Re: [Jwt-reg-review] [Ace] Requested review for IANA registration in draft-ietf-ace-oauth-authz

Ludwig Seitz <ludwig_seitz@gmx.de> Sat, 18 January 2020 16:22 UTC

To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Seitz Ludwig <ludwig.seitz@combitech.se>
Cc: Roman Danyliw <rdd@cert.org>, "jwt-reg-review@ietf.org" <jwt-reg-review@ietf.org>, Jim Schaad <ietf@augustcellars.com>, The IESG <iesg@ietf.org>, "ace@ietf.org" <ace@ietf.org>, "drafts-lastcall@iana.org" <drafts-lastcall@iana.org>, Benjamin Kaduk <kaduk@mit.edu>
References: <9c32d171-9a4a-ba71-c989-92a177d9e989@gmx.de> <dc02aa6c-5cfc-bfb1-9672-facf7eb17ad7@gmx.de> <CA+k3eCSnNdvZAZZmequkLdcU_OkgD2au7+yFZOMJT3w0CLsrOQ@mail.gmail.com> <14a3c79d23e94d938be4a173a6c8256d@combitech.se> <CA+k3eCQBRyZAmw_d0Mz3jZR0e5u7U77KnDnZbYm2Ad9=BP08OA@mail.gmail.com>
From: Ludwig Seitz <ludwig_seitz@gmx.de>
Message-ID: <504e86ae-f577-8526-e1cb-ed38d6a2e36f@gmx.de>
Date: Sat, 18 Jan 2020 17:21:18 +0100
In-Reply-To: <CA+k3eCQBRyZAmw_d0Mz3jZR0e5u7U77KnDnZbYm2Ad9=BP08OA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jwt-reg-review/aVskx8tQFAz9NykZ5aRMmMC0jkY>

On 2020-01-13 22:01, Brian Campbell wrote:
> Thanks for the updates Ludwig,
>
> Section 6.6. does propose one mitigation for the unbounded memory growth
> problem. However, it relies on the AS to do pretty specific things with
> the content of other claims for it to even be possible for an RS to
> perform the mitigation approach. Do you think, for interoperability, it
> needs to be more prescriptive? Like maybe requiring the cti/jti claim
> with specific content and characteristics when exi is present or
> embedding/encoding that sequence number in the value of the exi itself
> alongside the lifetime of the token.
>

This sounds like a reasonable requirement. I'm even inclined to make
that a MUST and not just a SHALL. Next update coming soon.

/Ludwig
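The mitigation Brian Campbell sketches in the quoted message (a sequence number carried in the token identifier alongside exi, so the RS can forget expired tokens without losing the ability to reject their replay) in working Python, as an added example that is neither the draft's text nor code from its authors. It assumes that the AS puts a monotonically increasing sequence number into cti as a big-endian unsigned byte string, that exi is a lifetime in seconds counted from the RS's first sight of the token, and that the caller supplies the clock; none of these details are fixed by the discussion above.

```python
"""Bounded RS-side tracking of access tokens that carry the 'exi' claim.

Added example, not code from draft-ietf-ace-oauth-authz or its authors.
Assumptions (not fixed by the draft text quoted above):
  * 'cti' is a byte string whose big-endian unsigned value is a sequence
    number that the AS increments for every token it issues with 'exi';
  * 'exi' is a lifetime in seconds relative to the RS's first sight of the token;
  * the caller supplies the clock, so the example is deterministic.
"""
from __future__ import annotations


def seq_of(cti: bytes) -> int:
    """Assumed encoding: the AS places the sequence number in 'cti' as a
    big-endian unsigned integer (an assumption made for this example)."""
    if not cti:
        raise ValueError("cti must not be empty")
    return int.from_bytes(cti, "big")


class ExiTokenTracker:
    """Keeps first-seen times only for tokens that are still valid.

    Memory is bounded by the number of concurrently valid tokens: replays of
    expired tokens are rejected with a single integer comparison and store
    nothing, so a flood of old tokens cannot grow the table.
    """

    def __init__(self) -> None:
        # seq -> (first_seen, exi) for tokens that have not yet expired
        self._live: dict[int, tuple[float, int]] = {}
        # highest sequence number among tokens this RS has watched expire
        self.highest_expired_seq: int = -1

    def _expire(self, now: float) -> None:
        """Drop expired entries, remembering only the largest sequence number."""
        for seq, (first_seen, exi) in list(self._live.items()):
            if now >= first_seen + exi:
                del self._live[seq]
                self.highest_expired_seq = max(self.highest_expired_seq, seq)

    def accept(self, token: dict, now: float) -> bool:
        """Return True if the RS should treat the token as unexpired."""
        if "exi" not in token:
            raise ValueError("this tracker only handles tokens with 'exi'")
        self._expire(now)
        seq = seq_of(token["cti"])
        if seq in self._live:
            return True  # still within its lifetime (otherwise _expire removed it)
        if seq <= self.highest_expired_seq:
            # Either a replay of a token we watched expire, or an older token
            # the AS issued before one that has already expired. Reject without
            # storing anything: this is what keeps memory bounded.
            return False
        self._live[seq] = (now, int(token["exi"]))
        return True

    def live_count(self) -> int:
        return len(self._live)


def demo() -> tuple[bool, bool, bool, int]:
    """Constructed scenario: token 1 lives 10 s, token 2 lives 100 s."""
    t = ExiTokenTracker()
    tok1 = {"cti": (1).to_bytes(2, "big"), "exi": 10}
    tok2 = {"cti": (2).to_bytes(2, "big"), "exi": 100}
    first = t.accept(tok1, now=0.0)      # fresh token, first seen at t=0
    t.accept(tok2, now=5.0)              # second token stored alongside it
    replay = t.accept(tok1, now=30.0)    # expired at t=10; rejected by sequence number
    tok2_ok = t.accept(tok2, now=30.0)   # still within its 100 s lifetime
    return first, replay, tok2_ok, t.live_count()
```

The strict rule in `accept` (anything at or below the highest expired sequence number is refused) is what makes the state a single integer plus the live table; its cost is that a token the AS issued earlier but the RS has never seen is refused once a later token has expired on that RS, so an AS using this scheme needs to issue exi tokens for a given RS in lifetime-compatible order or accept that trade-off.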