Re: [Ace] [OAUTH-WG] Shepherd write-up for draft-ietf-oauth-resource-indicators-01

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Thu, 07 February 2019 15:32 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Ludwig Seitz <ludwig.seitz@ri.se>, "ace@ietf.org" <ace@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 07 Feb 2019 15:32:35 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/aQrgllgV4zydxt6Y_pJsBQU_JqU>

Hi Ludwig,

the issue is that folks in the OAuth group have defined two parameters, namely resource (for URIs) and audience (for logical names), and in ACE there is only one doing both.

To me it appears sub-optimal to have different ways to accomplish the same goal, just based on the protocol in which the information is exchanged.

Which route is better? I don't care.

Ciao
Hannes



-----Original Message-----
From: Ludwig Seitz <ludwig.seitz@ri.se>
Sent: Thursday, 7 February 2019 16:29
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; ace@ietf.org; oauth@ietf.org
Subject: Re: [OAUTH-WG] [Ace] Shepherd write-up for draft-ietf-oauth-resource-indicators-01

On 07/02/2019 16:15, Hannes Tschofenig wrote:
> Hi Ludwig,
>
>> My interpretation of this is that "resource" refers to a single resource
>
> No. Here is the text from token exchange (see last sentence):
>
>     resource
[...]
> Multiple "resource" parameters may be used to indicate
>        that the issued token is intended to be used at the multiple
>        resources listed.
>

Enumerating the audience is not the same as addressing it by a group name.

I agree that, without too much stretching of the definition of the
resource parameter, I could use URIs as group identifiers; however, the
audience claim is defined to be "StringOrURI", so if someone defines an
audience identified by a String that is not a URI, how does a client ask
for that with the resource parameter?

Or in short: Why don't you make your resource parameter mirror the "aud"
claim?

/Ludwig

--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51

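As an added example that is not part of this thread or of any participant's code, the following Python sketch shows the two models under discussion side by side: an authorization server that accepts OAuth's `resource` parameter (absolute URIs, possibly repeated) and an `audience` parameter (logical names), folds both into one `aud` claim, and the RFC 7519 rule a resource server applies to that claim. The form bodies and names (`rs1.example`, `sensor-group-1`) are constructed; the "absolute URI without fragment" check on `resource` values follows the resource-indicators specification (published later as RFC 8707), which also defines the `invalid_target` error used here. The last function illustrates Ludwig's point: a plain-string audience can only be requested through `resource` if it is first dressed up as a URI.

```python
from typing import List, Union
from urllib.parse import parse_qs, urlsplit

# Constructed sample token-request bodies (application/x-www-form-urlencoded).
OAUTH_REQUEST = (
    "grant_type=client_credentials"
    "&resource=https%3A%2F%2Frs1.example%2Fapi"   # two URI resources ...
    "&resource=https%3A%2F%2Frs2.example%2Fapi"
    "&audience=sensor-group-1"                    # ... plus one logical name
)
BAD_REQUEST = "grant_type=client_credentials&resource=sensor-group-1"


def is_valid_resource_indicator(value: str) -> bool:
    """True if value is an absolute URI with no fragment component.

    This is the resource-indicators rule for the 'resource' parameter:
    a scheme must be present, and '#' (the fragment delimiter) must not
    appear. Plain strings such as 'sensor-group-1' fail the scheme test.
    """
    if "#" in value:
        return False
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc or parts.path)


def build_aud_claim(form_body: str) -> Union[str, List[str]]:
    """Authorization-server side: derive the 'aud' claim of the token to issue.

    'resource' values are validated as URIs; 'audience' values are accepted
    as any StringOrURI. A single value is emitted as a string and several
    as an array, matching the RFC 7519 shape of 'aud'.
    """
    params = parse_qs(form_body, keep_blank_values=True)
    aud: List[str] = []
    for res in params.get("resource", []):
        if not is_valid_resource_indicator(res):
            # Reject with the error code the resource-indicators spec defines.
            raise ValueError(f"invalid_target: {res!r} is not an absolute URI")
        if res not in aud:
            aud.append(res)
    for name in params.get("audience", []):
        if name not in aud:
            aud.append(name)
    if not aud:
        raise ValueError("invalid_target: no resource or audience requested")
    return aud[0] if len(aud) == 1 else aud


def audience_accepts(aud_claim: Union[str, List[str]], rs_identifier: str) -> bool:
    """Resource-server side (RFC 7519 section 4.1.3): the RS must find its own
    identifier in 'aud', which may be a single string or an array of strings."""
    if isinstance(aud_claim, str):
        return aud_claim == rs_identifier
    return rs_identifier in aud_claim


def as_resource_value(group_name: str) -> str:
    """Show the workaround Ludwig describes: a logical group name can be
    requested through 'resource' only by turning it into a URI. The
    'urn:example:' prefix is a constructed assumption, not a registered namespace."""
    if is_valid_resource_indicator(group_name):
        return group_name
    return f"urn:example:{group_name}"


if __name__ == "__main__":
    aud = build_aud_claim(OAUTH_REQUEST)
    print("aud claim:", aud)
    print("rs2 accepts:", audience_accepts(aud, "https://rs2.example/api"))
    print("group as resource:", as_resource_value("sensor-group-1"))
    try:
        build_aud_claim(BAD_REQUEST)
    except ValueError as err:
        print("rejected:", err)
```

Run as a script it prints the derived `aud` array, the resource server's acceptance decision, the URI-wrapped group name, and the `invalid_target` rejection of the bare-string `resource` value; the validation function is deliberately separate so it can be reused at the token endpoint before any token is minted.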