IETF Logo Mail Archive

Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)

William Denniss <wdenniss@google.com> Mon, 16 November 2015 21:32 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0151E1B31DC for <oauth@ietfa.amsl.com>; Mon, 16 Nov 2015 13:32:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.963
X-Spam-Level:
X-Spam-Status: No, score=-1.963 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MnIlPyBIUOTK for <oauth@ietfa.amsl.com>; Mon, 16 Nov 2015 13:32:16 -0800 (PST)
Received: from mail-qg0-x231.google.com (mail-qg0-x231.google.com [IPv6:2607:f8b0:400d:c04::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79E6F1B31DF for <oauth@ietf.org>; Mon, 16 Nov 2015 13:32:16 -0800 (PST)
Received: by qgeb1 with SMTP id b1so59885929qge.1 for <oauth@ietf.org>; Mon, 16 Nov 2015 13:32:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=E8eYsjbIjwoeNMQUa5EJTt1SL1k1YMkaYX3FcoAps78=; b=YB8F7Oq53wu2tV5xPLOqEMmClrffHE0efz/8prrUzG6zdv4Y2lNMZYHTAMW9sl/bgN celuAmYUcdzOpYyPJnoV8IvhgKj4i0647yx3d6VfaYTJ123xhSix1mXxKX2Pg9tuF0Bz ZKYXqwDBJrON6NR9y3JvS3IKX804pXkNKxbYZ/8PaCJ/f6qjpAbunv1yBd0h/Ya6Y+8U 7BFbG6yn6ZPS5kbgRUIBYtyMGMT67cra6quT59kSPjH0YzmllmNFAjcnxPHEU8XU5Bsg PSXRMhyJBrqlffbOzGtp6ANk1mlmiMpHdK4vhij1xBxeNMCVTdpd72Z8dH3Dko4lJMy7 rihA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=E8eYsjbIjwoeNMQUa5EJTt1SL1k1YMkaYX3FcoAps78=; b=CmeLFW9Kc5BMb8NFDpXB54WZKTixR+JFkhZOJai6I8/JmILVvmz/L3TSQBE7Wh0NYL VHVmNskF7M2vatxq3bYT5a9bOmnhrmEXzptG+CIaNxQfHatBPY5hyXgQSAhdcR2pP34B GVBZuWPIYrBaxgjtHYbuzcFXLqgtNJ2v6SIt6723bYjFUXYBdO+cdHx5Ya1w0OskLna6 wYbMCh30OKq4PM2eYpby+mGiSnebEBpArKkCQehjiAklZMUfyaM2HYg9lVxOogoUz0sy l+s8i5c5lgwF6qVsid5VhG0754oTe0u2/q1NyitndNUmCCHChrXMLOQSPVrHIK7vIbKo ebmQ==
X-Gm-Message-State: ALoCoQlcQtxNH/zXMVabpkJcO273c0+YNM0mTFoxtsoz1+UoNvqFextij1s4crXFyVnhGOdJ8g+K
X-Received: by 10.140.177.199 with SMTP id x190mr39753650qhx.91.1447709535422; Mon, 16 Nov 2015 13:32:15 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.29.68 with HTTP; Mon, 16 Nov 2015 13:31:55 -0800 (PST)
In-Reply-To: <HE1PR08MB07324FD345F82CF6EC3AEAE3FA1E0@HE1PR08MB0732.eurprd08.prod.outlook.com>
References: <53BB1987-979C-4945-9C7D-CDB6619AEFFC@nexusgroup.com> <5644EC40.4010002@tzi.org> <73929C18-A3E7-4ACA-A6DC-5A7AD7576C9B@nexusgroup.com> <CAAP42hAWfBRKw-3OM1dPkgK40Af4KVBaVdhzdAGhon=VFV6LSA@mail.gmail.com> <HE1PR08MB07324FD345F82CF6EC3AEAE3FA1E0@HE1PR08MB0732.eurprd08.prod.outlook.com>
From: William Denniss <wdenniss@google.com>
Date: Mon, 16 Nov 2015 13:31:55 -0800
Message-ID: <CAAP42hD2xsOGT5_iFQ2QZD5Om8Xkj0Z3vAFTk5ZhimM+Nf9X0Q@mail.gmail.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Content-Type: multipart/alternative; boundary="001a113a74ba991c400524af24b8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/54p_Wm_tsqkIrB8yfWSKc9oTuak>
Cc: Carsten Bormann <cabo@tzi.org>, "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2015 21:32:20 -0000

You raise some good points, and perhaps that is relevant to future claims.
The spec as drafted, is a one-for-one copy of the standard JWT claims,
which is why I raised this point.

Is the goal a CBOR representation of a JWT? If so, can it be defined in
terms of a JWT?  Would the CNF claim then inherit that representation
(treating the JWE and JWK as their CBOR equivalents)?

Perhaps if you go the separate registry route, those claims that *are*
defined the same should at least normatively reference JWT?  I want to
avoid the whole "on behalf of" / "act as" fiasco where things can get
re-defined, and muddled.

On Mon, Nov 16, 2015 at 7:09 AM, Hannes Tschofenig <
Hannes.Tschofenig@arm.com> wrote:

> Hi William,
>
>
>
> I have been trying to do a document update to see how well a combined
> registry works and I have been wondering whether it is really worth the
> effort.
>
> To make a good judgment I looked at the CNF claim defined in
> draft-ietf-oauth-proof-of-possession. The CNF claim may contain
> sub-elements, such as a JWE or a JWK.
>
>
>
> If we translate the same mechanisms to the CWT (which makes sense) then we
> need to point to the respective COSE structures instead. Those do not only
> use a different encoding but also the functionality does not match the JOSE
> structures 100%. So, there are potentially differences. I am also not sure
> whether we really want to translate the full functionality of all the
> claims from JWT over to the CWT equivalent. It basically puts the burden on
> someone defining new claims (either in JWT or in CWT) to create the
> corresponding structures in a format they may not necessarily be familiar
> with or even care about. I have seen that happening in the RADIUS world
> protocol designers had to also define the equivalent structures for use
> with Diameter and, guess what, most of the definitions were wrong (since
> the authors did not care about Diameter when working on RADIUS).
>
>
>
> Ciao
> Hannes
>
>
>
>
>
> *From:* William Denniss [mailto:wdenniss@google.com]
> *Sent:* 12 November 2015 19:19
> *To:* Erik Wahlström neXus
> *Cc:* Carsten Bormann; Hannes Tschofenig; Mike Jones; cose@ietf.org; <
> oauth@ietf.org>; ace@ietf.org
> *Subject:* Re: [COSE] A draft on CBOR Web Tokens (CWT)
>
>
>
> Regarding the draft itself, a few comments:
>
>
>
> 1.
>
> Can we unify the claim registry with JWT? I'm worried about having the
> same claims defined twice in CWT and JWT with possibly conflicting meanings
> (and needless confusion even when they do match).
>
>
>
> Comparing
> https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-3.1.2
> and https://tools.ietf.org/html/rfc7519#section-4.1.2 which are nearly
> identical, I just don't see the value in re-defining it.
>
>
>
> We may add new standard claims to JWT in the future (I proposed one
> <https://mailarchive.ietf.org/arch/search/?email_list=id-event&gbt=1&index=7qNUnaE9lt2LyayMnmNyWpZSIEM> in
> Yokohama on the id-event list
> <https://www.ietf.org/mailman/listinfo/id-event>), it would be good if
> this didn't need a separate entry in CWT too, but could just apply directly
> (separately, I think you should consider this claim, as it helps prevent
> tokens from being re-used in the wrong context).
>
>
>
> 2.
>
> Is Section 4 "Summary of CBOR major types used by defined claims"
> normative (
> https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-4)?
> What is the intention of this section? I feel like it could probably be
> fleshed out a bit.
>
>
>
> 3.
>
> Add a xref to draft COSE spec in section 6
> <https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-6>
>
> Add xref to RFC7519
>
>
>
> On Thu, Nov 12, 2015 at 12:01 PM, Erik Wahlström neXus <
> erik.wahlstrom@nexusgroup.com> wrote:
>
> Hi Carsten,
>
> Thanks, and I agree. I’ve heard arguments for all three work groups.
>
> Borrowed some of your words to define the content of the draft :)
> It’s it essentially a JWT, phrased in and profiled for CBOR to address ACE
> needs, where OAuth needs COSE functionality, for object security.
>
> I’m open for letting the AD’s move it around, but having it right next to
> JWT seems right to me. Also open for the ACE WG. Feel it has less place in
> COSE for the same reasons JWT is not in the JOSE WG.
>
> / Erik
>
>
>
> > On 12 Nov 2015, at 20:45, Carsten Bormann <cabo@tzi.org> wrote:
> >
> > Hi Erik,
> >
> > having this draft is a good thing.
> >
> > One thing I'm still wondering is what WG is the best place to progress
> > this.  We probably don't need to spend too much time on this because,
> > regardless of the WG chosen, the people in another WG can look at it.
> > Still, getting this right might provide some efficiencies.
> >
> > What is the technical content of this draft?  Is it a new token that
> > OAuth needs specifically for the new COSE-based applications of OAuth?
> > Is it a new token that is specifically there for addressing ACE needs?
> > Or is it essentially the same substance as JWT, but phrased in and
> > profiled for CBOR?
> >
> > Depending on the answer, CWT should be done in OAuth, ACE, or COSE.
> > (I'd rather hear the answer from the authors than venture a guess
> myself.)
> >
> > Grüße, Carsten
> >
> >
> >
> > Erik Wahlström neXus wrote:
> >> Hi,
> >>
> >> In the ACE WG a straw man proposal of a CBOR Web Token (CWT) was defined
> >> in the draft "Authorization for the Internet of Things using OAuth 2.0”
> >> [1]. We just broke out the CBOR Web Token into a separate draft and the
> >> new draft is submitted to the OAUTH WG. It can be found here:
> >>
> >> https://datatracker.ietf.org/doc/draft-wahlstroem-oauth-cbor-web-token/
> >>
> >> Abstract:
> >> "CBOR Web Token (CWT) is a compact means of representing claims to be
> >> transferred between two parties.  CWT is a profile of the JSON Web Token
> >> (JWT) that is optimized for constrained devices. The claims in a CWT are
> >> encoded in the Concise Binary Object Representation (CBOR) and CBOR
> >> Object Signing and Encryption (COSE) is used for added application layer
> >> security protection.  A claim is a piece of information asserted about a
> >> subject and is represented as a name/value pair consisting of a claim
> >> name and a claim value."
> >>
> >> / Erik
> >>
> >>
> >> [1] https://tools.ietf.org/html/draft-seitz-ace-oauth-authz-00
> >>
> >>
> >> _______________________________________________
> >> COSE mailing list
> >> COSE@ietf.org
> >> https://www.ietf.org/mailman/listinfo/cose
>
> _______________________________________________
> COSE mailing list
> COSE@ietf.org
> https://www.ietf.org/mailman/listinfo/cose
>
>
>
> ------------------------------
>
> -- IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
>

v2.23.0 | Report a Bug | By Email