Re: [OAUTH-WG] [Ace] [COSE] A draft on CBOR Web Tokens (CWT)

Hannes Tschofenig <hannes.tschofenig@gmx.net> Sun, 15 November 2015 18:41 UTC

To: William Denniss <wdenniss@google.com>, Erik Wahlström neXus <erik.wahlstrom@nexusgroup.com>
References: <53BB1987-979C-4945-9C7D-CDB6619AEFFC@nexusgroup.com> <5644EC40.4010002@tzi.org> <73929C18-A3E7-4ACA-A6DC-5A7AD7576C9B@nexusgroup.com> <CAAP42hAWfBRKw-3OM1dPkgK40Af4KVBaVdhzdAGhon=VFV6LSA@mail.gmail.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <5648D1BA.4050109@gmx.net>
Date: Sun, 15 Nov 2015 19:40:58 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: <CAAP42hAWfBRKw-3OM1dPkgK40Af4KVBaVdhzdAGhon=VFV6LSA@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="v45I75QNUTv0ruRI9p7HAqSNBwwrE7ebv"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ps717rGFa3QoMv7KcgmMUoMPaVg>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Carsten Bormann <cabo@tzi.org>, "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [Ace] [COSE] A draft on CBOR Web Tokens (CWT)

[only posting to OAuth list]

Hi William,

thanks for your quick review comments.


On 11/13/2015 04:19 AM, William Denniss wrote:
> Regarding the draft itself, a few comments:
> 
> 1. 
> Can we unify the claim registry with JWT? I'm worried about having the
> same claims defined twice in CWT and JWT with possibly conflicting
> meanings (and needless confusion even when they do match). 
> 
> Comparing https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-3.1.2
> and https://tools.ietf.org/html/rfc7519#section-4.1.2 which are nearly
> identical, I just don't see the value in re-defining it.
> 
> We may add new standard claims to JWT in the future (I proposed one
> <https://mailarchive.ietf.org/arch/search/?email_list=id-event&gbt=1&index=7qNUnaE9lt2LyayMnmNyWpZSIEM> in
> Yokohama on the id-event list
> <https://www.ietf.org/mailman/listinfo/id-event>), it would be good if
> this didn't need a separate entry in CWT too, but could just apply
> directly (separately, I think you should consider this claim, as it
> helps prevent tokens from being re-used in the wrong context).
> 

For this IANA registry issue we have essentially two options:

a) Single registry: JWT and CWT claims listed in the same registry

b) Separate registries for JWT claims and for CWT claims.

The drawback of using two registries is the additional effort of
registering many, if not all, claims twice (with the risk of getting
them misaligned). The advantage is to avoid confusion when some entries
are only applicable to the CWT or the JWT registry, respectively.

Note that we had the same question with regard to the token
introspection registry* where I argued that we should use a single
registry and we ended up defining two registries in the end.

In this specific case I believe there is value in using one registry
only, since I don't see a reason for web and smart phone apps not to use
the CBOR-based encoding. During the last few years I have witnessed a
lot of activities that aimed to reduce the message size of protocols
used in the mobile space.

(*): I believe that Erik should update his token introspection draft
(see
https://tools.ietf.org/html/draft-wahlstroem-ace-oauth-introspection-01)
by registering the CWT claims in the registry defined for token
introspection.

> 2.
> Is Section 4 "Summary of CBOR major types used by defined claims"
> normative
> (https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-4)?
> What is the intention of this section? I feel like it could probably be
> fleshed out a bit.


Maybe that section is not well motivated and should rather be placed
in the IANA considerations section instead. All it does is summarize
the CBOR-relevant information in a table.


> 
> 3. 
> Add a xref to draft COSE spec in section 6
> <https://tools.ietf.org/html/draft-wahlstroem-oauth-cbor-web-token-00#section-6>
> Add xref to RFC7519

Missing references will be fixed.

Ciao
Hannes

> 
> On Thu, Nov 12, 2015 at 12:01 PM, Erik Wahlström neXus
> <erik.wahlstrom@nexusgroup.com <mailto:erik.wahlstrom@nexusgroup.com>>
> wrote:
> 
>     Hi Carsten,
> 
>     Thanks, and I agree. I’ve heard arguments for all three work groups.
> 
>     Borrowed some of your words to define the content of the draft :)
>     It's essentially a JWT, phrased in and profiled for CBOR to
>     address ACE needs, where OAuth needs COSE functionality, for object
>     security.
> 
>     I'm open for letting the ADs move it around, but having it right
>     next to JWT seems right to me. Also open for the ACE WG. Feel it has
>     less place in COSE for the same reasons JWT is not in the JOSE WG.
> 
>     / Erik
> 
> 
>     > On 12 Nov 2015, at 20:45, Carsten Bormann <cabo@tzi.org <mailto:cabo@tzi.org>> wrote:
>     >
>     > Hi Erik,
>     >
>     > having this draft is a good thing.
>     >
>     > One thing I'm still wondering is what WG is the best place to progress
>     > this.  We probably don't need to spend too much time on this because,
>     > regardless of the WG chosen, the people in another WG can look at it.
>     > Still, getting this right might provide some efficiencies.
>     >
>     > What is the technical content of this draft?  Is it a new token that
>     > OAuth needs specifically for the new COSE-based applications of OAuth?
>     > Is it a new token that is specifically there for addressing ACE needs?
>     > Or is it essentially the same substance as JWT, but phrased in and
>     > profiled for CBOR?
>     >
>     > Depending on the answer, CWT should be done in OAuth, ACE, or COSE.
>     > (I'd rather hear the answer from the authors than venture a guess
>     > myself.)
>     >
>     > Grüße, Carsten
>     >
>     >
>     >
>     > Erik Wahlström neXus wrote:
>     >> Hi,
>     >>
>     >> In the ACE WG a straw man proposal of a CBOR Web Token (CWT) was
>     >> defined in the draft "Authorization for the Internet of Things using
>     >> OAuth 2.0" [1]. We just broke out the CBOR Web Token into a separate
>     >> draft and the new draft is submitted to the OAUTH WG. It can be found
>     >> here:
>     >>
>     >> https://datatracker.ietf.org/doc/draft-wahlstroem-oauth-cbor-web-token/
>     >>
>     >> Abstract:
>     >> "CBOR Web Token (CWT) is a compact means of representing claims to be
>     >> transferred between two parties.  CWT is a profile of the JSON Web
>     >> Token (JWT) that is optimized for constrained devices. The claims in a
>     >> CWT are encoded in the Concise Binary Object Representation (CBOR) and
>     >> CBOR Object Signing and Encryption (COSE) is used for added application
>     >> layer security protection.  A claim is a piece of information asserted
>     >> about a subject and is represented as a name/value pair consisting of
>     >> a claim name and a claim value."
>     >>
>     >> / Erik
>     >>
>     >>
>     >> [1] https://tools.ietf.org/html/draft-seitz-ace-oauth-authz-00
>     >>
>     >>
>     >> _______________________________________________
>     >> COSE mailing list
>     >> COSE@ietf.org <mailto:COSE@ietf.org>
>     >> https://www.ietf.org/mailman/listinfo/cose
> 
> 
> 
> 
> 
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
>
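Added example, not part of the thread or of the draft under discussion: the abstract quoted above describes a CWT as a claims set encoded in CBOR with COSE for application-layer protection, and William's first point is that the claims are the JWT claims under a different encoding. The Python below (standard library only) encodes one constructed claims set both as a JWT payload and as a CWT payload, wraps the CWT in COSE_Mac0 with HMAC-SHA256, and verifies it on the receiving side. Assumptions: the integer claim keys are the ones later registered for CWT in RFC 8392 (the draft-00 numbers are not quoted on this page), the COSE_Mac0 layout and the HMAC 256/256 algorithm id 5 are taken from the COSE specification as published (RFC 8152), and the claim values, key and timestamps are constructed for the demo.

```python
"""Added example (not from the draft or the thread): one claims set as a JWT
payload and as a CWT payload, the CWT under COSE_Mac0 (HMAC-SHA256), and the
receiver-side check.  Standard library only; the CBOR codec covers what a CWT needs."""
import base64, hashlib, hmac, json, struct

# Integer claim keys as registered for CWT in RFC 8392.  Assumption: the draft-00
# numbering discussed in the thread matches; the page itself quotes no numbers.
CWT_KEYS = {"iss": 1, "sub": 2, "aud": 3, "exp": 4, "nbf": 5, "iat": 6, "cti": 7}
COSE_ALG_HMAC256 = 5   # COSE algorithm id "HMAC 256/256" (RFC 8152)
COSE_MAC0_TAG = 17     # CBOR tag for a COSE_Mac0 structure (RFC 8152)

def _head(major, n):
    """CBOR initial byte plus the shortest argument encoding (RFC 7049 section 2)."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([(major << 5) | ai]) + struct.pack(fmt, n)
    raise ValueError("integer too large for CBOR")

def cbor_encode(v):
    if isinstance(v, int): return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes): return _head(2, len(v)) + v
    if isinstance(v, str): return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list): return _head(4, len(v)) + b"".join(map(cbor_encode, v))
    if isinstance(v, dict):  # canonical order: shorter encoded key first, then bytewise
        items = sorted(((cbor_encode(k), cbor_encode(x)) for k, x in v.items()),
                       key=lambda kv: (len(kv[0]), kv[0]))
        return _head(5, len(v)) + b"".join(k + x for k, x in items)
    raise TypeError("unsupported type %r" % type(v))

def cbor_decode(b, i=0):
    """Return (value, next_offset); a tagged item comes back as (tag_number, value)."""
    major, ai, i = b[i] >> 5, b[i] & 31, i + 1
    if ai < 24: n = ai
    elif ai <= 27: w = 1 << (ai - 24); n, i = int.from_bytes(b[i:i + w], "big"), i + w
    else: raise ValueError("indefinite-length or reserved item")
    if major == 0: return n, i
    if major == 1: return -1 - n, i
    if major == 2: return bytes(b[i:i + n]), i + n
    if major == 3: return b[i:i + n].decode("utf-8"), i + n
    if major == 6: inner, i = cbor_decode(b, i); return (n, inner), i
    if major not in (4, 5): raise ValueError("unsupported CBOR item")
    out = [] if major == 4 else {}
    for _ in range(n):
        item, i = cbor_decode(b, i)
        if major == 4: out.append(item)
        else: out[item], i = cbor_decode(b, i)
    return out, i

def cwt_claims(claims):
    """Claims set as a CBOR map keyed by the integer claim keys."""
    return cbor_encode({CWT_KEYS[name]: val for name, val in claims.items()})

def jwt_claims(claims):
    """Same claims as the base64url(JSON) payload of a JWT (RFC 7519); JSON has
    no byte strings, so cti travels hex-encoded in jti."""
    j = {("jti" if k == "cti" else k): (v.hex() if isinstance(v, bytes) else v)
         for k, v in claims.items()}
    raw = json.dumps(j, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _mac(key, protected, payload):
    # MAC_structure = ["MAC0", protected, external_aad, payload] (RFC 8152 section 6.3)
    return hmac.new(key, cbor_encode(["MAC0", protected, b"", payload]), hashlib.sha256).digest()

def cose_mac0(payload, key):
    """COSE_Mac0 = [protected, unprotected, payload, tag] under CBOR tag 17."""
    protected = cbor_encode({1: COSE_ALG_HMAC256})   # header label 1 = alg
    return _head(6, COSE_MAC0_TAG) + cbor_encode([protected, {}, payload, _mac(key, protected, payload)])

def verify_cwt(token, key, now):
    """Receiver side: check the tag, pin the algorithm, recompute the MAC over the
    protected header as transmitted, then enforce exp/nbf.  Returns claims by name."""
    (tag, body), end = cbor_decode(token)
    if tag != COSE_MAC0_TAG or end != len(token) or len(body) != 4:
        raise ValueError("not a COSE_Mac0")
    protected, _unprotected, payload, mac = body
    if cbor_decode(protected)[0].get(1) != COSE_ALG_HMAC256:
        raise ValueError("unexpected alg")   # the token does not get to choose the algorithm
    if not hmac.compare_digest(_mac(key, protected, payload), mac):
        raise ValueError("bad MAC")
    names = {v: k for k, v in CWT_KEYS.items()}
    claims = {names.get(k, k): v for k, v in cbor_decode(payload)[0].items()}
    if now >= claims.get("exp", float("inf")) or now < claims.get("nbf", 0):
        raise ValueError("token not valid at this time")
    return claims

# Constructed sample claims and key (demo values, not from the draft).
SAMPLE_CLAIMS = {"iss": "coap://as.example.com", "sub": "sensor-17",
                 "aud": "coap://light.example.com", "exp": 1447612800,
                 "nbf": 1447609200, "iat": 1447609200, "cti": bytes.fromhex("0b71")}
SAMPLE_KEY = b"constructed-32-byte-demo-key-00!"

def sizes(claims=SAMPLE_CLAIMS):
    """Byte counts of the two payload encodings, for the compactness argument."""
    return {"jwt_payload": len(jwt_claims(claims)), "cwt_payload": len(cwt_claims(claims))}
```

`sizes()` gives the byte counts of the two payload encodings of the same claims, and `verify_cwt(cose_mac0(cwt_claims(SAMPLE_CLAIMS), SAMPLE_KEY), SAMPLE_KEY, now=1447610000)` returns the claims by name. Two points a practitioner would want on the receiving side: the algorithm is pinned to the one the receiver expects rather than taken on trust from the token, and the MAC is recomputed over the protected-header bytes exactly as transmitted, since those bytes are part of the MAC input.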