And I thought this was why we “hired” experts.
As has been noted previously in this discussion, there is no requirement that the scope must be a text string, it can be a binary string as well. Further, I believe that there will start being some dictionary work being done at some point in the future when defining a new scope format so that any text strings could be compressed down. I also am of the opinion that one of the major uses of CWTs is going to be as an authorization token and that scoping of authorization is an important part of this. I would probably be more sympathetic to the argument of making it two bytes if that had been done for about half of the items currently registered. I would make it a one byte because I think it is important, is going to be used by a lot of places where just audience is not sufficient to restrict scope, and ACE is the current hotspot where it is going to be used. Both for general purpose authorization and for the group/multicast authorization as well. My current expectation is still that most of the time HTTP will be using JWT not CWT. Jim From: Hannes Tschofenig <hannes.tschofe...@arm.com> Sent: Monday, March 23, 2020 6:41 AM To: Jim Schaad <i...@augustcellars.com>; 'Seitz Ludwig' <ludwig.se...@combitech.se>; 'Mike Jones' <michael.jo...@microsoft.com>; 'Chuck Mortimore' <charliemortim...@gmail.com> Cc: chuck.mortim...@visa.com; cwt-reg-rev...@ietf.org; draft-ietf-ace-oauth-au...@ietf.org; drafts-expert-rev...@iana.org; ace@ietf.org Subject: RE: [Ace] [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims) Hi all, This is an interesting case. CWT was created based on the work on ACE-OAuth. I would therefore agree with Ludwig that it should receive priority treatment with regards to the selection of the value encodings. I do, however, also have sympathy for the argument Chuck mentioned regarding the scope encoded as a string. Of course, there is no need to encode the scope as a human-readable string. The main question is whether we should argue about one byte. Highly-paid ACE chairs: what is your opinion? Ciao Hannes From: Jim Schaad <i...@augustcellars.com <mailto:i...@augustcellars.com> > Sent: Saturday, March 21, 2020 4:32 PM To: 'Seitz Ludwig' <ludwig.se...@combitech.se <mailto:ludwig.se...@combitech.se> >; 'Mike Jones' <michael.jo...@microsoft.com <mailto:michael.jo...@microsoft.com> >; 'Chuck Mortimore' <charliemortim...@gmail.com <mailto:charliemortim...@gmail.com> >; Hannes Tschofenig <hannes.tschofe...@arm.com <mailto:hannes.tschofe...@arm.com> > Cc: chuck.mortim...@visa.com <mailto:chuck.mortim...@visa.com> ; cwt-reg-rev...@ietf.org <mailto:cwt-reg-rev...@ietf.org> ; draft-ietf-ace-oauth-au...@ietf.org <mailto:draft-ietf-ace-oauth-au...@ietf.org> ; drafts-expert-rev...@iana.org <mailto:drafts-expert-rev...@iana.org> ; ace@ietf.org <mailto:ace@ietf.org> Subject: RE: [Ace] [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims) No you should not need to make any changes in the document. This will be taken care of by the RFC Editor. Jim From: Ace <ace-boun...@ietf.org <mailto:ace-boun...@ietf.org> > On Behalf Of Seitz Ludwig Sent: Saturday, March 21, 2020 3:35 AM To: Mike Jones <michael.jo...@microsoft.com <mailto:michael.jo...@microsoft.com> >; Chuck Mortimore <charliemortim...@gmail.com <mailto:charliemortim...@gmail.com> >; hannes.tschofe...@arm.com <mailto:hannes.tschofe...@arm.com> Cc: chuck.mortim...@visa.com <mailto:chuck.mortim...@visa.com> ; cwt-reg-rev...@ietf.org <mailto:cwt-reg-rev...@ietf.org> ; draft-ietf-ace-oauth-au...@ietf.org <mailto:draft-ietf-ace-oauth-au...@ietf.org> ; drafts-expert-rev...@iana.org <mailto:drafts-expert-rev...@iana.org> ; ace@ietf.org <mailto:ace@ietf.org> Subject: Re: [Ace] [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims) Please disregard the last message (small keyboard, large fingers). What I intended to write was this: Sorry for the delay, I’ve now looked into the changes necessary and it basically is this line in the draft: 8.13. CBOR Web Token Claims […] Claim Key: TBD (suggested: 9) -> … suggested: 42) I wonder if I need to make this change at all since the value is only suggested (and we now have a diverging decision by the designated experts). Can IANA clarify this for me? Thank you for your patience, Ludwig From: Seitz Ludwig <ludwig.se...@combitech.se <mailto:ludwig.se...@combitech.se> > Sent: den 21 mars 2020 11:26 To: Seitz Ludwig <ludwig.se...@combitech.se <mailto:ludwig.se...@combitech.se> >; Mike Jones <michael.jo...@microsoft.com <mailto:michael.jo...@microsoft.com> >; Chuck Mortimore <charliemortim...@gmail.com <mailto:charliemortim...@gmail.com> >; hannes.tschofe...@arm.com <mailto:hannes.tschofe...@arm.com> Cc: chuck.mortim...@visa.com <mailto:chuck.mortim...@visa.com> ; ace@ietf.org <mailto:ace@ietf.org> ; draft-ietf-ace-oauth-au...@ietf.org <mailto:draft-ietf-ace-oauth-au...@ietf.org> ; drafts-expert-rev...@iana.org <mailto:drafts-expert-rev...@iana.org> ; cwt-reg-rev...@ietf.org <mailto:cwt-reg-rev...@ietf.org> Subject: RE: [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims) Hello all, soo From: Ace <ace-boun...@ietf.org <mailto:ace-boun...@ietf.org> > On Behalf Of Seitz Ludwig Sent: den 17 mars 2020 10:01 To: Mike Jones <michael.jo...@microsoft.com <mailto:michael.jo...@microsoft.com> >; Chuck Mortimore <charliemortim...@gmail.com <mailto:charliemortim...@gmail.com> >; hannes.tschofe...@arm.com <mailto:hannes.tschofe...@arm.com> Cc: chuck.mortim...@visa.com <mailto:chuck.mortim...@visa.com> ; ace@ietf.org <mailto:ace@ietf.org> ; draft-ietf-ace-oauth-au...@ietf.org <mailto:draft-ietf-ace-oauth-au...@ietf.org> ; drafts-expert-rev...@iana.org <mailto:drafts-expert-rev...@iana.org> ; cwt-reg-rev...@ietf.org <mailto:cwt-reg-rev...@ietf.org> Subject: Re: [Ace] [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims) Fair enough, take my points as the author’s opinion only. That leaves us with 3 experts to make the decision. Your position is clear, Chuck hasn’t commented on the latest exchange but he was agreeing with you before. I propose we give Hannes another day and if he doesn’t comment we go ahead with your decision, is that acceptable for you? /Ludwig From: Mike Jones <michael.jo...@microsoft.com <mailto:michael.jo...@microsoft.com> > Sent: den 16 mars 2020 19:43 To: Seitz Ludwig <ludwig.se...@combitech.se <mailto:ludwig.se...@combitech.se> >; Chuck Mortimore <charliemortim...@gmail.com <mailto:charliemortim...@gmail.com> >; hannes.tschofe...@arm.com <mailto:hannes.tschofe...@arm.com> Cc: drafts-expert-rev...@iana.org <mailto:drafts-expert-rev...@iana.org> ; cwt-reg-rev...@ietf.org <mailto:cwt-reg-rev...@ietf.org> ; chuck.mortim...@visa.com <mailto:chuck.mortim...@visa.com> ; draft-ietf-ace-oauth-au...@ietf.org <mailto:draft-ietf-ace-oauth-au...@ietf.org> ; ace@ietf.org <mailto:ace@ietf.org> Subject: RE: [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims) Ludwig, yes, while you’re a designated expert, note that the instructions to the designated experts at https://tools.ietf.org/html/rfc8392#section-9 includes this text: In cases where a registration decision could be perceived as creating a conflict of interest for a particular Expert, that Expert should defer to the judgment of the other Experts. So, as I see it, you should actually recuse yourself from this decision. That said, I’ve sent a private note to Hannes asking him to also weigh in. Cheers, -- Mike From: Seitz Ludwig <ludwig.se...@combitech.se <mailto:ludwig.se...@combitech.se> > Sent: Monday, March 16, 2020 3:18 AM To: Mike Jones <michael.jo...@microsoft.com <mailto:michael.jo...@microsoft.com> >; Chuck Mortimore <charliemortim...@gmail.com <mailto:charliemortim...@gmail.com> >; hannes.tschofe...@arm.com <mailto:hannes.tschofe...@arm.com> Cc: drafts-expert-rev...@iana.org <mailto:drafts-expert-rev...@iana.org> ; cwt-reg-rev...@ietf.org <mailto:cwt-reg-rev...@ietf.org> ; chuck.mortim...@visa.com <mailto:chuck.mortim...@visa.com> ; draft-ietf-ace-oauth-au...@ietf.org <mailto:draft-ietf-ace-oauth-au...@ietf.org> ; ace@ietf.org <mailto:ace@ietf.org> Subject: [EXTERNAL] RE: [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims) Hi Mike, I will of course abide with a majority decision of the designated experts (note that I’m one of them too). I would therefore be very interested to hear Hannes take on this. Regards, Ludwig From: Mike Jones <michael.jo...@microsoft.com <mailto:michael.jo...@microsoft.com> > Sent: den 13 mars 2020 19:17 To: Seitz Ludwig <ludwig.se...@combitech.se <mailto:ludwig.se...@combitech.se> >; Chuck Mortimore <charliemortim...@gmail.com <mailto:charliemortim...@gmail.com> > Cc: Ludwig Seitz <ludwig_se...@gmx.de <mailto:ludwig_se...@gmx.de> >; drafts-expert-rev...@iana.org <mailto:drafts-expert-rev...@iana.org> ; cwt-reg-rev...@ietf.org <mailto:cwt-reg-rev...@ietf.org> ; chuck.mortim...@visa.com <mailto:chuck.mortim...@visa.com> ; draft-ietf-ace-oauth-au...@ietf.org <mailto:draft-ietf-ace-oauth-au...@ietf.org> ; ace@ietf.org <mailto:ace@ietf.org> Subject: Re: [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims) RFC 8693 defines the “scope” JWT claim for use with OAuth 2.0, and so is application-specific – just like the corresponding CWT “scope” claim is specific to ACE OAuth. Unless Hannes (the other Designated Expert) disagrees with my and Chuck’s assessment by then, I propose that we proceed with the registrations on Monday, registering “scope” with value 41. -- Mike From: Seitz Ludwig <ludwig.se...@combitech.se <mailto:ludwig.se...@combitech.se> > Sent: Thursday, March 12, 2020 1:05 AM To: Chuck Mortimore <charliemortim...@gmail.com <mailto:charliemortim...@gmail.com> >; Mike Jones <michael.jo...@microsoft.com <mailto:michael.jo...@microsoft.com> > Cc: Ludwig Seitz <ludwig_se...@gmx.de <mailto:ludwig_se...@gmx.de> >; drafts-expert-rev...@iana.org <mailto:drafts-expert-rev...@iana.org> ; cwt-reg-rev...@ietf.org <mailto:cwt-reg-rev...@ietf.org> ; chuck.mortim...@visa.com <mailto:chuck.mortim...@visa.com> ; draft-ietf-ace-oauth-au...@ietf.org <mailto:draft-ietf-ace-oauth-au...@ietf.org> ; ace@ietf.org <mailto:ace@ietf.org> Subject: Re: [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims) Hello Mike, Chuck, Thank you for clarifying your assessment Mike, thank you Chuck for weighing in. Mike you say: “the scope claim is specific to the ACE OAuth protocol” This is not entirely correct, since the scope claim is defined in RFC 8693 for Token Exchange, which is not an ACE protocol. Thus if any other protocol decides to use CWT and Token Exchange they would inherit the CWT abbreviation for that claim we are discussing here. I would therefore argue that this claim abbreviation has a wider set of applications than just ACE. As for the sparseness of 1 byte abbreviations: The range goes from -24 to 23. The CWT RFC uses 0-8 and none other are currently registered, so we have a few ones left. Regards, Ludwig From: Chuck Mortimore <charliemortim...@gmail.com <mailto:charliemortim...@gmail.com> > Sent: den 12 mars 2020 01:12 To: Mike Jones <michael.jo...@microsoft.com <mailto:michael.jo...@microsoft.com> > Cc: Ludwig Seitz <ludwig_se...@gmx.de <mailto:ludwig_se...@gmx.de> >; drafts-expert-rev...@iana.org <mailto:drafts-expert-rev...@iana.org> ; cwt-reg-rev...@ietf.org <mailto:cwt-reg-rev...@ietf.org> ; chuck.mortim...@visa.com <mailto:chuck.mortim...@visa.com> ; draft-ietf-ace-oauth-au...@ietf.org <mailto:draft-ietf-ace-oauth-au...@ietf.org> ; ace@ietf.org <mailto:ace@ietf.org> Subject: Re: [EXTERNAL] Re: [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims) Agree with Mike's assessment. (One caveat to that is that I'm not close enough to CWT to understand how scare the single byte identifiers actually are.) On Wed, Mar 11, 2020 at 4:39 PM Mike Jones <michael.jo...@microsoft.com <mailto:michael.jo...@microsoft.com> > wrote: [Adding correct e-mail addresses for Chuck, who recently joined Visa] There are two reasons that I believe not using up one of the scarce one-byte claim identifiers for "scope" is appropriate: 1. The claim values for scopes are not short themselves. They are sets of ASCII strings separated by spaces. So the percentage difference in the total claim representation from adding a single byte will typically be small. 2. The single-byte claim identifiers already registered at https://www.iana.org/assignments/cwt/cwt.xhtml are claims that are likely to be useful to diverse sets of applications, and therefore merit the short identifiers; whereas, the scope claim is specific to the ACE OAuth protocol and not applicable to diverse sets of applications. It’s reasonable to give protocol-specific claim identifiers 2-byte representations. I’d be interested to hear from the two other designated experts on my assessment of the situation: Hannes and Chuck. -- Mike -----Original Message----- From: Cwt-reg-review <cwt-reg-review-boun...@ietf.org <mailto:cwt-reg-review-boun...@ietf.org> > On Behalf Of Ludwig Seitz Sent: Saturday, February 29, 2020 6:25 AM To: drafts-expert-rev...@iana.org <mailto:drafts-expert-rev...@iana.org> ; cwt-reg-rev...@ietf.org <mailto:cwt-reg-rev...@ietf.org> Cc: draft-ietf-ace-oauth-au...@ietf.org <mailto:draft-ietf-ace-oauth-au...@ietf.org> ; ace@ietf.org <mailto:ace@ietf.org> Subject: [EXTERNAL] Re: [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims) On 2020-02-26 00:58, Amanda Baber via RT wrote: > Ludwig, Hannes, > > Can you confirm that you can make the CBOR Web Token Claim change > requested below? > > We also have Chuck Mortimore listed as an expert for this registry, > but our message to his Salesforce address bounced. > > Best regards, > > Amanda Baber Lead IANA Services Specialist > I strongly disagree with the assessment that the scope claim should be pushed into the two-byte range. The reason we introduced the scope claim is that an ACE RS typically does not have a direct connection to the AS, and is therefore unable to retrieve the scope of an access token from other sources than the access token itself. I therefore assert that ACE access tokens would often need to contain this claim in order to inform the RS. Since one of the major drivers of the ACE work has been to reduce the authorization overhead (otherwise we could just have used vanilla OAuth 2.0), I find it strange to needlessly add to the overhead by making the encoding of a frequently used claim longer than necessary. I am willing to listen to the arguments that have lead the expert reviewer to denying a value in the one-byte range, and discuss the reasoning further on list. Regards, Ludwig > On Tue Feb 18 22:42:22 2020, <mailto:michael.jo...@microsoft.com> > michael.jo...@microsoft.com wrote: >> I'm mostly OK with these registrations, however, DO NOT assign the >> value 9 to "scope". Rather, please put it in the two-byte range >> - for instance, with the value 41. >> >> -- Mike >> >> -----Original Message----- From: Cwt-reg-review >> < <mailto:cwt-reg-review-boun...@ietf.org> cwt-reg-review-boun...@ietf.org> >> On Behalf Of Sabrina Tanamal via RT >> Sent: Tuesday, February 18, 2020 1:06 PM Cc: >> <mailto:cwt-reg-rev...@ietf.org> cwt-reg-rev...@ietf.org Subject: >> [EXTERNAL] [Cwt-reg-review] [IANA >> #1158953] Requested review for IANA registration in >> draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims) >> >> Hi all, >> >> Resending this request for draft-ietf-ace-oauth-authz. >> >> Thanks, >> >> Sabrina Tanamal Senior IANA Services Specialist >> >>> On Sat Dec 21 11:37:11 2019, <mailto:ludwig_se...@gmx.de> >>> ludwig_se...@gmx.de wrote: >>>> Hello CWT registry reviewers, >>>> >>>> the IESG-designated experts for the CWT claims registry have asked >>>> me to send a review request to you about the claims registered >>>> here: >>>> >>>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ft> >>>> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ft >>>> o >>>> >>>> ols.ietf.org <http://ols.ietf.org> %2Fhtml%2Fdraft-ietf-ace-oauth-authz-29%23section- >>>> 8.13&a >>>> mp;data=02%7C01%7CMichael.Jones%40microsoft.com <http://40microsoft.com> >>>> %7Ce23f64ac1ad74269c >>>> 3 >>>> >>>> c408d7b4b65d45%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C63717656 >>>> 7656665548&sdata=r01W5Bx0gJh9ZPH8eNS%2BY765CnGq11DkknsHYQ751Dk% >>>> 3 >>>> >>>> D&reserved=0 >>>> >>>> Thank you in advance for you review comments. >>>> >>>> Regards, >>>> >>>> Ludwig >>>> >> >> _______________________________________________ Cwt-reg-review >> mailing list <mailto:cwt-reg-rev...@ietf.org> cwt-reg-rev...@ietf.org >> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww> >> https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww >> .ietf.org <http://ietf.org> %2Fmailman%2Flistinfo%2Fcwt- >> >> reg- >> review&data=02%7C01%7CMichael.Jones%40microsoft.com >> <http://40microsoft.com> %7Ce23f64ac1ad >> 74269c3c408d7b4b65d45%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C63 >> 7176567656675543&sdata=XxBhQmqxGkCRiBxh0PdhX2IJD8TnbwWl%2Feo8VUsH >> Osg%3D&reserved=0 > _______________________________________________ Cwt-reg-review mailing list <mailto:cwt-reg-rev...@ietf.org> cwt-reg-rev...@ietf.org <https://www.ietf.org/mailman/listinfo/cwt-reg-review> https://www.ietf.org/mailman/listinfo/cwt-reg-review IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
_______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
