(Writing with my chair hat on.) This document is in the RFC Editor queue in
the EDIT state. Its IANA state is OK – Actions Needed. I would support adding
a sentence along these lines during AUTH48 processing, probably at the end of
Section 5.6 <https://www.ietf.org/archive/id/draft-ietf-cose-key-thumbprint-06.html#name-cose-key-thumbprint-uris>:
“Note that these URIs are intended for use with any kinds of specifications and
not just OAuth or COSE specifications.”
I wouldn’t support changing the URI syntax at this late stage of the
specification process, as it would raise questions of whether to remove the
spec from the RFC Editor queue and send it back to the working group.
-- Mike
From: Orie Steele <[email protected]>
Sent: Tuesday, October 8, 2024 9:50 AM
To: Brian Campbell <[email protected]>
Cc: Tschofenig, Hannes <[email protected]>;
[email protected]; cose <[email protected]>
Subject: [COSE] Re: [IANA #1361034] expert review for
draft-ietf-cose-key-thumbprint (oauth-parameters)
On Tue, Oct 8, 2024 at 11:10 AM Brian Campbell
<[email protected]> wrote:
The OAuth URI registry
<https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xml#uri>
on the OAuth Parameters
<https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xml>
registry page was established by RFC6755 An IETF URN Sub-Namespace for OAuth
<https://www.rfc-editor.org/rfc/rfc6755.html>, which says it "establishes
an IETF URN Sub-namespace for use with OAuth-related specifications." The
subnamespace of "urn:ietf:params:oauth:" (which I got wrong by omitting the
"ietf:" part in my prior message, apologies) was created stating in the
intro <https://www.rfc-editor.org/rfc/rfc6755.html#section-1> that "OAuth
relevant parameters will be established underneath it." The presence of the
word "oauth" in the URN Sub-namespace itself also implies some relationship to
OAuth.
COSE and COSE keys and their thumbprints are not OAuth-related specifications
nor OAuth relevant parameters.
That's why I feel this is incorrect.
JWK Thumbprints URIs <https://www.rfc-editor.org/rfc/rfc9278.html> are arguably
also not OAuth-related. I'd be pretty sympathetic to that argument. I'd also be
sympathetic to an argument that that document shouldn't even exist. But it's
much too late to do anything about that now. And JWKs are used in some
OAuth-related specifications and the document came up through the OAUTH WG so
there is some relationship, if a rather tenuous one.
I agree with your comments regarding the relationship of JWK Thumbprints to
OAuth.
The same public key expressed as a JWK or COSE Key will have different
thumbprints.
For this reason, I think it will be least astonishing for developers to
discover the URI expressions of thumbprints in the same registry.
BTW, this topic was discussed previously here, and I agree with Mike's comment
generally:
https://mailarchive.ietf.org/arch/msg/cose/wGUObrMhC1QmERJ5_l47gK8unF4/
Especially this part: Unnecessary differences when doing the same thing should
be avoided.
While digging this up I realized the document does not explicitly state that
these thumbprint URIs can be used by applications other than OAuth.
I see several paths forward:
- Remove the COSE Key Thumbprint URI from the document.
- Keep it and use a different sub-namespace (not oauth).
- Keep it and use oauth.
I prefer the last option, but I believe we should apply Mike Jones' suggestion
to be explicit that these URIs are expected to be used by applications other
than OAuth.
On Mon, Oct 7, 2024 at 5:36 PM Orie Steele
<[email protected]> wrote:
Brian, indeed this was done to align with the existing JWK Thumbprint URI.
Why do you feel this is incorrect?
Here is the JWK example:
urn:ietf:params:oauth:jwk-thumbprint:NzbLsX...
In an ideal world, I think names for keys should be shorter... and not protocol
specific.
Something like:
urn:jkt:Nzb....
urn:ckt:Nzb....
But that's not the way these parameters have been registered historically.
OS
On Mon, Oct 7, 2024, 5:34 PM Brian Campbell
<[email protected]> wrote:
I realize this comes quite late, sorry, probably too late for any action. I
find myself here due mostly to a tangentially related discussion in a different
standards-related organization.
But can anyone explain the justification for the use of the OAuth URI registry
here? I realize the registry exists so it was probably a convenient thing to do
to carve out a URN sub-namespace. And I know that, for better or worse, the JWK
Thumbprint URI uses "urn:oauth:params:" so this was likely just following what
was done there. But the use of "urn:oauth:params:" for a COSE Key Thumbprint
URI really doesn't seem quite right.
On Thu, Apr 4, 2024 at 9:04 AM Tschofenig, Hannes
<[email protected]> wrote:
Hi David,
I hope it is OK for me to do the expert review given that I am also an author
of the specification.
I checked the text in the IANA registry of the draft against the body of the
document and the request to add a new entry to the OAuth URI registry for the
URN: urn:ietf:params:oauth:ckt is correct.
Ciao
Hannes
PS: Could you remove the Arm email address from the IANA system?
-----Original Message-----
From: COSE <[email protected]> On Behalf Of David Dong via RT
Sent: Wednesday, 13 March 2024 20:38
Cc: [email protected]; [email protected]
Subject: [COSE] [IANA #1361034] expert review for
draft-ietf-cose-key-thumbprint (oauth-parameters)
Dear Hannes Tschofenig (cc: cose WG),
As the designated expert for the OAuth URI registry, can you review the
proposed registration in draft-ietf-cose-key-thumbprint-04 for us? Please see
https://datatracker.ietf.org/doc/draft-ietf-cose-key-thumbprint/
The due date is March 27th, 2024.
If this is OK, when the IESG approves the document for publication, we'll make
the registration at:
https://www.iana.org/assignments/oauth-parameters/
With thanks,
David Dong
IANA Services Sr. Specialist
_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries<http://www.transmute.industries/>
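Orie Steele's point above, that the same public key expressed as a JWK or as a COSE Key yields different thumbprints, shown as an added Python example that is not part of the original thread. The coordinates are constructed placeholder bytes, the function names are hypothetical, and the `sha-256` hash-name segment follows the URI forms defined in RFC 9278 and the COSE Key Thumbprint specification.

```python
import base64
import hashlib
import json

# Constructed placeholder coordinates (not a real P-256 point); a thumbprint
# hashes the key's canonical encoding and does not validate the point.
X = bytes(range(32))
Y = bytes(range(32, 64))

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_canonical(x: bytes, y: bytes) -> bytes:
    # RFC 7638: required members only, lexicographic order, no whitespace.
    jwk = {"kty": "EC", "crv": "P-256", "x": b64u(x), "y": b64u(y)}
    return json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()

def cbor_head(major: int, n: int) -> bytes:
    # Shortest-form CBOR head, enough for the small values used here.
    if n < 24:
        return bytes([major << 5 | n])
    if n < 256:
        return bytes([major << 5 | 24, n])
    return bytes([major << 5 | 25]) + n.to_bytes(2, "big")

def cbor_int(i: int) -> bytes:
    return cbor_head(0, i) if i >= 0 else cbor_head(1, -1 - i)

def cbor_bstr(b: bytes) -> bytes:
    return cbor_head(2, len(b)) + b

def cose_canonical(x: bytes, y: bytes) -> bytes:
    # Required EC2 parameters: kty(1)=EC2(2), crv(-1)=P-256(1), x(-2), y(-3),
    # as a deterministic CBOR map (keys sorted by their encoded bytes).
    params = {1: cbor_int(2), -1: cbor_int(1), -2: cbor_bstr(x), -3: cbor_bstr(y)}
    items = sorted((cbor_int(k), v) for k, v in params.items())
    return cbor_head(5, len(items)) + b"".join(k + v for k, v in items)

def thumbprint_uris(x: bytes, y: bytes) -> tuple[str, str]:
    jkt = b64u(hashlib.sha256(jwk_canonical(x, y)).digest())
    ckt = b64u(hashlib.sha256(cose_canonical(x, y)).digest())
    return (f"urn:ietf:params:oauth:jwk-thumbprint:sha-256:{jkt}",
            f"urn:ietf:params:oauth:ckt:sha-256:{ckt}")

if __name__ == "__main__":
    for uri in thumbprint_uris(X, Y):
        print(uri)
```

A verifier comparing key identifiers therefore has to know which of the two forms it was given; the thumbprint values are not interchangeable even when the key material is identical.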