Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)

Bill Mills <wmills_92105@yahoo.com> Mon, 16 November 2015 21:55 UTC

Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D962B1B3144 for <oauth@ietfa.amsl.com>; Mon, 16 Nov 2015 13:55:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.784
X-Spam-Level:
X-Spam-Status: No, score=-2.784 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G8uZnc6EvQAV for <oauth@ietfa.amsl.com>; Mon, 16 Nov 2015 13:55:04 -0800 (PST)
Received: from nm31-vm1.bullet.mail.bf1.yahoo.com (nm31-vm1.bullet.mail.bf1.yahoo.com [72.30.239.9]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46E1B1B313D for <oauth@ietf.org>; Mon, 16 Nov 2015 13:55:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1447710903; bh=UrQdeN+eNPPJaUMWVpbXrTW6HabwtbMha0ViBor65/Q=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=iF9ynehYXT5YlZYUeS1ThUQLhzheKexOScBR4ybbXZvoeLhwgdfHRe+Lem4Q/JfRKBsa/qCPPww/2XbSzkCKGL5RE8MiIiGBdc7Td3nUvX/EiXYitA8PsOpaIUWPuwiR5OjkQodCmSRVDqc05QZw8mHYIHeVtlO/aut/GSOpVRpHb+xtviOBDSm2Ll77cMdp+UgkAoxni7/D5kCGPQ//1AXaoqh1GHI7OtkDkdd+1rB7lrYZNaBLrZHme1eTcFhNlL7elIMg9aRJPV4Beh523VQigAFDTztb2KDHr08/IIuagKOzfvC0nr2fVo0Dq5aInAFWmgjl3PiALanjYc4BxA==
Received: from [98.139.215.143] by nm31.bullet.mail.bf1.yahoo.com with NNFMP; 16 Nov 2015 21:55:03 -0000
Received: from [98.139.212.233] by tm14.bullet.mail.bf1.yahoo.com with NNFMP; 16 Nov 2015 21:55:03 -0000
Received: from [127.0.0.1] by omp1042.mail.bf1.yahoo.com with NNFMP; 16 Nov 2015 21:55:03 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 268461.9154.bm@omp1042.mail.bf1.yahoo.com
X-YMail-OSG: v8TadEwVM1lh6uRY_RFhdpxBfTWrh5yUWLSgsfyIvPGiapYMbfNuPRvUbL8F_Xl q7_lM.79IOFlpovfYF0KORpGS51IR63.YEBccG27T5HSKnbbDPzywoBXM.o3UqAutdc92x6WIwDm i2nwpTKyHD5L_2dnx6NH5sptpTw3YBieaDRRi6qRuRZl7Jjuu8wzVl2PfaKeDwN0Y_fjh48GmBUj 17z841A0MIh5cBc2a.Z9j97tQ0RfMjrGmDoIPVp5z_gREuxrh.PktHizGwRAX7r1UDWa5eqvlPyV N87qisbcgXB4TTOR0HyWqUq2Cl8vzlV1ZfssIie7jNUHLbCB.ClkxxCmK7dMpi1qUVnotDYls5mN DkXwnS4T1QImWyFd9qCWJDQ9ZwmYS45MYkyA9V7NF2wTA7L76ejyhCOJUa.oiPLbs7Jl.oX7.gzp pGwnCtd4qTrUhq3DGPjc_vqQ4McclZoQXyQR5ThU0DWwFMoXxbxOaXCXfciyJp_X0uw.0iWODp88 O5VuUPsiDwuegeYOVB8VEBkyNUPKh4f692OWmifQ-
Received: by 66.196.80.146; Mon, 16 Nov 2015 21:55:02 +0000
Date: Mon, 16 Nov 2015 21:54:52 +0000
From: Bill Mills <wmills_92105@yahoo.com>
To: William Denniss <wdenniss@google.com>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Message-ID: <364007597.6139430.1447710892429.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <CAAP42hD2xsOGT5_iFQ2QZD5Om8Xkj0Z3vAFTk5ZhimM+Nf9X0Q@mail.gmail.com>
References: <CAAP42hD2xsOGT5_iFQ2QZD5Om8Xkj0Z3vAFTk5ZhimM+Nf9X0Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_6139429_1436115240.1447710892409"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/dX93IV9NCRSUswypCbGt6VcRnUI>
Cc: Carsten Bormann <cabo@tzi.org>, "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bill Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2015 21:55:08 -0000

If there are structural differences in what CBOR can support it would be worthwhile to note that.  Examples of things supported in JWT that you can't do in CBOR could be very helpful to implementers.
 


     On Monday, November 16, 2015 1:32 PM, William Denniss <wdenniss@google.com> wrote:
   

 You raise some good points, and perhaps that is relevant to future claims. The spec as drafted, is a one-for-one copy of the standard JWT claims, which is why I raised this point.
Is the goal a CBOR representation of a JWT? If so, can it be defined in terms of a JWT?  Would the CNF claim then inherit that representation (treating the JWE and JWK as their CBOR equivalents)?
Perhaps if you go the separate registry route, those claims that *are* defined the same should at least normatively reference JWT?  I want to avoid the whole "on behalf of" / "act as" fiasco where things can get re-defined, and muddled.
On Mon, Nov 16, 2015 at 7:09 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:

Hi William, I have been trying to do a document update to see how well a combined registry works and I have been wondering whether it is really worth the effort.To make a good judgment I looked at the CNF claim defined in draft-ietf-oauth-proof-of-possession. The CNF claim may contain sub-elements, such as a JWE or a JWK. If we translate the same mechanisms to the CWT (which makes sense) then we need to point to the respective COSE structures instead. Those do not only use a different encoding but also the functionality does not match the JOSE structures 100%. So, there are potentially differences. I am also not sure whether we really want to translate the full functionality of all the claims from JWT over to the CWT equivalent. It basically puts the burden on someone defining new claims (either in JWT or in CWT) to create the corresponding structures in a format they may not necessarily be familiar with or even care about. I have seen that happening in the RADIUS world protocol designers had to also define the equivalent structures for use with Diameter and, guess what, most of the definitions were wrong (since the authors did not care about Diameter when working on RADIUS). Ciao
Hannes  From: William Denniss [mailto:wdenniss@google.com]
Sent: 12 November 2015 19:19
To: Erik Wahlström neXus
Cc: Carsten Bormann; Hannes Tschofenig; Mike Jones; cose@ietf.org; <oauth@ietf.org>; ace@ietf.org
Subject: Re: [COSE] A draft on CBOR Web Tokens (CWT) Regarding the draft itself, a few comments: 1. Can we unify the claim registry with JWT? I'm worried about having the same claims defined twice in CWT and JWT with possibly conflicting meanings (and needless confusion even when they do match).  Comparing https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-3.1.2 and https://tools.ietf.org/html/rfc7519#section-4.1.2 which are nearly identical, I just don't see the value in re-defining it. We may add new standard claims to JWT in the future (I proposed one in Yokohama on the id-event list), it would be good if this didn't need a separate entry in CWT too, but could just apply directly (separately, I think you should consider this claim, as it helps prevent tokens from being re-used in the wrong context). 2.Is Section 4 "Summary of CBOR major types used by defined claims" normative (https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-4)? What is the intention of this section? I feel like it could probably be fleshed out a bit. 3. Add a xref to draft COSE spec in section 6Add xref to RFC7519 On Thu, Nov 12, 2015 at 12:01 PM, Erik Wahlström neXus <erik.wahlstrom@nexusgroup.com> wrote:Hi Carsten,

Thanks, and I agree. I’ve heard arguments for all three work groups.

Borrowed some of your words to define the content of the draft :)
It’s it essentially a JWT, phrased in and profiled for CBOR to address ACE needs, where OAuth needs COSE functionality, for object security.

I’m open for letting the AD’s move it around, but having it right next to JWT seems right to me. Also open for the ACE WG. Feel it has less place in COSE for the same reasons JWT is not in the JOSE WG.

/ Erik

> On 12 Nov 2015, at 20:45, Carsten Bormann <cabo@tzi.org> wrote:
>
> Hi Erik,
>
> having this draft is a good thing.
>
> One thing I'm still wondering is what WG is the best place to progress
> this.  We probably don't need to spend too much time on this because,
> regardless of the WG chosen, the people in another WG can look at it.
> Still, getting this right might provide some efficiencies.
>
> What is the technical content of this draft?  Is it a new token that
> OAuth needs specifically for the new COSE-based applications of OAuth?
> Is it a new token that is specifically there for addressing ACE needs?
> Or is it essentially the same substance as JWT, but phrased in and
> profiled for CBOR?
>
> Depending on the answer, CWT should be done in OAuth, ACE, or COSE.
> (I'd rather hear the answer from the authors than venture a guess myself.)
>
> Grüße, Carsten
>
>
>
> Erik Wahlström neXus wrote:
>> Hi,
>>
>> In the ACE WG a straw man proposal of a CBOR Web Token (CWT) was defined
>> in the draft "Authorization for the Internet of Things using OAuth 2.0”
>> [1]. We just broke out the CBOR Web Token into a separate draft and the
>> new draft is submitted to the OAUTH WG. It can be found here:
>>
>> https://datatracker.ietf.org/doc/draft-wahlstroem-oauth-cbor-web-token/
>>
>> Abstract:
>> "CBOR Web Token (CWT) is a compact means of representing claims to be
>> transferred between two parties.  CWT is a profile of the JSON Web Token
>> (JWT) that is optimized for constrained devices. The claims in a CWT are
>> encoded in the Concise Binary Object Representation (CBOR) and CBOR
>> Object Signing and Encryption (COSE) is used for added application layer
>> security protection.  A claim is a piece of information asserted about a
>> subject and is represented as a name/value pair consisting of a claim
>> name and a claim value."
>>
>> / Erik
>>
>>
>> [1] https://tools.ietf.org/html/draft-seitz-ace-oauth-authz-00
>>
>>
>> _______________________________________________
>> COSE mailing list
>> COSE@ietf.org
>> https://www.ietf.org/mailman/listinfo/cose

_______________________________________________
COSE mailing list
COSE@ietf.org
https://www.ietf.org/mailman/listinfo/cose 

-- IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth