Re: [OAUTH-WG] Review of Assertions drafts

"Anganes, Amanda L" <aanganes@mitre.org> Tue, 06 November 2012 21:46 UTC

Good catch, thanks for double-checking.

--Amanda

From: Mike Jones <Michael.Jones@microsoft.com>
Date: Tuesday, November 6, 2012 4:40 PM
To: "Anganes, Amanda L" <aanganes@mitre.org>, "oauth@ietf.org" <oauth@ietf.org>
Subject: RE: Review of Assertions drafts

Amanda wrote: [3] Section 2.2 first sentence: "client authentication grant" should just be "client authentication".

This change should also be applied to the first sentence of 2.2 in the SAML draft, where the same phrase occurs.

-- Mike

From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Anganes, Amanda L
Sent: Tuesday, November 06, 2012 12:41 PM
To: oauth@ietf.org
Subject: [OAUTH-WG] Review of Assertions drafts

Hannes requested that some folks read through the assertion drafts and give feedback in light of the upcoming shepherd review.

[1] http://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/
[2] http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer/
[3] http://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bearer/

I can't speak to the security considerations or advisability of these drafts, but as far as the documents go I think they are well-organized, consistent (internally and across all 3 documents) and straightforward.

A few comments:

[1] Section 4.2.1 says in passing that it is an error condition "if more than one client authentication mechanism is used". If this is a true requirement / error state I think it should be called out more strongly. Perhaps 4.2 should say at the top that "Other client authentication mechanisms MUST NOT be used in conjunction with an assertion".

If so, [2] 3.2 and [3] 3.2 should also indicate that additional client credentials MUST NOT be used in addition to the assertion for Client Authentication.

[3] Section 2.2 first sentence: "client authentication grant" should just be "client authentication".

--Amanda Anganes
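
The error condition raised in the comment on [1] Section 4.2.1, "if more than one client authentication mechanism is used", can be checked at the token endpoint before any credential is validated. The sketch below is an added example, not part of the thread or of the drafts; the function names and the dict-based request shape are assumptions, and the sample requests are constructed.

```python
# Added example; function names and the dict-based request shape are assumptions.
JWT_CLIENT_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
JWT_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def client_auth_mechanisms(headers, form):
    """Return the set of client authentication mechanisms present in a token request."""
    headers = {k.lower(): v for k, v in headers.items()}
    found = set()
    if headers.get("authorization", "").split(" ", 1)[0].lower() == "basic":
        found.add("http_basic")
    if "client_secret" in form:
        found.add("client_secret_post")
    # Either parameter on its own still signals an attempt at assertion-based auth.
    if "client_assertion" in form or "client_assertion_type" in form:
        found.add("client_assertion")
    return found

def check_client_auth(headers, form):
    """Return None when the request is acceptable, else an OAuth error response body."""
    found = client_auth_mechanisms(headers, form)
    if len(found) > 1:
        # invalid_client is the OAuth 2.0 error code for failed client authentication.
        return {"error": "invalid_client",
                "error_description": "multiple client authentication mechanisms: "
                                     + ", ".join(sorted(found))}
    if found == {"client_assertion"} and not (
            form.get("client_assertion") and form.get("client_assertion_type")):
        return {"error": "invalid_client",
                "error_description": "client_assertion and client_assertion_type are both required"}
    return None

# Constructed sample requests (credentials and assertion values are placeholders).
SAMPLES = {
    "assertion_only": ({}, {"grant_type": "client_credentials",
                            "client_assertion_type": JWT_CLIENT_ASSERTION,
                            "client_assertion": "hdr.payload.sig"}),
    "assertion_plus_basic": ({"Authorization": "Basic Y2xpZW50OnNlY3JldA=="},
                             {"grant_type": "client_credentials",
                              "client_assertion_type": JWT_CLIENT_ASSERTION,
                              "client_assertion": "hdr.payload.sig"}),
    # An assertion used as the *grant* travels in "assertion", so Basic alone is one mechanism.
    "assertion_grant_with_basic": ({"Authorization": "Basic Y2xpZW50OnNlY3JldA=="},
                                   {"grant_type": JWT_GRANT, "assertion": "hdr.payload.sig"}),
}

if __name__ == "__main__":
    for name, (headers, form) in SAMPLES.items():
        print(name, "->", check_client_auth(headers, form))
```

The third sample shows the case the check must not reject: an assertion used as an authorization grant is carried in `assertion`, not `client_assertion`, so it does not count as a second client authentication mechanism.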