Re: [Ace] OAuth-Authz Interop

Mike Jones <Michael.Jones@microsoft.com> Tue, 08 May 2018 17:40 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DC131270A3 for <ace@ietfa.amsl.com>; Tue, 8 May 2018 10:40:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jCgKRmQ9jteX for <ace@ietfa.amsl.com>; Tue, 8 May 2018 10:40:22 -0700 (PDT)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01on0117.outbound.protection.outlook.com [104.47.32.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61DE21270AE for <ace@ietf.org>; Tue, 8 May 2018 10:40:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=PJjLJQvbW7ast4G4H56IxuM5P4RtZx+Ou5UCKW7duYE=; b=efhBI5tpI/gjts+Y599pL96QE55jQVRNfAwgwhQVnzwBKR+t5WfP0kRFy0XheYM7/p2M72fKW+yRF+Jfdv9HKQhWNSIjwHiSFPl4yH7hMpNaTbpofD31YOzUCfZxizOo1TTvY+VtdmIMIzjZrTxAqdlkikwhrra+GzBSUDAE5B0=
Received: from DM5PR00MB0296.namprd00.prod.outlook.com (2603:10b6:4:9e::37) by DM5PR00MB0374.namprd00.prod.outlook.com (2603:10b6:4:a0::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.790.0; Tue, 8 May 2018 17:40:19 +0000
Received: from DM5PR00MB0296.namprd00.prod.outlook.com ([fe80::3181:eda2:16cf:679d]) by DM5PR00MB0296.namprd00.prod.outlook.com ([fe80::3181:eda2:16cf:679d%4]) with mapi id 15.20.0791.000; Tue, 8 May 2018 17:40:19 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Ludwig Seitz <ludwig.seitz@ri.se>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] OAuth-Authz Interop
Thread-Index: AdPmIm8GwlgNR4Z4TAKB3oF5AiJBnQAd1sgAAAhBu4AADchQsA==
Date: Tue, 8 May 2018 17:40:19 +0000
Message-ID: <DM5PR00MB02969CC0E6E488B119028391F59A0@DM5PR00MB0296.namprd00.prod.outlook.com>
References: <005601d3e622$af427100$0dc75300$@augustcellars.com> <e3cc1920-c9a7-aefa-a683-239099f32d21@ri.se> <7af7e847-bc7a-82ff-2024-7321575450d8@ri.se>
In-Reply-To: <7af7e847-bc7a-82ff-2024-7321575450d8@ri.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=mbj@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2018-05-08T17:40:18.0973812Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
x-originating-ip: [2001:4898:80e8:8::291]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR00MB0374; 7:FyWnV+wcmU8qUmzQ74gUFjmaISKe8L/D2SyT7I21/tTyDlQWMa3oWrsNRh79UjEad3qLmPePo0Xj42QNp9mmIR0E0S65CJP7Ac47PbP42q1jeOK3lxJbd+og1InUQKrWih2SpqCVv5tGt0jHv6Dsp7P5lGpuHmxnXJIiW0ZAArah4pH1SMISmjxtypPgdOmuw/EEi0GgZfGlCkcvQmFV9DD8p3pVihe+OYG3CAK8i0b9kA9GcSeFhLvwtgjHzSzs; 20:weef15bnxUer43kUEyMdVHiv6CY67AxGKruoPxX/xydkkef8FMPflV2c1wKDX4iUSi0hSSO0q2yLKPZnZi+zUKHKPspkOMtb9kWlRD6nqlpg31WgZK4clUi0bJcrbhZcfWl7XjxB3HjzeXLYt7Iq7QZovflhD3b+gtHtSnuM9Zs=
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(5600026)(48565401081)(2017052603328)(7193020); SRVR:DM5PR00MB0374;
x-ms-traffictypediagnostic: DM5PR00MB0374:
x-microsoft-antispam-prvs: <DM5PR00MB0374EE53D7D528DC10A16E28F59A0@DM5PR00MB0374.namprd00.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(166708455590820)(209352067349851)(192374486261705)(60409825278598)(21748063052155);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(2017102700009)(2017102701064)(6040522)(2401047)(8121501046)(5005006)(2017102702064)(20171027021009)(20171027022009)(20171027023009)(20171027024009)(20171027025009)(20171027026009)(2017102703076)(3231254)(2018427008)(944501410)(52105095)(10201501046)(93006095)(93001095)(3002001)(6055026)(149027)(150027)(6041310)(20161123560045)(20161123562045)(20161123564045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011); SRVR:DM5PR00MB0374; BCL:0; PCL:0; RULEID:; SRVR:DM5PR00MB0374;
x-forefront-prvs: 0666E15D35
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39380400002)(39860400002)(376002)(396003)(366004)(346002)(13464003)(377424004)(199004)(189003)(97736004)(7736002)(105586002)(2501003)(99286004)(21615005)(72206003)(10290500003)(5660300001)(81166006)(8676002)(81156014)(106356001)(966005)(8936002)(59450400001)(6506007)(68736007)(6116002)(790700001)(52396003)(10090500001)(76176011)(53546011)(7696005)(74316002)(14454004)(86362001)(6246003)(8990500004)(6346003)(5250100002)(2900100001)(186003)(102836004)(110136005)(86612001)(316002)(33656002)(229853002)(55016002)(236005)(54896002)(6306002)(9686003)(53936002)(22452003)(46003)(606006)(478600001)(2906002)(446003)(11346002)(25786009)(6436002)(476003)(3280700002)(3660700001)(486006); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR00MB0374; H:DM5PR00MB0296.namprd00.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-microsoft-antispam-message-info: V8XELL4w8DoIOSwjvzFVsthyZ9FZM6nHMWfkIVF4/7F0nwyImZoowH4DH8jyQHtSRfZNZsRJRp3JXhXDsGB1CHzWSabl01DG31GvjH2kc4urVMt5vL3qaf+wp/unB6vSN/cL7xZw8EL96EN/PU+TIZpF5kjWU5b9I4IimDYyrhusYbGGB/eXimpPA24g2dSN
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM5PR00MB02969CC0E6E488B119028391F59A0DM5PR00MB0296namp_"
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: b59d5b4e-f1e2-4bbd-07bf-08d5b50ac4b2
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b59d5b4e-f1e2-4bbd-07bf-08d5b50ac4b2
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 May 2018 17:40:19.5724 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR00MB0374
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/sxkySpXE6ZFkTEwDRm9BtM7qSK4>
Subject: Re: [Ace] OAuth-Authz Interop
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 May 2018 17:40:25 -0000

Before any interop work is done, I suggest that it would be better to first address the significant CBOR number assignment issues I pointed out in my review on October 10, 2017 https://www.ietf.org/mail-archive/web/ace/current/msg02364.html, so that the interop is more likely to occur using number assignments that are less likely to change.  I'm repeating the most important of these comments below, since it was apparently not acted upon.


5.5.5 Mapping parameters to CBOR
It looks to me like these values are intended to align with those registered in the CBOR Web Token (CWT) Claims registry initially populated by https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-08#section-9.1.2.  If so, the spec should make this relationship explicit.  However, it would be inappropriate to use the rare single-byte CBOR integer values for application-specific claim keys.  I would suggest that the claim identifiers for client_id through refresh_token and profile start at 256 (a two-byte CBOR value) and go up from there.  In that case, I suspect they could be successfully registered in the CWT Claims registry – which I think you want.  (“cnf” will already be registered by draft-ietf-ace-cwt-proof-of-possession.)



Likewise, please search the review for all instances of the words “register” and “registry” and revised the spec accordingly before any interop work is started.



                                                                -- Mike





-----Original Message-----
From: Ace <ace-bounces@ietf.org>; On Behalf Of Ludwig Seitz
Sent: Tuesday, May 8, 2018 3:54 AM
To: ace@ietf.org
Subject: Re: [Ace] OAuth-Authz Interop



On 2018-05-08 08:57, Ludwig Seitz wrote:

> On 2018-05-07 18:44, Jim Schaad wrote:

>> I have been meaning to get this out for a while and have failed.  A

>> doodle poll to setup an interop event for this work is at

>> https://doodle.com/poll/k27g9r26bghvnytu If you want to participate

>> and none of the times are good please let me know.

>>

>> Things for testing:

>> 1)  DTLS profile w/ shared secret

>> 2)  DTLS profile w/ RPK

>> 3)  OSCORE profile

>>

>>

>

> Note that I'm in the process of writing a test manual, I'll put it up

> on the WG github as soon as it has some form and structure. Feel free

> to contribute. I'm hoping to have it online by the end of the day.

>

> /Ludwig

>

>



You can find my first draft of the interop manual here:



https://github.com/ace-wg/ace-oauth/blob/master/InteropTestPlan.txt



Note that large parts are still work in progress, but the test plan for the token endpoint should give you a hint as to how I was thinking it could work.



Feel free to propose changes and improvements.





/Ludwig



--

Ludwig Seitz, PhD

Security Lab, RISE SICS

Phone +46(0)70-349 92 51



_______________________________________________

Ace mailing list

Ace@ietf.org<mailto:Ace@ietf.org>

https://www.ietf.org/mailman/listinfo/ace