Re: [Jwt-reg-review] Request to register claim: permissions

Brian Campbell <bcampbell@pingidentity.com> Mon, 24 July 2017 11:20 UTC

In-Reply-To: <CAMPbGmhtKuqK+XMgUna5N-TgxON1bXGyDiHz4g=ffBfNWTJDow@mail.gmail.com>
References: <CAMPbGmjim97Ww31RT3ybwZuoL2UA-p3ad8qRYC10kG69HQ1c8w@mail.gmail.com> <CA+k3eCRPevg3CNUTXgsQMn4Yg8sPcmEyixbova+DGx9=Ski4kw@mail.gmail.com> <CAMPbGmhtKuqK+XMgUna5N-TgxON1bXGyDiHz4g=ffBfNWTJDow@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 24 Jul 2017 12:50:33 +0200
Message-ID: <CA+k3eCSAQ1xwvrPC_1uCdW7pOTSRDZr8s4EwTm6Gk=xiCxS6Zw@mail.gmail.com>
To: Eve Maler <eve.maler@forgerock.com>
Cc: jwt-reg-review@ietf.org, Maciej Machulak <maciej.machulak@gmail.com>, Justin Richer <justin@bspk.io>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jwt-reg-review/J_UkGyM_r3BCiRqTiB94hwi9_oQ>
List-Id: "Expert review of proposed IANA registrations for JSON Web Token \(JWT\) claims." <jwt-reg-review.ietf.org>

Thanks for the update, Eve.

On Mon, Jul 24, 2017 at 2:01 AM, Eve Maler <eve.maler@forgerock.com> wrote:

> Hi Brian-- The Work Group has discussed this, and decided to rescind our
> registration request. Thanks very much for your time and feedback. We may
> come back at a later date with something more fully considered.
>
>
> *Eve Maler*
> ForgeRock Office of the CTO | VP Innovation & Emerging Technology
> Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl
>
> On Wed, Jun 28, 2017 at 1:24 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>
>> Hi Eve,
>>
>> I think a bit more revision work on the document is needed before this
>> request to register the 'permissions' JWT claim can be sent to IANA.
>>
>> Section 5 kind of sort of implies the possible use of JWT in saying,
>> "Validate the RPT locally if it is self-contained" but otherwise JWT isn't
>> mentioned in the document at all other than the IANA request in Section
>> 9.2. (which cites [OIDCCore] regarding JWT claim registration rather than
>> RFC 7519 that it should be - see https://tools.ietf.org/html/rfc7800#section-6.1
>> for an example). For that matter RFC 7519, which defines JSON Web Token
>> and established the claims registry, isn't even referenced in the document.
>>
>> Section 5.1.1 <https://docs.kantarainitiative.org/uma/wg/oauth-uma-federated-authz-2.0-05.html#uma-bearer-token-profile>
>> is about the 'permissions' parameter in the Token Introspection response.
>> While there are similarities in how they sometimes are used, the
>> introspection response parameters and JWT claims are distinct and different
>> things. Sec 5.1.1. can't be said to define a JWT claim. At the least, I
>> would expect some definition of the 'permissions' claim in JWT even if it
>> just cites the introspection response parameter and says it means the same
>> thing but is a claim in a self-contained JWT. I'm guessing that was more or
>> less the intent. But that's a lot of inferring and I believe a
>> specification and IANA registration need to be more explicit.
>>
>>
>> On Fri, Jun 16, 2017 at 6:41 PM, Eve Maler <eve.maler@forgerock.com>
>> wrote:
>>
>>> As required by RFC 7519 Section 10.1, the authors of the specification
>>> Federated Authorization for User-Managed Access (UMA) 2.0
>>> <https://docs.kantarainitiative.org/uma/wg/oauth-uma-federated-authz-2.0-05.html>
>>> are requesting to register the following claim:
>>>
>>>    - permissions
>>>
>>> The claim definition appears in Section 5.1.1
>>> <https://docs.kantarainitiative.org/uma/wg/oauth-uma-federated-authz-2.0-05.html#uma-bearer-token-profile>.
>>> The IANA request appears in Section 9.2
>>> <https://docs.kantarainitiative.org/uma/wg/oauth-uma-federated-authz-2.0-05.html#rfc.section.9.2>.
>>>
>>> Thank you. We look forward to your response.
>>>
>>>
>>>
>>> _______________________________________________
>>> Jwt-reg-review mailing list
>>> Jwt-reg-review@ietf.org
>>> https://www.ietf.org/mailman/listinfo/jwt-reg-review
>>>
>>>
>>
>>
>> --
>> Brian Campbell
>> Distinguished Engineer
>> bcampbell@pingidentity.com
>> w: +1 720.317.2061
>> c: +1 303.918.9415
>>
>

-- 
*CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you.*
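The distinction Brian draws above (a Token Introspection response parameter is a JSON object returned by the authorization server, a JWT claim is something the resource server reads out of a self-contained token it has validated locally) is easy to blur in an implementation, so here it is as running code. This is an added example; it is not code from the thread, from the UMA specification, or from any of the participants' products. It is standard-library Python with HS256 verification written out by hand so it runs offline. The shared key, issuer, resource identifiers, fixed clock and sample permission data are constructed for the illustration, and the shape of a permissions entry (resource_id, resource_scopes, exp) and the meaning given to a 'permissions' JWT claim (the same structure as the introspection parameter, carried inside the token, which is the intent Brian guesses at) are assumptions, not anything the document registers.

```python
"""Added illustration: 'permissions' as an introspection parameter versus as a
claim in a locally validated, self-contained RPT. All data below is constructed."""
import base64
import hashlib
import hmac
import json
import time

# Assumed for the example; a real AS would normally use an asymmetric alg (RS256/ES256).
ASSUMED_KEY = b"constructed-shared-secret-for-the-example"
ASSUMED_ISSUER = "https://as.example"
NOW = 1500895238  # fixed clock (the thread's own timestamp) so results are reproducible


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_rpt(claims: dict, key: bytes = ASSUMED_KEY) -> str:
    """AS side (constructed): issue a self-contained RPT as an HS256 compact JWS."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def tamper(token: str, claims: dict, alg: str = "HS256") -> str:
    """Client side of the failure mode (constructed): rewrite the claims, and
    optionally the alg, while reusing the issued signature (or none at all)."""
    _h64, _p64, s64 = token.split(".")
    h64 = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    p64 = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{h64}.{p64}.{'' if alg == 'none' else s64}"


def permissions_from_jwt(token: str, key: bytes = ASSUMED_KEY, now=None) -> list:
    """RS side, local validation of a self-contained RPT: pin alg, verify the
    MAC, check iss and exp, and only then read the (assumed) 'permissions'
    claim. Decoding the payload first would trust whatever the client sent."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != ASSUMED_ISSUER:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    perms = claims.get("permissions", [])
    if not isinstance(perms, list):
        raise ValueError("permissions claim is not an array")
    return perms


def permissions_from_introspection(response: dict) -> list:
    """RS side, introspection path: the AS answers with a JSON object (RFC 7662),
    not a token. Its parameters only mean something when active is true."""
    if response.get("active") is not True:
        return []
    perms = response.get("permissions", [])
    return perms if isinstance(perms, list) else []


def is_authorized(permissions: list, resource_id: str, scope: str, now=None) -> bool:
    """Grant only if an unexpired permission names this resource and scope.
    Each entry may carry its own exp, independent of the token's exp."""
    now = time.time() if now is None else now
    for p in permissions:
        if not isinstance(p, dict):
            continue
        if isinstance(p.get("exp"), (int, float)) and p["exp"] <= now:
            continue
        if p.get("resource_id") == resource_id and scope in p.get("resource_scopes", []):
            return True
    return False


# Constructed sample data: one live permission and one that has already expired.
SAMPLE_PERMISSIONS = [
    {"resource_id": "album-1", "resource_scopes": ["view"], "exp": NOW + 600},
    {"resource_id": "album-2", "resource_scopes": ["view", "edit"], "exp": NOW - 1},
]
SAMPLE_INTROSPECTION = {"active": True, "token_type": "Bearer", "permissions": SAMPLE_PERMISSIONS}
SAMPLE_RPT = mint_rpt({"iss": ASSUMED_ISSUER, "exp": NOW + 3600, "permissions": SAMPLE_PERMISSIONS})

if __name__ == "__main__":
    print("introspection:", is_authorized(permissions_from_introspection(SAMPLE_INTROSPECTION), "album-1", "view", NOW))
    print("self-contained:", is_authorized(permissions_from_jwt(SAMPLE_RPT, now=NOW), "album-1", "view", NOW))
```

The ordering inside permissions_from_jwt is the point: the algorithm is pinned, the signature is checked, iss and exp are checked, and only then is the claim read. A resource server that base64-decodes the payload and reads permissions straight away is acting on an unverified document the client chose, which is exactly what "validate the RPT locally" has to rule out. The introspection path has no signature of its own to check because trust comes from the authenticated, TLS-protected call to the AS, but it still has to honour active, and it is a different data source with a different trust basis, which is why a registry entry for the claim needs to say what the JWT form means rather than point at the introspection parameter.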