Re: [Last-Call] [OAUTH-WG] [Gen-art] Genart last call review of draft-ietf-oauth-rar-15
Justin Richer <jricher@mit.edu> Fri, 02 December 2022 14:31 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60D69C09F96F; Fri, 2 Dec 2022 06:31:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.395
X-Spam-Level:
X-Spam-Status: No, score=-4.395 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OWnVXV4WmTqg; Fri, 2 Dec 2022 06:31:30 -0800 (PST)
Received: from outgoing-exchange-1.mit.edu (outgoing-exchange-1.mit.edu [18.9.28.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE783C14F6E5; Fri, 2 Dec 2022 06:31:29 -0800 (PST)
Received: from w92exedge3.exchange.mit.edu (W92EXEDGE3.EXCHANGE.MIT.EDU [18.7.73.15]) by outgoing-exchange-1.mit.edu (8.14.7/8.12.4) with ESMTP id 2B2EVGpV007474; Fri, 2 Dec 2022 09:31:25 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1669991488; bh=SCoRM15MymBaKj2oolzypOp2GigdTD7a88+Zvep0GaE=; h=From:To:CC:Subject:Date:References:In-Reply-To; b=nDjyajqMSlufLau8Aem8l0mNCyyV/dH+hu0I+TL1PHiJN23ahSNXlmHBnioWXNPOJ 82D0XKPpK7i3tBeMxRpQx2m/FXCAjkZ3zOwtVfSgmMnHzlo2o9Kq6LKSGlvi1v45XN sG4eiAnpa5Sn4mTs/IhUWoeVRy6+AVnpY0vilWddAXBFX4hcqmlYKBB2o6sS2eSPpa jutfVNtJxeJE9v8kJa14qKgqXwS4H8fsoj133RSCNlWzF2SA45y3c0cfWmnrRiFZ97 BWXdFUdUUgfGlNkRjJJ62/4JfFlKFFMcSjo1GxJ2PE13B1rrcOic6z/rB5XjYhBKJ1 Yp23/dg6+dPsg==
Received: from oc11expo26.exchange.mit.edu (18.9.4.97) by w92exedge3.exchange.mit.edu (18.7.73.15) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Fri, 2 Dec 2022 09:30:32 -0500
Received: from oc11exhyb3.exchange.mit.edu (18.9.1.99) by oc11expo26.exchange.mit.edu (18.9.4.97) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Fri, 2 Dec 2022 09:30:57 -0500
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (104.47.66.44) by oc11exhyb3.exchange.mit.edu (18.9.1.99) with Microsoft SMTP Server (TLS) id 15.0.1497.42 via Frontend Transport; Fri, 2 Dec 2022 09:30:56 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hwRs/FEs6RsLnVZWjVZUEx94unLH+tU1454RyYZ+AmJ7oINgpnetVzZQKfi+zfxHjfZdT8nRCCEBibmuJZ1PZe/krwiYqqdn42gD7ZUt097enXGjrAL83/gG3d7u+hn+zucXKc8Rcgr+22qBvE0L3InteBN/EmKu6AVbZ5VGf5In8SYLSe7R9jb04MwvcxHSZ4JV202E8Fkj2fi31LwNCun2iE84vimtO0pXLVGWUge+aTbSQX5ALcGlaI4F7AjOLy2zKtiNKo2o2+vfgEWjoNsfDoEaCaXbkr+1ALNQ/VeXYkEyrhDcjJuB2kSPq6w0O0UpSEeH6Bp1PsrLMuEATw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=SCoRM15MymBaKj2oolzypOp2GigdTD7a88+Zvep0GaE=; b=hwe0osL58MEdXdvQ9gWlWuUsWEfxjI9gk3qobVy0II/QUhvD1sGg7HAS1CapSXNGg9pWmCfy0nuCXYn8hpfWgv/HUx7fZdR1J/o6QN8Q8BzWY5ysDvnbADzGV8SW9NvJVNDhT1YzPVZANI74iBlvtxlxxMjmBHFNC3HDRtpJjZJgE2Y0iAIkjiwQHUQDgtb4I/cQW5uZfj+tYLUfjx1xtix50IaA3srdQIkmIfC5NBW3Ovkqk+MPfYVwePMJePqBOT3AJhWFRXMdp/7pJlhy83hB/TrnJwAx4yyujD46+zXfBb4sqMvk0kOrK0jo+Y9IiKZl2O6lo4yMdupl/97bYQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mit.edu; dmarc=pass action=none header.from=mit.edu; dkim=pass header.d=mit.edu; arc=none
Received: from DM6PR01MB4444.prod.exchangelabs.com (2603:10b6:5:78::15) by BL0PR0102MB3361.prod.exchangelabs.com (2603:10b6:207:32::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5857.22; Fri, 2 Dec 2022 14:30:54 +0000
Received: from DM6PR01MB4444.prod.exchangelabs.com ([fe80::5639:ceea:e5a7:c8dc]) by DM6PR01MB4444.prod.exchangelabs.com ([fe80::5639:ceea:e5a7:c8dc%7]) with mapi id 15.20.5857.023; Fri, 2 Dec 2022 14:30:54 +0000
From: Justin Richer <jricher@mit.edu>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
CC: Robert Sparks <rjsparks@nostrum.com>, "gen-art@ietf.org" <gen-art@ietf.org>, "draft-ietf-oauth-rar.all@ietf.org" <draft-ietf-oauth-rar.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] [Gen-art] [Last-Call] Genart last call review of draft-ietf-oauth-rar-15
Thread-Index: AQHY+tZewbIYx9Pe4USbanSCOzLej65YAgsAgAApqoCAAAxfAIAAAzQAgAFaroCAASm7AA==
Date: Fri, 02 Dec 2022 14:30:54 +0000
Message-ID: <3DBB9307-4FAC-4E3D-A5B1-9102B81528D5@mit.edu>
References: <166872457082.62668.15876743882764157331@ietfa.amsl.com> <ee3757aa-2ac1-4f5b-b77f-1831ac5781bd@nostrum.com> <193798dd-5a78-a2eb-cdc9-0a90764e2b7b@nostrum.com> <CA+k3eCTX66JJti8sVmKOC=oM242T72+U4bk1D4fTqphRy74qSg@mail.gmail.com> <fba1f40b-ad75-6008-bd0c-195d719dfde1@nostrum.com> <CA+k3eCSzk6Nx4j6GMiFjjSRWy2cKVwmj4UP1miNmkhDcc4cRQQ@mail.gmail.com> <3a74cefe-e941-6f51-e232-c77e1b7b83c0@nostrum.com> <CA+k3eCRTkZGSOWw7rWL2KVHU=8HPd8Vyu+6J3mDbETsxqLpHLw@mail.gmail.com>
In-Reply-To: <CA+k3eCRTkZGSOWw7rWL2KVHU=8HPd8Vyu+6J3mDbETsxqLpHLw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mit.edu;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DM6PR01MB4444:EE_|BL0PR0102MB3361:EE_
x-ms-office365-filtering-correlation-id: 24499968-bc5d-4e46-1d26-08dad471d1eb
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ctCVK5xN8tVMTaevF8g6JpdKW/RJgx9o18WhGpZK6SICO2WZ5lPNmgYrJ/uY2/DsUSWdLFwezCtWesqtrpjkaZldS6v0+f88G+HWAs861z6hwdRyamgiaTiYWm3WUkgmiZnLkRXWBFSymc53A1a/q33v28Lkv+3n2fcOaXLIiN3sP7lQbebMRSfS1XnxM7CMWxru46JHNWXGJmkx8DmuQ8iyHOjT+c0k9K9cKQ+UPgpQY+XywtAgE7KZdSsCV0c1NTUa/7tvMvyxdzzr/qpZXLheZWMzTk8+ZNZPnobs5g8cgUZddaEcvkdawZ/mUnHQndGIa3SHD0gDrp3ASWCfUOXCTy1o3TdiNWk42TVMfZW7jM3d3tOGC7iS2yVUM5qhocbJ07gQxD+I4DbNzKCSoiYCbIHjZAuBEZAZlhZJ6+L669Wq3ARxH3zQbb2e4OWdaOT32akyWWtaBKRNvbozBiCYfJc1zZ4qsG28ZQYWoI+x45SijUtAVZmGsE8oBKIYxUuyPZxF2UBbqtGrECJzUMKHSym8qSZKO4bCq0zotJQ73LAFjvO1liFI9psB8AKRoXmMHSoGmrDrmyh3QxzO42/zC4Q4O1j9pZ5t0rsECf575dJMxii06Smsbc08aNx2w7iH6jcNchWcfpVoj5Yj5oCLhZoDyI7G3kh64TUfmrjPFkUy5WXXBGowivmnhssr8+WWQ8D3SPQ1slxoW21FhPO3cdMETUlL6446cGirJCriWCCWApGCANr8WJJCMwLE9p3BsMtQIkl0DKo2ISTjng==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR01MB4444.prod.exchangelabs.com; PTR:; CAT:NONE; SFS:(13230022)(4636009)(396003)(39860400002)(366004)(346002)(136003)(376002)(451199015)(122000001)(83380400001)(75432002)(76116006)(86362001)(316002)(786003)(38070700005)(38100700002)(64756008)(66446008)(66476007)(166002)(66556008)(66946007)(91956017)(4326008)(8676002)(41300700001)(54906003)(2906002)(5660300002)(8936002)(53546011)(6512007)(6506007)(2616005)(186003)(6486002)(966005)(71200400001)(26005)(478600001)(36756003)(33656002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: lh1ip/HYGx1+0Pj8MlEslOA4nJv3iO1uLoc2Bg000r9B3hUIAJ9AnlgtcHwFMx44Mk3g7CMN1qID8t3FhqXSYKUm52SFdoKL5pYzbNlNh0DShhWhvV+Fmyju339uFRoxr5f3DXD09CMjQN5tmwlgkh/xb+6/oR2B0ByZHdZFylWasly5RXD4OfMocZfBPCqMSKpxFhF0h5+N13UWm0J0VzXnd4ZltkVtHvLXKRT+jjPIqGdV14WZ8D6F+RCllbnP0Ac4S/HfPDbdjAV8dEzzJXDB5C2aux6NbZbV7A7qmgT+ACDshNz/zcY6u0817H/U6gWSanExZKQI2su9/kuvbDpUer3ao69KCAAnreRCVwBeA7gNLPFTeRkCeqZBtJ6ayLHvm2hL4UXeJLAPlSUU+ZRjGSoRkcyODgIlDbjTjHrelIcTRHW8ZNaCEcQa5o49lBG5A8AksVlZEdA2olWr05/b+t56nlM951f16RenTYEZVo5dj0HOPpf52JqhTnsiATMEP0txN7CPSV4JYG+uu64GIHU1BCoNgoRErj9wwIXXQnFBiJZl3xtfqQ6i/8vrNUcHxu+laEcolo6QKSdEYqgo1CN9KzmA1xi1YwET90EoeNuIITC0FO/u0toYo740aEg922zQMmZYXoDDdvua4UDU5a6HGILL7jIWddObHiuXs4n0HdfRuyTdKTwCJmmEC4nATphtsI0FumCOpUm/JRoLrgIpl1GGIVPFqA32tzysDAkpjaQlnDxpBXj1kqae38X5EJPOmvpE4Cn2EZQlEI+9y/nz4k/UsWp0G+XVOw4FilUTrZzO8rxBisWRMEzBd6zXpqMdJbLI+dtuDASCDvCVni3lkP8Mt30gRXOxJj3P6D6mEFJyTF/qu0iw6taCYrDLSyzcWb0K2lJPDFETbT5LBJzZ1EdXSLYfG50HUWJOm+D0Xsry001nfR3fOP44sSr6wxosr6t1sHMG+LfZG7QrYrEx0nxxJ7Tj5Y6bkfQjCkbISVfLbESri9flRcgjiTyT6jj19eUoEBWd9sNeQM9dxtxFivXFXkgW24N4pbw3kYgLAOnBOHu+CoETnRGsyKVuagVQbuysdYfHARehx4+Db4mkqX8h4xfxIF6P+JQEd5fBA2v1kzeXYMl7RW3MuGJZqpS2himov42l7PxPp7lZLps0wMCoxfzbbBnxA/FOv3GgEDPJ0X6/IvPq2PDa2CmyxJR3uBBOoAkh4sp8Y9Qp+prEt6j3MhJHrtfQAcrlUv3th1GrXvlHL3angJ8/Tr461iF7fbXLm2ijm8r6aN9XAAzyAozkNq6djJjzggnv5NyUO9tA/eAgQqk7wMUNzPbgX+EMIuP+obJ/tm1d2tO+qaZarQh4U2IiB6neIwAx2iumdWp2aicoulQJguYzpzraED+dVhe3UDl08xvqGqXWEY0hxW9QqCm0zZmgWhDn1MihBp6ndqFW/YWnjkUm4+nTWWE2gLO5eZ2xNTJIuSC7Auy0PTHBjJAlBi1DSV+evJoMiCe2VmhKUKAw7VM6yYp7VNy3abCoClDMOjaXLzztPqgz20yz/zv9sQi5HyMw5PMad1gyJtrzOOxGyb85
Content-Type: multipart/alternative; boundary="_000_3DBB93074FAC4E3DA5B19102B81528D5mitedu_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR01MB4444.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 24499968-bc5d-4e46-1d26-08dad471d1eb
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Dec 2022 14:30:54.4429 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: jubaeMqLTdZEeGOHBcgB9sG0XLeyWCI3JOu2yb9Xnlsl3QhmEgKhJS5ua2MMZxSR
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR0102MB3361
X-OriginatorOrg: mit.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/yoWWYs4DhtxBrYktghN9ALcw_9M>
Subject: Re: [Last-Call] [OAUTH-WG] [Gen-art] Genart last call review of draft-ietf-oauth-rar-15
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Dec 2022 14:31:34 -0000
FWIW, this is in line with what I understood the previous sentences to mean as well — so I’m happy for this being a simpler and more precise language. What we were really trying to avoid is things like, for example, someone putting a URI in as their “type” value and doing URI-level equivalence between two different type values. In other words, “http://example.com”, “http://example.com:80/“, and “http://example.com/“ would all be different “type” values according to RAR because the strings are different. — Justin On Dec 1, 2022, at 3:45 PM, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org<mailto:bcampbell=40pingidentity.com@dmarc.ietf.org>> wrote: On Wed, Nov 30, 2022 at 5:04 PM Robert Sparks <rjsparks@nostrum.com<mailto:rjsparks@nostrum.com>> wrote: On 11/30/22 5:53 PM, Brian Campbell wrote: On Wed, Nov 30, 2022 at 4:08 PM Robert Sparks <rjsparks@nostrum.com<mailto:rjsparks@nostrum.com>> wrote: On 11/30/22 2:39 PM, Brian Campbell wrote: <snip> On Thu, Nov 17, 2022 at 3:45 PM Robert Sparks <rjsparks@nostrum.com<mailto:rjsparks@nostrum.com>> wrote: <snip> I have two major issues that I think need discussion: Major Issue 1) The document seems to be specifying a new way of comparing json names, claiming it is what RFC8259 requires, but I disagree that RFC8259 says what this document is claiming. If I'm correct, the document is trying to rely on the text in section 7 of RFC8259 to support the idea that implementation MUST NOT alter the json names (such as applying Unicode normalization) before comparison and that the comparison MUST be performed octet-by-octet. Rather, section 7 says something more like "you better escape and unescape stuff correctly if you’re going to do unicode codepoint by codepoint comparison" which is a completely different statement. If I'm right, and this is a new comparison rule that goes beyond what JSON itself defines, I think the group should seek extra guidance from Unicode experts. If I'm wrong and this behavior is defined somewhere else, please provide a better pointer to the definition. In many environments, its unusual for an implementation relying on a stack below it to have any say at all on whether normalization is going to be applied to the unicode before the application gets to look. Rather than trying to work around the problem you've identified with normalization by specifying the comparison algorithm, consider just making stronger statements about the strings used in the json names the document defines. Why _can't_ you restrict the authorization_details values to ascii? If it's because you want to present the string to a user, consider putting a presentation string elsewhere in the json that is not used for comparison. To the best of my understanding, it's not trying to specify a new or different way of comparing JSON names or values. I think it's only trying to say that the application must not do any *additional* normalization of the string values that it gets from the JSON stack or any other extra processing for the sake of comparison. I think anyway. Honestly, I didn't really (and still don't) understand the concerns that some of the WG had that led to the text in question. So I didn't pay close attention to it while thinking to myself there can't be harm in saying to do a byte-by-byte comparison with no additional processing. But here we are... Does that halfhearted explanation alleviate your concerns at all? Or, with that explanation in mind, are there specific changes to the text (in sec 12<https://www.ietf.org/archive/id/draft-ietf-oauth-rar-15.html#section-12> and sec 2<https://www.ietf.org/archive/id/draft-ietf-oauth-rar-15.html#section-2>, I think) that would alleviate your concerns? Or do we need to consider just deleting those parts? I did track down this issue about it https://github.com/oauthstuff/draft-oauth-rar/issues/28 for maybe added context. Thanks for that pointer. If that's the extent, then I really think the group should walk this back just a little and answer why restricting these names to (a subset of) ascii is an unacceptable thing to do. The conversation there reinforces my guess that these aren't meant for display to users, so why take on the additional complexity? Make it easy for implementors to get it right with much less effort. Yes, that guess is correct that type value is not meant for display to users (the issue is about type value). I can't confidently say the same about names and values that any particular type will define. I don't think it matters though. It's not that restricting is unacceptable but that it's not necessary. Just using the values that come from the JSON layer is enough. And I'd contend there's not really additional complexity. It just appears like additional complexity because of the unnecessary and maybe less than idea wording in the draft. Wording that I'd be more than happy to try and fix up or just remove. If you can change it to "compare these the same way you would compare anything else out of json" and the group is fine with it, then great. Okay, I've changed it attempting to say that with https://github.com/oauthstuff/draft-oauth-rar/pull/94/commits/98e1b73ff3cad699191606eaf9278e6653fe7493 The WG is on this thread so I expect/hope that anyone that isn't fine with it will chime in. <snip> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [Last-Call] Genart last call review of draft-ietf… Robert Sparks via Datatracker
- Re: [Last-Call] Genart last call review of draft-… Robert Sparks
- Re: [Last-Call] [Gen-art] Genart last call review… Robert Sparks
- Re: [Last-Call] [Gen-art] Genart last call review… Brian Campbell
- Re: [Last-Call] [Gen-art] Genart last call review… Robert Sparks
- Re: [Last-Call] [Gen-art] Genart last call review… Brian Campbell
- Re: [Last-Call] [Gen-art] Genart last call review… Robert Sparks
- Re: [Last-Call] [Gen-art] Genart last call review… Brian Campbell
- Re: [Last-Call] [OAUTH-WG] [Gen-art] Genart last … Justin Richer
- Re: [Last-Call] [OAUTH-WG] [Gen-art] Genart last … Brian Campbell
- Re: [Last-Call] [Gen-art] Genart last call review… Lars Eggert