Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-assertions-08.txt> (Assertion Framework for OAuth 2.0) to Proposed Standard
Nat Sakimura <sakimura@gmail.com> Fri, 14 December 2012 15:03 UTC
Return-Path: <sakimura@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54F2721F85A6; Fri, 14 Dec 2012 07:03:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.387
X-Spam-Level:
X-Spam-Status: No, score=-1.387 tagged_above=-999 required=5 tests=[AWL=-1.261, BAYES_00=-2.599, FRT_FOLLOW2=0.422, HTML_MESSAGE=0.001, J_CHICKENPOX_71=0.6, MIME_CHARSET_FARAWAY=2.45, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xJwSOU6+ywNa; Fri, 14 Dec 2012 07:03:07 -0800 (PST)
Received: from mail-ea0-f172.google.com (mail-ea0-f172.google.com [209.85.215.172]) by ietfa.amsl.com (Postfix) with ESMTP id 2CB4821F85B2; Fri, 14 Dec 2012 07:03:06 -0800 (PST)
Received: by mail-ea0-f172.google.com with SMTP id a1so1367336eaa.31 for <multiple recipients>; Fri, 14 Dec 2012 07:03:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=references:from:mime-version:in-reply-to:date:message-id:subject:to :cc:content-type; bh=9f6srO+WaskT2GHpL3jWm/WP6g6wjWYzjvVLYZQ92Lc=; b=GZS6gHSPS06F1fMMB9bNaGipXe6rYP8DoSzJC/dmivbfwQzmoB1uxD9T1zBvferPcx 2iAvGiX9kSSJOv8R7QDIA2JmnSdQYvzslhVg5H4PcSYqFztzJ+vpsSy9ypO9dpJicYKN snWaswf8Eg6evG32YsWrqM1fzIhK4fGJKWcoxjqUoRAcp5kSyJCcov9WWufoG517afax NH+aDhcO2DFVgyq5ehi/Lv1gX0ip5YHHb+wHR08aEJxEaEdLTSiyOe3ACzopctjbX4ei urSpI9RGtgJLQf4ufrAFekNQ7FXICSAOL2TdufkRnyPvGOW7k31PaE+XrJJ5joZRDI7Y tjzg==
Received: by 10.14.214.132 with SMTP id c4mr15764163eep.18.1355497385339; Fri, 14 Dec 2012 07:03:05 -0800 (PST)
References: <OF6AFFEFB0.3752F820-ON48257AD4.000F9DD7-48257AD4.00103FB9@zte.com.cn>
From: Nat Sakimura <sakimura@gmail.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <OF6AFFEFB0.3752F820-ON48257AD4.000F9DD7-48257AD4.00103FB9@zte.com.cn>
Date: Sat, 15 Dec 2012 00:02:58 +0900
Message-ID: <-5196739590250615087@unknownmsgid>
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-assertions-08.txt> (Assertion Framework for OAuth 2.0) to Proposed Standard
To: "zhou.sujing@zte.com.cn" <zhou.sujing@zte.com.cn>
Content-Type: multipart/alternative; boundary="047d7b621df825ad2504d0d15442"
X-Mailman-Approved-At: Fri, 14 Dec 2012 09:26:48 -0800
Cc: "oauth@ietf.org" <oauth@ietf.org>, "oauth-bounces@ietf.org" <oauth-bounces@ietf.org>, Chuck Mortimore <cmortimore@salesforce.com>, "ietf@ietf.org" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Dec 2012 15:03:08 -0000
FYI, I have been writing HoK for JWT/JWS Token by introducing a new claim 'cid'. =nat via iPhone Dec 14, 2012 11:56¡¢"zhou.sujing@zte.com.cn" <zhou.sujing@zte.com.cn> ¤Î¥á¥Ã¥»©`¥¸: Yep, could do it soon later. Currently, I suggest a modification for "The token service is the assertion issuer; its role is to fulfill requests from clients, which present various credentials, and mint assertions as requested, fill them with appropriate information, and sign them." (in section 3 ) into "The token service is the assertion issuer, *it could be implemented in any entity besides client, e.g., Resource Owner, Authorization Server;* its role is to fulfill requests from clients, which present various credentials, and mint assertions as requested, fill them with appropriate information, and sign them." Chuck Mortimore <cmortimore@salesforce.com> дÓÚ 2012-12-14 10:44:05: > Correct. That said no one has yet profiled it for holder of key > > - cmort > > On Dec 13, 2012, at 6:39 PM, "zhou.sujing@zte.com.cn" < zhou.sujing@zte.com.cn > > wrote: > > Oh, But the description of assertion generation in the document > should not be limited by bear assertion, right? > > > Chuck Mortimore <cmortimore@salesforce.com> дÓÚ 2012-12-14 10:34:13: > > > You want a holder of key pattern. The draft touches on it > > > > > > The protocol parameters and processing rules defined in this document > > are intended to support a client presenting a bearer assertion to an > > authorization server. The use of holder-of-key assertions are not > > precluded by this document, but additional protocol details would > > need to be specified. > > > > > So - if you want this, you should put forth a holder of key > > profiling of this draft and see if there are any issues. The only > > profiles we have thus far are saml and jwt bearer assertions. > > > > > > - cmort > > > > On Dec 13, 2012, at 6:27 PM, "zhou.sujing@zte.com.cn" <zhou. > sujing@zte.com.cn > > > wrote: > > > > > I am not sure if the following usecase http://www.ietf.org/mail- > > archive/web/oauth/current/msg10233.html > > could be supported by assertion framework£¬ > > We have some discussion in > > http://www.ietf.org/mail-archive/web/oauth/current/msg10203.html > > http://www.ietf.org/mail-archive/web/oauth/current/msg10198.html > > > > In my use case or in some other cases, assertions don't need > > confidential protection, > > basically STS don't have to authenticate a client before issueing > > "assertion", if it could be called assertion here. > > > > Example,I trust my laywer, I may issue an "assertion" stating > > delegation in advance, and send to the lawyer when it is needed, > > it could be I give the assertion to a false lawyer, but it does not > > matter, because the lawyer has to prove he knows some credential > > corresponding to his ID, > > who is delegated some rights. > > > > If assertion framework want to support this use case, then > > generation of assertion should be relaxed, > > otherwise new work is required to support the use case. > > > > > > > > Chuck Mortimore <cmortimore@salesforce.com> дÓÚ 2012-12-14 10:08:34: > > > > > On Dec 13, 2012, at 4:30 PM, "zhou.sujing@zte.com.cn" <zhou. > > sujing@zte.com.cn > > > > wrote: > > > > > > > > From the language, I got an impression that assertion is only > > > generated by token service after clients presenting some credentials, > > > there are may be some cases that "assertion" don't need client's > > credential. > > > e.g., Resource owner as a token service could generate "assertion" > > > to a client he trusts, bu signing a statement that "This delegation > > > is given to a client called clinet-id > > > for doing something for me". > > > > > > So how does the STS trust the client? Presumably if it is trusted > > > it has some level of authentication, yes? > > > > > > -cmort > > > > > > > > > > > > > > > > > > Chuck Mortimore <cmortimore@salesforce.com> дÓÚ 2012-12-14 00:39:03: > > > > > > > The language is simply meant to help illustrate how the framework > > > > might be used. How do you think it will restrict usage? How > > > > could it be improved? > > > > > > > > -cmort > > > > > > > > On Dec 12, 2012, at 11:04 PM, <zhou.sujing@zte.com.cn> wrote: > > > > > > > > > > > > In "section 3 > > > > The token service is the assertion issuer; its > > > > role is to fulfill requests from clients, which present various > > > > credentials, and mint assertions as requested, fill them with > > > > appropriate information, and sign them." > > > > > > > > > > > > As I understand, an assertion generated by a STS, is done flollowing > > > > thess steps: > > > > 1. Client presents credential and requests an assertion > > > > 2. STS generates assertion and sends to Client > > > > Correct? > > > > > > > > That may restrict the use cases that this assertion framework > > > could support, > > > > is it a must? > > > > > > > > > > > > > > > > > > > > oauth-bounces@ietf.org дÓÚ 2012-12-11 02:33:57: > > > > > > > > > > > > > > The IESG has received a request from the Web Authorization Protocol WG > > > > > (oauth) to consider the following document: > > > > > - 'Assertion Framework for OAuth 2.0' > > > > > <draft-ietf-oauth-assertions-08.txt> as Proposed Standard > > > > > > > > > > The IESG plans to make a decision in the next few weeks, and solicits > > > > > final comments on this action. Please send substantive comments to the > > > > > ietf@ietf.org mailing lists by 2012-12-24. Exceptionally, > > comments may be > > > > > sent to iesg@ietf.org instead. In either case, please retain the > > > > > beginning of the Subject line to allow automated sorting. > > > > > > > > > > Abstract > > > > > > > > > > > > > > > This specification provides a framework for the use of assertions > > > > > with OAuth 2.0 in the form of a new client authenticationmechanism > > > > > and a new authorization grant type. Mechanisms are specified for > > > > > transporting assertions during interactions with a token > endpoint, as > > > > > well as general processing rules. > > > > > > > > > > The intent of this specification is to provide a common > framework for > > > > > OAuth 2.0 to interwork with other identity systems using > assertions, > > > > > and to provide alternative client authentication mechanisms. > > > > > > > > > > Note that this specification only defines abstract > message flows and > > > > > processing rules. In order to be implementable, companion > > > > > specifications are necessary to provide the corresponding concrete > > > > > instantiations. > > > > > > > > > > > > > > > > > > > > > > > > > The file can be obtained via > > > > > http://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/ > > > > > > > > > > IESG discussion can be tracked via > > > > > http://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/ballot/ > > > > > > > > > > > > > > > No IPR declarations have been submitted directly on this I-D. > > > > > > > > > > > > > > > _______________________________________________ > > > > > OAuth mailing list > > > > > OAuth@ietf.org > > > > > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > > > > OAuth mailing list > > > > OAuth@ietf.org > > > > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-asser… zhou.sujing
- Re: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-a… zhou.sujing
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-asser… Chuck Mortimore
- Re: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-a… zhou.sujing
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-asser… Nat Sakimura
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-asser… Chuck Mortimore
- Re: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-a… zhou.sujing
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-asser… Chuck Mortimore
- Re: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-a… zhou.sujing