I support that text.

On Wed, Oct 9, 2024, 4:12 PM Brian Campbell <[email protected]> wrote:
> Indeed I am late to the party on this one. Apologies again for that. It's
> quite challenging to keep up with things. At least it is for me.
>
> I maintain that the use of an 'oauth' namespace for a COSE thing is
> inappropriate. But also recognize the many impediments to change,
> particularly at this stage.
>
> I'd suggest an AUTH48 note that's more reflective of the situation,
> however - something along the lines of:
>
> "Note that, despite 'oauth' in the namespace, these URIs are intended
> for use with applications and specifications not necessarily related to
> OAuth."
>
> On Tue, Oct 8, 2024 at 12:21 PM Michael Jones <[email protected]>
> wrote:
>
>> (Writing with my chair hat on.) This document is in the RFC Editor queue
>> in the EDIT state. Its IANA state is OK – Actions Needed. I would support
>> adding a sentence along these lines during AUTH48 processing, probably at
>> the end of Section 5.6
>> <https://www.ietf.org/archive/id/draft-ietf-cose-key-thumbprint-06.html#name-cose-key-thumbprint-uris>
>> :
>>
>> “Note that these URIs are intended for use with any kinds of
>> specifications and not just OAuth or COSE specifications.”
>>
>> I wouldn’t support changing the URI syntax at this late stage of the
>> specification process, as it would raise questions of whether to remove the
>> spec from the RFC Editor queue and send it back to the working group.
>>
>> -- Mike
>>
>> *From:* Orie Steele <[email protected]>
>> *Sent:* Tuesday, October 8, 2024 9:50 AM
>> *To:* Brian Campbell <[email protected]>
>> *Cc:* Tschofenig, Hannes <[email protected]>;
>> [email protected]; cose <[email protected]>
>> *Subject:* [COSE] Re: [IANA #1361034] expert review for
>> draft-ietf-cose-key-thumbprint (oauth-parameters)
>>
>> On Tue, Oct 8, 2024 at 11:10 AM Brian Campbell <
>> [email protected]> wrote:
>>
>> The OAuth URI registry
>> <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xml#uri>
>> on the OAuth Parameters
>> <https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xml>
>> registry page was established by RFC6755 An IETF URN Sub-Namespace for
>> OAuth <https://www.rfc-editor.org/rfc/rfc6755.html>, which says it
>> "establishes an IETF URN Sub-namespace for use with OAuth-related
>> specifications." The subnamespace of "urn:ietf:params:oauth:" (which I got
>> wrong by omitting the "ietf:" part in my prior message, apologies) was
>> created stating in the intro
>> <https://www.rfc-editor.org/rfc/rfc6755.html#section-1> that "OAuth
>> relevant parameters will be established underneath it." The presence of the
>> word "oauth" in the URN Sub-namespace itself also implies some relationship
>> to OAuth.
>>
>> COSE and COSE keys and their thumbprints are not OAuth-related
>> specifications nor OAuth relevant parameters.
>>
>> That's why I feel this is incorrect.
>>
>> JWK Thumbprints URIs <https://www.rfc-editor.org/rfc/rfc9278.html> are
>> arguably also not OAuth-related. I'd be pretty sympathetic to that
>> argument. I'd also be sympathetic to an argument that that document
>> shouldn't even exist. But it's much too late to do anything about that now.
>> And JWKs are used in some OAuth-related specifications and the document
>> came up through the OAUTH WG so there is some relationship, if a rather
>> tenuous one.
>>
>> I agree with your comments regarding the relationship of JWK Thumbprints
>> to OAuth.
>> The same public key expressed as a JWK or COSE Key will have different
>> thumbprints.
>> For this reason, I think it will be least astonishing for developers to
>> discover the URI expressions of thumbprints in the same registry.
>>
>> BTW, this topic was discussed previously here, and I agree with Mike's
>> comment generally:
>>
>> https://mailarchive.ietf.org/arch/msg/cose/wGUObrMhC1QmERJ5_l47gK8unF4/
>>
>> Especially this part: Unnecessary differences when doing the same thing
>> should be avoided.
>>
>> While digging this up I realized the document does not explicitly state
>> that these thumbprint URIs can be used by applications other than OAuth.
>>
>> I see several paths forward:
>>
>> - Remove the COSE Key Thumbprint URI from the document.
>> - Keep it and use a different sub-namespace (not oauth).
>> - Keep it and use oauth
>>
>> I prefer the last option, but I believe we should apply Mike Jones'
>> suggestion to be explicit that these URIs are expected to be used by
>> applications other than OAuth.
>>
>> On Mon, Oct 7, 2024 at 5:36 PM Orie Steele <[email protected]>
>> wrote:
>>
>> Brian, indeed this was done to align with the existing JWK Thumbprint URI.
>>
>> Why do you feel this is incorrect?
>>
>> Here is the JWK example:
>>
>> urn:ietf:params:oauth:jwk-thumbprint:NzbLsX...
>>
>> In an ideal world, I think names for keys should be shorter... and not
>> protocol specific.
>>
>> Something like:
>>
>> urn:jkt:Nzb....
>>
>> urn:ckt:Nzb....
>>
>> But that's not the way these parameters have been registered historically.
>>
>> OS
>>
>> On Mon, Oct 7, 2024, 5:34 PM Brian Campbell <bcampbell=
>> [email protected]> wrote:
>>
>> I realize this comes quite late, sorry, probably too late for any action.
>> I find myself here due mostly to a tangentially related discussion in a
>> different standards-related organization.
>>
>> But can anyone explain the justification for the use of the OAuth URI
>> registry here? I realize the registry exists so it was probably a
>> convenient thing to do to carve out a URN sub-namespace. And I know that,
>> for better or worse, the JWK Thumbprint URI uses "urn:oauth:params:" so
>> this was likely just following what was done there. But the use of
>> "urn:oauth:params:" for a COSE Key Thumbprint URI really doesn't seem quite
>> right.
>>
>> On Thu, Apr 4, 2024 at 9:04 AM Tschofenig, Hannes <hannes.tschofenig=
>> [email protected]> wrote:
>>
>> Hi David,
>>
>> I hope it is OK for me to do the expert review given that I am also an
>> author of the specification.
>>
>> I checked the text in the IANA registry of the draft against the body of
>> the document and the request to add a new entry to the OAuth URI registry
>> for the URN: urn:ietf:params:oauth:ckt is correct.
>>
>> Ciao
>> Hannes
>>
>> PS: Could you remove the Arm email address from the IANA system?
>>
>> -----Original Message-----
>> From: COSE <[email protected]> On Behalf Of David Dong via RT
>> Sent: Wednesday, 13 March 2024 20:38
>> Cc: [email protected]; [email protected]
>> Subject: [COSE] [IANA #1361034] expert review for
>> draft-ietf-cose-key-thumbprint (oauth-parameters)
>>
>> Dear Hannes Tschofenig (cc: cose WG),
>>
>> As the designated expert for the OAuth URI registry, can you review the
>> proposed registration in draft-ietf-cose-key-thumbprint-04 for us? Please
>> see
>>
>> https://datatracker.ietf.org/doc/draft-ietf-cose-key-thumbprint/
>>
>> The due date is March 27th, 2024.
>>
>> If this is OK, when the IESG approves the document for publication, we'll
>> make the registration at:
>>
>> https://www.iana.org/assignments/oauth-parameters/
>>
>> With thanks,
>>
>> David Dong
>> IANA Services Sr. Specialist
>>
>> _______________________________________________
>> COSE mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/cose
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>>
>> --
>>
>> *ORIE STEELE* Chief Technology Officer
>> www.transmute.industries
>>
>> <https://transmute.industries/>
_______________________________________________
COSE mailing list -- [email protected]
To unsubscribe send an email to [email protected]
