Re: [Cwt-reg-review] [Ace] [EXTERNAL] Re: [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)

Benjamin Kaduk <kaduk@mit.edu> Wed, 11 March 2020 23:50 UTC

Date: Wed, 11 Mar 2020 16:49:44 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Cc: Ludwig Seitz <ludwig_seitz@gmx.de>, "drafts-expert-review@iana.org" <drafts-expert-review@iana.org>, "cwt-reg-review@ietf.org" <cwt-reg-review@ietf.org>, "charliemortimore@gmail.com" <charliemortimore@gmail.com>, "chuck.mortimore@visa.com" <chuck.mortimore@visa.com>, "draft-ietf-ace-oauth-authz@ietf.org" <draft-ietf-ace-oauth-authz@ietf.org>, "ace@ietf.org" <ace@ietf.org>
Message-ID: <20200311234944.GL98042@kduck.mit.edu>
References: <RT-Ticket-1158953@icann.org> <03f0f73f-4c82-9089-0a81-471a5fb54ba8@gmx.de> <d23d83eb-44ef-bece-cfcc-61ee5d951cd8@gmx.de> <rt-4.4.3-14831-1579299068-1542.1158953-37-0@icann.org> <rt-4.4.3-21646-1582059958-678.1158953-37-0@icann.org> <BY5PR00MB06762A9651316668A1290016F5110@BY5PR00MB0676.namprd00.prod.outlook.com> <rt-4.4.3-21645-1582065742-299.1158953-37-0@icann.org> <rt-4.4.3-11175-1582675119-1846.1158953-37-0@icann.org> <4788cad0-d1dc-2947-9e17-cad4f2147a7b@gmx.de> <DM6PR00MB0684B6E29343D9A1D2CAC62CF5FC0@DM6PR00MB0684.namprd00.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <DM6PR00MB0684B6E29343D9A1D2CAC62CF5FC0@DM6PR00MB0684.namprd00.prod.outlook.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/cwt-reg-review/NmwIaJ192Jisjn7tU8KEfAaRnAw>
Subject: Re: [Cwt-reg-review] [Ace] [EXTERNAL] Re: [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)

On Wed, Mar 11, 2020 at 11:39:00PM +0000, Mike Jones wrote:
> [Adding correct e-mail addresses for Chuck, who recently joined Visa]
> 
> There are two reasons that I believe not using up one of the scarce one-byte claim identifiers for "scope" is appropriate:
> 
>   1.  The claim values for scopes are not short themselves.  They are sets of ASCII strings separated by spaces.  So the percentage difference in the total claim representation from adding a single byte will typically be small.

ACE allows the scope to be a binary value and to use a different convention
than space-separated for multi-value scopes.

>   2.  The single-byte claim identifiers already registered at https://www.iana.org/assignments/cwt/cwt.xhtml are claims that are likely to be useful to diverse sets of applications, and therefore merit the short identifiers; whereas, the scope claim is specific to the ACE OAuth protocol and not applicable to diverse sets of applications.  It's reasonable to give protocol-specific claim identifiers 2-byte representations.

(This point I don't have a good response for.)

-Ben

> I'd be interested to hear from the two other designated experts on my assessment of the situation: Hannes and Chuck.
> 
>                                                        -- Mike
> 
> -----Original Message-----
> From: Cwt-reg-review <cwt-reg-review-bounces@ietf.org> On Behalf Of Ludwig Seitz
> Sent: Saturday, February 29, 2020 6:25 AM
> To: drafts-expert-review@iana.org; cwt-reg-review@ietf.org
> Cc: draft-ietf-ace-oauth-authz@ietf.org; ace@ietf.org
> Subject: [EXTERNAL] Re: [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)
> 
> On 2020-02-26 00:58, Amanda Baber via RT wrote:
> > Ludwig, Hannes,
> >
> > Can you confirm that you can make the CBOR Web Token Claim change
> > requested below?
> >
> > We also have Chuck Mortimore listed as an expert for this registry,
> > but our message to his Salesforce address bounced.
> >
> > Best regards,
> >
> > Amanda Baber Lead IANA Services Specialist
> >
> 
> I strongly disagree with the assessment that the scope claim should be pushed into the two-byte range.
> 
> The reason we introduced the scope claim is that an ACE RS typically does not have a direct connection to the AS, and is therefore unable to retrieve the scope of an access token from other sources than the access token itself.  I therefore assert that ACE access tokens would often need to contain this claim in order to inform the RS.
> 
> Since one of the major drivers of the ACE work has been to reduce the authorization overhead (otherwise we could just have used vanilla OAuth 2.0), I find it strange to needlessly add to the overhead by making the encoding of a frequently used claim longer than necessary.
> 
> I am willing to listen to the arguments that have led the expert reviewer to denying a value in the one-byte range, and discuss the reasoning further on list.
> 
> Regards,
> 
> Ludwig
> 
> > On Tue Feb 18 22:42:22 2020, Michael.Jones@microsoft.com wrote:
> >> I'm mostly OK with these registrations, however, DO NOT assign the
> >> value 9 to "scope".   Rather, please put it in the two-byte range
> >> - for instance, with the value 41.
> >>
> >> -- Mike
> >>
> >> -----Original Message----- From: Cwt-reg-review
> >> <cwt-reg-review-bounces@ietf.org> On Behalf Of Sabrina Tanamal via RT
> >> Sent: Tuesday, February 18, 2020 1:06 PM Cc:
> >> cwt-reg-review@ietf.org Subject: [EXTERNAL] [Cwt-reg-review] [IANA
> >> #1158953] Requested review for IANA registration in
> >> draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)
> >>
> >> Hi all,
> >>
> >> Resending this request for draft-ietf-ace-oauth-authz.
> >>
> >> Thanks,
> >>
> >> Sabrina Tanamal Senior IANA Services Specialist
> >>
> >>> On Sat Dec 21 11:37:11 2019, ludwig_seitz@gmx.de wrote:
> >>>> Hello CWT registry reviewers,
> >>>>
> >>>> the IESG-designated experts for the CWT claims registry have asked
> >>>> me to send a review request to you about the claims registered
> >>>> here:
> >>>>
> >>>> https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-29#section-8.13
> >>>>
> >>>> Thank you in advance for your review comments.
> >>>>
> >>>> Regards,
> >>>>
> >>>> Ludwig
> >>>>
> >>
> >> _______________________________________________ Cwt-reg-review
> >> mailing list Cwt-reg-review@ietf.org
> >> https://www.ietf.org/mailman/listinfo/cwt-reg-review
> >
> 
> _______________________________________________
> Cwt-reg-review mailing list
> Cwt-reg-review@ietf.org
> https://www.ietf.org/mailman/listinfo/cwt-reg-review

> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
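The thread above argues about the cost of putting "scope" at CWT claim key 9 versus 41 without spelling out where the one-byte / two-byte boundary comes from. As an added example that is not part of this thread or of the ACE draft, the Python below carries a minimal CBOR encoder (the integer, byte string, text string, array and map subset of RFC 8949 that a CWT claims set needs) and uses it to encode a constructed claims set with the scope claim under key 9 and under key 41. The claim values are made up for illustration; only the registered keys 1 (iss), 2 (sub), 3 (aud), 4 (exp) and 7 (cti) are real. It shows that integer keys from -24 to 23 are the one-byte ones, that moving a key into 24..255 costs exactly one extra byte, and what that byte amounts to as a fraction of the claims set for the text, binary and structured scope shapes that Mike's and Ben's messages mention.

```python
# Added example, not code from the thread or from the ACE draft.
# Minimal CBOR encoder (RFC 8949 subset) used to measure CWT claim-key cost.
# Claim values are constructed; only the claim key numbers are from the CWT registry.

def cbor_head(major: int, n: int) -> bytes:
    """Initial byte (major type in the top 3 bits) plus the shortest argument
    encoding of the unsigned integer n, as RFC 8949 section 3 requires."""
    if n < 24:
        return bytes([(major << 5) | n])           # argument fits in the initial byte
    if n < 1 << 8:
        return bytes([(major << 5) | 24]) + n.to_bytes(1, "big")
    if n < 1 << 16:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    if n < 1 << 32:
        return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")
    return bytes([(major << 5) | 27]) + n.to_bytes(8, "big")


def encode(value) -> bytes:
    """Encode int, bytes, str, list and dict. Map entries keep insertion order."""
    if isinstance(value, bool):
        raise TypeError("booleans are not needed for this example")
    if isinstance(value, int):
        # Major type 0 for non-negative integers, major type 1 for -1 - n.
        return cbor_head(0, value) if value >= 0 else cbor_head(1, -1 - value)
    if isinstance(value, bytes):
        return cbor_head(2, len(value)) + value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return cbor_head(3, len(raw)) + raw
    if isinstance(value, list):
        return cbor_head(4, len(value)) + b"".join(encode(v) for v in value)
    if isinstance(value, dict):
        return cbor_head(5, len(value)) + b"".join(
            encode(k) + encode(v) for k, v in value.items())
    raise TypeError(f"unsupported type {type(value).__name__}")


def key_size(key: int) -> int:
    """Bytes a map key costs on the wire; 1 only for -24 <= key <= 23."""
    return len(encode(key))


# Constructed claims set: registered CWT keys, made-up values.
BASE_CLAIMS = {
    1: "coaps://as.example.com",   # iss
    2: "erikw",                    # sub
    3: "coaps://rs.example.com",   # aud
    4: 1444064944,                 # exp (unsigned int, 4-byte argument)
    7: b"\x0b\x71",                # cti
}


def claims_size(scope_key: int, scope_value) -> int:
    """Encoded size of BASE_CLAIMS plus a scope claim stored under scope_key."""
    return len(encode({**BASE_CLAIMS, scope_key: scope_value}))


def scope_overhead_percent(scope_value, short_key: int = 9, long_key: int = 41) -> float:
    """Growth of the claims set, in percent, when scope moves from short_key to long_key."""
    short = claims_size(short_key, scope_value)
    return 100.0 * (claims_size(long_key, scope_value) - short) / short


if __name__ == "__main__":
    print("key 9  ->", encode(9).hex())      # 09
    print("key 41 ->", encode(41).hex())     # 1829
    print("one-byte keys:", [k for k in range(-30, 30) if key_size(k) == 1])
    # Three scope shapes: space-separated text, an opaque binary value, and a
    # structured (array) value such as ACE permits instead of space separation.
    for scope in ("read write", b"\x01\x03", ["tempC", 1]):
        print(f"{scope!r:>22}: {claims_size(9, scope)} vs {claims_size(41, scope)} bytes,"
              f" +{scope_overhead_percent(scope):.2f}%")
```

The percentages are relative to the bare claims set. A real ACE token is additionally wrapped in a COSE structure (headers, tag and signature or MAC), so the same extra byte is a smaller share of what actually crosses the constrained link; the absolute cost, one byte per token, does not change with the scope representation.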