[OAUTH-WG] Transaction tokens draft-ietf-oauth-transaction-tokens-01 - my comments
"yaronf.ietf@gmail.com" <yaronf.ietf@gmail.com> Mon, 25 March 2024 03:23 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3022C14F609 for <oauth@ietfa.amsl.com>; Sun, 24 Mar 2024 20:23:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.462
X-Spam-Level:
X-Spam-Status: No, score=-0.462 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_06_12=1.543, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AzTwXCMIIXqR for <oauth@ietfa.amsl.com>; Sun, 24 Mar 2024 20:23:00 -0700 (PDT)
Received: from mail-ej1-x633.google.com (mail-ej1-x633.google.com [IPv6:2a00:1450:4864:20::633]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E19A8C14F603 for <oauth@ietf.org>; Sun, 24 Mar 2024 20:23:00 -0700 (PDT)
Received: by mail-ej1-x633.google.com with SMTP id a640c23a62f3a-a4751063318so98040766b.0 for <oauth@ietf.org>; Sun, 24 Mar 2024 20:23:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711336977; x=1711941777; darn=ietf.org; h=content-transfer-encoding:to:message-id:thread-topic:subject:from :date:mime-version:from:to:cc:subject:date:message-id:reply-to; bh=sXP3PZan7VmajAVyJrOICyuPDhK733dML8Igg86PAbk=; b=Ei5/J68PZe8AA2wzBI+Oq8ZmASBuzyv0oS0ZCBdIvY+hRMJzmbkuVaMXAnkAAbToqF PfwA2RByQdJvCdIkBgFFmKZBTzVozInQmp1RddvHnEbJulCsBagFIL1ewSIU8gEF15Cw uUbwadydnFHvWSieOWXLsjtcUGK8puNquMSwAPKpdyU7hYa1qzyJmaNA7TA3QcxotQ2+ /SZEGd+nj9YzGHza9OJpIXwnrRvl7teS5w+OOeEktmHlnNaBTgyvADQsNhjX91LwqB9N QP5wWZ2yG7GAJqg5MtzzI8YpjGB8pBoaFtbOsMEHFwNcJXk/qdLT+Qq5EiToRJXwvyfG YA3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711336977; x=1711941777; h=content-transfer-encoding:to:message-id:thread-topic:subject:from :date:mime-version:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=sXP3PZan7VmajAVyJrOICyuPDhK733dML8Igg86PAbk=; b=tGtvhf/sjQ7Nc4CXkW16CVfvZ4HeVYuyfj+qrMZ+hCrL70ssHUPD8tij1Pp1YBhBjH PnHcCcQ2JaKbCo/TkeUVTNTLU9IPPwrSoB6y6ULvGF5ytPfvi2U3OtwjInVEoHiZfTV5 vJTs4Lfz1quHFdtt6IAEjzFEay/dOJddAFzdXDNpTtzSB0ZaroVhh0V/Iv8jH9fZE1Bt ZWnAhr9aSolF8HS/PLkbCoiWKvq8qerxumTtIrjOzjOebr6Ysm3a8SFR5hjMwZJCFyua b2x98/AauiDQuuU585J6mgzp/ruI5yuBgTRm1lkOnaEL5ZbzF3P2VPf6kKy9hipEQiGt MraQ==
X-Gm-Message-State: AOJu0YxXZcwrtdrLGTDioAr/9QjhiMOuXapuGWtKR4to2H71Fzd2u3/G JZoGYNuLplVZ2TiWe+2GLReekQXGA+t0tlQzeJu1Qpl60XrzYjA2ppGlVDN4gCQh2w==
X-Google-Smtp-Source: AGHT+IFWIHNVoyWrReSk+zeWDcfkVu1VqTz5Cjkopgtrw+GVwJxvfgAtjDqQcRUnYDGmccIzhNKyLA==
X-Received: by 2002:a17:907:a088:b0:a4a:3403:342e with SMTP id hu8-20020a170907a08800b00a4a3403342emr1097297ejc.56.1711336976865; Sun, 24 Mar 2024 20:22:56 -0700 (PDT)
Received: from macos-F7LQR2FV6V ([5.195.34.6]) by smtp.gmail.com with ESMTPSA id la5-20020a170907780500b00a45621ded4bsm2589797ejc.146.2024.03.24.20.22.55 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 24 Mar 2024 20:22:56 -0700 (PDT)
MIME-Version: 1.0
Date: Mon, 25 Mar 2024 07:22:50 +1000
From: "yaronf.ietf@gmail.com" <yaronf.ietf@gmail.com>
Thread-Topic: Transaction tokens draft-ietf-oauth-transaction-tokens-01 - my comments
Message-ID: <C47E13AB-306C-1C48-A16E-C380020E53AC@hxcore.ol>
To: "oauth@ietf.org" <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/qPxczdlhrkWbAu6eD8VmMmqRZj8>
Subject: [OAUTH-WG] Transaction tokens draft-ietf-oauth-transaction-tokens-01 - my comments
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2024 03:23:04 -0000
I had a long flight and I’m still not there yet… But had time to review this draft.
Thanks authors, this is important and useful work. It’s also quite early, so I have a long list of comments below.
- Intro: for "workloads", I suggest to add a reference to the WinSE Architecture draft.
- 2.1: "the execution of a call" - I think most people prefer "call chain" for this, where "call" only refers to a single hop. (Granted this is more of a call tree rather than a call chain, but we use “call chain” anyway.)
- 2.4: additional signatures: I think this is a leftover from a previous version of the draft, and as far as I can tell it is not supported by this version. Suggest to remove it.
- 2.5.1: typo, "in an a multi-workload".
- Figures: what is a "µ-service" and why do we need Greek letters?
- 4: the terminology section is not a good place for normative language, specifically around the "aud" claim.
- 5.2: I think txn should be OPTIONAL. While it is very useful, there may be architectural reasons why transaction ID issuance in an organization is independent of transaction tokens.
- 5.2: "purp" - need a lot more discussion of this claim, also it may be OPTIONAL too. Also, why not call it "scope" if that's what it is?
- 5.2: how is "azd" different from "rctx"? There's a whole section about "rctx" and nothing about "azd".
- 5.2: extensibility: please say explicitly that arbitrary claims may be added to the "azd" (and "rctx"?) objects. There is no IANA registry for either. Note that having 3 predefined attributes complicates the situation a bit - what happens if we want a 4th one? Also mention that any additional attributes are local to the trust domain.
- 5.2: "sub" should be better clarified, this is not your typical “sub”. Also, I strongly prefer "sub_id" here (RFC 9493), as the use case I have an mind is of the subject as a human. In addition, "as defined by the
audtrust domain" is confusing, I think you want to say that "sub" is relative to the scope of the trust domain. - 7.1: the bullets are formatted incorrectly (see HTML version of the draft).
- 7.4.1: maybe say explicitly "MUST NOT change the "sub"', because in many use cases this is the most important/sensitive claim.
- 7.5: unfortunately SPIFFE is only secure for this when used in conjunction with MTLS, so please reword the sentence (or wait for WimSE to solve this problem).
- 7.5: SPIFFE - all caps.
- 8.1: and obviously we need an IANA section to define this HTML header.
- 10.1: salted SHA256.
- 10.1: also, in most cases txn tokens MUST NOT be logged because they contain PII (e.g. a subject that's an email address).
- 11.1: I think there is some confusion here. It is possibly useful to define this value (if we want to embed txn tokens within access tokens). But the "typ" header is a whole different thing, it needs to be a media type. See https://datatracker.ietf.org/doc/html/rfc8725#name-use-explicit-typing" target="_blank" rel="nofollow">https://datatracker.ietf.org/doc/html/rfc8725#name-use-explicit-typing
Thanks,
Yaron
- [OAUTH-WG] Transaction tokens draft-ietf-oauth-tr… yaronf.ietf@gmail.com
- Re: [OAUTH-WG] Transaction tokens draft-ietf-oaut… Atul Tulshibagwale