Re: [Ace] Eric Rescorla's No Objection on draft-ietf-ace-cbor-web-token-13: (with COMMENT)

Mike Jones <Michael.Jones@microsoft.com> Wed, 14 March 2018 21:35 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Eric Rescorla <ekr@rtfm.com>, The IESG <iesg@ietf.org>, "Kathleen.Moriarty.ietf@gmail.com" <Kathleen.Moriarty.ietf@gmail.com>
CC: "draft-ietf-ace-cbor-web-token@ietf.org" <draft-ietf-ace-cbor-web-token@ietf.org>, "ace-chairs@ietf.org" <ace-chairs@ietf.org>, "kaduk@mit.edu" <kaduk@mit.edu>, "ace@ietf.org" <ace@ietf.org>
Date: Wed, 14 Mar 2018 21:34:51 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/wB8bjERqIvIZj-0KLhIEJplpA-4>

Hi Ekr.  Thanks for the review comments.  Responses are inline below, prefixed by "Mike>"...

-----Original Message-----
From: Eric Rescorla <ekr@rtfm.com> 
Sent: Wednesday, March 7, 2018 12:40 PM
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-ace-cbor-web-token@ietf.org; ace-chairs@ietf.org; kaduk@mit.edu; ace@ietf.org
Subject: Eric Rescorla's No Objection on draft-ietf-ace-cbor-web-token-13: (with COMMENT)

Eric Rescorla has entered the following ballot position for
draft-ietf-ace-cbor-web-token-13: No Objection

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-ace-cbor-web-token/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

   The claim values defined in this specification MUST NOT be prefixed
   with any CBOR tag.  For instance, while CBOR tag 1 (epoch-based date/
   time) could logically be prefixed to values of the "exp", "nbf", and
   "iat" claims, this is unnecessary, since the representation of the
   claim values is already specified by the claim definitions.  Tagging
   claim values would only take up extra space without adding
   information.  However, this does not prohibit future claim
   definitions from requiring the use of CBOR tags for those specific
   claims.

Why do you need a MUST NOT here? This seems like not really an interop requirement.

Mike> This requirement was added to simplify both producers and consumers of these tokens, after a working group discussion.  Not having to have code to validate, parse and then throw away tags prefixing claims of known types both makes representations smaller and requires less code.  Since the tags add no value for these claims, it seemed better to require that they be omitted.

  4.  Verify that the resulting COSE Header includes only parameters
       and values whose syntax and semantics are both understood and
       supported or that are specified as being ignored when not
       understood.

I'm surprised to find that this is not a generic 8152 processing rule.
Can you explain why this is necessary here?

Mike> This intentionally parallels the same rule in JWT (https://tools.ietf.org/html/rfc7519#section-7.2, step 5).  It's saying that you have to validate that the parameters describing the parameters describing the cryptographic operations performed.

				-- Mike
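
Added example, not part of the original message or of the draft: a strict consumer-side check for the "MUST NOT be prefixed with any CBOR tag" rule quoted above, reporting which spec-defined claims in a CWT claims set carry a tag. The decoder is a minimal sketch (definite lengths, major types 0-6 only); the names `decode`, `tagged_claims` and `Tagged` are hypothetical, the integer claim keys are the ones the CWT specification assigns, and the two byte strings are constructed samples.

```python
from collections import namedtuple
Tagged = namedtuple("Tagged", "tag value")   # CBOR major type 6: tag number + tagged item

def decode(buf, pos=0):
    """Decode one definite-length CBOR item (major types 0-6); return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated input")
    major, info, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if info < 24:
        arg = info
    elif info <= 27:
        n = 1 << (info - 24)                 # 1, 2, 4 or 8 argument bytes follow
        if pos + n > len(buf):
            raise ValueError("truncated input")
        arg, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        raise ValueError("indefinite or reserved length not supported")
    if major < 2:                            # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):                      # byte string / text string
        if pos + arg > len(buf):
            raise ValueError("truncated input")
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major in (4, 5):                      # array of arg items / map of arg pairs
        items = []
        for _ in range(arg * (major - 3)):
            item, pos = decode(buf, pos)
            items.append(item)
        return (items if major == 4 else dict(zip(items[0::2], items[1::2]))), pos
    if major == 6:                           # tag: keep it visible to the caller
        inner, pos = decode(buf, pos)
        return Tagged(arg, inner), pos
    raise ValueError("major type 7 not supported in this sketch")

# Integer claim keys as assigned by the CWT specification.
DEFINED = {1: "iss", 2: "sub", 3: "aud", 4: "exp", 5: "nbf", 6: "iat", 7: "cti"}

def tagged_claims(claims_cbor):
    """Return names of spec-defined claims whose value is prefixed with a CBOR tag."""
    claims, end = decode(claims_cbor)
    if end != len(claims_cbor) or not isinstance(claims, dict):
        raise ValueError("claims set must be exactly one CBOR map")
    return sorted(DEFINED[k] for k, v in claims.items()
                  if k in DEFINED and isinstance(v, Tagged))

# Constructed samples: {exp, iat} untagged, then the same map with tag 1 on exp.
GOOD = bytes.fromhex("a2041a5612aeb0061a5610d9f0")
BAD = bytes.fromhex("a204c11a5612aeb0061a5610d9f0")
```

A consumer enforcing the rule would reject a token whenever `tagged_claims` returns a non-empty list, before evaluating `exp`, `nbf` or `iat`.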