On Tue, Oct 8, 2024 at 11:10 AM Brian Campbell <[email protected]> wrote:
> The OAuth URI registry
> <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xml#uri>
> on the OAuth Parameters
> <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xml>
> registry page was established by RFC6755 An IETF URN Sub-Namespace for
> OAuth <https://www.rfc-editor.org/rfc/rfc6755.html>, which says it
> "establishes an IETF URN Sub-namespace for use with OAuth-related
> specifications." The subnamespace of "urn:ietf:params:oauth:" (which I got
> wrong by omitting the "ietf:" part in my prior message, apologies) was
> created stating in the intro
> <https://www.rfc-editor.org/rfc/rfc6755.html#section-1> that "OAuth
> relevant parameters will be established underneath it." The presence of the
> word "oauth" in the URN Sub-namespace itself also implies some relationship
> to OAuth.
>
> COSE and COSE keys and their thumbprints are not OAuth-related
> specifications nor OAuth relevant parameters.
>
> That's why I feel this is incorrect.
>
> JWK Thumbprints URIs <https://www.rfc-editor.org/rfc/rfc9278.html> are
> arguably also not OAuth-related. I'd be pretty sympathetic to that
> argument. I'd also be sympathetic to an argument that that document
> shouldn't even exist. But it's much too late to do anything about that now.
> And JWKs are used in some OAuth-related specifications and the document
> came up through the OAUTH WG so there is some relationship, if a rather
> tenuous one.
>

I agree with your comments regarding the relationship of JWK Thumbprints to OAuth.

The same public key expressed as a JWK or COSE Key will have different thumbprints.

For this reason, I think it will be least astonishing for developers to discover the URI expressions of thumbprints in the same registry.

BTW, this topic was discussed previously here, and I agree with Mike's comment generally:

https://mailarchive.ietf.org/arch/msg/cose/wGUObrMhC1QmERJ5_l47gK8unF4/

Especially this part:

    Unnecessary differences when doing the same thing should be avoided.

While digging this up I realized the document does not explicitly state that these thumbprint URIs can be used by applications other than OAuth.

I see several paths forward:

- Remove the COSE Key Thumbprint URI from the document.
- Keep it and use a different sub-namespace (not oauth).
- Keep it and use oauth

I prefer the last option, but I believe we should apply Mike Jones' suggestion to be explicit that these URIs are expected to be used by applications other than OAuth.

> On Mon, Oct 7, 2024 at 5:36 PM Orie Steele <[email protected]>
> wrote:
>
>> Brian, indeed this was done to align with the existing JWK Thumbprint URI.
>>
>> Why do you feel this is incorrect?
>>
>> Here is the JWK example:
>>
>> urn:ietf:params:oauth:jwk-thumbprint:NzbLsX...
>>
>> In an ideal world, I think names for keys should be shorter... and not
>> protocol specific.
>>
>> Something like:
>>
>> urn:jkt:Nzb....
>>
>> urn:ckt:Nzb....
>>
>> But that's not the way these parameters have been registered historically.
>>
>> OS
>>
>> On Mon, Oct 7, 2024, 5:34 PM Brian Campbell <bcampbell=
>> [email protected]> wrote:
>>
>>> I realize this comes quite late, sorry, probably too late for any
>>> action. I find myself here due mostly to a tangentially related discussion
>>> in a different standards-related organization.
>>>
>>> But can anyone explain the justification for the use of the OAuth URI
>>> registry here? I realize the registry exists so it was probably a
>>> convenient thing to do to carve out a URN sub-namespace. And I know that,
>>> for better or worse, the JWK Thumbprint URI uses "urn:oauth:params:" so
>>> this was likely just following what was done there. But the use of
>>> "urn:oauth:params:" for a COSE Key Thumbprint URI really doesn't seem quite
>>> right.
>>>
>>> On Thu, Apr 4, 2024 at 9:04 AM Tschofenig, Hannes <hannes.tschofenig=
>>> [email protected]> wrote:
>>>
>>>> Hi David,
>>>>
>>>> I hope it is OK for me to do the expert review given that I am also an
>>>> author of the specification.
>>>>
>>>> I checked the text in the IANA registry of the draft against the body
>>>> of the document and the request to add a new entry to the OAuth URI
>>>> registry for the URN: urn:ietf:params:oauth:ckt is correct.
>>>>
>>>> Ciao
>>>> Hannes
>>>>
>>>> PS: Could you remove the Arm email address from the IANA system?
>>>>
>>>> -----Original Message-----
>>>> From: COSE <[email protected]> On Behalf Of David Dong via RT
>>>> Sent: Wednesday, 13 March 2024 20:38
>>>> Cc: [email protected]; [email protected]
>>>> Subject: [COSE] [IANA #1361034] expert review for
>>>> draft-ietf-cose-key-thumbprint (oauth-parameters)
>>>>
>>>> Dear Hannes Tschofenig (cc: cose WG),
>>>>
>>>> As the designated expert for the OAuth URI registry, can you review the
>>>> proposed registration in draft-ietf-cose-key-thumbprint-04 for us? Please
>>>> see
>>>>
>>>> https://datatracker.ietf.org/doc/draft-ietf-cose-key-thumbprint/
>>>>
>>>> The due date is March 27th, 2024.
>>>>
>>>> If this is OK, when the IESG approves the document for publication,
>>>> we'll make the registration at:
>>>>
>>>> https://www.iana.org/assignments/oauth-parameters/
>>>>
>>>> With thanks,
>>>>
>>>> David Dong
>>>> IANA Services Sr. Specialist
>>>>
>>>> _______________________________________________
>>>> COSE mailing list
>>>> [email protected]
>>>> https://www.ietf.org/mailman/listinfo/cose
>>>>
>>>
>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>> privileged material for the sole use of the intended recipient(s). Any
>>> review, use, distribution or disclosure by others is strictly prohibited.
>>> If you have received this communication in error, please notify the sender
>>> immediately by e-mail and delete the message and any file attachments from
>>> your computer. Thank you.*
>>> _______________________________________________
>>> COSE mailing list -- [email protected]
>>> To unsubscribe send an email to [email protected]
>>>
>>

--
ORIE STEELE
Chief Technology Officer
www.transmute.industries <https://transmute.industries>
_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
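
Added example, not part of the original thread: a Python sketch of the point that the same public key yields different thumbprints as a JWK (RFC 7638 hash input) and as a COSE Key (deterministic CBOR hash input), so a verifier must never compare a `jwk-thumbprint` URI against a `ckt` URI. The coordinates are constructed placeholders, the function names are hypothetical, and the `sha-256` component in the `ckt` URI is assumed to mirror the JWK Thumbprint URI form.

```python
import base64
import hashlib
import json

# Constructed sample coordinates (placeholders, not a real P-256 point).
SAMPLE_X = bytes(range(32))
SAMPLE_Y = bytes(range(32, 64))

def b64u(data: bytes) -> str:
    """base64url without padding, as used by both thumbprint URIs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_hash_input(x: bytes, y: bytes) -> bytes:
    # RFC 7638: only the required EC members, sorted by name, no whitespace.
    jwk = {"crv": "P-256", "kty": "EC", "x": b64u(x), "y": b64u(y)}
    return json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode("utf-8")

def cbor_bstr32(data: bytes) -> bytes:
    # CBOR byte string header for exactly 32 bytes: major type 2, 1-byte length.
    if len(data) != 32:
        raise ValueError("P-256 coordinates must be 32 bytes")
    return b"\x58\x20" + data

def cose_hash_input(x: bytes, y: bytes) -> bytes:
    # Deterministic CBOR map {1: 2 (EC2), -1: 1 (P-256), -2: x, -3: y};
    # encoded labels 0x01 < 0x20 < 0x21 < 0x22 are already in sorted order.
    return (b"\xa4" + b"\x01\x02" + b"\x20\x01"
            + b"\x21" + cbor_bstr32(x) + b"\x22" + cbor_bstr32(y))

def thumbprint_uris(x: bytes, y: bytes) -> tuple[str, str]:
    jkt = b64u(hashlib.sha256(jwk_hash_input(x, y)).digest())
    ckt = b64u(hashlib.sha256(cose_hash_input(x, y)).digest())
    return ("urn:ietf:params:oauth:jwk-thumbprint:sha-256:" + jkt,
            "urn:ietf:params:oauth:ckt:sha-256:" + ckt)

def same_key(uri_a: str, uri_b: str) -> bool:
    # Thumbprint URIs are comparable only within one scheme and hash.
    prefix_a, _, tp_a = uri_a.rpartition(":")
    prefix_b, _, tp_b = uri_b.rpartition(":")
    if prefix_a != prefix_b:
        raise ValueError("cannot compare thumbprints of different kinds")
    return tp_a == tp_b

if __name__ == "__main__":
    for uri in thumbprint_uris(SAMPLE_X, SAMPLE_Y):
        print(uri)
```
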
