Re: [Ace] [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)

with the registrations on Wednesday. Cheers, -- Mike From: Jim Schaad Sent: Monday, March 23, 2020 10:55 AM To: 'Hannes Tschofenig' ; 'Seitz Ludwig' ; Mike Jones ; 'Chuck Mortimore' Cc

Re: [Ace] [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)

, -- Mike From: Seitz Ludwig Sent: Monday, March 16, 2020 3:18 AM To: Mike Jones ; Chuck Mortimore ; hannes.tschofe...@arm.com Cc: drafts-expert-rev...@iana.org; cwt-reg-rev...@ietf.org; chuck.mortim...@visa.com; draft-ietf-ace-oauth-au...@ietf.org; ace@ietf.org

Re: [Ace] [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)

with the registrations on Monday, registering “scope” with value 41. -- Mike From: Seitz Ludwig Sent: Thursday, March 12, 2020 1:05 AM To: Chuck Mortimore ; Mike Jones Cc: Ludwig Seitz ; drafts-expert-rev...@iana.org; cwt-reg-rev...@ietf.org

Re: [Ace] [EXTERNAL] Re: [Cwt-reg-review] [IANA #1158953] Requested review for IANA registration in draft-ietf-ace-oauth-authz (cwt - CBOR Web Token Claims)

[Adding correct e-mail addresses for Chuck, who recently joined Visa] There are two reasons that I believe not using up one of the scarce one-byte claim identifiers for "scope" is appropriate: 1. The claim values for scopes are not short themselves. They are sets of ASCII strings

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) is now RFC 8747

I'm pleased to report that Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) is now RFC 8747. The abstract of the specification is: This specification describes how to declare in a CBOR Web Token (CWT) (which is defined by RFC 8392) that

Re: [Ace] [EXTERNAL] RE: Access token question

Ludwig' ; Mike Jones Cc: 'Ace Wg' Subject: [EXTERNAL] RE: Access token question You are missing something https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-33#section-8.13<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-ace-oauth-authz

Re: [Ace] [EXTERNAL] [Jwt-reg-review] [IANA #1160802] Re: Requested review for IANA registration in draft-ietf-ace-oauth-params

I am OK with these JWT claim registrations. -- Mike -Original Message- From: Jwt-reg-review On Behalf Of Sabrina Tanamal via RT Sent: Friday, January 24, 2020 8:59 AM Cc: r...@cert.org; daniel.miga...@ericsson.com; jwt-reg-rev...@ietf.org;

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) sent to the RFC Editor

I'm pleased to report that the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification is now technically stable and will shortly be an RFC - an Internet standard. Specifically, it has now progressed to the RFC Editor queue, meaning that the only remaining step before

Re: [Ace] I-D Action: draft-ietf-ace-cwt-proof-of-possession-11.txt

This version addresses the remaining IESG review comment by Mirja Kühlewind, which removes the language about contacting the IESG should the Designated Experts not act on IANA registrations in a timely way, per a decision by the IESG on today's telechat. -- Mike

Re: [Ace] Mirja Kühlewind's No Objection on draft-ietf-ace-cwt-proof-of-possession-09: (with COMMENT)

. Thank you, -- Mike -Original Message- From: Mike Jones Sent: Wednesday, October 30, 2019 5:48 PM To: Benjamin Kaduk Cc: Roman D. Danyliw ; ace-cha...@ietf.org; Mirja Kuehlewind ; The IESG ; ace@ietf.org; draft-ietf-ace-cwt-proof-of-possess

Re: [Ace] I-D Action: draft-ietf-ace-cwt-proof-of-possession-10.txt

This version addresses IESG comments from Adam Roach and Éric Vyncke, both of which resulted in local editorial improvements to the document. -- Mike -Original Message- From: Ace On Behalf Of internet-dra...@ietf.org Sent: Wednesday, October 30, 2019

Re: [Ace] Mirja Kühlewind's No Objection on draft-ietf-ace-cwt-proof-of-possession-09: (with COMMENT)

, -- Mike -Original Message- From: Ace On Behalf Of Benjamin Kaduk Sent: Wednesday, October 30, 2019 5:29 PM To: Mike Jones Cc: Roman D. Danyliw ; ace-cha...@ietf.org; Mirja Kuehlewind ; The IESG ; ace@ietf.org; draft-ietf-ace-cwt-proof-of-possess...@ietf.org; Barry

Re: [Ace] Éric Vyncke's No Objection on draft-ietf-ace-cwt-proof-of-possession-09: (with COMMENT)

Thanks for your review, Éric. The "iss" claim is now explained on first use at https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-10#section-3 (paralleling the treatment of the first use of the "sub" claim). Thanks again,

Re: [Ace] Mirja Kühlewind's No Objection on draft-ietf-ace-cwt-proof-of-possession-09: (with COMMENT)

what you decide. Thanks again, -- Mike -Original Message- From: Barry Leiba Sent: Monday, October 28, 2019 2:00 PM To: Mike Jones Cc: Mirja Kuehlewind ; Benjamin Kaduk ; Roman D. Danyliw ; ace-cha...@ietf.org; The IESG

Re: [Ace] Mirja Kühlewind's No Objection on draft-ietf-ace-cwt-proof-of-possession-09: (with COMMENT)

The practice of using a mailing list for registration requests to enable public visibility of them goes back at least to .well-known URI registrations https://tools.ietf.org/html/rfc5785 by Mark Nottingham in April 2010. OAuth 2.0 followed this practice in RFC 6749, as did the JOSE specs and

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing Gen-ART and SecDir reviews

A new version of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published addressing the Gen-ART and SecDir review comments. Thanks to Christer Holmberg and Yoav Nir, respectively, for these useful reviews. The specification is available at: *

Re: [Ace] Secdir last call review of draft-ietf-ace-cwt-proof-of-possession-08

Hi Yoav, https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-09 has been published, which addresses your review comments in the ways proposed below. Thanks again for your review! -- Mike From: Mike Jones Sent: Wednesday

Re: [Ace] Genart last call review of draft-ietf-ace-cwt-proof-of-possession-08

Hi Christer, https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-09 has been published, which addresses your review comments in the ways proposed below. Thanks again for your review! -- Mike From: Mike Jones Sent

Re: [Ace] Secdir last call review of draft-ietf-ace-cwt-proof-of-possession-08

Thanks a lot for your review, Yoav. Replies are inline, prefixed by “Mike>”… -Original Message- From: Yoav Nir via Datatracker Sent: Sunday, October 6, 2019 11:52 AM To: sec...@ietf.org Cc: draft-ietf-ace-cwt-proof-of-possession@ietf.org; i...@ietf.org; ace@ietf.org Subject:

Re: [Ace] Genart last call review of draft-ietf-ace-cwt-proof-of-possession-08

Thanks for your review, Christer. Replies are inline, prefixed by "Mike>"… -Original Message- From: Christer Holmberg via Datatracker Sent: Friday, October 4, 2019 10:44 AM To: gen-...@ietf.org Cc: draft-ietf-ace-cwt-proof-of-possession@ietf.org; i...@ietf.org; ace@ietf.org

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing remaining Area Director comments

A new version of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been published to address the remaining Area Director review comments by Benjamin Kaduk. Thanks to Ludwig Seitz for doing the bulk of the editing for this version. The specification is available

Re: [Ace] New Version Notification - draft-ietf-ace-cwt-proof-of-possession-07.txt

that text. Could you also do that, Ludwig? Thanks all, -- Mike -Original Message- From: Ludwig Seitz Sent: Wednesday, September 25, 2019 2:34 AM To: Mike Jones ; Samuel Erdtman Cc: Benjamin Kaduk ; draft-ietf-ace-cwt-proof-of-

Re: [Ace] New Version Notification - draft-ietf-ace-cwt-proof-of-possession-07.txt

. Thanks all, -- Mike From: Samuel Erdtman Sent: Wednesday, September 25, 2019 12:18 AM To: Ludwig Seitz Cc: Mike Jones ; Benjamin Kaduk ; draft-ietf-ace-cwt-proof-of-possession@ietf.org; ace@ietf.org Subject: Re: New Version Notification

Re: [Ace] New Version Notification - draft-ietf-ace-cwt-proof-of-possession-07.txt

I'm fine with us making both of the proposed changes. Thanks, -- Mike -Original Message- From: Benjamin Kaduk Sent: Tuesday, September 24, 2019 4:35 PM To: draft-ietf-ace-cwt-proof-of-possession@ietf.org Cc:

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing Area Director review comments

The Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to address the Area Director review comments by Benjamin Kaduk. Thanks to Ludwig Seitz and Hannes Tschofenig for their work on resolving the issues raised. The specification is available at: *

Re: [Ace] AD review of draft-ietf-ace-cwt-proof-of-possession-06

Please see my review of the PR, Ludwig. -Original Message- From: Ludwig Seitz Sent: Sunday, August 25, 2019 11:40 PM To: Benjamin Kaduk Cc: draft-ietf-ace-cwt-proof-of-possession@ietf.org; ace@ietf.org Subject: Re: AD review of draft-ietf-ace-cwt-proof-of-possession-06 Hi Ben,

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec fixing nits

The Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to address issues identified by Roman Danyliw while writing his shepherd review. Thanks to Samuel Erdtman for fixing an incorrect example. The specification is available at: *

[Ace] CWT equivalent of JWT.io

Does anyone know of an online tool that will decode CWTs like https://jwt.io/ does for JWTs? Thanks, -- Mike ___ Ace mailing list

Re: [Ace] Syntax check of examples in draft-ietf-ace-cwt-proof-of-possession-05

Thanks - we'll address that as well. -- Mike -Original Message- From: Ace On Behalf Of Roman Danyliw Sent: Friday, November 30, 2018 11:10 AM To: ace@ietf.org Subject: [Ace] Syntax check of examples in draft-ietf-ace-cwt-proof-of-possession-05 Hello!

Re: [Ace] Idnits on draft-ietf-ace-cwt-proof-of-possession-05

Will do... -Original Message- From: Ace On Behalf Of Roman Danyliw Sent: Friday, November 30, 2018 8:50 AM To: ace@ietf.org Subject: [Ace] Idnits on draft-ietf-ace-cwt-proof-of-possession-05 Hi! As part of the shepherd review, I ran idnits on draft-ietf-ace-cwt-proof-of-possession-05.

Re: [Ace] IPR Conformance check for draft-ietf-ace-cwt-proof-of-possession

Likewise, I am not aware of any IPR that pertains to this specification. -- Mike From: Ace on behalf of Göran Selander Sent: Friday, November 30, 2018 8:50:24 AM To: Roman Danyliw; ace@ietf.org Subject: Re: [Ace] IPR Conformance check for

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec adding Key ID considerations

Key ID confirmation method considerations suggested by Jim Schaad have been added to the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification. Per discussions in the working group meeting in Bangkok, it's now time for the shepherd review. The specification is available

Re: [Ace] Summarizing WGLC discussion of draft-ietf-ace-cwt-proof-of-possession

etf.org/arch/msg/ace/garcXUmWNHmEgZNS7FKT-AYBgMI? I'll look at it again now... Thanks, -- Mike From: Jim Schaad Sent: Thursday, November 8, 2018 11:30 AM To: Mike Jones ; 'Roman Dany

Re: [Ace] Summarizing WGLC discussion of draft-ietf-ace-cwt-proof-of-possession

FYI - I wrote about this new version at http://self-issued.info/?p=1933 and as @selfissued<https://twitter.com/selfissued>. -- Mike From: Ace On Behalf Of Mike Jones Sent: Tuesday, November 6, 2018 3:43 PM To: Roman Danyliw ; ace@ie

Re: [Ace] Summarizing WGLC discussion of draft-ietf-ace-cwt-proof-of-possession

Thanks for the useful summary, Roman. Replies are inline below prefixed by "Mike>". I've just published draft -04, which contains the small number of changes described below. I believe that this completes resolution of

Re: [Ace] WGLC for draft-ietf-ace-authz

This sounds like a good solution, Ludwig. Thanks for the productive conversation. -- Mike -Original Message- From: Ludwig Seitz Sent: Wednesday, October 31, 2018 2:08 AM To: Mike Jones ; ace@ietf.org Subject: Re: [Ace] WGLC for draft-ietf-ace-authz

Re: [Ace] WGLC for draft-ietf-ace-oauth-params

3.1, 3.2, and 4.1, parameter definitions: None of these parameter definitions specify the syntax of the parameters defined, making understanding these quite confusing. Yes, this is talked about later in the doc but there are not even forward references to where the definitions are completed in

Re: [Ace] PoP Key Distribution

I've replied on the OAuth mailing list. You can join it at https://www.ietf.org/mailman/listinfo/oauth to participate in the discussion. From: Ace On Behalf Of Hannes Tschofenig Sent: Tuesday, July 3, 2018 12:47 PM To: ace@ietf.org Subject: [Ace] FW: PoP Key Distribution Note that I posted a

Re: [Ace] Key IDs ... RE: WGLC on draft-ietf-ace-cwt-proof-of-possession-02

Thanks, Ludwig. Note that last paragraph of the new Operational Considerations section at https://tools.ietf.org/html/draft-ietf-ace-cwt-proof-of-possession-03#section-6 addresses this issue. In particular, the last sentence of the section talks about the need to keep keys used in different

Re: [Ace] Montreal IETF Agenda

I'd like 15 minutes to discuss draft-ietf-ace-cwt-proof-of-possession. Thanks, -- Mike -Original Message- From: Ace On Behalf Of Jim Schaad Sent: Monday, June 25, 2018 4:36 AM To: ace@ietf.org Subject: [Ace] Montreal IETF

Re: [Ace] Key IDs ... RE: WGLC on draft-ietf-ace-cwt-proof-of-possession-02

The sentence I sent was in addition to Hannes language to address the multiple CWT case discussed in the thread - not a replacement for it. -- Mike -Original Message- From: Jim Schaad Sent: Saturday, June 23, 2018 9:05 AM To: Mike Jones ; Hannes

Re: [Ace] Replay ... RE: WGLC feedback on draft-ietf-ace-cwt-proof-of-possession-02

I agree with this proposed update and will apply it to the editor's draft. -Original Message- From: Ace On Behalf Of Hannes Tschofenig Sent: Friday, June 22, 2018 6:36 AM To: Roman Danyliw ; ace@ietf.org Subject: [Ace] Replay ... RE: WGLC feedback on

Re: [Ace] Key IDs ... RE: WGLC on draft-ietf-ace-cwt-proof-of-possession-02

nt: Friday, June 22, 2018 1:44 PM To: Hannes Tschofenig Cc: Jim Schaad ; Mike Jones ; draft-ietf-ace-cwt-proof-of-possess...@ietf.org; ace@ietf.org Subject: Re: [Ace] Key IDs ... RE: WGLC on draft-ietf-ace-cwt-proof-of-possession-02 On Fri, Jun 22, 2018 at 01:36:16PM +, Hannes Tschofenig w

Re: [Ace] Key IDs ... RE: WGLC on draft-ietf-ace-cwt-proof-of-possession-02

ed so that an attacker cannot cause the wrong PoP key to be used by using a valid Key ID for the wrong kind of CWT." -- Mike -Original Message- From: Jim Schaad Sent: Friday, June 22, 2018 7:59 AM To: Hannes Tschofenig ; Mike Jones ; draft-ietf-ace

Re: [Ace] CWT-PoP & Multiple PoP keys

Good. Having resolved this, I believe we should be in position to do a release addressing the WGLC comments this week. -- Mike -Original Message- From: Ace On Behalf Of Ludwig Seitz Sent: Wednesday, June 20, 2018 12:14 AM To: ace@ietf.org Subject: Re:

Re: [Ace] Reminder -- WGLC on draft-ietf-ace-cwt-proof-of-possession-02

The proposed change to allow multiple PoP keys in a single "cnf" element introduces unnecessary syntactic and semantic ambiguity. It also breaks the semantic equivalence with RFC 7800. Hannes, you're right that there's not consensus to do this. Please see my review of your pull request at

Re: [Ace] WGLC on draft-ietf-ace-cwt-proof-of-possession-02

Thanks for your useful comments, Jim. Replies are inline below. -Original Message- From: Jim Schaad Sent: Wednesday, May 9, 2018 6:51 AM To: draft-ietf-ace-cwt-proof-of-possess...@ietf.org Cc: ace@ietf.org Subject: RE: [Ace] WGLC on

[Ace] “CBOR Web Token (CWT)” is now RFC 8392

The “CBOR Web Token (CWT)” specification is now RFC 8392 - an IETF standard. The abstract for the specification is: CBOR Web Token (CWT) is a compact means of representing claims to be transferred between two parties. The claims in a CWT are

Re: [Ace] OAuth-Authz Interop

Before any interop work is done, I suggest that it would be better to first address the significant CBOR number assignment issues I pointed out in my review on October 10, 2017 https://www.ietf.org/mail-archive/web/ace/current/msg02364.html, so that the interop is more likely to occur using

Re: [Ace] WGLC for draft-ietf-ace-cwt-proof-of-possession?

From: Mike Jones Sent: Wednesday, May 2, 2018 2:45 PM To: Jim Schaad <i...@augustcellars.com>; Roman Danyliw <r...@cert.org> Cc: Ludwig Seitz <lud...@sics.se>; goran.selan...@ericsson.com; e...@wahlstromstekniska.se; Samuel Erdtman <sam...@erdtman.se>; Hannes Ts

[Ace] CBOR Web Token (CWT) spec for the RFC Editor

One more clarification to the CBOR Web Token (CWT) specification has been made to address a comment by IESG member Adam Roach. This version is being sent to the RFC Editor in preparation for its publication as an RFC. The change was: * Added section

Re: [Ace] Alexey Melnikov's No Objection on draft-ietf-ace-cbor-web-token-12: (with COMMENT)

Hi Alexey, https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-14 should address your comments. Changes motivated by your comments were: - Added the text "IANA must only accept registry updates from the Designated Experts and should direct all requests for registration to the review

[Ace] CBOR Web Token (CWT) spec addressing IESG comments

The CBOR Web Token (CWT) specification has been updated to address comments received from Internet Engineering Steering Group (IESG) members. Changes were: * Cleaned up the descriptions of the numeric ranges of claim keys being registered in the

Re: [Ace] Eric Rescorla's No Objection on draft-ietf-ace-cbor-web-token-13: (with COMMENT)

Thanks, Ekr. One more reply to your last comment the bottom of the message… From: Eric Rescorla <e...@rtfm.com> Sent: Wednesday, March 14, 2018 2:38 PM To: Mike Jones <michael.jo...@microsoft.com> Cc: The IESG <i...@ietf.org>; kathleen.moriarty.i...@gmail.com; draft

Re: [Ace] Eric Rescorla's No Objection on draft-ietf-ace-cbor-web-token-13: (with COMMENT)

Hi Ekr. Thanks for the review comments. Responses are inline below, prefixed by "Mike>"... -Original Message- From: Eric Rescorla Sent: Wednesday, March 7, 2018 12:40 PM To: The IESG Cc: draft-ietf-ace-cbor-web-to...@ietf.org; ace-cha...@ietf.org;

Re: [Ace] Adam Roach's No Objection on draft-ietf-ace-cbor-web-token-13: (with COMMENT)

:28 PM To: Mike Jones <michael.jo...@microsoft.com>; Benjamin Kaduk <ka...@mit.edu> Cc: The IESG <i...@ietf.org>; draft-ietf-ace-cbor-web-to...@ietf.org; ace-cha...@ietf.org; ace@ietf.org Subject: Re: Adam Roach's No Objection on draft-ietf-ace-cbor-web-token-13: (with COMMENT) On 3/7

Re: [Ace] Adam Roach's No Objection on draft-ietf-ace-cbor-web-token-13: (with COMMENT)

Thanks, Ben and Adam. I've recoded a note to address the improvements below one the submission tool reopens. For what it's worth, I independently noticed the unintended overlap between the Standards Action and Specification Required number ranges in a conversation today with IANA. The point

Re: [Ace] Opsdir telechat review of draft-ietf-ace-cbor-web-token-12

Thanks for taking the time to review the specification, Carlos. You are now listed in the acknowledgements at https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-13#appendix-B. -- Mike -Original Message- From: Carlos Martinez

Re: [Ace] AD Review of draft-ietf-ace-cbor-web-token-12

, -- Mike -Original Message- From: Ace <ace-boun...@ietf.org> On Behalf Of Mike Jones Sent: Friday, February 16, 2018 2:21 PM To: Kathleen Moriarty <kathleen.moriarty.i...@gmail.com> Cc: ace@ietf.org Subject: Re: [Ace] AD Review of draft-ietf-ace-cbor-

[Ace] CBOR Web Token (CWT) draft addressing IETF last call comments

The CBOR Web Token (CWT) specification has been updated to address IETF last call comments received to date, including GenArt, SecDir, Area Director, and additional shepherd comments. Changes were: * Clarified the registration criteria applied to different ranges of Claim Key values, as

Re: [Ace] Agenda Items for London

I would like to do brief presentations on the status of these drafts: - draft-ietf-ace-cbor-web-token - draft-ietf-ace-cwt-proof-of-possession 15 minutes each should be sufficient. Thanks, -- Mike -Original Message-

Re: [Ace] Genart telechat review of draft-ietf-ace-cbor-web-token-12

Replies inline… From: Ace On Behalf Of Dan Romascanu Sent: Tuesday, February 27, 2018 2:23 PM To: Jim Schaad Cc: gen-art ; ace@ietf.org; ietf ; Benjamin Kaduk ;

Re: [Ace] Genart telechat review of draft-ietf-ace-cbor-web-token-12

I agree with Jim. This information is in the registration template at https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-12#section-9.1.1, as follows: Claim Key: CBOR map key for the claim. Integer values between -256 and 255 and strings of length 1 are designated as

Re: [Ace] CBOR Web Token (CWT) draft addressing shepherd review comments

it. Grüße, -- Mike -Original Message- From: Carsten Bormann <c...@tzi.org> Sent: Friday, February 2, 2018 9:28 PM To: Mike Jones <michael.jo...@microsoft.com> Cc: ace@ietf.org Subject: Re: [Ace] CBOR We

Re: [Ace] shepherd review of draft-ietf-ace-cbor-web-token-11

Thanks for your useful review, Ben. I believe that https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-12 addresses all your comments and is ready to send to Kathleen. Best wishes, -- Mike -Original Message- From:

[Ace] CBOR Web Token (CWT) draft addressing shepherd review comments

The CBOR Web Token (CWT) specification has been updated to address the shepherd comments by Benjamin Kaduk. Changes were: * Updated the RFC 5226 reference to RFC 8126. * Made the IANA registration criteria consistent across sections. * Stated that registrations for the limited set

Re: [Ace] shepherd review of draft-ietf-ace-cbor-web-token-11

Thanks for the detailed read, Ben. Will do. -- Mike -Original Message- From: Benjamin Kaduk [mailto:ka...@mit.edu] Sent: Friday, February 2, 2018 2:25 PM To: ace@ietf.org; draft-ietf-ace-cbor-web-to...@ietf.org Subject: shepherd review of

Re: [Ace] Removal of the Client Token from ACE-OAuth draft

I agree with Hannes and Ben that the Client Token is speculative in nature, solving a problem that's it's not clear that we even have. It certainly isn't OAuth. I already made this point in my earlier comprehensive review of the spec, but I'll repeat again here. Please remove it!

[Ace] CBOR Web Token (CWT) draft correcting an example

A new CBOR Web Token (CWT) draft has been published that applies a correction to an example. The full list of changes is: * Corrected the "iv" value in the signed and encrypted CWT example. * Mention CoAP in the application/cwt media type registration. * Changed references of the

[Ace] CBOR Web Token (CWT) addressing 2nd WGLC comments

A new CBOR Web Token (CWT) draft has been published that addresses comments received during the second working group last call. Thanks to Hannes Tschofenig, Esko Dijk, Ludwig Seitz, Carsten Bormann, and Benjamin Kaduk for their feedback. All changes made were clarifications or formatting

Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token (ends 29 November)

Requiring extra code in recipients to ignore tags that already must not be present would make them needlessly more complicated and hurt interop. It's virtually certain that many implementations will not include this extra code that should never be executed. We shouldn't put developers in the

Re: [Ace] CWT - Scope Claim

I agree that CWT shouldn't define claims beyond those that correspond to the JWT claims. Other specs can do that via the registry established for that purpose. -- Mike From: Ace on behalf of Jim Schaad Sent:

Re: [Ace] CWT - Audience

Not having support for multiple audiences is semantically a non-starter. There are some differences in CWT from JWT that are intentional (such as binary key IDs) to better align CWT with COSE, but this particular divergence is unacceptable. My conclusion is that I will need read CWT

[Ace] CBOR Web Token (CWT) specification adding CBOR_Key values and Key IDs to examples

A new CBOR Web Token (CWT) draft has been published that adds CBOR_Key values and Key IDs to examples. Thanks to Samuel Erdtman for working on the examples, as always. Thanks to Giridhar Mandyam for validating the examples! I believe that it's time to request publication, as there remain no

Re: [Ace] draft-ietf-ace-cbor-web-token-08 - CWT CBOR Tag

I also agree that the spec already has this right. Typically no tag will be needed because the application knows the data structure is a CWT from context. The tag is available for any use cases where it's needed to resolve ambiguity that might otherwise be present.

[Ace] Initial Working Group Draft of Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

The initial working group draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been posted. It contains the same normative content as draft-jones-ace-cwt-proof-of-possession-01. The

[Ace] CBOR Web Token (CWT) specification addressing all known issues

A new CBOR Web Token (CWT) draft has been published that updates the diagnostic notation for embedded objects in the examples. Thanks to Samuel Erdtman for making these updates. Thanks to Carsten Bormann for reviewing the examples! This addresses all known issues with the specification. I

[Ace] Related work for draft-erdtman-ace-rpcc

These RFCs are all pertain to OAuth Client Authentication using signed assertions: * RFC 7521 - Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants * RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and

Re: [Ace] ace - Requested session has been scheduled for IETF 99

I'd like to request these ACE agenda slots in Prague: Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) - draft-jones-ace-cwt-proof-of-possession - Michael B. Jones - 15 minutes CBOR Web Token (CWT) - draft-ietf-ace-cbor-web-token - Michael B. Jones - 5 minutes

Re: [Ace] I-D Action: draft-ietf-ace-cbor-web-token-05.txt

Hi Jim. Draft -07 now uses deterministic signing algorithms, thanks to Samuel. Could you take another crack at reproducing the examples? -- Mike From: Jim Schaad [mailto:i...@augustcellars.com] Sent: Thursday, June 22, 2017 3:09 PM To:

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) spec addressing review comments

The Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been updated to address comments received since its initial publication. Changes were: * Tracked CBOR Web Token (CWT) Claims Registry updates. * Addressed review comments by Michael Richardson and Jim

Re: [Ace] Review of draft-jones-ace-cwt-proof-of-possession-00

Thanks for your useful review, Jim. Replies are inline below... -Original Message- From: Jim Schaad [mailto:i...@augustcellars.com] Sent: Tuesday, June 27, 2017 12:50 AM To: draft-jones-ace-cwt-proof-of-possess...@ietf.org Cc: ace@ietf.org Subject: Review of

Re: [Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

ike -Original Message- From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of Michael Richardson Sent: Monday, May 22, 2017 11:17 AM To: Mike Jones <michael.jo...@microsoft.com> Cc: ace@ietf.org Subject: Re: [Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWT

[Ace] CBOR Web Token (CWT) specification addressing editorial comments

A new CBOR Web Token (CWT) draft has been published that addresses editorial comments made by Carsten Bormann and Jim Schaad. All changes were editorial in nature. The specification is available at: * https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-06 An HTML-formatted version

[Ace] CBOR Web Token (CWT) specification addressing WGLC feedback

A new CBOR Web Token (CWT) draft has been published that addresses the Working Group Last Call (WGLC) feedback received. Changes were: * Say that CWT is derived from JWT, rather than CWT is a profile of JWT. * Used CBOR type names in descriptions, rather than major/minor type

Re: [Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

Thanks for the catch. Yes, this should be a CBOR map. I failed to make this change when transforming RFC 7800 into this draft. I'll correct it in the next version. – Mike From: Michael Richardson<mailto:mcr+i...@sandelman.ca> Sent: Monday, May 22, 2017 2:19 PM To: Mike

Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token

, as always, Jim. -- Mike From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of Mike Jones Sent: Monday, May 15, 2017 2:44 PM To: Jim Schaad <i...@augustcellars.com>; 'Samuel Erdtman' <sam...@erdtman.se> Cc: 'ace' <Ace@ie

Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token

...@augustcellars.com] Sent: Monday, May 15, 2017 2:31 PM To: Mike Jones <michael.jo...@microsoft.com>; 'Samuel Erdtman' <sam...@erdtman.se> Cc: 'ace' <Ace@ietf.org> Subject: RE: [Ace] WGLC on draft-ietf-ace-cbor-web-token It is correct that the tag can be added and subtracted at

Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token

<i...@augustcellars.com>; Mike Jones <michael.jo...@microsoft.com> Cc: ace <Ace@ietf.org> Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token Thanks for clarifications Jim, see my comments inline. Mike, there is a question for you inlined too. On Sun, May 14, 2017 at 10:12

Re: [Ace] CWT and PoP Tokens

See the reply that I just sent to Ludwig. I believe that we could get a straight RFC 7800 (“cnf” claim) port done as an RFC at the same time or soon after CWT becomes an RFC. ACE needs PoP keys and other applications do too, and we should try to provide them expeditiously. I invited Ludwig

[Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

With the CBOR Web Token (CWT) specification nearing completion, which provides the CBOR equivalent of JWTs, I thought that it was also time to introduce the CBOR equivalent of RFC 7800,

[Ace] CBOR Web Token (CWT) specification correcting inconsistencies in examples

A revised CBOR Web Token (CWT) draft has been published that corrects inconsistencies in the examples. Thanks to Jim Schaad for validating the examples and pointing out the inconsistencies and to Samuel Erdtman for fixing them. As before, people are highly encouraged to validate the updated

Re: [Ace] Review of draft-ietf-ace-cbor-web-token-03

Let me second the thanks for the thorough review, Jim, and especially for validating the examples. Replies to some of the points are inline… -- Mike From: Samuel Erdtman [mailto:sam...@erdtman.se] Sent: Sunday, April 2, 2017 10:58

Re: [Ace] Call for presentations for IETF98

I'd be glad to do a presentation on the status of CBOR Web Token (CWT) draft-ietf-ace-cbor-web-token. It should take 10-15 minutes. Thanks, -- Mike From: Ace

[Ace] IANA Considerations added to CBOR Web Token (CWT)

The CBOR Web Token (CWT) specification now establishes the IANA CWT Claims registry and registers the CWT claims defined by the specification. The application/cwt CoAP content type is now also registered. This version adds Samuel Erdtman as an editor in recognition of his already significant

Re: [Ace] A question for the ACE framework and CWT

I agree that we don’t need to / want to add this to the registry. From: Ace [mailto:ace-boun...@ietf.org] On Behalf Of Samuel Erdtman Sent: Tuesday, July 5, 2016 1:45 PM To: Ace@ietf.org Subject: Re: [Ace] A question for the ACE framework and CWT ping, any thoughts on this? //Samuel On Tue, Jun