Re: [oauth-ext-review] [Ace] Requested review for IANA registration in draft-ietf-ace-oauth-params

Brian Campbell <> Mon, 13 January 2020 18:01 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 758101208C5 for <>; Mon, 13 Jan 2020 10:01:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HXmWxOl8j__L for <>; Mon, 13 Jan 2020 10:01:39 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B4AC312089F for <>; Mon, 13 Jan 2020 10:01:38 -0800 (PST)
Received: by with SMTP id w1so11159086ljh.5 for <>; Mon, 13 Jan 2020 10:01:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mA5UK0jVOT30/B0E//GIzMGFTLOicC7w8fvBHLl0VUo=; b=PQnsTDBYHaabHEZvFMDm1eFq2nj6iKxhXosuiOwubKSnXly3FjT9J1ERO7E3gHSQ2J 8qhcTv9wwJ+78Czsqa7LXHF5eqGnXxwIWgq4qPjTKB7hKaNksak7fRdzFwrMCer2Bl9W /Go8evpROjbMvkKOw3mvzsa3c5+fhGNWFA1IvFizH7/XBIAwLrZ0f2hoondhffaRtmjX J/3ncMsUf0sFfQ94e5wYjScLTjXvMHMuXJWNfPTI/B6IX6Mo97RhK5xe6Ul+GpxFScyj YRNMMB8eKQM4ay7v4xXAHJbdos1ElyFL4yALjZQSosgNKrbgiKmXm9uvreRFfoVJI+NS IZ0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mA5UK0jVOT30/B0E//GIzMGFTLOicC7w8fvBHLl0VUo=; b=B+RD9yprWhegSQV7OWQwa4sFUzIifQuyq54J8FB6t+93cuYhmvhFrw/JlCJSvoW55F HY8a/udBkwjF+JABbd7lKBhRi21BMMy1rTI0CyKsoGTTCEwAOGsaE+e0Ramay/ueQQd+ TLLEKRKbXsdR2mbxsPdsQ0d6gNLyOXVPULbuWHzYftpYKlH8rKrC6DyXU8Fr7IJ3JiRN n6LJ/7QxvYyL9AL1zT3KjL6hpvEZCdvV+nXXwxibF7q3oOSBGrGxUXH1qzh72BDdCmaf wCx39ra32S0fBorJEMdF7gfjoD8WP+Se/EiWgb/5g2hIkJ/W0pfVus/93fpL+bp8iF/4 eyJw==
X-Gm-Message-State: APjAAAU6kb9OTGxuhKeYH5t6wYDr8q6FsqjuDHYoCLgDgAyIKeQd94CP fhFLd/XPpLPXgOG1cyvn/5qcEYXtFMk3dy86gIZ1EXlgnUaxvdKWL9GNmh3LdEbOD4A5XDc0X9C /9veoeLlSwBHJ7Dx1IMZ2oeUUPPzH
X-Google-Smtp-Source: APXvYqy2La082688Tw09+b6LYeoTYoXNbPZO1yva+lJPNlicq1XW5+nqVjY6tl7NobV1b8jbt4pnuQYGqpa7xb3KMFE=
X-Received: by 2002:a05:651c:2c7:: with SMTP id f7mr11037482ljo.125.1578938496704; Mon, 13 Jan 2020 10:01:36 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <> <>
In-Reply-To: <>
From: Brian Campbell <>
Date: Mon, 13 Jan 2020 11:01:10 -0700
Message-ID: <>
To: Seitz Ludwig <>
Cc: Ludwig Seitz <>, Roman Danyliw <>, "" <>, Daniel Migault <>, Jim Schaad <>, Benjamin Kaduk <>, "" <>, "" <>
Content-Type: multipart/alternative; boundary="00000000000037f8ea059c094483"
Archived-At: <>
Subject: Re: [oauth-ext-review] [Ace] Requested review for IANA registration in draft-ietf-ace-oauth-params
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Review of proposed IANA registrations for OAuth." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Jan 2020 18:01:41 -0000

Thanks Ludwig,

On Sat, Jan 11, 2020 at 8:20 AM Seitz Ludwig <>

> [snip]
> *From:* Ace <> *On Behalf Of *Brian Campbell
> [snip]
> So in -09 the "cnf" Introspection Response Parameter was the following the
> syntax of the "cnf" claim from PoP Key Semantics for CWTs
> [ID.ietf-ace-cwt-proof-of-possession] and in -10 it's following the syntax
> of PoP Key Semantics for JWTs [RFC7800] transitively via
> [I-D.ietf-oauth-mtls] reference. I think I understand that the two PoP key
> semantics documents are conceptually the same or similar. But I don't know
> that the syntax is the same? Figure 5
> <> is
> pointed to for mapping between CBOR and JSON but it only has mappings for
> the main top level parameters. Maybe I just don't get it or am missing
> something...
> [LS] No you are not missing something, I just got sloppy trying to do a
> quickfix.
> Background: The reason for defining both JSON and CBOR-based interactions
> is that you might have a powerful client communicating with a constrained
> RS. The client does vanilla OAuth interactions with the AS via the token
> endpoint, but is served a CWT and associated ACE parameters (cnf,
> ace-profile, …) for interaction with the RS.
> The pop-key should decode to the same binary representation regardless of
> whether it came in a JSON or CBOR wrapper.

Okay, so noting that there is cnf content that doesn't decode to a key, I
suppose I'll just take it on faith that all the relevant or expected usages
involve a key that can be represented in both CBOR and JSON.


_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._