Re: [Gen-art] [Ace] Genart last call review of draft-ietf-ace-oauth-params-06

Ludwig Seitz <> Sun, 22 December 2019 12:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DB3B1120114; Sun, 22 Dec 2019 04:36:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6d17V6udLax4; Sun, 22 Dec 2019 04:36:11 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 57D5312010C; Sun, 22 Dec 2019 04:36:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=badeba3b8450; t=1577018164; bh=NKargB5YzOhAVk+w29BZVH+JFhbw1SR8fECECdQIaR8=; h=X-UI-Sender-Class:Subject:To:Cc:References:From:Date:In-Reply-To; b=EhvKKBbtWkNsqocN/Gv1643KME5Io1OwAsZhQRd9J3kh70P02xWSWf9urO37/kSZc //c8ll20tpDaizjOr/OoO9y0vjmj9r3jF0WC0jLWLPKwtdmZBTQK9njEZBILkW7Ud+ q8qhjEcvcNnkgc5LlL2pZD9iLx9PuhA11GGvyi2A=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [] ([]) by (mrgmx105 []) with ESMTPSA (Nemesis) id 1N2V0B-1hfKY71p4p-013tDd; Sun, 22 Dec 2019 13:36:04 +0100
To: Elwyn Davies <>,
References: <>
From: Ludwig Seitz <>
Message-ID: <>
Date: Sun, 22 Dec 2019 13:35:59 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:bZcUBJmY7vljvff1FNjJuNxDgGNnSc12ju8JukVANPU214HF9HF Hq6avnQ5abXxFtwTz/Ja8sMeW+S3K7UxnvqO23Hstq3HTZ86RpzITvd2X+F1pbeqAclxzki q5O6pFt2aR19U7W83IDqaaSHmsJi2PyxWv2W2T/L+DO44fM6ZyFvi8r3UPC855WWG6zqMkI RiFWkUKa84UbzIAM/EVmw==
X-UI-Out-Filterresults: notjunk:1;V03:K0:wIzPWt7Z0r4=:2Ivk5kglV+pP35DCRZosv9 8TJM1PGp1Bumj5P6dDmxcCcJy96/64mpvIB1tcPx5vUfnNiJGsXQYBeqWfoW/RboYQFg+WNeS XibrV3KoosnFcqvT+SfdBpj3lDkFXC7GQSUmlB9/k+GcL83XyJ7W3zjJ0CgGZuVG1nwDQfPvV 6xH9zvGkRfdwoi6/TOH946ztcSf5tDtW1RMiZI8OEALBqcTPpF9q8gM/HfhJEgPP/7o7pkUZD /a1yDkwkqcih7orhxgPMV3XuqMMIl3XD64/2MnTZs/aVQ6qFdvbNJzceCYwP3IYwNRiEOcOFC 3Hw9w/Tt49FMjuCwgQNoOGxk+t5D7phiTvLNZ/xOrp7NXK2KhaZR27kb/ei/tHQJRD1mn1lfK mSHLq34tfMzsa5FiOYtj4CM+xs1JFtMwLXTogPWKADSE6JEkwf0+AAVZNdnQw6XgEp/x3a0Jk ALfjf7z0ouXRZ7zPFs5zARWaByvFtO8hPKx9CB9fXQW8+rCGmdFLkDhLMY24UChxSQWVODNzx xdeN7tyPKiep2C13t/2ZIOXUS2wB6l21jxXzdQ8dP+Zb+P0ELqhw1w0oxkLWttcYkfE5V2QMN LGG4ELaDHhGkzYPIZ78tMhfYZRDR/nXq6Iqg7ZBTes6a+rdHKaeAFV954nwLRfC8PIGAftq0c u8FT6ye79udeN5cZ6WHam0cewbkVbHe8F+xrZ8PdtSaRaYjlNAdNIg9KV7zB3nLM6SuVNz5RI fpU8ZxjyBMmrrl2u+0nBWIno7R2D0PnMLtlJQKg2EAwdwy5bmyIwnmJ60KHs03gbUrPiwNUw0 jtvlh7yvYwZD6S3x+LXgx5bTX2EJ6Aox9+r0pgHr5zvzktWUl/gocA3LrIjiigdgPxJCCbd8I 91tm5zIoigm3+a42B8ieMlDZPW4rUazKpWcKWNBt4WmYtCGWsIDHCX3Kyc2hDz5RhKtwr3UIZ m+4zOEqCPuakb1zNzAff5PcsG0fjhl7NIZv84EBJv0BPJXJdHqYb0NmztJiF6DifMKsrded61 9Y/P6DHl8nQdDuEfZWyKNjx4pfWliRbDN0XN42GWm4CI8YtpybvbE2eMJQ5k/ceU15JtjdQ3D GrgFIGArXrsfL7FwZfqm7F8ukCdAw2CIYD6r6SvkERKROzhk5ATV28UEdw4yOuFENxMVUkm8V H/v8SzGKiR/uxJ6JCxOGC5mMUqocF5xbOAi2UeBuZIy7SvZ37qzkxQM13G5cFoE0XovIDgB+7 H7cslnONHtmZUxqfAeeMbKmOI9e3+YVS3OunSL1rm+A4npk83dkBEFtW5TXo=
Archived-At: <>
Subject: Re: [Gen-art] [Ace] Genart last call review of draft-ietf-ace-oauth-params-06
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 22 Dec 2019 12:36:14 -0000

Hello Elwyn,

I have now submitted -09 to fix the minor issues and nits, which I
forgot in my -08.

Comments inline.



On 2019-12-14 23:46, Elwyn Davies via Datatracker wrote:

> Minor issues:
> ss3.1, 3.2 and 4.1:  The COSE_Key type 'EC' used in several kty fields is not
> defined.  I assume it should be 'EC2'.

> ss3.1, 3.2 and 4.1:  Does it matter that the definitions of the x and y
> parameters in an EC2 key are given as 'h' encodings in RFC8152 but are given as
> 'b64' in this document?  I am very much not an expert here.
All changed to 'h' encoding

> s6: This section starts with 'If CBOR is used...': The main ACE draft
> draft-ietf-ace-oauth-authz is apparently intended to cover both JSON and CBOR
> encodings of payloads, although CBOR is recommended.  This is not made explicit
> in this addition to that specification and the use of CBOR diagnostic
> representation and the prominence of COSE_Key items could make it appear up
> until s6 that this specification is intended just for CBOR encoding.  A few
> words at the beginning would clarify the dual alternatives.
Added a paragraph in the introduction to clarify this.

> Nits/editorial comments:
> General: s/e.g./e.g.,/ (3 places)

> Abstract, 2nd sentence: s/whishes/wishes/
> Abstract: Need to expand AS and RS.
> s2:  RS, AS and (probably) various other terms are defined in RFC 6749 and need
> to be expanded on  first use.  Adding something like the para from
> draft-ietf-ace-oauth-authz would solve this (except for the abstract).
I added a sentence in the terminology section to clarify this. However
note that it already said (in -06):

    Readers are assumed to be familiar with the terminology from

Which included the terms AS and RS.

> s3:  This section needs a reference to RFC 8152 for the specification of the
> CWT COSE_Key item that is used extensively.


> s3/s4: Some introductory text for each section is desirable.

> s3.1, para 2 (definition of req_cnf):: Possibly add a note that the
> recommendation against symmetric keys implies currently kty being 'Symmetric'.
> Will it ever be anything else?

> s3.1:  The text in s3.2 of draft-ietf-ace-cwt-proof-of-possession-03 contans
> the following
>     The COSE_Key MUST contain the required key members for a COSE_Key of that
>     key type and MAY contain other COSE_Key members, including the "kid" (Key
>     ID) member.
>     The "COSE_Key" member MAY also be used for a COSE_Key representing a
>     symmetric key, provided that the CWT is encrypted so that the key is not
>     revealed to unintended parties. The means of encrypting a CWT is explained
>     in [RFC8392]. If the CWT is not encrypted, the symmetric key MUST be
>     encrypted as described in Section 3.3.
> These riders probably apply to all the subsectons of s3 and to s4.1 and could
> be included in the currently empty main section text.

Here I disagree. The text explicitly refers to
draft-ietf-ace-cwt-proof-of-possession, saying that the contents of the
'cnf', 'req_cnf' and 'rs_cnf' parameters use the syntax of the 'cnf'
claim from section 3.1 of draft-ietf-ace-cwt-proof-of-possession.
The requirements in section 3.2 draft-ietf-ace-cwt-proof-of-possession
follow from the use of the definitions in 3.1.

I don't see the value of reiterating such a long text from that document
here, when an explicit reference is already given.

> s4.1, rs_cnf - DTLS-RPK: This term needs a reference (RFC 7250). Also all other
> uses do not hyphenate and RPK needs to be expanded.
>     s/DTLS-RPK handshake/DTLS Raw Public Key (RPK) handshake [RFC7250]/