Re: [OAUTH-WG] A review of draft-ietf-oauth-pop-architecture-05

Justin Richer <> Thu, 19 November 2015 18:18 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 1291A1B33E1 for <>; Thu, 19 Nov 2015 10:18:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.485
X-Spam-Status: No, score=-4.485 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8BswNBFGNmMI for <>; Thu, 19 Nov 2015 10:18:48 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1D9DB1B33E0 for <>; Thu, 19 Nov 2015 10:18:47 -0800 (PST)
X-AuditID: 1209190d-f79306d000006b70-2b-564e12866051
Received: from ( []) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 32.FF.27504.6821E465; Thu, 19 Nov 2015 13:18:46 -0500 (EST)
Received: from ( []) by (8.13.8/8.9.2) with ESMTP id tAJIIjV4018293; Thu, 19 Nov 2015 13:18:45 -0500
Received: from [IPv6:2607:fb90:2308:dab:0:4b:4084:d301] ([]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by (8.13.8/8.12.4) with ESMTP id tAJIIfs5016106 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 19 Nov 2015 13:18:43 -0500
Date: Thu, 19 Nov 2015 12:18:41 -0600
Message-ID: <>
Importance: normal
From: Justin Richer <>
To: Phil Hunt <>, Erik Wahlström neXus <>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=""
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrIKsWRmVeSWpSXmKPExsUixG6notsm5Bdm8LxDyeLYrsVsFrteN7FY nHz7is1iwfxGdgcWjyVLfjJ5TJr2gcVj6/3fjB4fn95iCWCJ4rJJSc3JLEst0rdL4Mo4c2Ub a8GFA4wVc28sYW5gPLCbsYuRk0NCwERi6pU9ULaYxIV769m6GLk4hAQWM0msX/+HFcLZyChx 8sohFgjnGJPE39YP7CAtLAKqEs9eXmADsYUFPCT+rJsJNopXwE2irfMbkM3BwSkgJNG1SwIk zAZUPn1NCxOILSJQJtE3dQ5YObNAlMS6IxOZIVoFJU7OfMICEQ+VONz/lnECI98sJKlZSFIQ trrEn3mXmCFsRYkp3Q/ZZwFtZhZQk1jWqoQsvICRbRWjbEpulW5uYmZOcWqybnFyYl5eapGu kV5uZoleakrpJkZQqHNK8u5gfHdQ6RCjAAejEg8vx1mfMCHWxLLiytxDjJIcTEqivMKcfmFC fEn5KZUZicUZ8UWlOanFhxglOJiVRHidBYFyvCmJlVWpRfkwKWkOFiVx3rlffMOEBNITS1Kz U1MLUotgsjIcHEoSvEUgjYJFqempFWmZOSUIaSYOTpDhPEDDC8GGFxck5hZnpkPkTzGaSonz hoMkBEASGaV5cL1KQkICauy/Jyhz8K5mYGDwdmi5zAhKWWssRD++YhQHek+YNxSkkweY7uAm vgJaxgS07HeNL8iykkSElFQDo+Yx++MCVY+XHD5Tcu776QiJpJrHmuWXOafKRDl4pF2rOiXI 4tD0xCwzZcX8W0nCu552Ke/pu97MZx2qP6VJPaog4OU571dTD1Z8bZ31RyF4h9uCV6pd1jVW ShbvKlQbTC3cVwXs/LzFVpC3f/Jhw7lxE3bveXoyfPV8poZpJ7bqN4rPT9HtU2Ipzkg01GIu Kk4EAKDhtDY0AwAA
Archived-At: <>
Cc: "<>" <>, Justin Richer <>
Subject: Re: [OAUTH-WG] A review of draft-ietf-oauth-pop-architecture-05
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 19 Nov 2015 18:18:52 -0000

I agree with added "For example" in a few places. It's not normative it's informational here. 

-- Justin
/ Sent from my phone /

-------- Original message --------
From: Phil Hunt <> 
Date: 11/19/2015  11:28 AM  (GMT-06:00) 
To: Erik Wahlström neXus <> 
Cc: "<>" <>, Justin Richer <> 
Subject: Re: [OAUTH-WG] A review of draft-ietf-oauth-pop-architecture-05 

I think your point that maybe the architecture doc be generic enough to support both json and cbor tokens is worth consideration. 
I am just not sure of process and consensus now that we are past WGLC. Would the cose group prefer this?
Happy to do it if desired. Also understand if we are too far down the road. 

On Nov 19, 2015, at 08:39, Erik Wahlström neXus <> wrote:

Just a note then. I did not see anything that prohibited the usage of pop tokens for IoT so  shipping it as is works.

Sent from my iPhone

On 19 Nov 2015, at 17:18, Phil Hunt <> wrote:

On the subject of making the spec(s) less JWT specific, it was a foundational assumption and (I think) in the charter. However COSE wasn't around yet. 

I suppose the more generic architecture doc could be altered to cover IoT cases, but it may be problematic for the other specs that are more specific. 

Another issue is I assume the COSE based tokens will have a different type (eg cpop) to differentiate between jwt and COSE web tokens (what are we calling them now?). 

As this generalization change could be seen as substantial, I would like to have the chairs and AD comment. Is this a good idea?  Or is COSE better to write their own parallel arch draft?

I'm happy to bend to the will of the group(s) on this. 


On Nov 19, 2015, at 01:17, Erik Wahlström neXus <> wrote:


I have been reviewing draft-ietf-oauth-pop-architecture-05. In ACE WG we have a draft that uses PoP tokens for IoT and the architectures defined here so my review was done with that IoT perspective. I’m a bit late with the review and some of the
 comments might already be mentioned by others.



3.1. Preventing Access Token Re-Use by the Resource Server

If a symmetric key is used it’s possible to re-use the key for a resource server. The section talks about the importance of scopes, but I feel it should also mention the importance for the resource server to verify the audience (“aud”) claim in
 the token to disable missuse.


The draft in ACE WG ( relies heavily on this work. The main reason for this is the way PoP tokens can
 establish key material, with the help of the authorization server, on both the client and resource server. PoP tokens is also a very good fit for constrained IoT devices that can be offline and it’s also possible to use hardware key storages to handle asymmetric
 pop keys.

There could be a place for a new "Use Case" under section 3 that talks about scenarios where PoP keys are a really good match for offline IoT devices. I could help out ironing out a text for that with the help of the docs authors if that’s of


s/a bogus tokens/a bogus token


In the document only references are made to JSON, JWT and JOSE. More exactly in the following two sections:

   A number of the threats listed in Section 4 demand protection of the
   access token content and a standardized solution, in form of a JSON-
   based format, is available with the JWT [RFC7519].

   With the JSON Web Token (JWT) [RFC7519] a standardized format for
   access tokens is available.  The necessary elements to bind symmetric
   or asymmetric keys to a JWT are described in

Constrained IoT devices uses other access token and messages formats (according to our draft). It does not only use signed/encrypted JWT’s but also COSE protected CBOR Web Tokens. See

I totally agree that JWT is the correct examples to have in this document due to the fact that they are RFC’s, they are well known and should be used in as many places as possible, but it would be good to open up for other types of message formats.
 For example like this:

   A number of the threats listed in Section 4 demand protection of the
   access token content and a standardized solution in form of, for example, a JSON-
   based format, is available with the JWT [RFC7519].


 For that
   purpose the client will have to authenticate the resource server
   before transmitting the access token.

I’m missing a description about how this is handled in an end-to-end security scenario.


      The resource server queries the authorization server for the
      symmetric key.  This is an approach envisioned by the token
      introspection endpoint [I-D.ietf-oauth-introspection].

Not a question for this draft maybe, but in what draft is the introspection response claim defined? It’s not defined in and
 I don’t know in what other draft it can be defined.


In ACE WG the draft seitz-ace-oauth-authz have a profile for an access request to make it work over CoAP. CoAP is the HTTP equivalent for constrained devices, and it has limitations, for example it can’t send large tokens in options (headers in
 "http-speak"). This means that the draft defines a way to first send the PoP token to an new endpoint on the resource server to establish a security context. Then the real request against the resource server can be done once the security context is established.
 See more details here

An open question; should a flow like that be added to the architecture section? That means a new section 7.5.


Thanks for writing this. I think it’s very important work.

/ Erik


OAuth mailing list