Re: [Ace] Resource, Audience, and req_aud

Ludwig Seitz <ludwig.seitz@ri.se> Fri, 08 February 2019 07:33 UTC

To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "ace@ietf.org" <ace@ietf.org>, "ace-chairs@ietf.org" <ace-chairs@ietf.org>
References: <VI1PR0801MB21126944E558E53992EB7FD3FA680@VI1PR0801MB2112.eurprd08.prod.outlook.com> <c62835cb-6d98-f5dc-d8d8-fe80181a8a5c@ri.se> <VI1PR0801MB2112BA5A6A6AC736575BC19BFA680@VI1PR0801MB2112.eurprd08.prod.outlook.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <a8821e81-1819-5af8-7630-f61681476987@ri.se>
Date: Fri, 8 Feb 2019 08:32:46 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/rmleH-bvh0qtvFonniA6Bf29eaw>

On 07/02/2019 17:12, Hannes Tschofenig wrote:
> Hi Ludwig,
> 
>> What I understood from the feedback is that using a parameter
>> called "aud" in a request to the token endpoint would be
>> interpreted as a restriction on the audience of authorization
>> servers that are addressed by this request.
> 
> I am not talking about a parameter called 'aud'. Take a look at the
> token exchange spec -- the parameter is called 'audience'. 'aud' is
> the name of the claim.
> 
> Ciao Hannes

OK, I see, I had that mixed up.

Let me just note that having an "audience" parameter and an "aud" 
parameter (which is also referred to as 'audience') is not ideal when 
one wants to avoid confusion.

It seems the token-exchange draft is quite advanced, so referring to its 
"audience" parameter instead of defining "req_aud" (with more or less 
the same semantics) seems reasonable to me.

Do the chairs think that this would unduly delay the progress of 
draft-ietf-ace-oauth-params?

/Ludwig


-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51