Re: [Ace] OAuth-Authz Interop

Ludwig Seitz <ludwig.seitz@ri.se> Fri, 11 May 2018 13:06 UTC

Return-Path: <ludwig.seitz@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26A32126B7E for <ace@ietfa.amsl.com>; Fri, 11 May 2018 06:06:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LckzZJDtoXdf for <ace@ietfa.amsl.com>; Fri, 11 May 2018 06:06:19 -0700 (PDT)
Received: from smtp-out11.electric.net (smtp-out11.electric.net [185.38.181.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 332C41201F2 for <ace@ietf.org>; Fri, 11 May 2018 06:06:18 -0700 (PDT)
Received: from 1fH7kV-0001fq-Vt by out11c.electric.net with emc1-ok (Exim 4.90_1) (envelope-from <ludwig.seitz@ri.se>) id 1fH7kW-0001hl-Tp; Fri, 11 May 2018 06:06:16 -0700
Received: by emcmailer; Fri, 11 May 2018 06:06:16 -0700
Received: from [194.218.146.197] (helo=sp-mail-2.sp.se) by out11c.electric.net with esmtps (TLSv1.2:ECDHE-RSA-AES128-SHA256:128) (Exim 4.90_1) (envelope-from <ludwig.seitz@ri.se>) id 1fH7kV-0001fq-Vt; Fri, 11 May 2018 06:06:15 -0700
Received: from [192.168.0.107] (10.116.0.226) by sp-mail-2.sp.se (10.100.0.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1261.35; Fri, 11 May 2018 15:06:15 +0200
To: Mike Jones <Michael.Jones@microsoft.com>, Jim Schaad <ietf@augustcellars.com>, "ace@ietf.org" <ace@ietf.org>
References: <005601d3e622$af427100$0dc75300$@augustcellars.com> <e3cc1920-c9a7-aefa-a683-239099f32d21@ri.se> <7af7e847-bc7a-82ff-2024-7321575450d8@ri.se> <DM5PR00MB02969CC0E6E488B119028391F59A0@DM5PR00MB0296.namprd00.prod.outlook.com> <00cb01d3e891$0158b8d0$040a2a70$@augustcellars.com> <BL0PR00MB0292D757C78D626AD8806135F5980@BL0PR00MB0292.namprd00.prod.outlook.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <d771fffb-b745-c1e0-afff-906b032de22d@ri.se>
Date: Fri, 11 May 2018 15:06:15 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <BL0PR00MB0292D757C78D626AD8806135F5980@BL0PR00MB0292.namprd00.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [10.116.0.226]
X-ClientProxiedBy: sp-mail-3.sp.se (10.100.0.163) To sp-mail-2.sp.se (10.100.0.162)
X-Outbound-IP: 194.218.146.197
X-Env-From: ludwig.seitz@ri.se
X-Proto: esmtps
X-Revdns:
X-HELO: sp-mail-2.sp.se
X-TLS: TLSv1.2:ECDHE-RSA-AES128-SHA256:128
X-Authenticated_ID:
X-PolicySMART: 14510320
X-Virus-Status: Scanned by VirusSMART (c)
X-Virus-Status: Scanned by VirusSMART (s)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/yC6rciKSrDlM7Bf0pC6TOVm1yyo>
Subject: Re: [Ace] OAuth-Authz Interop
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 May 2018 13:06:21 -0000

On 2018-05-10 22:00, Mike Jones wrote:
> FYI, I haven’t seen any discussion on my review comment that these 
> values should be registered as CWT claims if continued alignment of 
> values is desired.  Certainly the draft hasn’t done that. *Do people see 
> this alignment as valuable?*
> 

Everything that is used as CWT claim is also registered as such, if it 
is not already registered. In our case that is just the "scope" claim 
(we will be adding a "profile" claim in the next iteration).

However there are also OAuth token endpoint parameters and OAuth 
introspection parameters, that partially have the same names as CWT 
claims (and the same meaning). Those are registered in other respective 
registries.

I have aligned the CBOR abbreviations for both claims and parameters of 
the same name (we obviously don't want an "aud" parameter in the access 
token request that abbreviates to 4 and an "aud" claim in a CWT that 
abbreviates to 5).

Do you see any concrete mismatch in the current registrations? The IANA 
section has grown pretty large and an error might have slipped past our 
vigilance.

/Ludwig


-- 
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51