Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)
William Denniss <wdenniss@google.com> Mon, 16 November 2015 21:32 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0151E1B31DC for <oauth@ietfa.amsl.com>; Mon, 16 Nov 2015 13:32:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.963
X-Spam-Level:
X-Spam-Status: No, score=-1.963 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MnIlPyBIUOTK for <oauth@ietfa.amsl.com>; Mon, 16 Nov 2015 13:32:16 -0800 (PST)
Received: from mail-qg0-x231.google.com (mail-qg0-x231.google.com [IPv6:2607:f8b0:400d:c04::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79E6F1B31DF for <oauth@ietf.org>; Mon, 16 Nov 2015 13:32:16 -0800 (PST)
Received: by qgeb1 with SMTP id b1so59885929qge.1 for <oauth@ietf.org>; Mon, 16 Nov 2015 13:32:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=E8eYsjbIjwoeNMQUa5EJTt1SL1k1YMkaYX3FcoAps78=; b=YB8F7Oq53wu2tV5xPLOqEMmClrffHE0efz/8prrUzG6zdv4Y2lNMZYHTAMW9sl/bgN celuAmYUcdzOpYyPJnoV8IvhgKj4i0647yx3d6VfaYTJ123xhSix1mXxKX2Pg9tuF0Bz ZKYXqwDBJrON6NR9y3JvS3IKX804pXkNKxbYZ/8PaCJ/f6qjpAbunv1yBd0h/Ya6Y+8U 7BFbG6yn6ZPS5kbgRUIBYtyMGMT67cra6quT59kSPjH0YzmllmNFAjcnxPHEU8XU5Bsg PSXRMhyJBrqlffbOzGtp6ANk1mlmiMpHdK4vhij1xBxeNMCVTdpd72Z8dH3Dko4lJMy7 rihA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=E8eYsjbIjwoeNMQUa5EJTt1SL1k1YMkaYX3FcoAps78=; b=CmeLFW9Kc5BMb8NFDpXB54WZKTixR+JFkhZOJai6I8/JmILVvmz/L3TSQBE7Wh0NYL VHVmNskF7M2vatxq3bYT5a9bOmnhrmEXzptG+CIaNxQfHatBPY5hyXgQSAhdcR2pP34B GVBZuWPIYrBaxgjtHYbuzcFXLqgtNJ2v6SIt6723bYjFUXYBdO+cdHx5Ya1w0OskLna6 wYbMCh30OKq4PM2eYpby+mGiSnebEBpArKkCQehjiAklZMUfyaM2HYg9lVxOogoUz0sy l+s8i5c5lgwF6qVsid5VhG0754oTe0u2/q1NyitndNUmCCHChrXMLOQSPVrHIK7vIbKo ebmQ==
X-Gm-Message-State: ALoCoQlcQtxNH/zXMVabpkJcO273c0+YNM0mTFoxtsoz1+UoNvqFextij1s4crXFyVnhGOdJ8g+K
X-Received: by 10.140.177.199 with SMTP id x190mr39753650qhx.91.1447709535422; Mon, 16 Nov 2015 13:32:15 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.29.68 with HTTP; Mon, 16 Nov 2015 13:31:55 -0800 (PST)
In-Reply-To: <HE1PR08MB07324FD345F82CF6EC3AEAE3FA1E0@HE1PR08MB0732.eurprd08.prod.outlook.com>
References: <53BB1987-979C-4945-9C7D-CDB6619AEFFC@nexusgroup.com> <5644EC40.4010002@tzi.org> <73929C18-A3E7-4ACA-A6DC-5A7AD7576C9B@nexusgroup.com> <CAAP42hAWfBRKw-3OM1dPkgK40Af4KVBaVdhzdAGhon=VFV6LSA@mail.gmail.com> <HE1PR08MB07324FD345F82CF6EC3AEAE3FA1E0@HE1PR08MB0732.eurprd08.prod.outlook.com>
From: William Denniss <wdenniss@google.com>
Date: Mon, 16 Nov 2015 13:31:55 -0800
Message-ID: <CAAP42hD2xsOGT5_iFQ2QZD5Om8Xkj0Z3vAFTk5ZhimM+Nf9X0Q@mail.gmail.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Content-Type: multipart/alternative; boundary="001a113a74ba991c400524af24b8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/54p_Wm_tsqkIrB8yfWSKc9oTuak>
Cc: Carsten Bormann <cabo@tzi.org>, "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2015 21:32:20 -0000
You raise some good points, and perhaps that is relevant to future claims. The spec as drafted, is a one-for-one copy of the standard JWT claims, which is why I raised this point. Is the goal a CBOR representation of a JWT? If so, can it be defined in terms of a JWT? Would the CNF claim then inherit that representation (treating the JWE and JWK as their CBOR equivalents)? Perhaps if you go the separate registry route, those claims that *are* defined the same should at least normatively reference JWT? I want to avoid the whole "on behalf of" / "act as" fiasco where things can get re-defined, and muddled. On Mon, Nov 16, 2015 at 7:09 AM, Hannes Tschofenig < Hannes.Tschofenig@arm.com> wrote: > Hi William, > > > > I have been trying to do a document update to see how well a combined > registry works and I have been wondering whether it is really worth the > effort. > > To make a good judgment I looked at the CNF claim defined in > draft-ietf-oauth-proof-of-possession. The CNF claim may contain > sub-elements, such as a JWE or a JWK. > > > > If we translate the same mechanisms to the CWT (which makes sense) then we > need to point to the respective COSE structures instead. Those do not only > use a different encoding but also the functionality does not match the JOSE > structures 100%. So, there are potentially differences. I am also not sure > whether we really want to translate the full functionality of all the > claims from JWT over to the CWT equivalent. It basically puts the burden on > someone defining new claims (either in JWT or in CWT) to create the > corresponding structures in a format they may not necessarily be familiar > with or even care about. I have seen that happening in the RADIUS world > protocol designers had to also define the equivalent structures for use > with Diameter and, guess what, most of the definitions were wrong (since > the authors did not care about Diameter when working on RADIUS). > > > > Ciao > Hannes > > > > > > *From:* William Denniss [mailto:wdenniss@google.com] > *Sent:* 12 November 2015 19:19 > *To:* Erik Wahlström neXus > *Cc:* Carsten Bormann; Hannes Tschofenig; Mike Jones; cose@ietf.org; < > oauth@ietf.org>; ace@ietf.org > *Subject:* Re: [COSE] A draft on CBOR Web Tokens (CWT) > > > > Regarding the draft itself, a few comments: > > > > 1. > > Can we unify the claim registry with JWT? I'm worried about having the > same claims defined twice in CWT and JWT with possibly conflicting meanings > (and needless confusion even when they do match). > > > > Comparing > https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-3.1.2 > and https://tools.ietf.org/html/rfc7519#section-4.1.2 which are nearly > identical, I just don't see the value in re-defining it. > > > > We may add new standard claims to JWT in the future (I proposed one > <https://mailarchive.ietf.org/arch/search/?email_list=id-event&gbt=1&index=7qNUnaE9lt2LyayMnmNyWpZSIEM> in > Yokohama on the id-event list > <https://www.ietf.org/mailman/listinfo/id-event>), it would be good if > this didn't need a separate entry in CWT too, but could just apply directly > (separately, I think you should consider this claim, as it helps prevent > tokens from being re-used in the wrong context). > > > > 2. > > Is Section 4 "Summary of CBOR major types used by defined claims" > normative ( > https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-4)? > What is the intention of this section? I feel like it could probably be > fleshed out a bit. > > > > 3. > > Add a xref to draft COSE spec in section 6 > <https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-6> > > Add xref to RFC7519 > > > > On Thu, Nov 12, 2015 at 12:01 PM, Erik Wahlström neXus < > erik.wahlstrom@nexusgroup.com> wrote: > > Hi Carsten, > > Thanks, and I agree. I’ve heard arguments for all three work groups. > > Borrowed some of your words to define the content of the draft :) > It’s it essentially a JWT, phrased in and profiled for CBOR to address ACE > needs, where OAuth needs COSE functionality, for object security. > > I’m open for letting the AD’s move it around, but having it right next to > JWT seems right to me. Also open for the ACE WG. Feel it has less place in > COSE for the same reasons JWT is not in the JOSE WG. > > / Erik > > > > > On 12 Nov 2015, at 20:45, Carsten Bormann <cabo@tzi.org> wrote: > > > > Hi Erik, > > > > having this draft is a good thing. > > > > One thing I'm still wondering is what WG is the best place to progress > > this. We probably don't need to spend too much time on this because, > > regardless of the WG chosen, the people in another WG can look at it. > > Still, getting this right might provide some efficiencies. > > > > What is the technical content of this draft? Is it a new token that > > OAuth needs specifically for the new COSE-based applications of OAuth? > > Is it a new token that is specifically there for addressing ACE needs? > > Or is it essentially the same substance as JWT, but phrased in and > > profiled for CBOR? > > > > Depending on the answer, CWT should be done in OAuth, ACE, or COSE. > > (I'd rather hear the answer from the authors than venture a guess > myself.) > > > > Grüße, Carsten > > > > > > > > Erik Wahlström neXus wrote: > >> Hi, > >> > >> In the ACE WG a straw man proposal of a CBOR Web Token (CWT) was defined > >> in the draft "Authorization for the Internet of Things using OAuth 2.0” > >> [1]. We just broke out the CBOR Web Token into a separate draft and the > >> new draft is submitted to the OAUTH WG. It can be found here: > >> > >> https://datatracker.ietf.org/doc/draft-wahlstroem-oauth-cbor-web-token/ > >> > >> Abstract: > >> "CBOR Web Token (CWT) is a compact means of representing claims to be > >> transferred between two parties. CWT is a profile of the JSON Web Token > >> (JWT) that is optimized for constrained devices. The claims in a CWT are > >> encoded in the Concise Binary Object Representation (CBOR) and CBOR > >> Object Signing and Encryption (COSE) is used for added application layer > >> security protection. A claim is a piece of information asserted about a > >> subject and is represented as a name/value pair consisting of a claim > >> name and a claim value." > >> > >> / Erik > >> > >> > >> [1] https://tools.ietf.org/html/draft-seitz-ace-oauth-authz-00 > >> > >> > >> _______________________________________________ > >> COSE mailing list > >> COSE@ietf.org > >> https://www.ietf.org/mailman/listinfo/cose > > _______________________________________________ > COSE mailing list > COSE@ietf.org > https://www.ietf.org/mailman/listinfo/cose > > > > ------------------------------ > > -- IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose the > contents to any other person, use it for any purpose, or store or copy the > information in any medium. Thank you. >
- [OAUTH-WG] A draft on CBOR Web Tokens (CWT) Erik Wahlström neXus
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Erik Wahlström neXus
- Re: [OAUTH-WG] A draft on CBOR Web Tokens (CWT) Mike Jones
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Justin Richer
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … William Denniss
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Carsten Bormann
- Re: [OAUTH-WG] [Ace] [COSE] A draft on CBOR Web T… Hannes Tschofenig
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Hannes Tschofenig
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … William Denniss
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Bill Mills
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Carsten Bormann
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Hannes Tschofenig
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Hannes Tschofenig
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Bill Mills
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Hannes Tschofenig
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Justin Richer