IETF Logo Mail Archive

Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02

Brian Campbell <bcampbell@pingidentity.com> Sun, 21 July 2019 16:53 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEF97120162 for <oauth@ietfa.amsl.com>; Sun, 21 Jul 2019 09:53:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vMM5vswq-fah for <oauth@ietfa.amsl.com>; Sun, 21 Jul 2019 09:53:16 -0700 (PDT)
Received: from mail-io1-xd41.google.com (mail-io1-xd41.google.com [IPv6:2607:f8b0:4864:20::d41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A2D2120155 for <oauth@ietf.org>; Sun, 21 Jul 2019 09:53:16 -0700 (PDT)
Received: by mail-io1-xd41.google.com with SMTP id s7so68699536iob.11 for <oauth@ietf.org>; Sun, 21 Jul 2019 09:53:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Nm+PwnGPvAZfJJqo6E9XZT8uwLvV+byRkLKS0GL7GBc=; b=YGVaqSuzwTjULq5bL8z0ZfDf2MAoIV5mULHk1Ik7mpBlFbkqXvvovSCJW9vz9HGVas 4ZVNEgxB7PbOhd92M9kFRvIJLnQCgkAPjphbXelEhfBz7QFPre6E7yZhdrAwPb5WLGUS CmIG7UHszvbXZeuFBqwyPBBPPAIQMJEnTBChk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Nm+PwnGPvAZfJJqo6E9XZT8uwLvV+byRkLKS0GL7GBc=; b=j+uIVGpkOQNYhvEHFLfYF80JhrVVKtN88PnNgsFSi6Llhe3NgLt4LCPikv0KHSjVQU Q+ajl8FjbUIBdoDLXTaZASYuQJ2WJTnPZoMJr2apAA70wA93i5qizSkbE72uqMD93Zpo V0nqBmX300Ch0MfPsf9H6l0qm74kaKeUaaQw4yCsP2jOACJbfJOeXgU/r6IjztY5kVVZ zxYULtBccKFpg866GVIOjmg1PgvWO2wiZP985RYRK04ctreHQBMQxG9IBQRvr93YDc9o ALPLcTnwDxzMqxVvCA13juH0z8qpqdco4XEx09Gf8yaPv8oDPaIxnKvv34dW4GC790GC hbHQ==
X-Gm-Message-State: APjAAAUm6T6xfI2wwkwe0hirzBM+XwdwJ/OZd4IMhIgoSzp4Rf7i+JuJ 4aigDo2QQnYigYLZ8+bE7cwUpGscPbFizBZqcm0pk04H9OVrIOxFv/Osgtq5KQQCTEKgtuMiU8w PO5uS1cxu7vLBzA==
X-Google-Smtp-Source: APXvYqyxleT0yPzPB1AvQPpGVqS2xnp2J0jw8+PzZLAP3bG12B2wMC6vwFVPhq0azIZEfKuSrJyExofGoCW4yajJPX8=
X-Received: by 2002:a02:3b62:: with SMTP id i34mr70266269jaf.91.1563727995228; Sun, 21 Jul 2019 09:53:15 -0700 (PDT)
MIME-Version: 1.0
References: <359EC4B99E040048A7131E0F4E113AFC01B33D6046@marchand> <CA+k3eCRS2HKDUWkHQzwoMVauUK7UBadw_pWdF6cXh0+BSZTbBA@mail.gmail.com> <359EC4B99E040048A7131E0F4E113AFC01B33D784A@marchand>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC01B33D784A@marchand>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sun, 21 Jul 2019 10:50:32 -0600
Message-ID: <CA+k3eCQFE+R3RiNuh6-dq7KvOqrkPwDMfAe_UKscG4B8HBbRSQ@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ae6ce3058e33cbe1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2ss3hDa0xPQxaWiW6txj9W-vpqo>
Subject: Re: [OAUTH-WG] AD Review: draft-ietf-oauth-resource-indicators-02
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jul 2019 16:53:20 -0000

Doh, I got distracted with the registration question and lost track of this
fork of the thread. I'll need to do a -04 also (after maybe some more
discussion too) before I pass the ball back to the AD.

On Wed, Jul 17, 2019, 4:04 PM Roman Danyliw <rdd@cert.org> wrote:

> Hi Brian!
>
>
>
> *From:* Brian Campbell [mailto:bcampbell@pingidentity.com]
> *Sent:* Wednesday, July 17, 2019 4:35 PM
> *To:* Roman Danyliw <rdd@cert.org>
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] AD Review:
> draft-ietf-oauth-resource-indicators-02
>
>
>
> Thank you, Roman, for the review. Some replies are inline below. I'll aim
> to push out a -03 addressing this stuff sometime not too long after the I-D
> submission embargo is lifted next week.
>
>
>
>
>
> On Tue, Jul 16, 2019 at 5:23 PM Roman Danyliw <rdd@cert.org> wrote:
>
> Hi!
>
> The following is my AD review of draft-ietf-oauth-resource-indicators-02.
> The document is in good shape.
>
>
>
> That's always nice to hear :-)
>
>
>
>
> (1) Section 2. Per "The parameter can carry the location of a protected
> resource, typically as an https URL, or a more abstract identifier", is
> this "abstract identifier" still an absolute URI per Section 4.3 of RFC3986?
>
>
>
> Absolutely (see what I did there? sigh...). Syntactically it's an absolute
> URI. Semantically, while it might be an actual network addressable location
> identified by an HTTPS URL, it might also be a URN or something that more
> abstractly indicates a resource or grouping of resources. But its format is
> an absolute URI regardless.
>
>
>
> I'm not sure what, if anything, can be added or changed here to help
> clarify. But I'm happy to entertain suggestions, if you've got em and/or
> think something is needed.
>
>
>
> [Roman] Understood.  Concur there is nothing to do here.
>
>
>
>
> (2) Section 2.2.  in the sentence "To the extent possible, when issuing
> access tokens, the authorization server should adapt the scope value
> associated with an access token to the value the respective resource is
> able to process and needs to know":
>
> --  is this language suggesting that the authorization server is modifying
> the scope value based on the resource it sees?  I'm trying to understand
> what "adapt" means, especially in relation to the improved security and
> privacy the subsequent sentence suggests.
>
>
>
> Perhaps "adapt" wasn't the best choice of word but it's meant to say that
> an authorization server with sufficient understanding of what scopes are
> applicable to what resources (which won't always be the case or even
> possible but sometimes) could limit the scope associated with an access
> token (downscoping really) to only the scope that is applicable to the
> resource.
>
>
>
> Some of the examples (figures 2 - 6) attempt to show, among other things,
> a hypothetical case of how this might go down.
>
>
>
> In Figure 2 the initial authorization request that's approved has scope of
> calendar & contacts and resources https://contacts.example.com/ &
> https://cal.example.com/
>
>
>
> A subsequent access token request (Figure 3) has resource
> https://cal.example.com/ and the issued access token scope (Figure 4) is
> "adapted" to that resource to be only calendar
>
>
>
> Another subsequent access token request (Figure 5) has resource
> https://contacts.example.com/ and the issued access token scope (Figure
> 6) is downscoped based on that resource to be only contacts
>
>
>
> Would it be easier to understand if the word "downscope" was used rather
> than "adapt"?
>
>
>
> [Roman] Using “downscope” does work for me.  It captures that the server
> is going to reduce the scope (and certainly not expand it).
>
>
>
>
> -- (Depending on the above) Is there a security consideration here for the
> server relative to confidential scope values and how they might be modified?
>
>
>
> I'm not sure, to be honest. Downscopping when possible and to the extent
> possible is usually a good idea (least privilege and all that) but I think
> maybe I'm missing your point/question.
>
>
>
> [Roman] Yes, least privilege was part of it and I think the text above
> gets at it.  However, the other part is the relationship with the next
> sentence in the paragraph, “This further improves privacy as scope values
> give an indication of what services the resource owner uses and it improves
> security as scope values may contain confidential data”.  If the initial
> request was notionally a scope of “all the houses on the block”, but the
> server knew that this request was too broad and down-scoped to “only the
> corner house”, wouldn’t this actually be worse for privacy?  I also don’t
> follow how reducing the scope impacts confidential data.
>
>
>
>
> (3) Editorial
> ** Section 1 and 2.1.  Multiple Typo.  s/the the/the/g
>
>
>
> Apparently I'm fond of the double "the" and have a hard time spotting it
> myself. I think this is the second review in as many weeks that you've
> caught a few of those. Will fix.
>
>
>
>
> ** Section 2.  Editorial. s/resource at which/resource to which/
>
>
>
> Okay.
>
>
>
>
> ** Section 2.  Editorial.
> s/ And can also be used to inform the client that it has requested an
> invalid combination of resource and scope./
>         It can also be used to inform the client that it has requested an
> invalid combination of resource and scope./
>
>
>
> Yup.
>
>
>
>
> ** Section 2.1. Multiple Typo. s/an an/an/g
>
>
>
> Again with the double words. Sigh. A double double even.
>
>
>
>
>
>
> ** Section 2.2.  Editorial. s/token request and response/token request
> (Figure 3) and response (Figure 4)/
>
>
>
> Makes sense.
>
>
>
>
>
> ** Section 3.  Typo.  s/a invalid/an invalid/
>
>
>
> Of course.
>
>
>
>
> ** Section 3.  Missing words.  "A bearer token that has multiple intended
> recipients (audiences) can be used by any one of those recipients at any
> other."  Is it protected resource?
>
>
>
> Well, those are all the words that I'd intended to be there :/ But it does
> read a little curtly. How about the following instead?
>
>
>
> "A bearer token that has multiple intended recipients (audiences)
> indicating that the token is valid at more than one protected resource can
> be used by any one of those protected resources to access any of the other
> protected resources."
>
>
>
> [Roman] Thanks for fixing all of these.
>
>
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email