[Ace] Progressing draft-ietf-ace-oauth-authz

Ludwig Seitz <ludwig.seitz@combitech.com> Tue, 26 October 2021 11:57 UTC

From: Ludwig Seitz <ludwig.seitz@combitech.com>
To: "ace@ietf.org" <ace@ietf.org>
CC: "jricher@mit.edu" <jricher@mit.edu>
Date: Tue, 26 Oct 2021 11:57:03 +0000
Message-ID: <AM0PR0302MB3363701AF68B1BCD98EE81DF9E849@AM0PR0302MB3363.eurprd03.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/wHS1uo1sFaxQbSQFq0diDKQpThg>
Subject: [Ace] Progressing draft-ietf-ace-oauth-authz

Hello ACE (Cc to OAuth designated expert Justin),

The progress of draft-ietf-ace-oauth-authz is currently blocked due to an issue that has come to light in the IANA review process, and I'd like to solicit the feedback of the WG to determine how to go forward.

The issue is related to parameters used by the AS when responding to an Introspection query (see https://datatracker.ietf.org/doc/html/draft-ietf-ace-oauth-authz-45#section-5.9.2). Our approach so far has been to map all OAuth parameters to ACE and map all parameters created for the ACE interaction back to OAuth. The issue is that some of the ACE parameters (cnonce and cti, see Figure 16) have the datatype "byte string". In OAuth the Introspection parameters are formatted as JSON payload, which precludes the use of raw byte strings, a fact we overlooked when we tried to register the new parameters in the OAuth registry (see https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-introspection-response).

My proposed fix for this would be to amend the descriptions of these two parameters in 5.9.2, specifying that their JSON representation is a text string containing the Base64url encoding of the original byte string payload.

Does the working group or the OAuth designated expert have any objections (or suggestions) to this approach?

Regards,

Ludwig

--
Ludwig Seitz
Infrastructure Security Analyst
Combitech AB
Djäknegatan 31 . SE-211 35 Malmö . Sweden
Phone: +46 102 160 846
ludwig.seitz@combitech.com . combitech.com
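The mapping proposed in the message, as an added illustration that is not part of the original post or of any ACE implementation: the ACE-side introspection response carries `cti` and `cnonce` as raw byte strings, the OAuth/JSON side carries them as text strings holding the Base64url encoding of the same bytes. The code assumes unpadded Base64url (the JOSE convention of RFC 7515), which the message itself does not specify, and the sample response values are constructed.

```python
import base64
import json

# Introspection response parameters that draft-ietf-ace-oauth-authz 5.9.2
# types as CBOR byte strings and that therefore cannot appear raw in JSON.
BYTE_STRING_PARAMS = ("cti", "cnonce")


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding (assumption: JOSE-style, RFC 7515)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def ace_to_oauth_json(ace_response: dict) -> str:
    """Map an ACE introspection response (bytes for cti/cnonce) to OAuth JSON."""
    out = dict(ace_response)
    for name in BYTE_STRING_PARAMS:
        if name in out:
            if not isinstance(out[name], (bytes, bytearray)):
                raise TypeError(f"{name} must be a byte string on the ACE side")
            out[name] = b64url_encode(bytes(out[name]))
    return json.dumps(out, separators=(",", ":"), sort_keys=True)


def oauth_json_to_ace(payload: str) -> dict:
    """Map the OAuth JSON form back to the ACE form, recovering the raw bytes."""
    obj = json.loads(payload)
    for name in BYTE_STRING_PARAMS:
        if name in obj:
            if not isinstance(obj[name], str):
                raise TypeError(f"{name} must be a Base64url text string in JSON")
            obj[name] = b64url_decode(obj[name])
    return obj


# Constructed sample response; the byte values are not from the draft.
SAMPLE_ACE_RESPONSE = {
    "active": True,
    "scope": "read",
    "exp": 1635249423,
    "cti": bytes.fromhex("0102030405"),
    "cnonce": bytes.fromhex("a0b1c2d3"),
}


def round_trip(ace_response: dict) -> dict:
    """ACE -> OAuth JSON -> ACE; equal to the input when the mapping is lossless."""
    return oauth_json_to_ace(ace_to_oauth_json(ace_response))
```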