[Ace] Resume of discussion at IETF 103 meeting on draft-ietf-ace-oauth-authz

Ludwig Seitz <ludwig.seitz@ri.se> Mon, 12 November 2018 15:22 UTC

Return-Path: <ludwig.seitz@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 3D610130E4D for <ace@ietfa.amsl.com>; Mon, 12 Nov 2018 07:22:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id AbYXadYNzXAQ for <ace@ietfa.amsl.com>; Mon, 12 Nov 2018 07:21:59 -0800 (PST)
Received: from smtp-out11.electric.net (smtp-out11.electric.net []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BD26128DFD for <ace@ietf.org>; Mon, 12 Nov 2018 07:21:59 -0800 (PST)
Received: from 1gME2G-000Fif-Uu by out11a.electric.net with emc1-ok (Exim 4.90_1) (envelope-from <ludwig.seitz@ri.se>) id 1gME2G-000Fjq-W0 for ace@ietf.org; Mon, 12 Nov 2018 07:21:56 -0800
Received: by emcmailer; Mon, 12 Nov 2018 07:21:56 -0800
Received: from [] (helo=sp-mail-2.sp.se) by out11a.electric.net with esmtps (TLSv1.2:ECDHE-RSA-AES128-SHA256:128) (Exim 4.90_1) (envelope-from <ludwig.seitz@ri.se>) id 1gME2G-000Fif-Uu for ace@ietf.org; Mon, 12 Nov 2018 07:21:56 -0800
Received: from [] ( by sp-mail-2.sp.se ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1531.3; Mon, 12 Nov 2018 16:21:56 +0100
To: "ace@ietf.org" <ace@ietf.org>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <39e815e5-e602-0253-d324-13fb48f92d3a@ri.se>
Date: Mon, 12 Nov 2018 16:21:55 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.2.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Originating-IP: []
X-ClientProxiedBy: sp-mail-2.sp.se ( To sp-mail-2.sp.se (
X-Env-From: ludwig.seitz@ri.se
X-Proto: esmtps
X-HELO: sp-mail-2.sp.se
X-TLS: TLSv1.2:ECDHE-RSA-AES128-SHA256:128
X-Virus-Status: Scanned by VirusSMART (c)
X-Virus-Status: Scanned by VirusSMART (s)
X-PolicySMART: 14510320
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/zF4Z0_5UvWmk1ztGQM-UQqoi2dI>
Subject: [Ace] Resume of discussion at IETF 103 meeting on draft-ietf-ace-oauth-authz
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Nov 2018 15:22:02 -0000

Hello ACE,

I wanted to post a resume of the in room discussions from the IETF 103 
meeting, related to draft-ietf-ace-oauth-authz, for those who missed 
them and those who want to further comment (sorry for the verbose 
summary below):

During my presentation I put up a 7 issues for discussion as follows:

1. Use of one-byte CBOR abbreviations for parameters and CWT claims.

So far there is a consensus between me and Mike Jones on what we think 
is reasonable.

This would be summarized here: 

I was wondering if anyone else wants to weight in on what they consider 
important parameters & claims for constrained applications that need 
compact (one-byte) abbreviations in CBOR?

2. Unified registry for CWT claims and token/introspection parameter 

Currently the draft(s) have aligned the CBOR abbreviations for both CWT 
claims and token/introspection parameters under one singe number space.

There were arguments for splitting this up so that we can re-use the 
same compact one-byte abbreviations in those different "namespaces" i.e. 
there would be a number range just for CWT claims, and a separate one 
for introspection and token endpoint parameters.

Even here I'm interested in additional input.

3. CWT as format for signed protocol messages

As OAuth is currently working on a number of drafts specifying JWT as a 
format for encoding request (and response?) parameters wrt. the token 
and the introspection endpoint, the question was raised whether this 
should also be done for ACE and CWT.

My stance here (and I got the impression that the room agreed or at 
least had no strong opinion against) is that this is absolutely 
possible, but would best be done in an additional draft in order to not 
increase the already significant delay of draft-ietf-ace-oauth-authz.

4. Alignment between "req_aud" and "resource" parameters

draft-ietf-oauth-resource-indicators proposes a new parameter for the 
token request called "resource" which specifies the location of the 
resource or service for which the token is requested. This is supposed 
to map to the audience claim in the token.

draft-ietf-ace-oauth-params has in parallel defined the "req_aud" 
parameter (for "requested audience") which has a somewhat broader 
definition, roughly speaking "a value that the RS identifies with". This 
could be a public key, a group identifier or something else, so the key 
difference is that it is not specifically bound to the location of the RS.

I would argue to keep the "req_aud" as it is currently (since it covers 
a broader set of use cases than "resource"), but I would be curious to 
hear additional arguments for or against.

5. Handling of multiple tokens for one pair of client-RS

The question was whether an additional token issued for the same 
client-RS pair would

a.) Amend the permissions (i.e. scope) of the older token(s)

b.) Replace all older tokens for that client-RS pair

My implementation and my current understanding of the draft was a.) but 
apparently OAuth mostly does b.).
I would be strongly in favor of doing b.) (and clarifying the specs to 
this end) since it greatly simplifies the code on the RS side. Unless 
someone has a strong argument for approach a. I will implement that 
change in the next document update.

6. Do we need the expiration mechanism based on sequence numbers?

Section 5.8.3 of the draft currently proposes a sequence-number-based 
mechanism for expiration of access tokens on devices that do not have an 
internal clock. Since this mechanisms has pretty severe limitations and 
thus very weak security properties, and since we haven't yet seen a use 
case involving devices without at least an internal "wall-clock time" I 
propose to remove that mechanism from the draft, which seemed to be the 
in-room consensus as well.

7. Symmetric proof-of-possession keys and multi RS audiences

Currently the draft does NOT RECOMMEND this, since it allows one RS to 
impersonate the client towards other RSs that are part of the audience.
The in-room consensus seemed to be that this should be a MUST NOT 
instead and I agree.


Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51