[OAUTH-WG] Missed comments on the assertion framework

Brian Campbell <bcampbell@pingidentity.com> Sat, 19 January 2013 01:14 UTC


There were some comments on the document made by Shawn Emery as part of a
security directorate's review
http://www.ietf.org/mail-archive/web/secdir/current/msg03679.html that seem
to have gotten lost in the shuffle.

His editorial comments are spot on and I believe the changes he suggests
should all be made. I'm not sure if a new draft or an RFC editor's note is
more appropriate at this stage?

The question about providing more guidance on the Assertion ID is a little
less straightforward. The JWT and SAML instances of the framework both
inherit some guidance from their respective token format definitions -
http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-06#section-4.1.7 and
§1.3.4 ID and ID Reference Values of saml-core-2.0-os. Perhaps that is
sufficient. If we were to add something to draft-ietf-oauth-assertions, I'd
probably look to borrow some text from one or both of those locations.
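One thing a well-specified Assertion ID makes possible on the receiving side is replay detection at the token endpoint. The following is an added example, not text from the draft or from this thread: it assumes a hypothetical claim set represented as a dict with `iss`, `exp` and `jti` keys, and shows a per-issuer cache of accepted IDs that is retained only until each assertion's own `exp` has passed.

```python
import secrets
import time


class AssertionIdReplayGuard:
    """Tracks Assertion IDs (JWT 'jti' / SAML 'ID') already accepted from each
    issuer so that a captured assertion cannot be presented a second time.
    An entry is kept until the assertion's own 'exp' has passed: after that a
    re-presented copy is rejected as expired and no longer needs the cache."""

    def __init__(self, now=time.time):
        self._now = now                # injectable clock for testing
        self._seen = {}                # (issuer, assertion_id) -> exp

    def _prune(self):
        # Drop entries whose assertion can no longer be accepted anyway.
        now = self._now()
        for key in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[key]

    def check_and_record(self, claims):
        """Return a rejection reason, or None if the assertion is fresh.
        'claims' is a hypothetical dict holding 'iss', 'exp' and 'jti'."""
        self._prune()
        assertion_id = claims.get("jti")
        if not assertion_id:
            return "assertion has no Assertion ID (jti)"
        exp = claims.get("exp")
        if exp is None or exp <= self._now():
            return "assertion expired or missing exp"
        # Uniqueness is only guaranteed per issuer, so scope the key by 'iss'.
        key = (claims.get("iss"), assertion_id)
        if key in self._seen:
            return "Assertion ID already used (replay)"
        self._seen[key] = exp
        return None


def new_assertion_id():
    """Issuer side: a 128-bit random, URL-safe ID is unique enough that the
    issuer need not keep history to avoid collisions."""
    return secrets.token_urlsafe(16)
```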