Re: [Jwt-reg-review] Request to register claims: "scope" , "at_use_nbr"

Miguel Angel Reina Ortega <MiguelAngel.ReinaOrtega@etsi.org> Wed, 22 May 2019 17:38 UTC

Return-Path: <MiguelAngel.ReinaOrtega@etsi.org>
X-Original-To: jwt-reg-review@ietfa.amsl.com
Delivered-To: jwt-reg-review@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89EAE120277 for <jwt-reg-review@ietfa.amsl.com>; Wed, 22 May 2019 10:38:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.289
X-Spam-Level:
X-Spam-Status: No, score=-4.289 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=etsi.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6e932vTlKcqO for <jwt-reg-review@ietfa.amsl.com>; Wed, 22 May 2019 10:38:41 -0700 (PDT)
Received: from relay.etsi.org (relay.etsi.org [195.238.226.209]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49E55120256 for <jwt-reg-review@ietf.org>; Wed, 22 May 2019 10:38:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=1524829736.etsi; d=etsi.org; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To:Content-Type: MIME-Version; i=MiguelAngel.ReinaOrtega@etsi.org; bh=suOHxYe4eqgyFGXDT8WTa1v3npc/rRd9rqj2vcPnl1U=; b=S6Hkpi/DH6EktRY3iXhODHLEKrXCdszRlCDnXEbt9XUVF6CRhHIFWBJGNhi8pOUyfmRJABu3YqsN KAawIDrFQ3HWyQ3j3wNpoA8oiWyKOyfQGSczrg4cAIeoCg9GuP8HKFgw4DNpmOlqOi3QPZXsczkg cCC2wAZLe1Uy0mupr9U=
Received: from outbound.etsi.org (172.27.1.75) by relay.etsi.org id hsm4i02gvlcp for <jwt-reg-review@ietf.org>; Wed, 22 May 2019 18:38:38 +0100 (envelope-from <MiguelAngel.ReinaOrtega@etsi.org>)
Received: from XMAIL.etsihq.org (172.27.1.75) by xMail.etsihq.org (172.27.1.75) with Microsoft SMTP Server (TLS) id 15.0.1236.3; Wed, 22 May 2019 19:38:38 +0200
Received: from XMAIL.etsihq.org ([172.27.1.75]) by xMail.etsihq.org ([172.27.1.75]) with mapi id 15.00.1236.000; Wed, 22 May 2019 19:38:38 +0200
From: Miguel Angel Reina Ortega <MiguelAngel.ReinaOrtega@etsi.org>
To: Brian Campbell <bcampbell@pingidentity.com>
CC: "jwt-reg-review@ietf.org" <jwt-reg-review@ietf.org>, PNNS <PNNS@etsi.org>
Thread-Topic: [Jwt-reg-review] Request to register claims: "scope" , "at_use_nbr"
Thread-Index: AdUPMhUNfRIGinBfSumW2jGWCJvh/AAwyFGAAAtdweAAJHlZgP///mKA///dwnA=
Date: Wed, 22 May 2019 17:38:37 +0000
Message-ID: <d3aee3b253e344c2b5b96605de99002c@xMail.etsihq.org>
References: <52951ff3f45146a284bc3401f2260915@xMail.etsihq.org> <CA+k3eCQEB9LZKKTt-bKOaAXLGLtgDWPkXUBhd2KkiYF+gE8WYg@mail.gmail.com> <51607e41f1fa41038abab52bd23f9bda@xMail.etsihq.org> <a4ab46ed99314ad28e994a46520270fc@xMail.etsihq.org> <CA+k3eCT2TbjRZP-SW3Sz80Oy_7CWMNy1oCQUtNUCfa1oz0p9nw@mail.gmail.com>
In-Reply-To: <CA+k3eCT2TbjRZP-SW3Sz80Oy_7CWMNy1oCQUtNUCfa1oz0p9nw@mail.gmail.com>
Accept-Language: en-US, en-GB
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.35.156.11]
Content-Type: multipart/alternative; boundary="_000_d3aee3b253e344c2b5b96605de99002cxMailetsihqorg_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/jwt-reg-review/wLK11MKor1_2wRO1xijuidrYOjQ>
Subject: Re: [Jwt-reg-review] Request to register claims: "scope" , "at_use_nbr"
X-BeenThere: jwt-reg-review@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Expert review of proposed IANA registrations for JSON Web Token \(JWT\) claims." <jwt-reg-review.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jwt-reg-review>, <mailto:jwt-reg-review-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jwt-reg-review/>
List-Post: <mailto:jwt-reg-review@ietf.org>
List-Help: <mailto:jwt-reg-review-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jwt-reg-review>, <mailto:jwt-reg-review-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 May 2019 17:38:57 -0000

Dear Brian,

Thanks for your answer.

I will then provide you with the pointer to the draft, and once specification is approved, I will resubmit the registration request with the final pointer.

Regarding the “scope” claim, which RFC should it be referenced if there’s already a number? And If there’s no number, should we reference the draft?

Thanks again.

Best regards.

-----------------------------------------------------------------------------------------------------------------
Miguel Angel Reina Ortega – Testing Expert
Centre for Testing and Interoperability (CTI)
ETSI ● www.etsi.org<http://www.etsi.org/> ● miguelangel.reinaortega@etsi.org<mailto:miguelangel.reinaortega@etsi.org>
Phone: +33 (0)4 92 94 43 49 ● Mobile: +33 (0)6 76 73 60 99

This email may contain confidential information and is intended for
the use of the addressee only. Any unauthorized use may be unlawful.
If you receive this email by mistake, please advise the sender
immediately by using the reply facility in your email software.
Thank you for your co-operation.

From: Brian Campbell <bcampbell@pingidentity.com>
Sent: 22 May 2019 19:34
To: Miguel Angel Reina Ortega <MiguelAngel.ReinaOrtega@etsi.org>
Cc: jwt-reg-review@ietf.org; PNNS <PNNS@etsi.org>
Subject: Re: [Jwt-reg-review] Request to register claims: "scope" , "at_use_nbr"

Hi Miguel, see inline below

On Wed, May 22, 2019 at 9:49 AM Miguel Angel Reina Ortega <MiguelAngel.ReinaOrtega@etsi.org<mailto:MiguelAngel.ReinaOrtega@etsi.org>> wrote:
Dear Brian,

I have a couple of questions. First, regarding the pointer to the specification. Actually, the specification is going to be approved this week and publicly available soon. I could provide a pointer that will not work for the time being but it will in short time. Would that be fine? Or would it be better to provide a temp pointer that works right now but modify it later?

It's a bit of chicken and egg, isn't it? And I'm honestly not sure how that's supposed to work. But I think that the latter - a pointer to a draft but soonish to be approved spec - would be appropriate for the review request. And the final pointer can be given to IANA for the registration request.


Second question is regarding the “scope” claim, the reason why it was requested is that it does not appear in the JSON Web token registry page. Is that just a mistake or is there a reason why it is not there?

The “scope” claim does not yet appear in the JSON Web token registry page but it should show up there (relatively) soon. The request has been made already https://mailarchive.ietf.org/arch/msg/jwt-reg-review/VXiedtm3lP0IfyEsVKkg92-I6TA


Please, your advice will be very much appreciated.

Best regards.

-----------------------------------------------------------------------------------------------------------------
Miguel Angel Reina Ortega – Testing Expert
Centre for Testing and Interoperability (CTI)
ETSI ● www.etsi.org<http://www.etsi.org/> ● miguelangel.reinaortega@etsi.org<mailto:miguelangel.reinaortega@etsi.org>
Phone: +33 (0)4 92 94 43 49 ● Mobile: +33 (0)6 76 73 60 99

This email may contain confidential information and is intended for
the use of the addressee only. Any unauthorized use may be unlawful.
If you receive this email by mistake, please advise the sender
immediately by using the reply facility in your email software.
Thank you for your co-operation.

From: Miguel Angel Reina Ortega
Sent: 22 May 2019 00:26
To: 'Brian Campbell' <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>>
Cc: 'jwt-reg-review@ietf.org<mailto:jwt-reg-review@ietf.org>' <jwt-reg-review@ietf.org<mailto:jwt-reg-review@ietf.org>>; PNNS <PNNS@etsi.org<mailto:PNNS@etsi.org>>
Subject: RE: [Jwt-reg-review] Request to register claims: "scope" , "at_use_nbr"

Dear Brian,

Thanks for your prompt response.

Indeed, you’re right, a Word document attached in an email is not sufficient. I sent it in that way for your review and confirmation before approving the document at ISG level (a bit chicken and egg problem).

I take note about your feedback on “scope” claim, bring that feedback to the ISG and if required as you said, I will make a new updated request which includes a pointer to the spec.

Best regards.

-----------------------------------------------------------------------------------------------------------------
Miguel Angel Reina Ortega – Testing Expert
Centre for Testing and Interoperability (CTI)
ETSI ● www.etsi.org<http://www.etsi.org/> ● miguelangel.reinaortega@etsi.org<mailto:miguelangel.reinaortega@etsi.org>
Phone: +33 (0)4 92 94 43 49 ● Mobile: +33 (0)6 76 73 60 99

This email may contain confidential information and is intended for
the use of the addressee only. Any unauthorized use may be unlawful.
If you receive this email by mistake, please advise the sender
immediately by using the reply facility in your email software.
Thank you for your co-operation.

From: Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>>
Sent: 21 May 2019 20:50
To: Miguel Angel Reina Ortega <MiguelAngel.ReinaOrtega@etsi.org<mailto:MiguelAngel.ReinaOrtega@etsi.org>>
Cc: jwt-reg-review@ietf.org<mailto:jwt-reg-review@ietf.org>; PNNS <PNNS@etsi.org<mailto:PNNS@etsi.org>>
Subject: Re: [Jwt-reg-review] Request to register claims: "scope" , "at_use_nbr"

Hello Miguel,

RFC 7519 says that values for the JSON Web Token Claims Registry<https://tools.ietf.org/html/rfc7519#section-10.1> are registered on a Specification Required basis. RFC 5226 says that Specification Required<https://tools.ietf.org/html/rfc5226#section-4.1> means that the values and their meanings must be documented in a permanent and readily available public specification. I do not believe a Microsoft Word document as an email attachment is sufficient in that regard. This registration review request will need to be made again with a straightforward pointer to such a permanent and readily available public specification that defines the claim.

Also note that the 'scope' claim is being defined in Section 4.2 of OAuth 2.0 Token Exchange<https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16#section-4.2> with effectively the same meaning.  Registration has already been requested from/by that document so isn't necessary from the ETSI GS NFV-SEC 022 perspective.

Thanks,
Brian Campbell
One of the (so called) Designated Experts for the JWT Claims Registry


On Mon, May 20, 2019 at 11:35 AM Miguel Angel Reina Ortega <MiguelAngel.ReinaOrtega@etsi.org<mailto:MiguelAngel.ReinaOrtega@etsi.org>> wrote:
Dear,
On behalf of ETSI NFV ISG, I would like to submit the following registration requests for the “JSON Web Token” registry:


  *   Claim Name: “scope”

  *   Claim Description: space-separated list of scope of operation values for which the access token is valid.
  *   Change Controller: ETSI (pnns@etsi.org<mailto:pnns@etsi.org>)

  *   Specification Document(s): Clause 5.5<https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims> of the present ETSI GS NFV-SEC 022<https://portal.etsi.org/webapp/WorkProgram/Report_WorkItem.asp?WKI_ID=54060> (attached)


  *   Claim Name: “at_use_nbr”
  *   Claim Description: Number of API requests for which the access token can be used.
  *   Change Controller: ETSI (pnns@etsi.org<mailto:pnns@etsi.org>)

  *   Specification Document(s): Clause 5.5<https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims> of the present ETSI GS NFV-SEC 022<https://portal.etsi.org/webapp/WorkProgram/Report_WorkItem.asp?WKI_ID=54060> (attached)

Best regards.


-----------------------------------------------------------------------------------------------------------------
Miguel Angel Reina Ortega – Testing Expert
Centre for Testing and Interoperability (CTI)
ETSI ● www.etsi.org<http://www.etsi.org/> ● miguelangel.reinaortega@etsi.org<mailto:miguelangel.reinaortega@etsi.org>
Phone: +33 (0)4 92 94 43 49 ● Mobile: +33 (0)6 76 73 60 99

This email may contain confidential information and is intended for
the use of the addressee only. Any unauthorized use may be unlawful.
If you receive this email by mistake, please advise the sender
immediately by using the reply facility in your email software.
Thank you for your co-operation.

_______________________________________________
Jwt-reg-review mailing list
Jwt-reg-review@ietf.org<mailto:Jwt-reg-review@ietf.org>
https://www.ietf.org/mailman/listinfo/jwt-reg-review



CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.