Re: [Jwt-reg-review] [Ace] Requested review for IANA registration in draft-ietf-ace-oauth-authz

Brian Campbell <bcampbell@pingidentity.com> Mon, 13 January 2020 21:01 UTC

References: <9c32d171-9a4a-ba71-c989-92a177d9e989@gmx.de> <dc02aa6c-5cfc-bfb1-9672-facf7eb17ad7@gmx.de> <CA+k3eCSnNdvZAZZmequkLdcU_OkgD2au7+yFZOMJT3w0CLsrOQ@mail.gmail.com> <14a3c79d23e94d938be4a173a6c8256d@combitech.se>
In-Reply-To: <14a3c79d23e94d938be4a173a6c8256d@combitech.se>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 13 Jan 2020 14:01:00 -0700
Message-ID: <CA+k3eCQBRyZAmw_d0Mz3jZR0e5u7U77KnDnZbYm2Ad9=BP08OA@mail.gmail.com>
To: Seitz Ludwig <ludwig.seitz@combitech.se>
Cc: Ludwig Seitz <ludwig_seitz@gmx.de>, Roman Danyliw <rdd@cert.org>, "jwt-reg-review@ietf.org" <jwt-reg-review@ietf.org>, Jim Schaad <ietf@augustcellars.com>, The IESG <iesg@ietf.org>, "ace@ietf.org" <ace@ietf.org>, "drafts-lastcall@iana.org" <drafts-lastcall@iana.org>, Benjamin Kaduk <kaduk@mit.edu>
Content-Type: multipart/alternative; boundary="0000000000006260f1059c0bc7ec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jwt-reg-review/tYsnSJMHMJ3076iiIrw-vx91OF8>
Subject: Re: [Jwt-reg-review] [Ace] Requested review for IANA registration in draft-ietf-ace-oauth-authz

Thanks for the updates, Ludwig,

Section 6.6. does propose one mitigation for the unbounded memory growth
problem. However, it relies on the AS to do pretty specific things with the
content of other claims for it to even be possible for an RS to perform the
mitigation approach. Do you think, for interoperability, it needs to be
more prescriptive? Like maybe requiring the cti/jti claim with specific
content and characteristics when exi is present or embedding/encoding that
sequence number in the value of the exi itself alongside the lifetime of
the token.


On Sat, Jan 11, 2020 at 9:16 AM Seitz Ludwig <ludwig.seitz@combitech.se>
wrote:

> Hello Brian,
>
> Thank you for this review!
>
> I have added text to clarify the formatting of these parameters and claims
> when used in JSON-based interactions.
>
> More comments inline.
>
> Regards,
> Ludwig
>
> From: Ace <ace-bounces@ietf.org> On Behalf Of Brian Campbell
> Sent: den 10 januari 2020 21:57
> To: Ludwig Seitz <ludwig_seitz@gmx.de>
> Cc: Roman Danyliw <rdd@cert.org>; jwt-reg-review@ietf.org; Jim Schaad <ietf@augustcellars.com>; The IESG <iesg@ietf.org>; ace@ietf.org; drafts-lastcall@iana.org; Benjamin Kaduk <kaduk@mit.edu>
> Subject: Re: [Ace] [Jwt-reg-review] Requested review for IANA registration in draft-ietf-ace-oauth-authz
>
> I'm really struggling with understanding what the value of an
> "ace_profile" claim actually would be in a JWT. A JSON string that's the
> profile name (though 5.6.4.3 maybe prohibits that)? A JSON number that's
> an integer matching the CBOR Value? Something else?
>
> [LS] For JSON the string representation is ok, I reworded 5.6.4.3 to
> clarify this.
>
> Is the value of "exi" in a JWT a JSON number? Seems likely but it's
> something that should probably be made explicit.
>
> [LS] Now explicit
>
> Also for "exi", the requirement in 5.8.3. to "keep track of the
> identifiers of tokens containing the "exi" claim that have expired (in
> order to avoid accepting them again)" seems problematic in that it sounds
> like it's mandating an unbounded growth of memory use.
>
> Section 6.6. proposes a mitigation for the unbounded growth of memory use
> problem. Does that resolve your reservations?
>
> The draft says that the "cnonce" claim (value) uses binary encoding. What
> does that mean for JSON based JWT?
>
> [LS] Now Base64 encoded binary for JSON.
>
> On Sat, Dec 21, 2019 at 4:35 AM Ludwig Seitz <ludwig_seitz@gmx.de> wrote:
>
> Hello JWT registry reviewers,
>
> the IESG-designated experts for the JWT claims registry have asked me to
> send a review request to you about the claims registered here:
>
> https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-29#section-8.12
>
> Thank you in advance for your review comments.
>
> Regards,
>
> Ludwig
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>

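The unbounded-memory concern Brian raises about "exi", and the sequence-number mitigation he refers to, worked through as an added example. This is illustrative code written for this page; it is not code from draft-ietf-ace-oauth-authz, from either author, or from any ACE implementation. It assumes a hypothetical AS-side rule that "cti" is issued as a monotonically increasing counter (one form of the "pretty specific things" Brian says the RS would have to rely on) and shows the resource-server state kept by the naive approach beside the counter-based one, including the false rejection that occurs when the AS breaks the ordering assumption.

```python
"""Resource-server (RS) bookkeeping for access tokens carrying the "exi"
(expires-in) claim. Added illustration, not code from the draft or thread.

"exi" gives a lifetime in seconds relative to the moment the RS first sees
the token, so an RS without a reliable clock can still expire it. The cost
is that the RS must remember which tokens have already expired, otherwise a
replayed token would look new and get a fresh lifetime.

NaiveTracker remembers every expired identifier, so its state never shrinks.
SequenceTracker assumes (hypothetical AS rule) that "cti" is an issuance
counter and keeps only the highest counter value among expired tokens. That
is sound only if an earlier-numbered token never outlives a later one; the
last function shows what happens when the AS does not guarantee that.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    cti: int  # identifier; SequenceTracker assumes it is an issuance counter
    exi: int  # lifetime in seconds, counted from first presentation at the RS


class NaiveTracker:
    """Tracks expiry by storing every expired identifier forever."""

    def __init__(self):
        self.active = {}      # cti -> absolute expiry time fixed at first sight
        self.expired = set()  # every identifier that has ever expired

    def sweep(self, now):
        """Move tokens whose lifetime has elapsed into the expired state."""
        for cti, exp in list(self.active.items()):
            if now >= exp:
                del self.active[cti]
                self._mark_expired(cti)

    def _mark_expired(self, cti):
        self.expired.add(cti)

    def _known_expired(self, cti):
        return cti in self.expired

    def accept(self, token, now):
        """Return True if the token may be used at time `now` (seconds)."""
        self.sweep(now)
        if self._known_expired(token.cti):
            return False
        # First presentation starts the lifetime; later ones reuse it.
        self.active.setdefault(token.cti, now + token.exi)
        return True

    def state_size(self):
        return len(self.active) + len(self.expired)


class SequenceTracker(NaiveTracker):
    """Tracks expiry with one integer: the highest expired issuance counter."""

    def __init__(self):
        super().__init__()
        self.highest_expired = -1

    def _mark_expired(self, cti):
        self.highest_expired = max(self.highest_expired, cti)

    def _known_expired(self, cti):
        # Everything at or below the watermark is treated as expired.
        return cti <= self.highest_expired

    def state_size(self):
        return len(self.active) + 1


def run_stream(tracker, count, lifetime):
    """Present `count` tokens issued in order, one per second, each once,
    then sweep after all have expired. Returns the tracker's state size."""
    for i in range(count):
        tracker.accept(Token(cti=i, exi=lifetime), now=i)
    tracker.sweep(now=count + lifetime)
    return tracker.state_size()


def replay_after_expiry(tracker):
    """A token seen at t=0 with exi=10 is replayed at t=20, after expiry.
    Returns (accepted at first sight, accepted on replay)."""
    tok = Token(cti=0, exi=10)
    return tracker.accept(tok, now=0), tracker.accept(tok, now=20)


def out_of_order_lifetimes(tracker):
    """AS violates the ordering assumption: token 0 lives longer than token 1.
    Returns whether token 0 is still accepted at t=5, after token 1 expired."""
    tracker.accept(Token(cti=0, exi=100), now=0)
    tracker.accept(Token(cti=1, exi=1), now=0)
    return tracker.accept(Token(cti=0, exi=100), now=5)


if __name__ == "__main__":
    print("naive state after 1000 tokens:", run_stream(NaiveTracker(), 1000, 10))
    print("sequence state after 1000 tokens:", run_stream(SequenceTracker(), 1000, 10))
    print("out-of-order, naive / sequence:",
          out_of_order_lifetimes(NaiveTracker()), out_of_order_lifetimes(SequenceTracker()))
```

Both trackers reject a replayed expired token, but after a stream of 1000 tokens the naive tracker is holding 1000 expired identifiers while the counter-based one holds one integer plus the currently active entries, which are bounded by token rate times lifetime. The last function is the caveat behind Brian's interoperability question: a watermark is only safe if no earlier-numbered token can outlive a later-numbered one, and only the AS can guarantee that, which is why he asks whether the draft should prescribe the "cti"/"jti" content (or fold the sequence number into "exi") rather than leave it to AS convention.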