Re: [Gen-art] [OAUTH-WG] Genart last call review of draft-ietf-oauth-token-exchange-14

Alissa Cooper <alissa@cooperw.in> Tue, 20 November 2018 19:53 UTC

From: Alissa Cooper <alissa@cooperw.in>
Date: Tue, 20 Nov 2018 14:53:21 -0500
Cc: General Area Review Team <gen-art@ietf.org>, draft-ietf-oauth-token-exchange.all@ietf.org, oauth <oauth@ietf.org>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Jari Arkko <jari.arkko@piuha.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/c4UHgZ9y9QGtnZ2Qy3kmpgN_eCQ>

Jari, thanks for your review. Brian, thanks for your response. I flagged the issue Jari raises below in my DISCUSS ballot — it’s not clear to me why there aren’t normative requirements around confidentiality as there are in the JWT spec and the OAuth 2.0 spec.

Thanks,
Alissa

> On Aug 10, 2018, at 3:49 PM, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
> 
> Thanks for the review Jari,
> 
> Regarding minimizing details, I'm thinking that incorporating some text along the lines of what's in the Privacy Considerations of RFC 7523 <https://tools.ietf.org/html/rfc7523#section-7> might be a worthwhile addition.  
> 
> 
> On Fri, Aug 3, 2018 at 7:49 AM Jari Arkko <jari.arkko@piuha.net> wrote:
> Reviewer: Jari Arkko
> Review result: Ready
> 
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
> 
> For more information, please see the FAQ at
> 
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
> 
> Document: draft-ietf-oauth-token-exchange-14
> Reviewer: Jari Arkko
> Review Date: 2018-08-03
> IETF LC End Date: 2018-08-06
> IESG Telechat date: Not scheduled for a telechat
> 
> Summary:
> 
> This specification describes a standardised protocol for requesting and
> receiving security tokens from an OAuth 2.0 authorisation service.
> 
> I had no experience on OAuth previously, but the document was understandable
> and as far as I could determine, had no major issues.
> 
> It was a bit more difficult to determine completeness.  Security and privacy
> considerations sections were quite short, for instance, and maybe that's
> justifiable given the ability to refer to prior RFCs on this subject. However,
> I suspect one could say more, e.g., Section 7 says "Tokens typically carry
> personal information and their usage in Token Exchange may reveal details of
> the target services being accessed", but it does not offer any advice on how
> such details might be minimised. But perhaps that's already in another RFC as
> well.
> 
> Major issues:
> 
> Minor issues:
> 
> Nits/editorial comments:
> 
> 