Re: [Gen-art] [Ace] Genart last call review of draft-ietf-ace-oauth-params-06

Seitz Ludwig <> Mon, 23 December 2019 07:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8CBB7120074; Sun, 22 Dec 2019 23:52:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6lDhWAiRVx7l; Sun, 22 Dec 2019 23:52:43 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E1A1A12004A; Sun, 22 Dec 2019 23:52:42 -0800 (PST)
Received: from ([]) by (8.14.4/8.14.4) with ESMTP id xBN7qHsh025100 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 23 Dec 2019 08:52:17 +0100
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id xBN7q3fW013399 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 23 Dec 2019 08:52:03 +0100
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1847.3; Mon, 23 Dec 2019 08:52:03 +0100
Received: from ([fe80::3c3e:6470:4c56:a86f]) by ([fe80::3c3e:6470:4c56:a86f%4]) with mapi id 15.01.1847.003; Mon, 23 Dec 2019 08:52:03 +0100
From: Seitz Ludwig <>
To: "'elwynd'" <>, Ludwig Seitz <>, "Elwyn Davies" <>, "" <>
CC: "" <>, "" <>, "" <>
Thread-Topic: [Gen-art] [Ace] Genart last call review of draft-ietf-ace-oauth-params-06
Thread-Index: AQHVuPcohBjIfZMHXEW74d/seKNoOKfHVcdA
Date: Mon, 23 Dec 2019 07:52:03 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-SE, sv-SE, en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_343e0d4096cf4bb782cccf10176748f1combitechse_"
MIME-Version: 1.0
X-Saab-MailScanner-Information: Please contact the ISP for more information
X-Saab-MailScanner-ID: xBN7q3fW013399
X-Saab-MailScanner: Found to be clean
X-Saab-MailScanner-SpamCheck: not spam, SpamAssassin (not cached, score=0.502, required 5, ALL_TRUSTED -1.00, HTML_MESSAGE 0.00, KAM_NUMSUBJECT 0.50, SURBL_BLOCKED 1.00, URIBL_BLOCKED 0.00)
X-Saab-MailScanner-Watermark: 1577692324.00995@vdOiiTCHW/Vc4xPoDziqPQ
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.6.2 ( []); Mon, 23 Dec 2019 08:52:18 +0100 (CET)
Archived-At: <>
X-Mailman-Approved-At: Fri, 03 Jan 2020 10:50:56 -0800
Subject: Re: [Gen-art] [Ace] Genart last call review of draft-ietf-ace-oauth-params-06
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 23 Dec 2019 07:57:57 -0000

Hello Elwyn,

Sorry for being a pain. I have one more comment.

/Ludwig (now finally from the corporate account)

From: elwynd <>
Sent: den 22 december 2019 19:27
To: Ludwig Seitz <>de>; Elwyn Davies <>om>;
Subject: Re: [Gen-art] [Ace] Genart last call review of draft-ietf-ace-oauth-params-06

Hi, Ludwig.

Having had another look at section 3.1 of draft-ietf-ace-cwt-proof-of-possession, technically the rules about which keys have to be present are not part of the syntax of the cnf claim.  The point can be covered by changing '"syntax of the 'cnf' claim"
to "syntax and semantics of the 'cnf' claim"
in each case.

[LS] Ok. Will do.

However, the second look threw up another point:  Figure 2 in s3.2 gives a Symetric key example  - I think this should use an Encrypted_COSE_Key (or Encrypted_COSE_Key0) as described in section 3.3 of draft-ietf-ace-cwt-proof-of-possession.

[LS] Figure 2 in 3.2 gives an example of a AS response to a client requesting an access token. As per the requirements from draft-ietf-ace-oauth-authz, this communication MUST be confidentiality protected, therefore it is unnecessary to additionally encrypt the COSE_Key.
The provisions in 3.3 of draft-ietf-ace-cwt-proof-of-possession are for access tokens in CWT format, containing a symmetric key, that are not encrypted themselves (i.e. only MAC:ed or signed).

Otherwise I think we are done.

Eventually we will get to Christmas!

[LS] I promise to leave it be over the holidays.