IETF Logo Mail Archive

[OAUTH-WG] Re: WGLC for Token Status List

Rohan Mahy <rohan.mahy@gmail.com> Thu, 06 February 2025 01:21 UTC

Return-Path: <rohan.mahy@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60656C1DA2DA for <oauth@ietfa.amsl.com>; Wed, 5 Feb 2025 17:21:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y0LQoSuR6BcN for <oauth@ietfa.amsl.com>; Wed, 5 Feb 2025 17:21:35 -0800 (PST)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61CF7C1A07F5 for <oauth@ietf.org>; Wed, 5 Feb 2025 17:21:35 -0800 (PST)
Received: by mail-ed1-x532.google.com with SMTP id 4fb4d7f45d1cf-5dcef821092so225717a12.0 for <oauth@ietf.org>; Wed, 05 Feb 2025 17:21:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1738804894; x=1739409694; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=uL5dPgwB72hC/1oixPNUgRHARkmIar14PAsVBmjh1wY=; b=EQCwH7q0UT51tzk0hu6miz1zVUrS++c4UHjb0Y6jJH2xBMmszNblAnH77o64ozZv7Q iZlEr3txCv79EzgsQklthIGw5lVFFTGj+ay49bl0MZBjxnWO38YYwJM9pI6AKdkwZnJK Sz1XDGpC05v1Gh11l0aLD5R61l/kb5WJ6uG0opi4z9rcHfbekT1jlOuUhU9JWmq3zv3f +dsjve3TmyoenkB8K18JXfGNpdIACXs7wIXpUhKaTpaoc5LS+ATjWeGXsnqo+v6zN5xn V4TjnrX5SsENMSuaPvAZR91mRGX1zBiciSXCduLjaRNDwd37s470NAA2jLMpElIRHJvE 82iA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1738804894; x=1739409694; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=uL5dPgwB72hC/1oixPNUgRHARkmIar14PAsVBmjh1wY=; b=KVhoXF+iolMe1DdaGGPFs1r8hHrtHAfF2FiSyhmyXkriiRTtSg/VXnb+c3gWhMpWVA H1yTqvT+0GkIO9DC6kZxJsxALT6q9N53kUCkJ8qf+vztpcjU6YKyirtdffsOwU/+njdw YzsIHQC1bxhGxYBzcwbRurnlY56OOelXGI8vI4vlCpop/EkzOlWOb7tSYb14BzoGlYRv P9P0+alh7wmfP7b+0Sgsye2oKuKp/4XTPDD9Rk7DL9njbIpvdbY+EUqxCaKmAya998iG a8rBsvBmi9Uo8oF07qFaA1fwy9+WlS8csSPX3djeXo1x2RzLNE4aevLz1eYac40qyCki YmmA==
X-Gm-Message-State: AOJu0YzKkswfqhSN443zZht19E3ZW68GATG1ETI+hF0bNtpd4VTz0upa emeabN/DWBCxSQtjOa4qtePqRS1f8fyJ97d60mQ95oKysLVT4i+YbEow8otRGQgULGhqyCQD9L+ g05s24oYEq2gzm/eIS5lrxXawffA=
X-Gm-Gg: ASbGncsifzURgKDc2ysZxpT7UMT1ZyjXaNDhtGkJJYuHf1IY1ASfWatupbMgXhf+6JP 8ww5N8772S4suFnZgBpsBTzuHRTUFN2EW1izAl0ES8D3mGS0mngu8Hn+P8IxpYW9f9/uKQWmqUi 2jPQZfzttnuOdVP4+AvjzmEsH8LV41aA==
X-Google-Smtp-Source: AGHT+IHCeamBJUs7lgSz4H5pDt6ELH8TX65cuAWEc4lvFQBqXcwWMbRbuxsAXiwomQiS9G6jSU9BSu1ARgneCMbKw+w=
X-Received: by 2002:a05:6402:5298:b0:5d9:fbb5:9ee with SMTP id 4fb4d7f45d1cf-5dcdb71299bmr6294350a12.13.1738804893322; Wed, 05 Feb 2025 17:21:33 -0800 (PST)
MIME-Version: 1.0
References: <CADNypP_kmt2PdOJoUa+TNpYHYbfdyv+j2pteSaHsrPk4oxdqFw@mail.gmail.com>
In-Reply-To: <CADNypP_kmt2PdOJoUa+TNpYHYbfdyv+j2pteSaHsrPk4oxdqFw@mail.gmail.com>
From: Rohan Mahy <rohan.mahy@gmail.com>
Date: Wed, 05 Feb 2025 17:21:22 -0800
X-Gm-Features: AWEUYZlFHONhQBiVKEpsujBiOiJuGBP-t7gy2lwCCMHqrZ-EFmZRsnFkl92qLE0
Message-ID: <CAKoiRuadWywURt0BuXb3yLU1Mo-nq95WGHov0dbghr2W4ND9Vw@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000001670062d6f1078"
Message-ID-Hash: WJ2TAIPLURG2KUHKYBZRTCQIO6FVMPJW
X-Message-ID-Hash: WJ2TAIPLURG2KUHKYBZRTCQIO6FVMPJW
X-MailFrom: rohan.mahy@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: WGLC for Token Status List
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/e9f5UGbaJkMVEysGb6DXeJIpZfw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hi,
I support the overall goals of this document. I do *not* think the document
was ready for WGLC; at minimum there are still plenty of TBDs and TODOs in
the text. Below are some comments:

1. I would prefer we make the document standards track instead of
informational.

2. You have to read through to section 6.2 to see how a verifier determines
the index of a token it receives in the status value array. Please add one
sentence in the Introduction saying that the index is in the referenced
token. You could even update the diagram to reflect this.

3. The document uses status_list (JSON object) and StatusList (CBOR map) to
refer to the map, but Status List seems to be used to refer to both the
compressed byte string (in Section 5) and the uncompressed byte array of
status values (in Section 4 step 2, and Section 4.1 2nd sentence).

4. CRLs (Certificate Revocation Lists) are a list of the serial numbers of
every invalidated certificate (with a reason code). While a compressed 1 or
2 bit status per token tends to be very compact per issued token, it would
be useful for the draft to show an analysis of what percentage of issued
tokens would need to be invalid before a status list would be smaller than
a CRL-like structure that only references invalid indexes in a (possibly
compressed) ordered list (assuming randomly distributed invalidations).

5. There is no discussion of maximum or recommended limits to the size of a
Status List. Starting ambitiously, idx is a JSON Number, so we should
probably follow the recommendation in
https://datatracker.ietf.org/doc/html/rfc8259#section-6 and say it MUST NOT
be larger than (2^53) - 1, but a 1-bit status list with that many indexes
would be 10TB with > 10:1 compression. I think the document needs to define
a reasonable maximum size, and could allow profiles to make that smaller.

6. I think it is a mistake to compress the entire status_list (JSON object)
or StatusList (CBOR map). Instead it would be better to compress just the
status value array (the "lst" field).

   - Naive implementations might try to decompress the entire object/map to
   get the bit field before trying to read the array.
   - If you make the "lst" field an uncompressed byte string in JSON, it
   will need to be base64url encoded *before* you compress it. Then the
   status_list object would need to be base64url encoded again. That's
   wasteful and accomplishes nothing as far as I can tell.
   - Because JSON maps and CBOR maps are encoded differently, compressing
   the object/map will make it hard to use a status list across token encoding
   environments. If only the contents of the "lst" field was compressed, it
   would allow an issuer to generate JWT/CWT pairs with the same index and use
   one status list between them. (both would be invalidated together).

7. I am surprised by some details of the CBOR encoding:

   - Traditionally, CWT maps have integer keys for comment values. Why not
   replace "bits" with 1, and "lst" with 2?
   - The document registers CWT claim keys 65534 and 65535. Why not ask for
   unused numbers in the 24-256 range?
   - It wasn't immediately clear from the text that the status list is a
   bstr encoding of the compressed serialized map. If we implement my
   recommendation in #6, this problem goes away.

8. There should be a CDDL snippet for the CBOR. I would be happy to provide
one once points 6 and 7 are addressed.

9. I think it will be important for implementers to have some advice on
constructing a logical scope for Referenced Tokens to be interoperable, so
that issuers have good practices for recycling indexes. For example if all
the tokens with the same status list URL have roughly the same duration of
validity, cycling through URL paths would eventually allow reuse after all
previously referenced tokens had expired.
Is it ok to generate a Status List for 100 tokens, then generate a new
Status List with the same "referenced token scope" that covers 200 tokens
(including the first 100 tokens)? If so, that would be good to say.

10. NIT: Section 6.3 refers to status_list but I think you mean StatusList

Thanks,
-rohan

On Thu, Jan 2, 2025 at 5:53 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
wrote:

> All,
>
> This is a WG Last Call for the *Token Status List *document.
> https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/
>
> Please, review this document and reply on the mailing list if you have any
> comments or concerns, by *Jan 17th*.
> Note that this document will be discussed during the OAuth WG *interim*
> on *Jan 13th*.
>
> Regards,
>   Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>

v2.29.0 | Report a Bug | By Email | System Status