IETF Logo Mail Archive

Re: [Ace] [Gen-art] Genart telechat review of draft-ietf-ace-cbor-web-token-12

Alissa Cooper <alissa@cooperw.in> Wed, 07 March 2018 17:53 UTC

Return-Path: <alissa@cooperw.in>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C41F612D96C; Wed, 7 Mar 2018 09:53:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.719
X-Spam-Level:
X-Spam-Status: No, score=-2.719 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cooperw.in header.b=VVEUrm2m; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=cfqaotBE
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id acN8_3SQXNXL; Wed, 7 Mar 2018 09:53:36 -0800 (PST)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A9F5120721; Wed, 7 Mar 2018 09:53:35 -0800 (PST)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 9F0ED20BF5; Wed, 7 Mar 2018 12:53:33 -0500 (EST)
Received: from frontend1 ([10.202.2.160]) by compute7.internal (MEProxy); Wed, 07 Mar 2018 12:53:33 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cooperw.in; h=cc :content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=sJTK5bkIT5jx9ABJpajQYxem9wbklZvXzvAxYYxXkLo=; b=VVEUrm2m bzPrNmPfY+so/1JZqkYNRnlByyJzAN0NbZSYTJLIlIJkP7Mf6cSSXa8YYtwnlAuf 0QPqhBaehvvFxRFUgNpx01rFzQufSUnaNJ75DnGa+YBPAoKpC0Vai8s4I6S3yuSP bD696PQ8vcPjI9/jzYRn/wCbFoQHe7USADYuzjusfA3qLokSap/gzJE5mg8VOdXL v0xNex07u7TZDWThjgliBmA2cz7Lk+j7rxraz7xqCEMYnJznDcHsGT0dx9+ajtwt NJy31XDWSi7csXnoHZo2qUVtG9ndsoZao47PSbWfdNpwUolVVp2WeQ3sxxiNE+zA KWn70IRhiMgO2w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm2; bh=sJTK5bkIT5jx9ABJpajQYxem9wbkl ZvXzvAxYYxXkLo=; b=cfqaotBEOm4nn3hOtSOAdSCyYUlu0j51NtrQE9m9Udx3H Rg7xi3dPONFNTZQWfJgZzRm4/XSseSHJ6yw4+IZq/LgWy5nstBJh+MQyktgwWSut bG7qJ6RFqYS8a8t71B7dyTNUMXOt48gItn+JNPnJctzMZEgW33l83WYJgDjp4Rl5 JdrBWWWLSQwQJle3xSApOIn07CPTO+GUQA9cX82kQvO+KeSa/LiJ6+GpIJyurD0X r0IUfYVrkLqBKnXM/XN7IJdyoAUJVMZPUpByrsL2u414C/FkkDcmxXgMjV74mYya S3PFtiehV9CLRVbZwT9U966+GkeG9eyVxB65526Hg==
X-ME-Sender: <xms:HSegWpsUjgQb7sbEdzTU8bH_RvHl1Z7Ft6HzhXSfKhDwM7iMUsuT_A>
Received: from [10.19.234.245] (unknown [128.107.241.170]) by mail.messagingengine.com (Postfix) with ESMTPA id E9B877E1F3; Wed, 7 Mar 2018 12:53:30 -0500 (EST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_20324883-8F60-47B0-A3B7-6349DB6DB260"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <SN6PR2101MB0943543E355D779E13E3B411F5D90@SN6PR2101MB0943.namprd21.prod.outlook.com>
Date: Wed, 07 Mar 2018 12:53:28 -0500
Cc: "draft-ietf-ace-cbor-web-token.all@ietf.org" <draft-ietf-ace-cbor-web-token.all@ietf.org>, Jim Schaad <ietf@augustcellars.com>, Benjamin Kaduk <kaduk@mit.edu>, "ace@ietf.org" <ace@ietf.org>, gen-art <gen-art@ietf.org>
Message-Id: <76AC61D3-5F41-44FB-8E05-367EE4B6CA1C@cooperw.in>
References: <151967178760.21771.14005895812023525211@ietfa.amsl.com> <021201d3af3e$1f204cc0$5d60e640$@augustcellars.com> <CAFgnS4USoaMrDSbvOZj4Pwg3DprMNNxrHoPn+DK-YjVNB-Jrog@mail.gmail.com> <20180227034009.GT50954@kduck.kaduk.org> <CAFgnS4VJDs0Xm2zFG5jXQ3eTC0umNvLxBmkLzQKzbPARZq1RVA@mail.gmail.com> <028701d3aff3$df7ef6f0$9e7ce4d0$@augustcellars.com> <CAFgnS4WrfRHPiMqETyOK=2g-bNKp66i-9NC9JLbbO6eh7brV6w@mail.gmail.com> <SN6PR2101MB09436CCA10FD477A41819B42F5C00@SN6PR2101MB0943.namprd21.prod.outlook.com> <CAFgnS4Wn=S_PskHiZu2qBXf_sHY7asgsHqsHUvNSkF31gKX4Cg@mail.gmail.com> <SN6PR2101MB0943543E355D779E13E3B411F5D90@SN6PR2101MB0943.namprd21.prod.outlook.com>
To: Mike Jones <Michael.Jones@microsoft.com>, Dan Romascanu <dromasca@gmail.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/z0zNNLAmJSqVRzlUm12rEkF9ruE>
Subject: Re: [Ace] [Gen-art] Genart telechat review of draft-ietf-ace-cbor-web-token-12
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Mar 2018 17:53:40 -0000

Dan, thanks for your review. Mike et al, thanks for your responses. I appreciate the novelty of the registration process here but I think the text as it currently stands is clear enough. I entered a No Objection ballot.

Alissa


> On Mar 5, 2018, at 7:44 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> 
> Dan, you’ll find changes that address your review comments in https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-13 <https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-13>.  See https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-13#appendix-C <https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-13#appendix-C> for a summary of the changes made.
>  
> Thanks again for your useful review!
>  
>                                                           -- Mike
>  
> From: Dan Romascanu <dromasca@gmail.com <mailto:dromasca@gmail.com>> 
> Sent: Tuesday, February 27, 2018 11:24 PM
> To: Mike Jones <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>>
> Cc: Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com>>; gen-art <gen-art@ietf.org <mailto:gen-art@ietf.org>>; ace@ietf.org <mailto:ace@ietf.org>; ietf <ietf@ietf.org <mailto:ietf@ietf.org>>; Benjamin Kaduk <kaduk@mit.edu <mailto:kaduk@mit.edu>>; draft-ietf-ace-cbor-web-token.all@ietf.org <mailto:draft-ietf-ace-cbor-web-token.all@ietf.org>
> Subject: Re: [Ace] Genart telechat review of draft-ietf-ace-cbor-web-token-12
>  
> Hi Mike,
> 
> The edits that you propose in #1 and #2 are good IMO and they would improve the clarity of the document.
> 
> Concerning #3 - all the 'running code' examples that you provided are all for one type of policy only - Specification Required. The case here seems a little more complex, as the review and required advice refer to multiple policies. Thanks to the discussion and information provided by you and Jim, I believe that I better understand now how this works, and I defer to the General Area and Security AD the decision whether the text is sufficiently clear.
> 
> Thanks for addressing my comments.
> 
> Regards,
> 
> Dan
> 
>  
> On Wed, Feb 28, 2018 at 12:52 AM, Mike Jones <Michael.Jones@microsoft.com <mailto:Michael.Jones@microsoft.com>> wrote:
> Replies inline…
>  
> From: Ace <ace-bounces@ietf.org <mailto:ace-bounces@ietf.org>> On Behalf Of Dan Romascanu
> Sent: Tuesday, February 27, 2018 2:23 PM
> To: Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com>>
> Cc: gen-art <gen-art@ietf.org <mailto:gen-art@ietf.org>>; ace@ietf.org <mailto:ace@ietf.org>; ietf <ietf@ietf.org <mailto:ietf@ietf.org>>; Benjamin Kaduk <kaduk@mit.edu <mailto:kaduk@mit.edu>>; draft-ietf-ace-cbor-web-token.all@ietf.org <mailto:draft-ietf-ace-cbor-web-token.all@ietf.org>
> Subject: Re: [Ace] Genart telechat review of draft-ietf-ace-cbor-web-token-12
>  
> Hi Jim,
> 
> There are still a few problems: 
>  
> 1. The policies and mapping to the values ranges are hidden in the Claim Key field in the template (the comment also made by Kathleen)
>  
> Per my earlier note, I will be making this language clearer when the next revision is published.                                                                                                                                             
>  
> 2. At least one incorrect policy name is used: Standards Track Required - do you mean Standards Action (?)
>  
> Thanks – I’ll update the terminology when the next draft is published.
>  
> 3. You describe a process that involves a mail list (cwt-reg-review@ietf.org <mailto:cwt-reg-review@ietf.org>) and Experts Review. This description is not clear. Usually IANA approaches one DE for advice and expects the advice from the same DE in a reasonable period of time. If I understand correctly the process described in Section 9.1 one or more DEs make a recommendation and run it with the mail list. Who establishes the consensus on the mail list? Assuming the mail list disagrees with the DE recommendation, who decides?
>  
> This is the process used for the .well-known URI spec, the JSON Web Token (JWT) spec, the JOSE specs, many OAuth specs and it works well.  It allows interested parties to see and comment on registration requests.  The Designated Experts are still the ones to decide.  See these references for some uses of this kind of publicly-visible registration procedure:
>  
> https://tools.ietf.org/html/rfc5785#section-5.1 <https://tools.ietf.org/html/rfc5785#section-5.1> (using wellknown-uri-review@ietf.org <mailto:wellknown-uri-review@ietf.org>)
> https://tools.ietf.org/html/rfc6749#section-11.1 <https://tools.ietf.org/html/rfc6749#section-11.1> (using oauth-ext-review@ietf.org <mailto:oauth-ext-review@ietf.org>)
> https://tools.ietf.org/html/rfc7515#section-9 <https://tools.ietf.org/html/rfc7515#section-9> (using jose-reg-review@ietf.org <mailto:jose-reg-review@ietf.org>)
> https://tools.ietf.org/html/rfc7800#section-6 <https://tools.ietf.org/html/rfc7800#section-6> (using jose-reg-review@ietf.org <mailto:jose-reg-review@ietf.org>)
>  
> I can find more examples of the use of this publicly-visible registration procedure if you like.
>  
> Regards,
> Dan
>  
>                                                           Thanks for the careful review, Dan,
>                                                           -- Mike
>  
> On Tue, Feb 27, 2018 at 7:53 PM, Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com>> wrote:
> Integer values between -256 and 255 and strings of length 1 are designated as Standards Track Required.
>  
> Integer values from -65536 to 65535 and strings of length 2 are designated as Specification Required.
>  
> Integer values of greater than 65535 and strings of length greater than 2 are designated as Expert Review. 
>  
> Integer values less than -65536 are marked as Private Use.
>  
> So that says what IANA policy is to be used for each of the different items.  This defines the policies and the ranges for those policies.
>  
> There is not anything that is making a distinction on what the criteria to be used by the DE in the document which is separate, but I don’t think that is needed.  This is why they are DEs.
>  
> I still don’t see what you think is missing.
>  
> Jim
>  
>  
> From: Dan Romascanu [mailto:dromasca@gmail.com <mailto:dromasca@gmail.com>] 
> Sent: Tuesday, February 27, 2018 2:00 AM
> To: Benjamin Kaduk <kaduk@mit.edu <mailto:kaduk@mit.edu>>
> Cc: Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com>>; gen-art <gen-art@ietf.org <mailto:gen-art@ietf.org>>; draft-ietf-ace-cbor-web-token.all@ietf.org <mailto:draft-ietf-ace-cbor-web-token.all@ietf.org>; ietf <ietf@ietf.org <mailto:ietf@ietf.org>>; ace@ietf.org <mailto:ace@ietf.org>
> Subject: Re: [Ace] Genart telechat review of draft-ietf-ace-cbor-web-token-12
>  
> Hi,
> 
> See also my other notes.
> 
> I believe that what the document tries to say is:
> 
> Register R is divided into four different ranges R1, R2, R3, R4 (defining the value limits may be useful)
> 
> Values in range R1 are allocated according to policy P1 in the case that ...
> Values in range R2 are allocated according to policy P2 in the case that ...
> Values in range R3 are allocated according to policy P3 in the case that ...
> Values in range R4 are allocated according to policy P4 in the case that ...
> 
> But it doesn't say it. Mentioning four concurrent policies for the same registry without separation of values range, and without providing clear instructions when each policy is recommended to be used, seems confusing to me, and may be confusing for users of this document in the future.
> 
> Regards,
> 
> Dan
> 
>  
> On Tue, Feb 27, 2018 at 5:40 AM, Benjamin Kaduk <kaduk@mit.edu <mailto:kaduk@mit.edu>> wrote:
> On Mon, Feb 26, 2018 at 11:19:04PM +0200, Dan Romascanu wrote:
> > Hi Jim,
> >
> > Thank you for your answer and for addressing my comments.
> >
> > On item #2:
> >
> >
> >
> > On Mon, Feb 26, 2018 at 10:12 PM, Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com>> wrote:
> >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Dan Romascanu [mailto:dromasca@gmail.com <mailto:dromasca@gmail.com>]
> > > >
> > >
> > > ...
> >
> > > >
> > > > 2. I am a little confused by the definition of policies in Section 9.1:
> > > >
> > > >    Depending upon the values being requested, registration requests are
> > > >    evaluated on a Standards Track Required, Specification Required,
> > > >    Expert Review, or Private Use basis [RFC8126] after a three-week
> > > >    review period on the cwt-reg-review@ietf.org <mailto:cwt-reg-review@ietf.org> mailing list, on the
> > > >    advice of one or more Designated Experts.
> > > >
> > > > How does this work? The request is forwarded to the designated expert,
> > > > he/she make a recommendation concerning the policy on the mail list, and
> > > > depending on the feedback received a policy is selected? Who establishes
> > > > consensus?
> > > >
> > > > Frankly, I wonder if this can work at all. Are there other examples of
> > > four
> > > > different policies for the same registry, applied on a case-to-case
> > > basis?
> > >
> > > This is the same approach that is being used for the COSE registries.  As
> > > an example, you can look at https://www.iana.org/ <https://www.iana.org/>
> > > assignments/cose/cose.xhtml#algorithms.
> > >
> > > Part of the issue about this is that the JOSE/JWT registries do have the
> > > same different policies, but that differences are hidden from the IANA
> > > registry.  Since they allow for a URI to be used as the identifier of a
> > > field, only the plain text versions are registered.  Thus I can use "
> > > http://augustcellars.com/JWT/My_Tag <http://augustcellars.com/JWT/My_Tag>" as an identifier.  Since for CBOR
> > > the set of tag values is closed and does not have this escape (nor would
> > > one want the length of the tag) it is necessary to have this break down of
> > > tag fields.
> > >
> > >
> > >
> > >
> > This does not seem to be exactly the same approach. The COSE RFC 8152
> > defines the registry policy in a different manner. There is only one policy
> > that is proposed 'Expert Review' and than the Expert Review Instructions
> > are used to define the cases when a Standards Track specification is
> > required. No such text exists in the current I-D. There is no separation of
> > the values space in the registry according to the type of assignment here,
> > as  in RFC 8152.
> 
> The template in section 9.1.1 has the different policies for the
> different integer ranges, under the 'Claim Key' section.  Kathleen
> (IIRC) already noted that this should probably be repeated in the
> introductory part of section 9.1 as well, and that will be done
> before the document is sent to the IESG.
> 
> -Benjamin
>  
>  
>  
> _______________________________________________
> Gen-art mailing list
> Gen-art@ietf.org <mailto:Gen-art@ietf.org>
> https://www.ietf.org/mailman/listinfo/gen-art <https://www.ietf.org/mailman/listinfo/gen-art>

v2.23.0 | Report a Bug | By Email