[OAUTH-WG] draft-ietf-oauth-revocation-04

"Donald F Coffin" <donald.coffin@reminetworks.com> Tue, 29 January 2013 20:29 UTC

Return-Path: <donald.coffin@reminetworks.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 4B8D021F881E for <oauth@ietfa.amsl.com>; Tue, 29 Jan 2013 12:29:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Status: No, score=x tagged_above=-999 required=5 tests=[]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id OF6eRncMUWQq for <oauth@ietfa.amsl.com>; Tue, 29 Jan 2013 12:29:27 -0800 (PST)
Received: from oproxy9.bluehost.com (oproxy9.bluehost.com []) by ietfa.amsl.com (Postfix) with SMTP id 42D0221F881D for <oauth@ietf.org>; Tue, 29 Jan 2013 12:29:25 -0800 (PST)
Received: (qmail 13600 invoked by uid 0); 29 Jan 2013 20:28:59 -0000
Received: from unknown (HELO host125.hostmonster.com) ( by oproxy9.bluehost.com with SMTP; 29 Jan 2013 20:28:59 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=reminetworks.com; s=default; h=Content-Type:MIME-Version:Message-ID:Date:Subject:Cc:To:From; bh=2/liaoMNkgoZBNq3AskoJQCvu1VFhMSOxCxuQCU7udA=; b=n3P19W/cTDJ8naDNxMiBkH+lrM+qloAN9b9yIrtGLvMsBc8yvMvSauaG9Qq+8ZlC4VeC1KJ2/fZcT35F5eYALaF/7dlfv5sxWVxwCcW69yIMl/FrmzD/10fE9lOHvoX0;
Received: from [] (port=3643 helo=HPPavilionElite) by host125.hostmonster.com with esmtpa (Exim 4.80) (envelope-from <donald.coffin@reminetworks.com>) id 1U0Hnd-0004sX-7q; Tue, 29 Jan 2013 13:28:59 -0700
From: Donald F Coffin <donald.coffin@reminetworks.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Tue, 29 Jan 2013 12:28:05 -0800
Message-ID: <006401cdfe5f$2555f170$7001d450$@reminetworks.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0065_01CDFE1C.173597A0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac3+XySLX08nTz+qSIW8wO67JUHy7w==
Content-Language: en-us
X-Identified-User: {1395:host125.hostmonster.com:reminetw:reminetworks.com} {sentby:smtp auth authed with donald.coffin@reminetworks.com}
Cc: John Adkins <jva2@pge.com>, Scott Crowder <scott.crowder@qadoenergy.com>, Dave Robin <drobin@automatedlogic.com>, John Teeter <john.teeter@peoplepowerco.com>, pmadsen@pingidentity.com, Edward Denson <ewd7@pge.com>, Marty Burns <marty@hypertek.us>, Uday Verma <uday.verma@ilinknet.com>, Ray Perlner <ray.perlner@nist.gov>, Anne Hendry <ahendry2@gmail.com>, Lynne Rodoni <mrodoni@semprautilities.com>, oauth@ietf.org
Subject: [OAUTH-WG] draft-ietf-oauth-revocation-04
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jan 2013 20:29:27 -0000

Hi Thorsten,


I am working with the OpenADE Task Force to document how the "Energy Service
Provider Interface (ESPI) Standard " published by the North American Energy
Standards Board (NAESB) in October of 2011 should be implemented.  The ESPI
Standard defines how Retail Customers, Third Party applications, and Data
Custodians (i.e. electrical, gas, or water utility) must interface to each
other and the data format used to exchange energy information.   The
interface between the Retail Customer and the Data Custodian is known as
"Download My Data", which defines how a Retail Customer receives their
energy information in an XML file downloaded to them by the Data Custodian.
The interface between the Third Party application and the Data Custodian is
known as "Connect My Data", which defines the message exchanges between the
Third Party application and the Data Custodian to allow the Third Party to
access data at the Data Custodian after a Retail Customer has granted the
Third Party application access.


It is my responsibility within the OpenADE Task Force to document the
integration of the OAuth 2.0 protocol with the ESPI Standard.  Since the
ESPI Standard requires Retail Customers, Third Party applications, and Data
Custodians to revoke Tokens (i.e. Access and Refresh Tokens) I am very
interested in the "Token Revocation (draft-ietf-oath-revocation-xx)" work
being done by you and your working group. 


Token Revocation Request


The Token Revocation request has only the "token" parameter with the
description that the authorization server is supposed to detect the token
type automatically.  I would like to request that an addition parameter
"token_type" be added to the request.  The "token_type" parameter could be
optional and would define the type of token being revoked (i.e. "access",
"refresh", "registration access", etc.).


The ESPI Standard was developed to support the Advanced Meter Interface
(AMI) which is the interface used by "Smart Meters" to provide automated
energy usage collection and other operational information about a Retail
Customer's residence to their Data Custodian.  Third Party applications will
be required to obtain the approval if each Retail Customer that has had a
"Smart Meter" installed before they will be able to access the data provided
by their "Smart Meter".  The number of "Smart Meters" currently installed at
the three largest California utilities (Pacific Gas & Electric, Southern
California Edison, and San Diego Gas & Electric) is in excess of 10.0 M and
growing.  The following table indicates the number of "Smart Meters" each of
the three utilities had installed as of May 2012:



"Smart Meters" Installed

Pacific Gas & Electric (PG&E)


San Diego Gas & Electric (SDG&E)


Southern California Edison (SCE)



The numbers in the chart were taken from the "Utility-Scale Smart Meter
Deployments, Plans, & Proposals -- IEE Report" published May 2012 by The
Edison Foundation Institute for Electric Efficiency" which I have attached.
The number of "Smart Meters" currently installed are even larger than shown
in the report as I compose this email.  Assuming 10% of Pacific Gas &
Electric's Retail Customers decide to utilize a Third Party application (3
Third Party applications are currently supported and are 3 more Third Party
applications are preparing to be supported) in order to support the ability
to revoke a token they would be required to track 500,000 access tokens and
500,000 refresh tokens.  Requiring PG&E's authorization server to
"automatically" determine the type of Token being revoked begins to
negatively impact their processing capability.  If the Token Revocation
request was capable of indicating the type of Token to be revoked, the
amount of time it will take PG&E's authorization server would show a
significant time savings to process the request.


Authorization Server Revocation Policy



      6.       Does the revocation of the access token also revoke the
refresh token (if it was provided) ? Or is this a revocation policy decision


- if the token passed to the request is a refresh token and the server
supports access token revocation, the server SHOULD also revoke them.
- if the token passed to the request is an access token, the server may
decide to revoke the respective refresh token as well.


I believe that if the token passed in the request is an access token, the
server MUST revoke any respective refresh token.  Otherwise, their exist a
potential security risk of the respective refresh token being used to gain
access to the resources for which the access token was issued.  It also
means the authorization server will have potential "junk" in the refresh
token file to search through for any additional Token Revocation request.


I look forward to receiving your response.


Best regards,


Donald F. Coffin



REMI Networks

22751 El Prado Suite 6216

Rancho Santa Margarita, CA  92688-3836


Phone:      (949) 636-8571

Email:       donald.coffin@reminetworks.com