Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)

Bill Mills <wmills_92105@yahoo.com> Tue, 17 November 2015 17:52 UTC

Date: Tue, 17 Nov 2015 17:52:10 +0000
From: Bill Mills <wmills_92105@yahoo.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, William Denniss <wdenniss@google.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ntEQ-jMVclSXI6M60ATItW78_WM>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [COSE] A draft on CBOR Web Tokens (CWT)

Is a data type mapping from JWT to CBOR sufficient then?


On Monday, November 16, 2015 11:26 PM, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:

Hi William,

You are indeed correct that the current document contains a list of one-by-one copies of claims from the JWT. The only difference is the data type. Probably it would have been better to just reference the semantic from the JWT spec and then state the new data type.

I fully understand the concern of defining CWT claims that have the same name as JWT claims but then different semantic. This would be terribly confusing.

Ciao
Hannes

From: William Denniss [mailto:wdenniss@google.com]
Sent: 16 November 2015 22:32
To: Hannes Tschofenig
Cc: Erik Wahlström neXus; Carsten Bormann; Mike Jones; <oauth@ietf.org>
Subject: Re: [COSE] A draft on CBOR Web Tokens (CWT)

You raise some good points, and perhaps that is relevant to future claims. The spec as drafted, is a one-for-one copy of the standard JWT claims, which is why I raised this point.

Is the goal a CBOR representation of a JWT? If so, can it be defined in terms of a JWT? Would the CNF claim then inherit that representation (treating the JWE and JWK as their CBOR equivalents)?

Perhaps if you go the separate registry route, those claims that *are* defined the same should at least normatively reference JWT? I want to avoid the whole "on behalf of" / "act as" fiasco where things can get re-defined, and muddled.

On Mon, Nov 16, 2015 at 7:09 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:

Hi William,

I have been trying to do a document update to see how well a combined registry works and I have been wondering whether it is really worth the effort. To make a good judgment I looked at the CNF claim defined in draft-ietf-oauth-proof-of-possession. The CNF claim may contain sub-elements, such as a JWE or a JWK.

If we translate the same mechanisms to the CWT (which makes sense) then we need to point to the respective COSE structures instead. Those do not only use a different encoding but also the functionality does not match the JOSE structures 100%. So, there are potentially differences. I am also not sure whether we really want to translate the full functionality of all the claims from JWT over to the CWT equivalent. It basically puts the burden on someone defining new claims (either in JWT or in CWT) to create the corresponding structures in a format they may not necessarily be familiar with or even care about. I have seen that happening in the RADIUS world protocol designers had to also define the equivalent structures for use with Diameter and, guess what, most of the definitions were wrong (since the authors did not care about Diameter when working on RADIUS).

Ciao
Hannes

From: William Denniss [mailto:wdenniss@google.com]
Sent: 12 November 2015 19:19
To: Erik Wahlström neXus
Cc: Carsten Bormann; Hannes Tschofenig; Mike Jones; cose@ietf.org; <oauth@ietf.org>; ace@ietf.org
Subject: Re: [COSE] A draft on CBOR Web Tokens (CWT)

Regarding the draft itself, a few comments:

1. Can we unify the claim registry with JWT? I'm worried about having the same claims defined twice in CWT and JWT with possibly conflicting meanings (and needless confusion even when they do match).

Comparing https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-3.1.2 and https://tools.ietf.org/html/rfc7519#section-4.1.2 which are nearly identical, I just don't see the value in re-defining it.

We may add new standard claims to JWT in the future (I proposed one in Yokohama on the id-event list), it would be good if this didn't need a separate entry in CWT too, but could just apply directly (separately, I think you should consider this claim, as it helps prevent tokens from being re-used in the wrong context).

2. Is Section 4 "Summary of CBOR major types used by defined claims" normative (https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-4)? What is the intention of this section? I feel like it could probably be fleshed out a bit.

3. Add a xref to draft COSE spec in section 6 Add xref to RFC7519

On Thu, Nov 12, 2015 at 12:01 PM, Erik Wahlström neXus <erik.wahlstrom@nexusgroup.com> wrote:

Hi Carsten,

Thanks, and I agree. I’ve heard arguments for all three work groups.

Borrowed some of your words to define the content of the draft :)
It’s essentially a JWT, phrased in and profiled for CBOR to address ACE needs, where OAuth needs COSE functionality, for object security.

I’m open for letting the AD’s move it around, but having it right next to JWT seems right to me. Also open for the ACE WG. Feel it has less place in COSE for the same reasons JWT is not in the JOSE WG.

/ Erik 

> On 12 Nov 2015, at 20:45, Carsten Bormann <cabo@tzi.org> wrote:
>
> Hi Erik,
>
> having this draft is a good thing.
>
> One thing I'm still wondering is what WG is the best place to progress
> this.  We probably don't need to spend too much time on this because,
> regardless of the WG chosen, the people in another WG can look at it.
> Still, getting this right might provide some efficiencies.
>
> What is the technical content of this draft?  Is it a new token that
> OAuth needs specifically for the new COSE-based applications of OAuth?
> Is it a new token that is specifically there for addressing ACE needs?
> Or is it essentially the same substance as JWT, but phrased in and
> profiled for CBOR?
>
> Depending on the answer, CWT should be done in OAuth, ACE, or COSE.
> (I'd rather hear the answer from the authors than venture a guess myself.)
>
> Grüße, Carsten
>
>
>
> Erik Wahlström neXus wrote:
>> Hi,
>>
>> In the ACE WG a straw man proposal of a CBOR Web Token (CWT) was defined
>> in the draft "Authorization for the Internet of Things using OAuth 2.0”
>> [1]. We just broke out the CBOR Web Token into a separate draft and the
>> new draft is submitted to the OAUTH WG. It can be found here:
>>
>> https://datatracker.ietf.org/doc/draft-wahlstroem-oauth-cbor-web-token/
>>
>> Abstract:
>> "CBOR Web Token (CWT) is a compact means of representing claims to be
>> transferred between two parties.  CWT is a profile of the JSON Web Token
>> (JWT) that is optimized for constrained devices. The claims in a CWT are
>> encoded in the Concise Binary Object Representation (CBOR) and CBOR
>> Object Signing and Encryption (COSE) is used for added application layer
>> security protection.  A claim is a piece of information asserted about a
>> subject and is represented as a name/value pair consisting of a claim
>> name and a claim value."
>>
>> / Erik
>>
>>
>> [1] https://tools.ietf.org/html/draft-seitz-ace-oauth-authz-00
>>
>>
>> _______________________________________________
>> COSE mailing list
>> COSE@ietf.org
>> https://www.ietf.org/mailman/listinfo/cose

-- IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.    


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth