Confirmation Method Name field in the registration templates.   If you look at the text below, it is hard to know if “COSE_Key” is to be used in a JSON structure (which I had originally assumed) or if “jwk” is supposed to be used in a JSON structure.

 

   o  Confirmation Method Name: "COSE_Key"
   o  Confirmation Method Description: COSE_Key Representing Public Key
   o  JWT Confirmation Method Name: "jwk"
   o  Confirmation Key: 1
   o  Confirmation Value Type(s): COSE_Key structure
   o  Change Controller: IESG
   o  Specification Document(s): Section 3.2 <https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-11#section-3.2>  of [[ this document ]]

 

At a minimum we should probably clarify the language on this.  And I need to look at the COSE documents and decode if there needs to be some text on encoding in a JSON environment or not.

 

Jim

 

 

From: Ace <ace-bounces@ietf.org> On Behalf Of Jim Schaad
Sent: Sunday, January 19, 2020 3:35 PM
To: 'Brian Campbell' <bcampbell@pingidentity.com>; 'Seitz Ludwig' <ludwig.seitz@combitech.se>
Cc: 'Roman Danyliw' <rdd@cert.org>; oauth-ext-review@ietf.org; 'Daniel Migault' <daniel.migault@ericsson.com>; drafts-lastcall@iana.org; 'Ludwig Seitz' <ludwig_seitz@gmx.de>; 'Benjamin Kaduk' <kaduk@mit.edu>; ace@ietf.org
Subject: Re: [Ace] Requested review for IANA registration in draft-ietf-ace-oauth-params

 

I have managed to merge most of my code that deals with the confirmation claim and I have ended up with a single problem when dealing with confirmations.  If this is going to get fixed, it needs to get fixed in draft-ietf-ace-cwt-proof-of-possession prior to this document finishing processing the EDIT process in the RFC editor.

 

All of the items that can appear in a confirmation claim are unique except for the ‘kid’ claim method.  This field is defined as being a text field for JWT (RFC 7800), but it is defined as being a binary field for CWT.  It is a text field when defined in RFC 7800.  I do not anticipate any issues for the definition of a thumbprint as COSE is using a very different format for the definition of thumbprints which will led to a different naming convention.

 

Jim

 

 

 

From: Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com> > 
Sent: Monday, January 13, 2020 10:01 AM
To: Seitz Ludwig <ludwig.seitz@combitech.se <mailto:ludwig.seitz@combitech.se> >
Cc: Ludwig Seitz <ludwig_seitz@gmx.de <mailto:ludwig_seitz@gmx.de> >; Roman Danyliw <rdd@cert.org <mailto:rdd@cert.org> >; oauth-ext-review@ietf.org <mailto:oauth-ext-review@ietf.org> ; Daniel Migault <daniel.migault@ericsson.com <mailto:daniel.migault@ericsson.com> >; Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com> >; Benjamin Kaduk <kaduk@mit.edu <mailto:kaduk@mit.edu> >; ace@ietf.org <mailto:ace@ietf.org> ; drafts-lastcall@iana.org <mailto:drafts-lastcall@iana.org> 
Subject: Re: [Ace] Requested review for IANA registration in draft-ietf-ace-oauth-params

 

Thanks Ludwig,

 

On Sat, Jan 11, 2020 at 8:20 AM Seitz Ludwig <ludwig.seitz@combitech.se <mailto:ludwig.seitz@combitech.se> > wrote:

[snip] 

 

From: Ace <ace-bounces@ietf.org <mailto:ace-bounces@ietf.org> > On Behalf Of Brian Campbell

 

[snip]

                   

So in -09 the "cnf" Introspection Response Parameter was the following the syntax of the "cnf" claim from PoP Key Semantics for CWTs [ID.ietf-ace-cwt-proof-of-possession] and in -10 it's following the syntax of PoP Key Semantics for JWTs [RFC7800] transitively via [I-D.ietf-oauth-mtls] reference. I think I understand that the two PoP key semantics documents are conceptually the same or similar. But I don't know that the syntax is the same? Figure 5 <https://tools.ietf.org/html/draft-ietf-ace-oauth-params-10#section-6>  is pointed to for mapping between CBOR and JSON but it only has mappings for the main top level parameters. Maybe I just don't get it or am missing something...   

 

[LS] No you are not missing something, I just got sloppy trying to do a quickfix.

 

Background: The reason for defining both JSON and CBOR-based interactions is that you might have a powerful client communicating with a constrained RS. The client does vanilla OAuth interactions with the AS via the token endpoint, but is served a CWT and associated ACE parameters (cnf, ace-profile, …) for interaction with the RS. 

The pop-key should decode to the same binary representation regardless of whether it came in a JSON or CBOR wrapper.

 

Okay, so noting that there is cnf content that doesn't decode to a key, I suppose I'll just take it on faith that all the relevant or expected usages involve a key that can be represented in both CBOR and JSON. 


CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

v2.23.0 | Report a Bug | By Email