Re: [COSE] A draft on CBOR Web Tokens (CWT)

William Denniss <wdenniss@google.com> Fri, 13 November 2015 03:19 UTC

From: William Denniss <wdenniss@google.com>
Date: Thu, 12 Nov 2015 19:19:26 -0800
Message-ID: <CAAP42hAWfBRKw-3OM1dPkgK40Af4KVBaVdhzdAGhon=VFV6LSA@mail.gmail.com>
To: Erik Wahlström neXus <erik.wahlstrom@nexusgroup.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cose/4-3G0_i-DdJfj65vdMu-zzxIFLc>
Cc: Mike Jones <Michael.Jones@microsoft.com>, "ace@ietf.org" <ace@ietf.org>, Carsten Bormann <cabo@tzi.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "<oauth@ietf.org>" <oauth@ietf.org>, "cose@ietf.org" <cose@ietf.org>
Subject: Re: [COSE] A draft on CBOR Web Tokens (CWT)

Regarding the draft itself, a few comments:

1.
Can we unify the claim registry with JWT? I'm worried about having the same
claims defined twice in CWT and JWT with possibly conflicting meanings (and
needless confusion even when they do match).

Comparing
https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-3.1.2
and https://tools.ietf.org/html/rfc7519#section-4.1.2 which are nearly
identical, I just don't see the value in re-defining it.

We may add new standard claims to JWT in the future (I proposed one
<https://mailarchive.ietf.org/arch/search/?email_list=id-event&gbt=1&index=7qNUnaE9lt2LyayMnmNyWpZSIEM>
in Yokohama on the id-event list
<https://www.ietf.org/mailman/listinfo/id-event>); it would be good if this
didn't need a separate entry in CWT too, but could just apply directly
(separately, I think you should consider this claim, as it helps prevent
tokens from being re-used in the wrong context).

2.
Is Section 4 "Summary of CBOR major types used by defined claims" normative
(https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-4)?
What is the intention of this section? I feel like it could probably be
fleshed out a bit.

3.
Add an xref to the draft COSE spec in section 6
<https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-6>.
Add an xref to RFC 7519.

On Thu, Nov 12, 2015 at 12:01 PM, Erik Wahlström neXus <
erik.wahlstrom@nexusgroup.com> wrote:

> Hi Carsten,
>
> Thanks, and I agree. I’ve heard arguments for all three work groups.
>
> Borrowed some of your words to define the content of the draft :)
> It’s essentially a JWT, phrased in and profiled for CBOR to address ACE
> needs, where OAuth needs COSE functionality, for object security.
>
> I’m open for letting the ADs move it around, but having it right next to
> JWT seems right to me. Also open for the ACE WG. Feel it has less place in
> COSE for the same reasons JWT is not in the JOSE WG.
>
> / Erik
>
>
> > On 12 Nov 2015, at 20:45, Carsten Bormann <cabo@tzi.org> wrote:
> >
> > Hi Erik,
> >
> > having this draft is a good thing.
> >
> > One thing I'm still wondering is what WG is the best place to progress
> > this.  We probably don't need to spend too much time on this because,
> > regardless of the WG chosen, the people in another WG can look at it.
> > Still, getting this right might provide some efficiencies.
> >
> > What is the technical content of this draft?  Is it a new token that
> > OAuth needs specifically for the new COSE-based applications of OAuth?
> > Is it a new token that is specifically there for addressing ACE needs?
> > Or is it essentially the same substance as JWT, but phrased in and
> > profiled for CBOR?
> >
> > Depending on the answer, CWT should be done in OAuth, ACE, or COSE.
> > (I'd rather hear the answer from the authors than venture a guess
> myself.)
> >
> > Regards, Carsten
> >
> >
> >
> > Erik Wahlström neXus wrote:
> >> Hi,
> >>
> >> In the ACE WG a straw man proposal of a CBOR Web Token (CWT) was defined
> >> in the draft "Authorization for the Internet of Things using OAuth 2.0"
> >> [1]. We just broke out the CBOR Web Token into a separate draft and the
> >> new draft is submitted to the OAUTH WG. It can be found here:
> >>
> >> https://datatracker.ietf.org/doc/draft-wahlstroem-oauth-cbor-web-token/
> >>
> >> Abstract:
> >> "CBOR Web Token (CWT) is a compact means of representing claims to be
> >> transferred between two parties.  CWT is a profile of the JSON Web Token
> >> (JWT) that is optimized for constrained devices. The claims in a CWT are
> >> encoded in the Concise Binary Object Representation (CBOR) and CBOR
> >> Object Signing and Encryption (COSE) is used for added application layer
> >> security protection.  A claim is a piece of information asserted about a
> >> subject and is represented as a name/value pair consisting of a claim
> >> name and a claim value."
> >>
> >> / Erik
> >>
> >>
> >> [1] https://tools.ietf.org/html/draft-seitz-ace-oauth-authz-00
> >>
> >>
> >> _______________________________________________
> >> COSE mailing list
> >> COSE@ietf.org
> >> https://www.ietf.org/mailman/listinfo/cose
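A worked illustration of the two points raised at the top of this message (reusing the JWT claim vocabulary under CWT's integer keys, and which CBOR major type each defined claim ends up using), added here as an example; it is not code from the draft, from anyone in this thread, or from any project. It assumes the integer keys that RFC 8392 eventually registered for these seven claims (iss=1 through cti=7), uses sample claim values constructed for the example, and carries its own minimal CBOR subset encoder and decoder so it runs without a CBOR library. The validation routine applies the RFC 7519 section 4.1 rules for exp, nbf and aud to a claims set whether its keys are JWT names or CWT integers, which is the sense in which one registry can serve both.

```python
# Added example, not code from the draft or anyone in the thread; codec is a from-scratch CBOR subset.
import json
import struct

# JWT claim name -> CWT integer key, as RFC 8392 later registered them; other names stay text keys.
CWT_KEYS = {"iss": 1, "sub": 2, "aud": 3, "exp": 4, "nbf": 5, "iat": 6, "cti": 7}
JWT_NAMES = {v: k for k, v in CWT_KEYS.items()}

def _head(major, n):
    """CBOR initial byte(s): major type in the top 3 bits, argument n after it."""
    if n < 24:
        return bytes([major << 5 | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([major << 5 | ai]) + struct.pack(fmt, n)
    raise OverflowError(n)

def cbor_encode(v):
    """Encode the CBOR subset a claims set needs: int, bytes, str, map."""
    if isinstance(v, int) and not isinstance(v, bool):   # major types 0 (unsigned) and 1 (negative)
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):                             # major type 2
        return _head(2, len(v)) + v
    if isinstance(v, str):                               # major type 3
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, dict):                              # major type 5
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError("unsupported type %s" % type(v).__name__)

def _decode_at(buf, off):
    """Decode one item at buf[off]; return (value, offset of the next item)."""
    if off >= len(buf):
        raise ValueError("truncated CBOR")
    major, ai, off = buf[off] >> 5, buf[off] & 0x1F, off + 1
    if ai < 24:
        n = ai
    elif ai <= 27:
        width = 1 << (ai - 24)
        if off + width > len(buf):
            raise ValueError("truncated CBOR argument")
        n, off = int.from_bytes(buf[off:off + width], "big"), off + width
    else:
        raise ValueError("indefinite-length and reserved forms not supported")
    if major in (0, 1):
        return (n if major == 0 else -1 - n), off
    if major in (2, 3):
        if off + n > len(buf):
            raise ValueError("truncated CBOR string")
        raw = bytes(buf[off:off + n])
        return (raw if major == 2 else raw.decode("utf-8")), off + n
    if major == 5:
        m = {}
        for _ in range(n):
            k, off = _decode_at(buf, off)
            x, off = _decode_at(buf, off)
            if k in m:                                   # refuse duplicate keys rather than let the last one win
                raise ValueError("duplicate map key %r" % (k,))
            m[k] = x
        return m, off
    raise ValueError("major type %d not supported here" % major)

def cbor_decode(buf):
    val, off = _decode_at(buf, 0)
    if off != len(buf):
        raise ValueError("trailing bytes after CBOR item")
    return val

def jwt_claims_to_cwt(claims):
    return {CWT_KEYS.get(k, k): v for k, v in claims.items()}

def cwt_claims_to_jwt(claims):
    return {JWT_NAMES.get(k, k): v for k, v in claims.items()}

def claim_major_types(cwt_claims):
    """CBOR major type each claim value encodes to (what the draft's section 4 tabulates)."""
    return {JWT_NAMES.get(k, k): cbor_encode(v)[0] >> 5 for k, v in cwt_claims.items()}

def validate_claims(claims, expected_aud, now, leeway=0):
    """RFC 7519 section 4.1 rules for exp, nbf and aud, applied to either key space unchanged."""
    c = cwt_claims_to_jwt(claims)
    expired = "exp" in c and now >= c["exp"] + leeway
    too_early = "nbf" in c and now < c["nbf"] - leeway
    wrong_aud = "aud" in c and c["aud"] != expected_aud
    return not (expired or too_early or wrong_aud)

# Constructed sample claims set (not taken from the draft).
SAMPLE_JWT_CLAIMS = {
    "iss": "coap://as.example.com", "sub": "erikw", "aud": "coap://light.example.com",
    "exp": 1444064944, "nbf": 1443944944, "iat": 1443944944, "cti": bytes.fromhex("0b71"),
}

def sample_sizes():
    """Bytes for the sample as a CWT claims set vs. the same claims as compact JSON."""
    cbor_len = len(cbor_encode(jwt_claims_to_cwt(SAMPLE_JWT_CLAIMS)))
    json_len = len(json.dumps({**SAMPLE_JWT_CLAIMS, "cti": "0b71"}, separators=(",", ":")))
    return cbor_len, json_len
```

Two details matter beyond the size comparison. First, `claim_major_types` shows that iss, sub and aud land in major type 3 (text string), exp, nbf and iat in major type 0 (unsigned integer) and cti in major type 2 (byte string), which is exactly the kind of per-claim statement a normative version of the draft's section 4 would pin down so that two implementations never disagree on the wire encoding. Second, the decoder deliberately rejects duplicate map keys and trailing bytes: a token parser that lets a second copy of exp or aud silently override the first, or ignores bytes after the claims map, gives an attacker a way to present one claims set to a validator and another to the application.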