On 30/10/2018 19:52, Mike Jones wrote:
Thanks for your responses, Ludwig.

....

I could live with "access_token" having a single-byte
representation, since as you point out, it is needed for every ACE
OAuth interaction.  An "error" value is only needed when something
goes wrong, so that doesn't seem like a case that needs to be
optimized for space.  A two-byte "error" representation will only be
used when errors have occurred, so shouldn't be a problem.

-- Mike

-----Original Message----- From: Ace <ace-boun...@ietf.org> On Behalf


Thank you for the quick and comprehensive answer, Mike!

I conclude the following:

We are in agreement about giving "profile", "error", "token_type" and "grant_type" two-byte abbreviations in CBOR.

"scope" and "access_token" will get a one-byte abbreviation aligned with the unused numbers from CWT claims.

At IETF 103 I will propose the solution of registering all parameter abbreviations in the CWT claim registry in order to align abbreviations and avoid duplicate assignments.

If a signed request (and response) format is needed, I am all for using CWT in the context of ACE access token requests, responses and introspection requests and responses. I will take up that discussion at IETF 103.

I will propose to make "token_type" and "grant_type" OPTIONAL, deviating from the OAuth 2.0 specs and defining the default token type to be "PoP" and the default grant_type to be "client_credentials". This will avoid having to send grant_type with every access token request and token_type with every successful access token response.


Regards,

Ludwig


--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
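
The size arithmetic behind the thread, as an added example that is not part of either message or of the ACE draft: a minimal CBOR encoder (unsigned integers, byte strings, text strings and maps only) applied to a constructed token response and error response. The integer abbreviations in `ABBREV`, the token, the scope and the error value are constructed for illustration and are not registry assignments; the only CBOR fact relied on is that integers 0 to 23 encode in one byte and 24 to 255 in two.

```python
# Added illustration: minimal CBOR encoder (RFC 8949 subset) for size comparison.
def _head(major, n):
    """Initial byte plus argument for a CBOR major type."""
    if n < 24:
        return bytes([major << 5 | n])            # argument fits in the initial byte
    if n < 0x100:
        return bytes([major << 5 | 24, n])        # one extra byte
    if n < 0x10000:
        return bytes([major << 5 | 25]) + n.to_bytes(2, "big")
    raise ValueError("argument too large for this sketch")

def encode(obj):
    """Encode unsigned ints, byte strings, text strings and maps."""
    if isinstance(obj, int) and obj >= 0:
        return _head(0, obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(encode(k) + encode(v) for k, v in obj.items())
    raise TypeError(f"unsupported type: {type(obj).__name__}")

# Constructed abbreviations, NOT registry values: keys below 24 take one byte,
# keys 24..255 take two, matching the one-byte/two-byte split in the thread.
ABBREV = {"access_token": 1, "scope": 2,
          "profile": 24, "error": 25, "token_type": 26, "grant_type": 27}
# Defaults proposed in the thread; a parameter equal to its default is omitted.
DEFAULTS = {"token_type": "PoP", "grant_type": "client_credentials"}

def abbreviate(msg, drop_defaults=False):
    """Map parameter names to integer keys, optionally omitting default values."""
    return {ABBREV[k]: v for k, v in msg.items()
            if not (drop_defaults and DEFAULTS.get(k) == v)}

def sizes(msg):
    """Encoded length with text keys, integer keys, and integer keys minus defaults."""
    return (len(encode(msg)), len(encode(abbreviate(msg))),
            len(encode(abbreviate(msg, drop_defaults=True))))

# Constructed sample messages: 16-byte placeholder token, hypothetical scope and error.
RESPONSE = {"access_token": bytes(16), "token_type": "PoP", "scope": "r_temp"}
ERROR = {"error": "invalid_request"}

if __name__ == "__main__":
    print("response bytes (text, abbreviated, defaults omitted):", sizes(RESPONSE))
    print("error bytes:", sizes(ERROR))
```

On the error path the two-byte key costs one byte more than a one-byte key would, while omitting a default `token_type` removes its key and value from every successful response.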
