Ludwig, yes, while you’re a designated expert, note that the instructions to
the designated experts at https://tools.ietf.org/html/rfc8392#section-9
include this text:
In cases where a registration decision could
be perceived as creating a conflict of interest for a particular
Expert, that Expert should defer to the judgment of the other
Experts.
So, as I see it, you should actually recuse yourself from this decision. That
said, I’ve sent a private note to Hannes asking him to also weigh in.
Cheers,
-- Mike
From: Seitz Ludwig <[email protected]>
Sent: Monday, March 16, 2020 3:18 AM
To: Mike Jones <[email protected]>; Chuck Mortimore
<[email protected]>; [email protected]
Cc: [email protected]; [email protected];
[email protected]; [email protected]; [email protected]
Subject: [EXTERNAL] RE: [Cwt-reg-review] [IANA #1158953] Requested review for
IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)
Hi Mike,
I will of course abide by a majority decision of the designated experts (note
that I’m one of them too). I would therefore be very interested to hear Hannes’
take on this.
Regards,
Ludwig
From: Mike Jones <[email protected]>
Sent: 13 March 2020 19:17
To: Seitz Ludwig <[email protected]>; Chuck Mortimore <[email protected]>
Cc: Ludwig Seitz <[email protected]>; [email protected]; [email protected];
[email protected]; [email protected]; [email protected]
Subject: Re: [Cwt-reg-review] [IANA #1158953] Requested review for IANA
registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)
RFC 8693 defines the “scope” JWT claim for use with OAuth 2.0, and so is
application-specific – just like the corresponding CWT “scope” claim is
specific to ACE OAuth.
Unless Hannes (the other Designated Expert) disagrees with my and Chuck’s
assessment by then, I propose that we proceed with the registrations on Monday,
registering “scope” with value 41.
-- Mike
From: Seitz Ludwig <[email protected]>
Sent: Thursday, March 12, 2020 1:05 AM
To: Chuck Mortimore <[email protected]>; Mike Jones <[email protected]>
Cc: Ludwig Seitz <[email protected]>; [email protected]; [email protected];
[email protected]; [email protected]; [email protected]
Subject: Re: [Cwt-reg-review] [IANA #1158953] Requested review for IANA
registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)
Hello Mike, Chuck,
Thank you for clarifying your assessment Mike, thank you Chuck for weighing in.
Mike you say: “the scope claim is specific to the ACE OAuth protocol”
This is not entirely correct, since the scope claim is defined in RFC 8693
for Token Exchange, which is not an ACE protocol. Thus if any other protocol
decides to use CWT and Token Exchange they would inherit the CWT abbreviation
for that claim we are discussing here.
I would therefore argue that this claim abbreviation has a wider set of
applications than just ACE.
As for the sparseness of 1 byte abbreviations: The range goes from -24 to 23.
The CWT RFC uses 0-8 and none other are currently registered, so we have a few
ones left.
Regards,
Ludwig
From: Chuck Mortimore <[email protected]>
Sent: 12 March 2020 01:12
To: Mike Jones <[email protected]>
Cc: Ludwig Seitz <[email protected]>; [email protected]; [email protected];
[email protected]; [email protected]; [email protected]
Subject: Re: [EXTERNAL] Re: [Cwt-reg-review] [IANA #1158953] Requested review
for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token
Claims)
Agree with Mike's assessment. (One caveat to that is that I'm not close
enough to CWT to understand how scarce the single byte identifiers actually are.)
On Wed, Mar 11, 2020 at 4:39 PM Mike Jones <[email protected]> wrote:
[Adding correct e-mail addresses for Chuck, who recently joined Visa]
There are two reasons that I believe not using up one of the scarce one-byte
claim identifiers for "scope" is appropriate:
1. The claim values for scopes are not short themselves. They are sets of
ASCII strings separated by spaces. So the percentage difference in the total
claim representation from adding a single byte will typically be small.
2. The single-byte claim identifiers already registered at
https://www.iana.org/assignments/cwt/cwt.xhtml are claims that are likely to be
useful to diverse sets of applications, and therefore merit the short
identifiers; whereas, the scope claim is specific to the ACE OAuth protocol and
not applicable to diverse sets of applications. It’s reasonable to give
protocol-specific claim identifiers 2-byte representations.
I’d be interested to hear from the two other designated experts on my
assessment of the situation: Hannes and Chuck.
-- Mike
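The byte counts behind this exchange, worked through as an added example (not part of any message in the thread): a minimal CBOR encoder in Python showing which integer keys encode in one byte and what moving "scope" from key 9 to key 41 costs. The audience, expiry and scope values are constructed samples.

```python
import struct

def _head(major, arg):
    """CBOR initial byte plus argument bytes (RFC 8949, section 3)."""
    if arg < 24:
        return bytes([(major << 5) | arg])
    for info, fmt, limit in ((24, ">B", 1 << 8), (25, ">H", 1 << 16),
                             (26, ">I", 1 << 32), (27, ">Q", 1 << 64)):
        if arg < limit:
            return bytes([(major << 5) | info]) + struct.pack(fmt, arg)
    raise ValueError("argument does not fit in 64 bits")

def encode(obj):
    """Encode the subset of CBOR a CWT claims map needs here."""
    if isinstance(obj, bool):
        raise TypeError("booleans are not handled in this sketch")
    if isinstance(obj, int):
        # Major type 0 for n >= 0; major type 1 carries -1 - n.
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(obj, dict):
        body = b"".join(encode(k) + encode(v) for k, v in obj.items())
        return _head(5, len(obj)) + body
    raise TypeError("unsupported type: %r" % type(obj))

def one_byte_keys(lo=-100, hi=100):
    """Smallest and largest integer keys that encode in a single byte."""
    keys = [n for n in range(lo, hi + 1) if len(encode(n)) == 1]
    return keys[0], keys[-1]

def claims_size(scope_key, scope):
    """Encoded size of a constructed claims map carrying aud, exp and scope."""
    claims = {3: "rs1", 4: 1584316800, scope_key: scope}  # 3 = aud, 4 = exp
    return len(encode(claims))

SCOPE = "temp_read temp_write"  # constructed scope value

if __name__ == "__main__":
    print("one-byte key range:", one_byte_keys())
    short, long_ = claims_size(9, SCOPE), claims_size(41, SCOPE)
    print("key 9: %d bytes, key 41: %d bytes (+%.1f%%)"
          % (short, long_, 100.0 * (long_ - short) / short))
```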
-----Original Message-----
From: Cwt-reg-review <[email protected]> On Behalf Of Ludwig Seitz
Sent: Saturday, February 29, 2020 6:25 AM
To: [email protected]; [email protected]
Cc: [email protected]; [email protected]
Subject: [EXTERNAL] Re: [Cwt-reg-review] [IANA #1158953] Requested review for
IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)
On 2020-02-26 00:58, Amanda Baber via RT wrote:
> Ludwig, Hannes,
>
> Can you confirm that you can make the CBOR Web Token Claim change
> requested below?
>
> We also have Chuck Mortimore listed as an expert for this registry,
> but our message to his Salesforce address bounced.
>
> Best regards,
>
> Amanda Baber Lead IANA Services Specialist
>
I strongly disagree with the assessment that the scope claim should be pushed
into the two-byte range.
The reason we introduced the scope claim is that an ACE RS typically does not
have a direct connection to the AS, and is therefore unable to retrieve the
scope of an access token from other sources than the access token itself. I
therefore assert that ACE access tokens would often need to contain this claim
in order to inform the RS.
Since one of the major drivers of the ACE work has been to reduce the
authorization overhead (otherwise we could just have used vanilla OAuth 2.0), I
find it strange to needlessly add to the overhead by making the encoding of a
frequently used claim longer than necessary.
I am willing to listen to the arguments that have led the expert reviewer to
denying a value in the one-byte range, and discuss the reasoning further on
list.
Regards,
Ludwig
> On Tue Feb 18 22:42:22 2020, [email protected] wrote:
>> I'm mostly OK with these registrations, however, DO NOT assign the
>> value 9 to "scope". Rather, please put it in the two-byte range
>> - for instance, with the value 41.
>>
>> -- Mike
>>
>> -----Original Message-----
>> From: Cwt-reg-review <[email protected]> On Behalf Of Sabrina Tanamal via RT
>> Sent: Tuesday, February 18, 2020 1:06 PM
>> Cc: [email protected]
>> Subject: [EXTERNAL] [Cwt-reg-review] [IANA #1158953] Requested review for
>> IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)
>>
>> Hi all,
>>
>> Resending this request for draft-ietf-ace-oauth-authz.
>>
>> Thanks,
>>
>> Sabrina Tanamal Senior IANA Services Specialist
>>
>>> On Sat Dec 21 11:37:11 2019, [email protected] wrote:
>>>> Hello CWT registry reviewers,
>>>>
>>>> the IESG-designated experts for the CWT claims registry have asked
>>>> me to send a review request to you about the claims registered
>>>> here:
>>>>
>>>> https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-29#section-8.13
>>>>
>>>> Thank you in advance for your review comments.
>>>>
>>>> Regards,
>>>>
>>>> Ludwig
>>>>
>>
>> _______________________________________________
>> Cwt-reg-review mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/cwt-reg-review
>
_______________________________________________
Cwt-reg-review mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cwt-reg-review
_______________________________________________
Ace mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ace