Re: [OAUTH-WG] OAuth Digest, Vol 72, Issue 31
GHOST SPY <ghostcharmer13@gmail.com> Thu, 16 October 2014 11:37 UTC
Return-Path: <ghostcharmer13@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16DF31A1A43 for <oauth@ietfa.amsl.com>; Thu, 16 Oct 2014 04:37:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BSNexA-ooFcU for <oauth@ietfa.amsl.com>; Thu, 16 Oct 2014 04:36:57 -0700 (PDT)
Received: from mail-vc0-x229.google.com (mail-vc0-x229.google.com [IPv6:2607:f8b0:400c:c03::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16F9E1A1A37 for <oauth@ietf.org>; Thu, 16 Oct 2014 04:36:57 -0700 (PDT)
Received: by mail-vc0-f169.google.com with SMTP id hy4so2511537vcb.28 for <oauth@ietf.org>; Thu, 16 Oct 2014 04:36:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=x0oecetJSQgq8xT10C3DTkocQpMwnvLWv4Rz20mvA44=; b=l6MOcwF3Qkan1k2Nq3TqFfT+4s1mOMneMQm0UQAXT3axQCAK5ofjJtsrffbq9xxvoe PfDAnh5Oio7ZURys7b9HUlW5SS+wm0dqQTigcp4whCe9dcCJWuiZAo2JNNntdeViSlw0 8OfvUKoOQF1+0z3dL5lhHxpdD1I4ORmmAf5LGCXHAmr2wm1+f7JQJaZTBgQgopyPxV6x yqTKAFsKPsGkKY52DLcYjD4wKI7yMN2kJZ2ocqAvoccBvZPhWa30aXnYPTvZEEG8OI5q W5yYf0OTvCIldoL9BFBsQ4RmC0a1t1eNRlnO9LVef+0UDoJyM4uC3I7088lQrfyKtF47 3GOg==
MIME-Version: 1.0
X-Received: by 10.220.158.137 with SMTP id f9mr429805vcx.34.1413459415909; Thu, 16 Oct 2014 04:36:55 -0700 (PDT)
Received: by 10.220.162.68 with HTTP; Thu, 16 Oct 2014 04:36:55 -0700 (PDT)
Received: by 10.220.162.68 with HTTP; Thu, 16 Oct 2014 04:36:55 -0700 (PDT)
In-Reply-To: <mailman.390.1413458451.2945.oauth@ietf.org>
References: <mailman.390.1413458451.2945.oauth@ietf.org>
Date: Thu, 16 Oct 2014 04:36:55 -0700
Message-ID: <CAC9LZur+Kxe1dGCcii44vBMudz+WGUNgZtUEqpGHUbDPKUfBqA@mail.gmail.com>
From: GHOST SPY <ghostcharmer13@gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="001a11c28b1663c862050588aa9e"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/5ddsLPj5ssHpmnK5jwjtN7-7C_I
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 72, Issue 31
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Oct 2014 11:37:02 -0000
Ghostcharmer13@gmail.com On Oct 16, 2014 4:21 AM, <oauth-request@ietf.org> wrote: > Send OAuth mailing list submissions to > oauth@ietf.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.ietf.org/mailman/listinfo/oauth > or, via email, send a message with subject or body 'help' to > oauth-request@ietf.org > > You can reach the person managing the list at > oauth-owner@ietf.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of OAuth digest..." > > > Today's Topics: > > 1. Re: Pete Resnick's No Objection on > draft-ietf-oauth-assertions-17: (with COMMENT) (Brian Campbell) > 2. Re: Pete Resnick's No Objection on > draft-ietf-oauth-assertions-17: (with COMMENT) (Pete Resnick) > 3. Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: > (with DISCUSS and COMMENT) (Richard Barnes) > 4. Richard Barnes' Discuss on draft-ietf-oauth-saml2-bearer-21: > (with DISCUSS) (Richard Barnes) > 5. Richard Barnes' Discuss on draft-ietf-oauth-jwt-bearer-10: > (with DISCUSS and COMMENT) (Richard Barnes) > 6. Stephen Farrell's No Objection on > draft-ietf-oauth-saml2-bearer-21: (with COMMENT) (Stephen Farrell) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Wed, 15 Oct 2014 17:35:19 -0600 > From: Brian Campbell <bcampbell@pingidentity.com> > To: Barry Leiba <barryleiba@computer.org> > Cc: "draft-ietf-oauth-assertions@tools.ietf.org" > <draft-ietf-oauth-assertions@tools.ietf.org>, Pete Resnick > <presnick@qti.qualcomm.com>, oauth <oauth@ietf.org>, > "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, The > IESG > <iesg@ietf.org> > Subject: Re: [OAUTH-WG] Pete Resnick's No Objection on > draft-ietf-oauth-assertions-17: (with COMMENT) > Message-ID: > < > CA+k3eCTRRyK-oW_SaQVckgh3Hinbs_igiU8TBt4iPkASXaQNJQ@mail.gmail.com> > Content-Type: text/plain; charset="utf-8" > > Fair point. I'll add some text saying that in the next revision. > > On Wed, Oct 15, 2014 at 5:18 PM, Barry Leiba <barryleiba@computer.org> > wrote: > > > > >>> Assertions used in the protocol exchanges defined by this > >>> specification MUST always be protected against tampering using a > >>> digital signature or a keyed message digest applied by the issuer. > >>> > >>> Why is that? Aren't you using assertions over a protected channel (as > >>> required by the spec) and therefore not need to sign the assertions? > >>> Indeed, why would a self-issued Bearer Assertion need to be signed at > >>> all? Does that even make sense? > >>> > >>> > >> Yes, assertions are sent over a protected channel, which does provide > >> integrity protection for the transport form client to AS and also gives > >> server authentication. But it doesn't provide client authentication, > which > >> is kind of the point of the Client Authentication part of this draft. > And > >> for authorization the signing or MACing is what authenticates the > issuer of > >> the assertion - sometimes the issuer is the client but often the issuer > >> will be a 3rd party system. > >> > >> I do agree with you in one specific case that, if the client is trusted > >> to be the assertion issuer and the client is properly authenticated, > then > >> an unsigned assertion could be reasonably used as an authorization > grant. > >> But it's a fairly rare and very specific case. And one that can be > >> accommodated in other ways. So it's not worth introducing the complexity > >> and potential security problems that having the signature be option > would > >> bring. > >> > > > > In other words, the assertion must be protected against tampering *by the > > party that presents the assertion*. That is a significant point, and you > > should say it. > > > > Barry > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > http://www.ietf.org/mail-archive/web/oauth/attachments/20141015/27bf1330/attachment.html > > > > ------------------------------ > > Message: 2 > Date: Wed, 15 Oct 2014 21:30:26 -0500 > From: Pete Resnick <presnick@qti.qualcomm.com> > To: Brian Campbell <bcampbell@pingidentity.com> > Cc: "draft-ietf-oauth-assertions@tools.ietf.org" > <draft-ietf-oauth-assertions@tools.ietf.org>, > "oauth-chairs@tools.ietf.org" <oauth-chairs@tools.ietf.org>, The > IESG > <iesg@ietf.org>, oauth <oauth@ietf.org> > Subject: Re: [OAUTH-WG] Pete Resnick's No Objection on > draft-ietf-oauth-assertions-17: (with COMMENT) > Message-ID: <543F2DC2.1050300@qti.qualcomm.com> > Content-Type: text/plain; charset="iso-8859-1"; Format="flowed" > > On 10/15/14 6:06 PM, Brian Campbell wrote: > > Thanks for your review and feedback, Pete. Replies are inline below... > > Thanks for addressing the comments, including Barry's followup. Just on > the questions: > > > On Tue, Oct 14, 2014 at 2:42 PM, Pete Resnick > > <presnick@qti.qualcomm.com <mailto:presnick@qti.qualcomm.com>> wrote: > > > > scope > > [...] > > As such, the > > requested scope MUST be equal or lesser than the scope > > originally > > granted to the authorized accessor. > > > > s/MUST/will (unless you explain whether it's the server or the client > > that's supposed to be obeying that MUST, and for what reason) > > > > > > They are both supposed to obey it - the client shouldn't ask for more > > and the server will reject the request, if it does. > > > > Is "will" more appropriate than "MUST" here? Or maybe a non 2119 > "should"? > > Ah, so you're saying that a client could conceivably (either purposely > or accidentally) try to sneak through a larger scope than it should, and > the client MUST NOT do that, and the server MUST reject if it gets one. > OK, that makes sense. (I do tend to like active MUSTs -- the foo MUST do > X or the bar MUST NOT do Y -- but this is probably OK as is.) > > > Here and throughout: s/non-normative example/example (As far as I > > know, > > there are no other kinds in IETF documents.) > > > > > > I thought I picked that language up from some other draft or RFC but > > I'm now not sure where it came from and can't easily find other > > examples of the same thing. So I am happy to remove the > > "non-normative" throughout, if it is already understood and/or not > > customary to say so. > > Yeah, we've seen other RFCs with such language. I've whined about it in > the past. Some authors roll their eyes at me. You are welcome to roll > your eyes if you like, but I find such text silly. :-) > > Thanks for the rest of the planned changes. Looks good. > > pr > > -- > Pete Resnick<http://www.qualcomm.com/~presnick/> > Qualcomm Technologies, Inc. - +1 (858)651-4478 > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > http://www.ietf.org/mail-archive/web/oauth/attachments/20141015/d746e674/attachment.html > > > > ------------------------------ > > Message: 3 > Date: Wed, 15 Oct 2014 20:47:35 -0700 > From: "Richard Barnes" <rlb@ipv.sx> > To: The IESG <iesg@ietf.org> > Cc: draft-ietf-oauth-assertions@tools.ietf.org, > oauth-chairs@tools.ietf.org, oauth@ietf.org > Subject: [OAUTH-WG] Richard Barnes' Discuss on > draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT) > Message-ID: <20141016034735.18695.61014.idtracker@ietfa.amsl.com> > Content-Type: text/plain; charset="utf-8" > > Richard Barnes has entered the following ballot position for > draft-ietf-oauth-assertions-17: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > http://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > "The assertion MUST contain an Audience that identifies the Authorization > Server as the intended audience. Assertions that do not identify the > Authorization Server as an intended audience MUST be rejected." > > Could you please identify the threat model within which this "MUST" is > required? This requirement doesn't follow from any of the threats > elaborated in Section 8. > > The Audience is only necessary if the Issuer wishes to constrain the set > of Authorization Servers with which an assertion may be used. So ISTM > that this should be "MAY contain..." > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > "keyed message digest" -> "Message Authentication Code" > > That's the proper terminology [RFC4949], especially since there are MACs > that are not based on digests. > > "This mechanism provides additional security properties." -- Please > delete this or elaborate on what security properties it provides. > > Section 8.2 should note that "Holder-of-Key Assertions" are also a > mitigation for this risk. > > > > > ------------------------------ > > Message: 4 > Date: Wed, 15 Oct 2014 20:56:40 -0700 > From: "Richard Barnes" <rlb@ipv.sx> > To: The IESG <iesg@ietf.org> > Cc: oauth-chairs@tools.ietf.org, > draft-ietf-oauth-saml2-bearer@tools.ietf.org, oauth@ietf.org > Subject: [OAUTH-WG] Richard Barnes' Discuss on > draft-ietf-oauth-saml2-bearer-21: (with DISCUSS) > Message-ID: <20141016035640.25108.27277.idtracker@ietfa.amsl.com> > Content-Type: text/plain; charset="utf-8" > > Richard Barnes has entered the following ballot position for > draft-ietf-oauth-saml2-bearer-21: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > As with draft-ietf-oauth-assertions, the requirement for an <Audience> > element seems entirely unnecessary. Holding this DISCUSS point pending > that discussion and its reflection in this document. > > "Assertions that do not identify the Authorization Server as an intended > audience MUST be rejected." -- What does it mean for an assertion to > "identify the Authorization Server"? Does the specified <Audience> need > to match the entire URL of the relevant OAuth endpoint? Just the origin? > Just the domain? Does the URL need to be canonicalized? > > > > > > > ------------------------------ > > Message: 5 > Date: Wed, 15 Oct 2014 21:01:22 -0700 > From: "Richard Barnes" <rlb@ipv.sx> > To: The IESG <iesg@ietf.org> > Cc: oauth-chairs@tools.ietf.org, > draft-ietf-oauth-jwt-bearer@tools.ietf.org, oauth@ietf.org > Subject: [OAUTH-WG] Richard Barnes' Discuss on > draft-ietf-oauth-jwt-bearer-10: (with DISCUSS and COMMENT) > Message-ID: <20141016040122.32277.7067.idtracker@ietfa.amsl.com> > Content-Type: text/plain; charset="utf-8" > > Richard Barnes has entered the following ballot position for > draft-ietf-oauth-jwt-bearer-10: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > http://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-bearer/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > As with draft-ietf-oauth-assertions, the requirement for an "aud" claim > seems entirely unnecessary. Holding this DISCUSS point pending that > discussion > and its reflection in this document. > > "Assertions that do not identify the Authorization Server as an intended > audience MUST be rejected." -- What does it mean for an assertion to > "identify > the Authorization Server"? Does the specified <Audience> need to match > the > entire URL of the relevant OAuth endpoint? Just the origin? Just the > domain? > Does the URL need to be canonicalized? > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > "keyed message digest" -> "MAC" > > Both this and the SAML document could save a lot of bits by just being > subsections of the -assertions document. > > > > > ------------------------------ > > Message: 6 > Date: Thu, 16 Oct 2014 04:20:32 -0700 > From: "Stephen Farrell" <stephen.farrell@cs.tcd.ie> > To: The IESG <iesg@ietf.org> > Cc: oauth-chairs@tools.ietf.org, > draft-ietf-oauth-saml2-bearer@tools.ietf.org, oauth@ietf.org > Subject: [OAUTH-WG] Stephen Farrell's No Objection on > draft-ietf-oauth-saml2-bearer-21: (with COMMENT) > Message-ID: <20141016112032.13008.86094.idtracker@ietfa.amsl.com> > Content-Type: text/plain; charset="utf-8" > > Stephen Farrell has entered the following ballot position for > draft-ietf-oauth-saml2-bearer-21: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > > - intro para2: might be nice (no more) to add some refs to > other protocols that use SAML. > > - 2.2: What are "padding bits" in 4648? I don't recall such. > (But may be misremembering.) > > - section 3, list item 2: This doesn't quite say that the > token endpoint URL MUST (in the absence of another profile) be > in an Audience element. Why not? The text seems to me to allow > for the AS to map the token endpoint URL to any value in an > Audience element that the AS finds ok. I suspect that might be > unwise, but it at least needs to be clear. Is that the text > being ambiguous or me being paranoid/wrong? Same point seems > to apply elsewhere too: > = in item 3.A where it says "typically identifies" but > does not say how. > = in item 5 "or an acceptable alias" > > - section 3, item 7: How might an AS know that "the Assertion > was issued with the intention that the client act autonomously > on behalf of the subject"? > > > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > ------------------------------ > > End of OAuth Digest, Vol 72, Issue 31 > ************************************* >