IETF Logo Mail Archive

Re: [oauth-ext-review] [IANA #1146174] Expert review for nfv_token (oauth-parameters)

Miguel Angel Reina Ortega <MiguelAngel.ReinaOrtega@etsi.org> Wed, 18 December 2019 14:46 UTC

Return-Path: <MiguelAngel.ReinaOrtega@etsi.org>
X-Original-To: oauth-ext-review@ietfa.amsl.com
Delivered-To: oauth-ext-review@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C7D91201EA for <oauth-ext-review@ietfa.amsl.com>; Wed, 18 Dec 2019 06:46:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=etsihq.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ATnK0qjnu2Ex for <oauth-ext-review@ietfa.amsl.com>; Wed, 18 Dec 2019 06:46:00 -0800 (PST)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-ve1eur03on071b.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe09::71b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 871B0120112 for <oauth-ext-review@ietf.org>; Wed, 18 Dec 2019 06:45:59 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FAsEuEULArH0n8gty5aRhXXvGt9qC/VSxzZAWxQub0HrGUXTiLL/G3wkgxeog3whcEnmI/59xuHcm0mKRsRCH2BnfO7fjw4aMyA+zvLCeJPfja6RNfYwoVaUN0/pmjnbqlPRkhz8sEoetRlYvsKZlG8NLShlhn+UGPSHTuRiIB+Aum0XJ25f2pcPSc4xqE9Fondv/YQ9VjYF/o2eSEfHPFqA6QZbH1AzIuT3mDh+2Sq0MA9BrtkqPHH3GlRAqUvChMkTqLRCsZq3dUxVDcf56uuPCrdvDN0F5pMDaD1vuugWQx/HxWgeot7BA7t6D+jiQ8tW/hRkBM13OQDmo0JG3g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Mhf5LTuvo/I3yN/haI2xhiFRspo3IGboaOMiPieC77U=; b=e1ti1A4SvUWnTonjvX99PhmXX3tsiJM5fW8JqDvRzp2cPXF/uz8zaOEd7gQqqvo1vGxCIh3fyvCON188f/0TE+gqT3YPi2vF7MmYMIeBA5Z3mSSsoBGl6N3V7LvbpfpNjK4kbd6Z4TV9M6k+XxkgQO0NBgB9sXLvnisxQNgwFeIGmPcwAS4JC/JG1vPPq7jsN4WhxHiGY5Wf7xfIJbkZmyzYhwuVxxnds3wu99m+Hj6bmCG0gKgvLBo7uCcCJIyl2uYHG6iVBAkHeEQt50EXaLBcbmrvzsInGnx09dlPyvGvHrlqYByWqxAeUUBHxoJDTtKezHt1ffojevLvFgXPPQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=etsi.org; dmarc=pass action=none header.from=etsi.org; dkim=pass header.d=etsi.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=etsihq.onmicrosoft.com; s=selector2-etsihq-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Mhf5LTuvo/I3yN/haI2xhiFRspo3IGboaOMiPieC77U=; b=bc7hxay1tHsdaYw0xAdN3o5e3nQhlK33RmosNDqOYJxQ1XXWYw/nhx7pnBKvGMECUzmGb/RptI9oV6g1N4qO7e8xC6sfaRnIm/9Gdj6R85vK+ESDPHfeInRe0Fo5v9YjUnfSP29U5HHnP23uLMp2LGZk+tfx8C99/+Gex5YzE7M=
Received: from AM7PR04MB7174.eurprd04.prod.outlook.com (52.135.57.215) by AM7PR04MB6934.eurprd04.prod.outlook.com (10.141.173.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2559.14; Wed, 18 Dec 2019 14:45:56 +0000
Received: from AM7PR04MB7174.eurprd04.prod.outlook.com ([fe80::68db:68c6:93f6:cd9c]) by AM7PR04MB7174.eurprd04.prod.outlook.com ([fe80::68db:68c6:93f6:cd9c%6]) with mapi id 15.20.2538.019; Wed, 18 Dec 2019 14:45:56 +0000
From: Miguel Angel Reina Ortega <MiguelAngel.ReinaOrtega@etsi.org>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
CC: "oauth-ext-review@ietf.org" <oauth-ext-review@ietf.org>, Sabrina Tanamal via RT <iana-prot-param-comment@iana.org>
Thread-Topic: [IANA #1146174] Expert review for nfv_token (oauth-parameters)
Thread-Index: AQHVZ1NVSgpvQTm2/0+UjXsfRIg7pKcmKySggJoM7TCAAFt8YA==
Date: Wed, 18 Dec 2019 14:45:56 +0000
Message-ID: <AM7PR04MB71746F9B3DC1CCC0EFDBCE108E530@AM7PR04MB7174.eurprd04.prod.outlook.com>
References: <RT-Ticket-1146174@icann.org> <rt-4.4.3-364-1561670178-1230.1146174-9-0@icann.org> <rt-4.4.3-4604-1561670999-1173.1146174-9-0@icann.org> <rt-4.4.3-2233-1568063569-1730.1146174-9-0@icann.org> <VI1PR08MB5360B934076939AFD8E1B397FAB10@VI1PR08MB5360.eurprd08.prod.outlook.com> <AM6PR08MB5285B6783B6E36E723DA9B4FFA530@AM6PR08MB5285.eurprd08.prod.outlook.com>
In-Reply-To: <AM6PR08MB5285B6783B6E36E723DA9B4FFA530@AM6PR08MB5285.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=MiguelAngel.ReinaOrtega@etsi.org;
x-originating-ip: [212.234.161.1]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: ec033efa-248d-4070-642d-08d783c8fd47
x-ms-traffictypediagnostic: AM7PR04MB6934:
x-microsoft-antispam-prvs: <AM7PR04MB69348C0C66D46BD1DB4CF1D88E530@AM7PR04MB6934.eurprd04.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0255DF69B9
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(366004)(136003)(396003)(39850400004)(376002)(13464003)(40434004)(189003)(199004)(51914003)(66476007)(55016002)(4326008)(66446008)(26005)(71200400001)(316002)(76116006)(2906002)(6916009)(66946007)(54906003)(66556008)(64756008)(33656002)(508600001)(86362001)(966005)(81156014)(81166006)(186003)(8676002)(7696005)(15974865002)(52536014)(6506007)(9686003)(8936002)(5660300002)(53546011); DIR:OUT; SFP:1102; SCL:1; SRVR:AM7PR04MB6934; H:AM7PR04MB7174.eurprd04.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: etsi.org does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: UI13yLk6AG4NuO3nLENMKQKz9IdBV1HMPdah2ZiaVMFkOjpsnSgUGPfAzMaIt/qDyOn3uPx2/2b3yMTKQboZvWsB0H0b0Zfy1uEs91Yq/aX3N2fNw5aOrfsyDclUjFa73JWf8B8OFWWfdKIB2Sr3b9AU6KAoLW4KkkOO92H5IucAMOvPony8QIH2qXbXrDmqFU4L8H+lFAcwVOocJ4KdHeWKD4jTqkw5I6FseUbwOQYZisv429uXF1d8jOKijVHY17IyHb7MjheWfwG/gHpGSvBOVi5w2JLI0matkH5YepE4vFXXp3qdtIjpjm+0iswFIPlI2EUPhzIKuqMSKxZaicto9itDtIdB82rVlGpuO/C6b55TCrnaV5SH1mCLg/+uZOzwM5PoxFXafdm4b0HHhwpOE2yWOVSimczbwilhx6z3lKM2B85T7+X6Aj2hQ5SA51nKh0JOg8oEIqB1Xh/DAq6p8Yh1AyJYGUdI3FX55QBLg5/9s+UrKkVc8/qzzcECM2LYaeSgu2JZbbA9kY+NuPbMCEhDdyaEpufOSfXZgoCS8tYos1JImlu8kg+hZTGZAYSKPvj7RqdYHzPaU9CfLQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: etsi.org
X-MS-Exchange-CrossTenant-Network-Message-Id: ec033efa-248d-4070-642d-08d783c8fd47
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Dec 2019 14:45:56.1539 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: e6746ab5-ebdc-4e9d-821b-a71bdaf63d9b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Sj7qOWk80RuWjiOjvg3h+NT6Cc47kqE3Q0zEo8GGwt4wDRlM70x5SDWvgsHxnTGo8B9k36QUile5X/ACzWAVjxa3CMUuYPbJgmt2uwr4Bcmf3MrS2hL1l/d+vTjdnGYF
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR04MB6934
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth-ext-review/FlcuR7oqMgio9Tn3_7N3UZr5pLc>
Subject: Re: [oauth-ext-review] [IANA #1146174] Expert review for nfv_token (oauth-parameters)
X-BeenThere: oauth-ext-review@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Review of proposed IANA registrations for OAuth." <oauth-ext-review.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth-ext-review>, <mailto:oauth-ext-review-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth-ext-review/>
List-Post: <mailto:oauth-ext-review@ietf.org>
List-Help: <mailto:oauth-ext-review-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth-ext-review>, <mailto:oauth-ext-review-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Dec 2019 14:46:03 -0000

Hi Hannes, 

Please, find inline some more information about it. Please, note that there's also an answer for your original question which  I think was not answered. 

Please, do not hesitate to come back if you have still some questions.

Best regards.

-----------------------------------------------------------------------------------------------------------------
Miguel Angel Reina Ortega – Testing Expert
Centre for Testing and Interoperability (CTI)
ETSI ● www.etsi.orgmiguelangel.reinaortega@etsi.org
Phone: +33 (0)4 92 94 43 49 ● Mobile: +33 (0)6 76 73 60 99

This email may contain confidential information and is intended for 
the use of the addressee only. Any unauthorized use may be unlawful. 
If you receive this email by mistake, please advise the sender
immediately by using the reply facility in your email software. 
Thank you for your co-operation.

-----Original Message-----
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com> 
Sent: 18 December 2019 10:35
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; Miguel Angel Reina Ortega <MiguelAngel.ReinaOrtega@etsi.org>
Cc: oauth-ext-review@ietf.org; Sabrina Tanamal via RT <iana-prot-param-comment@iana.org>
Subject: RE: [IANA #1146174] Expert review for nfv_token (oauth-parameters)

Hi Miguel

IANA pointed me to a newly released specification. I read through the specification and did not find more information about why you need to define a new OAuth parameter for conveying the nfv token in the access token response. Maybe you can point me to the text. The track changes unfortunately did not reveal any relevant changes either.

From what it appears you are happy using MTLS for your purpose, which is great, and you define additional claims that go into the token. IMHO you could just convey the token in the RFC 6749-defined style with the need to define this new parameter.
[NFV] As we define in the document an access token with specific claims, we defined also the nfv_token parameter for the access token request response to clearly notify that the token sent is of type nfv_token as defined in this specification. In the same way open Id has defined an Id_Token for the token they have defined.
Ciao
Hannes

-----Original Message-----
From: oauth-ext-review <oauth-ext-review-bounces@ietf.org> On Behalf Of Hannes Tschofenig
Sent: Wednesday, September 11, 2019 10:51 AM
To: Miguel Angel Reina Ortega <MiguelAngel.ReinaOrtega@etsi.org>
Cc: oauth-ext-review@ietf.org; Sabrina Tanamal via RT <iana-prot-param-comment@iana.org>
Subject: Re: [oauth-ext-review] [IANA #1146174] Expert review for nfv_token (oauth-parameters)

Hi Miguel

Thanks for the registration and sorry for my slow response.

The registration is fine in terms of provided parameters although the reference to the OpenID Connection specification confuses me a little bit.

I do, however, have a question regarding the nfv_token parameter. I looked at your spec and, if I understand it correctly, you want to return a proof-of-possession access token in the token response. What I don't understand is why you need a new parameter for carrying the nfv_token. You could just return the PoP token in the access_token parameter. The profiling of the content of the access token, as you are doing in Section 5.5, is OK.

From a quick look at your specification it appears that you have to register many other parameters with IANA as well, for example the client meta-data and the AS discovery meta-data. Am I wrong?
[NFV] Yes this registry request of these parameters appears in the annex C.4 (Client Registration Metadata registry) and C.5 (OAuth Authorization Server Metadata registry). There is also a new claim for the JSON in C.2 and a registry also for the "Well-Known URIs" Registry

Ciao
Hannes

>
> On behalf of ETSI NFV ISG, I would like to submit the following 
> registration request for the “OAuth Parameters” registry:
>
>
> *   Parameter name: nfv_token
> *   Parameter usage location: Access Token Response
> *   Change controller: ETSI (pnns@etsi.org)
>
> *   Specification document(s): clause 5.4
> <https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse>
> of the present ETSI GS NFV-SEC
> 022<https://portal.etsi.org/webapp/WorkProgram/Report_WorkItem.asp?WKI
> _ID=54060>

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________
oauth-ext-review mailing list
oauth-ext-review@ietf.org
https://www.ietf.org/mailman/listinfo/oauth-ext-review
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email