Re: [oauth-ext-review] [IANA #1146174] Expert review for nfv_token (oauth-parameters)

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Wed, 18 December 2019 09:35 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Miguel Angel Reina Ortega <MiguelAngel.ReinaOrtega@etsi.org>
CC: "oauth-ext-review@ietf.org" <oauth-ext-review@ietf.org>, Sabrina Tanamal via RT <iana-prot-param-comment@iana.org>
Date: Wed, 18 Dec 2019 09:34:49 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth-ext-review/G7N6uWJgUttH0k7arcINKIJwsLY>

Hi Miguel

IANA pointed me to a newly released specification. I read through the specification and did not find more information about why you need to define a new OAuth parameter for conveying the nfv token in the access token response. Maybe you can point me to the text. The track changes unfortunately did not reveal any relevant changes either.

From what it appears, you are happy using MTLS for your purpose, which is great, and you define additional claims that go into the token. IMHO you could just convey the token in the RFC 6749-defined style without the need to define this new parameter.

Ciao
Hannes

-----Original Message-----
From: oauth-ext-review <oauth-ext-review-bounces@ietf.org> On Behalf Of Hannes Tschofenig
Sent: Wednesday, September 11, 2019 10:51 AM
To: Miguel Angel Reina Ortega <MiguelAngel.ReinaOrtega@etsi.org>
Cc: oauth-ext-review@ietf.org; Sabrina Tanamal via RT <iana-prot-param-comment@iana.org>
Subject: Re: [oauth-ext-review] [IANA #1146174] Expert review for nfv_token (oauth-parameters)

Hi Miguel

Thanks for the registration and sorry for my slow response.

The registration is fine in terms of provided parameters, although the reference to the OpenID Connect specification confuses me a little bit.

I do, however, have a question regarding the nfv_token parameter. I looked at your spec and, if I understand it correctly, you want to return a proof-of-possession access token in the token response. What I don't understand is why you need a new parameter for carrying the nfv_token. You could just return the PoP token in the access_token parameter. The profiling of the content of the access token, as you are doing in Section 5.5, is OK.

From a quick look at your specification it appears that you have to register many other parameters with IANA as well, for example the client meta-data and the AS discovery meta-data. Am I wrong?

Ciao
Hannes

>
> On behalf of ETSI NFV ISG, I would like to submit the following
> registration request for the “OAuth Parameters” registry:
>
>
> *   Parameter name: nfv_token
> *   Parameter usage location: Access Token Response
> *   Change controller: ETSI (pnns@etsi.org)
>
> *   Specification document(s): clause 5.4
> <https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse>
> of the present ETSI GS NFV-SEC 022
> <https://portal.etsi.org/webapp/WorkProgram/Report_WorkItem.asp?WKI_ID=54060>
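As an added illustration of the point made above (not code from the thread, ETSI or IANA): a proof-of-possession access token that is bound to the client's mTLS certificate can travel in the plain RFC 6749 `access_token` parameter, with the binding carried as a claim inside the token rather than as a new top-level response parameter. The binding claim follows RFC 8705 (`cnf` / `x5t#S256`); the HS256 signing key, certificate bytes and claim values are constructed for the demo, and a real AS would sign asymmetrically.

```python
import base64, hashlib, hmac, json

# Constructed demo inputs (not real key material or certificates).
KEY = b"constructed-demo-signing-key"
CLIENT_CERT_DER = b"constructed-der-bytes-of-the-client-certificate"
OTHER_CERT_DER = b"constructed-der-bytes-of-some-other-certificate"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def cert_thumbprint(cert_der: bytes) -> str:
    # RFC 8705 confirmation value: base64url(SHA-256(DER-encoded certificate)).
    return b64url(hashlib.sha256(cert_der).digest())

def mint_pop_token(claims: dict, cert_der: bytes, key: bytes) -> str:
    # Any profile-specific claims go in the body next to the cnf binding claim.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = dict(claims, cnf={"x5t#S256": cert_thumbprint(cert_der)})
    payload = b64url(json.dumps(body).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def token_response(token: str, lifetime: int = 3600) -> dict:
    # RFC 6749 Section 5.1 response; RFC 8705 keeps token_type "Bearer".
    # The PoP token needs no extra parameter: it *is* the access_token.
    return {"access_token": token, "token_type": "Bearer", "expires_in": lifetime}

def verify_binding(token: str, presented_cert_der: bytes, key: bytes) -> bool:
    # Resource-server side: check the signature, then that the certificate the
    # client authenticated with over mTLS matches the thumbprint in cnf.
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return False
    padded = payload + "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    return claims.get("cnf", {}).get("x5t#S256") == cert_thumbprint(presented_cert_der)

if __name__ == "__main__":
    tok = mint_pop_token({"iss": "https://as.example", "sub": "client-1"}, CLIENT_CERT_DER, KEY)
    print(json.dumps(token_response(tok), indent=2))
    print("bound to presenting client:", verify_binding(tok, CLIENT_CERT_DER, KEY))
    print("replayed with another cert:", verify_binding(tok, OTHER_CERT_DER, KEY))
```

The last two lines show the defensive value of the binding: a token copied out of the response is useless to a party that cannot present the matching client certificate, regardless of which response parameter delivered it.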
