Re: [Ace] WGLC for draft-ietf-ace-authz

Ludwig Seitz <ludwig.seitz@ri.se> Tue, 30 October 2018 12:27 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/tu4g8L-3A6pIMpsNCkzCWpzR_4M>

On 25/10/2018 07:33, Carsten Bormann wrote:
> +1 for making all the CWT-like structures into real CWTs.
> 

A discussion of what we consider to be CWT-like structures and what not 
would be helpful as a follow-up here.

If draft-ietf-oauth-jwsreq is any indication, the OAuth WG seems to 
consider that all requests to the AS can be passed as JWTs.

I'm unsure what their position on the AS responses is.

FYI my current reasoning and use of terms:

If a key/value pair is part of a CWT I call it a "claim".

If it is part of a request/response to the AS or RS I call it a "parameter".

I've been registering (or at least trying to) claims separately from 
parameters, leading to several double-registrations when certain 
key/value definitions are used both as claims and parameters (such as 
scope, cnf, etc.).


/Ludwig



-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51