Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard

Dick Hardt <dick.hardt@gmail.com> Sat, 29 August 2020 22:26 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52A4F3A1107; Sat, 29 Aug 2020 15:26:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nb57uoPWLaKi; Sat, 29 Aug 2020 15:26:35 -0700 (PDT)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 486B63A1105; Sat, 29 Aug 2020 15:26:35 -0700 (PDT)
Received: by mail-lf1-x12c.google.com with SMTP id r69so588435lff.4; Sat, 29 Aug 2020 15:26:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=V8/wDmTDvQfVSRW+iS2wBksgTmfERoWfkWa2QNaN3s8=; b=NtnUpAFPNJ7iD9X30juxR24SlfYBoLEb7ZCka7og1ZGLtKYwzCWUJHfmPBz+D8VVXW J8gUNiO5izJIxlwZ8WUMxhSDPFRMQknEIESGbFxZYb5eXm3hUT0YXyBljzJe8aM0iLau 59QjsknnUTXnVQvi2Of72byLPCNcR8V2x2HS38WZivm6WAqK+JflKTo53R1LCanV+dUS aay9djyAxDA2zXn9D2MKRK1vDjbZOsxfLCp+hzcDvFsp4iAhx9pWPjoCU9UVaqOX5b+G bKxDGLQZFqHvmw0NXP9gml3lDfiSFbz+JxSGkO3GhEi0D+x6QiUKb6BmC3DkVxHAITRr Y4nQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=V8/wDmTDvQfVSRW+iS2wBksgTmfERoWfkWa2QNaN3s8=; b=H1El7elstbPD0aPFdj/lTEtLBvEdGvKPBQfO+/VF2Tp311yTHkD/ggI0jEwG6ngCAw liX6WqbjSQddmbxJQIw1zJjoZmjhQajIoomm4HXU9m4Cs10D5H6UXHQcXt0ZUvqm0UlK spk70m86+99x/ib/iRP1O1I/8GfWDG/3e4EmZjYsmieX36tDMcT9dI98GcgHhf5LhwOx C8n7lJsXPc9xnI6iXhYucv92BVJYYBeysZboL2irgXexVOQsEQrwcemx1r8PqAuo4+z4 8rZb2bKW1UbupO0wTtNs95+qmqJ8ZjEp2TyuiZsQr2fgj0hC0Uc0FGzdZVrSDvfWdyUX v+fg==
X-Gm-Message-State: AOAM531/1N8uUZPL6dtSVWguE8aGCoaUY6KDXpucLX0xiLsJTLrMpt4V DRnGnxtsqeWTUttvjg7PoAfFdCdUakAEY3ZIdDI=
X-Google-Smtp-Source: ABdhPJwbcXb8qnYQ1SNK2A0azrU1U3DOFhB+yEyo7G2Ki93aaVCjNGB2EKgrwqpZpLhAKBp+BagNbJw2zYGaLDE9uMI=
X-Received: by 2002:ac2:5298:: with SMTP id q24mr502592lfm.164.1598739993181; Sat, 29 Aug 2020 15:26:33 -0700 (PDT)
MIME-Version: 1.0
References: <CH2PR00MB0678DA2BC7234C2AC1CE784DF5541@CH2PR00MB0678.namprd00.prod.outlook.com> <412A63AD-DDE1-4BFE-8234-5A721A0ED88D@lodderstedt.net> <D68FCD40-7365-446A-9F64-2BB59C11B7AE@mit.edu> <CAD9ie-uqeM5jwQKuvO+X4NC5oXZkoLrRu1NWC2rrE4CD=ypa+g@mail.gmail.com> <08D01F36-367B-4F23-9602-9C2A2AE49DA3@mit.edu>
In-Reply-To: <08D01F36-367B-4F23-9602-9C2A2AE49DA3@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Sat, 29 Aug 2020 15:25:57 -0700
Message-ID: <CAD9ie-s+MmtFHRNzym74cHBcBxu-yKCSH+r898TJ_dtmPDMK2Q@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000061c4c605ae0ba924"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0K3rbfpfl7o4pw4LnxaoXYQBdJo>
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Aug 2020 22:26:37 -0000

The "can" works better, agreed. Thanks!
ᐧ

On Sat, Aug 29, 2020 at 8:25 AM Justin Richer <jricher@mit.edu> wrote:

> Thanks, Dick. I agree with removing the excess parenthetical, but I
> intentionally avoided using a lowercase “may” in the middle of the
> text  (in favor of “can”) to avoid normative-sounding non-normative
> language, so I’d recommend that change be kept:
>
> Implementers should be aware that a token introspection request lets the
> AS know when the client
>     is accessing the RS, which can also indicate when the user is using
>     the client. If this implication is not acceptable, implementers can
> use other means to carry
>     access token data, e.g. directly transferring the data needed by the
> RS within the access token.
>
> On Aug 27, 2020, at 12:15 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> Here is a crisper revision.
>
> Implementers should be aware that a token introspection request lets the
> AS know when the client
>     is accessing the RS, which may indicate when the user is using
>     the client. If this implication is not acceptable, implementers can
> use other means to carry
>     access token data, e.g. directly transferring the data needed by the
> RS within the access token.
> ᐧ
>
> On Thu, Aug 27, 2020 at 7:19 AM Justin Richer <jricher@mit.edu> wrote:
>
>> I would clarify that this doesn’t necessarily say that the user’s there,
>> and remove the normative requirement (which doesn’t have enforceable teeth
>> in this context):
>>
>> Implementers should be aware that a token introspection request lets the
>> AS know when the client
>>     (and potentially the user) is accessing the RS, which *can also
>> indicate* when the user is using
>>     the client. If this implication is not acceptable, *implementers can
>> use other means* to carry
>>     access token data, e.g. directly transferring the data needed by the
>> RS within the access token.
>>
>>
>>  — Justin
>>
>> On Aug 27, 2020, at 9:48 AM, Torsten Lodderstedt <
>> torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>>
>> Will the following text work for you?
>>
>> Implementers should be aware that a token introspection request lets the
>> AS know when the client
>>     (and potentially the user) is accessing the RS, which is also an
>> indication of when the user is using
>>     the client. If this impliction is not accepatable, implementars MUST
>> use other means to carry
>>     access token data, e.g. directly transferring the data needed by the
>> RS within the access token.
>>
>>
>> On 26. Aug 2020, at 23:12, Mike Jones <
>> Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
>>
>> I agree with Dick’s observation about the privacy implications of using
>> an Introspection Endpoint.  That’s why it’s preferable to not use one at
>> all and instead directly have the Resource understand the Access Token.
>> One way of doing this is the JWT Access Token spec.  There are plenty of
>> others.
>>
>> The downsides of using an Introspection Endpoint should be described in
>> the Privacy Considerations section.
>>
>>                                                       -- Mike
>>
>> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Dick Hardt
>> Sent: Wednesday, August 26, 2020 9:52 AM
>> To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
>> Cc: last-call@ietf.org; oauth <oauth@ietf.org>
>> Subject: Re: [OAUTH-WG] Last Call:
>> <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for
>> OAuth Token Introspection) to Proposed Standard
>>
>>
>>
>> On Wed, Aug 26, 2020 at 4:37 AM Torsten Lodderstedt <
>> torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>> Hi Denis,
>>
>> On 25. Aug 2020, at 16:55, Denis <denis.ietf@free.fr> wrote:
>>
>>
>> The fact that the AS will know exactly when the introspection call has
>> been made and thus be able to make sure which client
>> has attempted perform an access to that RS and at which instant of time.
>> The use of this call allows an AS to track where and when
>> its clients have indeed presented an issued access token.
>>
>>
>> That is a fact. I don’t think it is an issue per se. Please explain the
>> privacy implications.
>>
>> As I see it, the privacy implication is that the AS knows when the client
>> (and potentially the user) is accessing the RS, which is also an indication
>> of when the user is using the client.
>>
>> I think including this implication would be important to have in a
>> Privacy Considerations section.
>>
>> /Dick
>> ᐧ
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>