> -----Original Message-----
> From: Ace <ace-boun...@ietf.org> On Behalf Of Ludwig Seitz
> Sent: Wednesday, October 24, 2018 1:00 AM
> To: ace@ietf.org
> Subject: Re: [Ace] Review of draft-ietf-ace-oauth-params-00
>
> On 23/10/2018 21:09, Hannes Tschofenig wrote:
>
> > 2) 'req_aud' parameter
> >
> > At the last IETF OAuth meeting in Montreal we agreed to adopt a new
> > document, called resource indicators, and it can be found here:
> >
> > https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-01
> >
> > I believe the parameter name and semantics defined in
> > draft-ietf-oauth-resource-indicators-01 should match what is defined
> > in draft-ietf-ace-oauth-params-00.
> >
> > The name of the parameter in draft-ietf-oauth-resource-indicators-01
> > is 'resource' and it is defined as
> >
> > resource
> >
> > Indicates the location of the target service or resource where
> >
> > access is being requested. Its value MUST be an absolute URI,
> > as
> >
> > specified by Section 4.3 of [RFC3986], which MAY include a
> > query
> >
> > component but MUST NOT include a fragment component. Multiple
> >
> > "resource" parameters MAY be used to indicate that the
> > requested
> >
> > token is intended to be used at multiple resources.
> >
> >
>
>
> Looking closer at this draft:
>
> The resource parameter seems to be much more limited than the audience
> claim, since a URI is required. As Steffi recently remarked in her review
of
> draft-ietf-oauth-authz, URIs are not a good way to identify resources in
> constrained environments, since the address of a device can change.
I rather have to agree that these do not seem to be doing the same thing.
The 'resource' parameter looks like it could actually be used in parallel
with the 'aud' parameter if you want to refer to a specific RS which is
hosting the audience in question. But that would be some form of narrowing
of scope.
>
> Furthermore there seems also to be an overlap with the 'scope'
> parameter, since the 'resource' parameter can be used to indicate specific
> resources and not only the target RS.
>
> What if we want to identify the audience by its public key instead of an
URI?
Ludwig, this is not actually a problem since there is a URI for doing that.
>
> What if a client wants to request a token for a group of RS identified by
a
> specific audience value (e.g. "thermostats-building-1")?
One of the things that I kept hearing is that an audience may be hosted by
multiple resource servers as long as I have been going to ACE meetings.
This does not seem to be a problem with the OAuth in HTTP right now as a CDN
would hide that level of detail.
Jim
>
>
> /Ludwig
>
>
> --
> Ludwig Seitz, PhD
> Security Lab, RISE
> Phone +46(0)70-349 92 51
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
