Indeed I am late to the party on this one. Apologies again for that. It's
quite challenging to keep up with things. At least it is for me.

I maintain that the use of an 'oauth' namespace for a COSE thing is
inappropriate. But also recognize the many impediments to change,
particularly at this stage.

I'd suggest an AUTH48 note that's more reflective of the situation, however
- something along the lines of:

   "Note that, despite 'oauth' in the namespace, these URIs are intended
for use with applications and specifications not necessarily related to
OAuth."

On Tue, Oct 8, 2024 at 12:21 PM Michael Jones <[email protected]>
wrote:

> (Writing with my chair hat on.)  This document is in the RFC Editor queue
> in the EDIT state.  Its IANA state is OK – Actions Needed.  I would support
> adding a sentence along these lines during AUTH48 processing, probably at
> the end of Section 5.6
> <https://www.ietf.org/archive/id/draft-ietf-cose-key-thumbprint-06.html#name-cose-key-thumbprint-uris>
> :
>
> “Note that these URIs are intended for use with any kinds of
> specifications and not just OAuth or COSE specifications.”
>
>
>
> I wouldn’t support changing the URI syntax at this late stage of the
> specification process, as it would raise questions of whether to remove the
> spec from the RFC Editor queue and send it back to the working group.
>
>
>
>                                                                 -- Mike
>
>
>
> *From:* Orie Steele <[email protected]>
> *Sent:* Tuesday, October 8, 2024 9:50 AM
> *To:* Brian Campbell <[email protected]>
> *Cc:* Tschofenig, Hannes <[email protected]>;
> [email protected]; cose <[email protected]>
> *Subject:* [COSE] Re: [IANA #1361034] expert review for
> draft-ietf-cose-key-thumbprint (oauth-parameters)
>
> On Tue, Oct 8, 2024 at 11:10 AM Brian Campbell <[email protected]>
> wrote:
>
> The OAuth URI registry
> <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xml#uri>
> on the OAuth Parameters
> <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xml>
> registry page was established by RFC6755 An IETF URN Sub-Namespace for
> OAuth <https://www.rfc-editor.org/rfc/rfc6755.html>, which says it
> "establishes an IETF URN Sub-namespace for use with OAuth-related
> specifications." The subnamespace of "urn:ietf:params:oauth:" (which I got
> wrong by omitting the "ietf:" part in my prior message, apologies) was
> created stating in the intro
> <https://www.rfc-editor.org/rfc/rfc6755.html#section-1> that "OAuth
> relevant parameters will be established underneath it." The presence of the
> word "oauth" in the URN Sub-namespace itself also implies some relationship
> to OAuth.
>
>
>
> COSE and COSE keys and their thumbprints are not OAuth-related
> specifications nor OAuth relevant parameters.
>
>
>
> That's why I feel this is incorrect.
>
>
>
> JWK Thumbprints URIs <https://www.rfc-editor.org/rfc/rfc9278.html> are
> arguably also not OAuth-related. I'd be pretty sympathetic to that
> argument. I'd also be sympathetic to an argument that that document
> shouldn't even exist. But it's much too late to do anything about that now.
> And JWKs are used in some OAuth-related specifications and the document
> came up through the OAUTH WG so there is some relationship, if a rather
> tenuous one.
>
>
>
> I agree with your comments regarding the relationship of JWK Thumbprints
> to OAuth.
> The same public key expressed as a JWK or COSE Key will have different
> thumbprints.
> For this reason, I think it will be least astonishing for developers to
> discover the URI expressions of thumbprints in the same registry.
>
> BTW, this topic was discussed previously here, and I agree with Mike's
> comment generally:
>
> https://mailarchive.ietf.org/arch/msg/cose/wGUObrMhC1QmERJ5_l47gK8unF4/
>
> Especially this part: Unnecessary differences when doing the same thing
> should be avoided.
>
> While digging this up I realized the document does not explicitly state
> that these thumbprint URIs can be used by applications other than OAuth.
>
> I see several paths forward:
>
> - Remove the COSE Key Thumbprint URI from the document.
> - Keep it and use a different sub-namespace (not oauth).
> - Keep it and use oauth
>
> I prefer the last option, but I believe we should apply Mike Jones'
> suggestion to be explicit that these URIs are expected to be used by
> applications other than OAuth.
>
> On Mon, Oct 7, 2024 at 5:36 PM Orie Steele <[email protected]>
> wrote:
>
> Brian, indeed this was done to align with the existing JWK Thumbprint URI.
>
>
>
> Why do you feel this is incorrect?
>
>
>
> Here is the JWK example:
>
>
>
> urn:ietf:params:oauth:jwk-thumbprint:NzbLsX...
>
>
>
> In an ideal world, I think names for keys should be shorter... and not
> protocol specific.
>
>
>
> Something like:
>
>
>
> urn:jkt:Nzb....
>
>
>
> urn:ckt:Nzb....
>
>
>
> But that's not the way these parameters have been registered historically.
>
>
>
> OS
>
>
>
> On Mon, Oct 7, 2024, 5:34 PM Brian Campbell <bcampbell=
> [email protected]> wrote:
>
> I realize this comes quite late, sorry, probably too late for any action.
> I find myself here due mostly to a tangentially related discussion in a
> different standards-related organization.
>
>
>
> But can anyone explain the justification for the use of the OAuth URI
> registry here? I realize the registry exists so it was probably a
> convenient thing to do to carve out a URN sub-namespace. And I know that,
> for better or worse, the JWK Thumbprint URI uses "urn:oauth:params:" so
> this was likely just following what was done there. But the use of
> "urn:oauth:params:" for a COSE Key Thumbprint URI really doesn't seem quite
> right.
>
>
>
> On Thu, Apr 4, 2024 at 9:04 AM Tschofenig, Hannes <hannes.tschofenig=
> [email protected]> wrote:
>
> Hi David,
>
> I hope it is OK for me to do the expert review given that I am also an
> author of the specification.
>
> I checked the text in the IANA registry of the draft against the body of
> the document and the request to add a new entry to the OAuth URI registry
> for the URN: urn:ietf:params:oauth:ckt is correct.
>
> Ciao
> Hannes
>
> PS: Could you remove the Arm email address from the IANA system?
>
> -----Original Message-----
> From: COSE <[email protected]> On Behalf Of David Dong via RT
> Sent: Wednesday, 13 March 2024 20:38
> Cc: [email protected]; [email protected]
> Subject: [COSE] [IANA #1361034] expert review for
> draft-ietf-cose-key-thumbprint (oauth-parameters)
>
> Dear Hannes Tschofenig (cc: cose WG),
>
> As the designated expert for the OAuth URI registry, can you review the
> proposed registration in draft-ietf-cose-key-thumbprint-04 for us? Please
> see
>
> https://datatracker.ietf.org/doc/draft-ietf-cose-key-thumbprint/
>
> The due date is March 27th, 2024.
>
> If this is OK, when the IESG approves the document for publication, we'll
> make the registration at:
>
> https://www.iana.org/assignments/oauth-parameters/
>
> With thanks,
>
> David Dong
> IANA Services Sr. Specialist
>
> _______________________________________________
> COSE mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/cose
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
> _______________________________________________
> COSE mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
> --
>
> *ORIE STEELE *Chief Technology Officer
> www.transmute.industries
>
> <https://transmute.industries/>
>
