Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)
William Denniss <wdenniss@google.com> Fri, 13 November 2015 03:19 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D5D91B3F4A for <oauth@ietfa.amsl.com>; Thu, 12 Nov 2015 19:19:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.088
X-Spam-Level:
X-Spam-Status: No, score=-1.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q0qaWGHO3FcZ for <oauth@ietfa.amsl.com>; Thu, 12 Nov 2015 19:19:50 -0800 (PST)
Received: from mail-qk0-x22c.google.com (mail-qk0-x22c.google.com [IPv6:2607:f8b0:400d:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FA801B3F44 for <oauth@ietf.org>; Thu, 12 Nov 2015 19:19:47 -0800 (PST)
Received: by qkas77 with SMTP id s77so35838650qka.0 for <oauth@ietf.org>; Thu, 12 Nov 2015 19:19:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=OhV0MalIias2AhIT5ewNpHwULukXJA02/rJAmtrfKXY=; b=Ejo3ZFe3UZuRL13WEm1+NAtdeS5na43uIKZGA/4iZyBrdL4t5POuXT6Uk1PaZmDzzW 3t9ZxNuvs1ocFgiH2H5i7fnGxJfKgMVy7v+UECkI6C3TIxs3uTIjwaaYTA+mqaSYV+mr KPzNZJuB+c3ZkhA0Mz7EDmssHORbT8Wa4817pyDE8nfr3kVcKs2fgXHIB95HRY/vE4tJ K0d52PrOjNID4eOWmH6dsiS0+cvuSflri3q6PT9Ku45IBvWtAr+P8vbO2xzrVaP07moE R6mujkY8ikvER5wNGZ1yttlJJq/b3HUz6z76vNHqjo96ahoVAiNGTpYrmozn6Vlv8jkS Hc0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=OhV0MalIias2AhIT5ewNpHwULukXJA02/rJAmtrfKXY=; b=e0bvZWDw5YnETstU9WT+VZKEjQGEL8MzPJlGTzaKepePbVz2BR4pfEV0uDaCO8xB1M 88NeFSPir4k6fQDTdTHcyVRktD9Z0tQnnd4P4wns+WcaotjVTYUzRLzWEE8FLiIf38t2 FTAJjyWE1rmNFpQrYLfdLXmnFYuKcYqwcCOqndQkq3dIa69AaD4hgLR62C/6Bwv8Nmon qO2CobXgY45SC/mOnAsA5Mg+pDdKR9xVB3Vc9/WMxa5WCAZeWwNw9Xa6IM1AK+tuXF9V f+nhZMjQ6toUeilMLfZ0lO52mM8RQQhJTnJOt6VLG6ZJVhM7b0XMUpoqhLsrQb55XUI4 NGxw==
X-Gm-Message-State: ALoCoQk3JCzqtVRAEhv+RKthps94Kyl2gZ8ubUR2Lgzbb6InFgeSatA3Y9ZDN/03lfqziQyuAHyT
X-Received: by 10.55.55.82 with SMTP id e79mr18970471qka.59.1447384786307; Thu, 12 Nov 2015 19:19:46 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.29.68 with HTTP; Thu, 12 Nov 2015 19:19:26 -0800 (PST)
In-Reply-To: <73929C18-A3E7-4ACA-A6DC-5A7AD7576C9B@nexusgroup.com>
References: <53BB1987-979C-4945-9C7D-CDB6619AEFFC@nexusgroup.com> <5644EC40.4010002@tzi.org> <73929C18-A3E7-4ACA-A6DC-5A7AD7576C9B@nexusgroup.com>
From: William Denniss <wdenniss@google.com>
Date: Thu, 12 Nov 2015 19:19:26 -0800
Message-ID: <CAAP42hAWfBRKw-3OM1dPkgK40Af4KVBaVdhzdAGhon=VFV6LSA@mail.gmail.com>
To: Erik Wahlström neXus <erik.wahlstrom@nexusgroup.com>
Content-Type: multipart/alternative; boundary="001a114900f40ad79205246388f8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/MdSXqexOqPKOhhDSbaBGK6ULrqE>
Cc: "ace@ietf.org" <ace@ietf.org>, Carsten Bormann <cabo@tzi.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, "<oauth@ietf.org>" <oauth@ietf.org>, "cose@ietf.org" <cose@ietf.org>
Subject: Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2015 03:19:52 -0000
Regarding the draft itself, a few comments: 1. Can we unify the claim registry with JWT? I'm worried about having the same claims defined twice in CWT and JWT with possibly conflicting meanings (and needless confusion even when they do match). Comparing https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-3.1.2 and https://tools.ietf.org/html/rfc7519#section-4.1.2 which are nearly identical, I just don't see the value in re-defining it. We may add new standard claims to JWT in the future (I proposed one <https://mailarchive.ietf.org/arch/search/?email_list=id-event&gbt=1&index=7qNUnaE9lt2LyayMnmNyWpZSIEM> in Yokohama on the id-event list <https://www.ietf.org/mailman/listinfo/id-event>), it would be good if this didn't need a separate entry in CWT too, but could just apply directly (separately, I think you should consider this claim, as it helps prevent tokens from being re-used in the wrong context). 2. Is Section 4 "Summary of CBOR major types used by defined claims" normative ( https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-4)? What is the intention of this section? I feel like it could probably be fleshed out a bit. 3. Add a xref to draft COSE spec in section 6 <https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-6> Add xref to RFC7519 On Thu, Nov 12, 2015 at 12:01 PM, Erik Wahlström neXus < erik.wahlstrom@nexusgroup.com> wrote: > Hi Carsten, > > Thanks, and I agree. I’ve heard arguments for all three work groups. > > Borrowed some of your words to define the content of the draft :) > It’s it essentially a JWT, phrased in and profiled for CBOR to address ACE > needs, where OAuth needs COSE functionality, for object security. > > I’m open for letting the AD’s move it around, but having it right next to > JWT seems right to me. Also open for the ACE WG. Feel it has less place in > COSE for the same reasons JWT is not in the JOSE WG. > > / Erik > > > > On 12 Nov 2015, at 20:45, Carsten Bormann <cabo@tzi.org> wrote: > > > > Hi Erik, > > > > having this draft is a good thing. > > > > One thing I'm still wondering is what WG is the best place to progress > > this. We probably don't need to spend too much time on this because, > > regardless of the WG chosen, the people in another WG can look at it. > > Still, getting this right might provide some efficiencies. > > > > What is the technical content of this draft? Is it a new token that > > OAuth needs specifically for the new COSE-based applications of OAuth? > > Is it a new token that is specifically there for addressing ACE needs? > > Or is it essentially the same substance as JWT, but phrased in and > > profiled for CBOR? > > > > Depending on the answer, CWT should be done in OAuth, ACE, or COSE. > > (I'd rather hear the answer from the authors than venture a guess > myself.) > > > > Grüße, Carsten > > > > > > > > Erik Wahlström neXus wrote: > >> Hi, > >> > >> In the ACE WG a straw man proposal of a CBOR Web Token (CWT) was defined > >> in the draft "Authorization for the Internet of Things using OAuth 2.0” > >> [1]. We just broke out the CBOR Web Token into a separate draft and the > >> new draft is submitted to the OAUTH WG. It can be found here: > >> > >> https://datatracker.ietf.org/doc/draft-wahlstroem-oauth-cbor-web-token/ > >> > >> Abstract: > >> "CBOR Web Token (CWT) is a compact means of representing claims to be > >> transferred between two parties. CWT is a profile of the JSON Web Token > >> (JWT) that is optimized for constrained devices. The claims in a CWT are > >> encoded in the Concise Binary Object Representation (CBOR) and CBOR > >> Object Signing and Encryption (COSE) is used for added application layer > >> security protection. A claim is a piece of information asserted about a > >> subject and is represented as a name/value pair consisting of a claim > >> name and a claim value." > >> > >> / Erik > >> > >> > >> [1] https://tools.ietf.org/html/draft-seitz-ace-oauth-authz-00 > >> > >> > >> _______________________________________________ > >> COSE mailing list > >> COSE@ietf.org > >> https://www.ietf.org/mailman/listinfo/cose > > _______________________________________________ > COSE mailing list > COSE@ietf.org > https://www.ietf.org/mailman/listinfo/cose >
- [OAUTH-WG] A draft on CBOR Web Tokens (CWT) Erik Wahlström neXus
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Erik Wahlström neXus
- Re: [OAUTH-WG] A draft on CBOR Web Tokens (CWT) Mike Jones
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Justin Richer
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … William Denniss
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Carsten Bormann
- Re: [OAUTH-WG] [Ace] [COSE] A draft on CBOR Web T… Hannes Tschofenig
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Hannes Tschofenig
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … William Denniss
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Bill Mills
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Carsten Bormann
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Hannes Tschofenig
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Hannes Tschofenig
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Bill Mills
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Hannes Tschofenig
- Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens … Justin Richer