Re: [OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-access-token-jwt-12: (with COMMENT)
Denis <denis.ietf@free.fr> Wed, 14 April 2021 08:26 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C0483A147E for <oauth@ietfa.amsl.com>; Wed, 14 Apr 2021 01:26:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.721
X-Spam-Level:
X-Spam-Status: No, score=-0.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7fthm0L6JS8I for <oauth@ietfa.amsl.com>; Wed, 14 Apr 2021 01:26:37 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp07.smtpout.orange.fr [80.12.242.129]) by ietfa.amsl.com (Postfix) with ESMTP id B747C3A1496 for <oauth@ietf.org>; Wed, 14 Apr 2021 01:26:21 -0700 (PDT)
Received: from [192.168.1.11] ([90.26.9.133]) by mwinf5d65 with ME id sYJn2400L2sDAeJ03YJn7U; Wed, 14 Apr 2021 10:18:50 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Wed, 14 Apr 2021 10:18:50 +0200
X-ME-IP: 90.26.9.133
To: Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, Murray Kucherawy <superuser@gmail.com>, The IESG <iesg@ietf.org>
Cc: "draft-ietf-oauth-access-token-jwt@ietf.org" <draft-ietf-oauth-access-token-jwt@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
References: <161786294101.28888.16150454715315694485@ietfa.amsl.com> <CO6PR18MB4052516F8420BBF956A5992FAE4E9@CO6PR18MB4052.namprd18.prod.outlook.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <b837264b-6fba-f77c-c288-5b3e3c1a2214@free.fr>
Date: Wed, 14 Apr 2021 10:18:48 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <CO6PR18MB4052516F8420BBF956A5992FAE4E9@CO6PR18MB4052.namprd18.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------E14EDA3AB3E9AB1E2301683B"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5gDXBrpyZaywDclGNqOUiBg2q7o>
Subject: Re: [OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-access-token-jwt-12: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Apr 2021 08:26:39 -0000
Hi Murray, Thank you for your comments. I come back on one of your comments (while other comments and Vittorio's responses are deleted): > The first half of the second paragraph of Section 6 seems much more > like an interoperability issue than a privacy issue to me. I agree that, taken in isolation, the connection to privacy of that aspect is not immediately self-evident. I would argue it is not about interop either, given that noncompliance with *the guidance given there* doesn’t impact what's transmitted. Nonetheless, I believe the privacy section is the closest match we have *for that ****guidance*, given its many touch points to privacy matters (the ability of a client to inspect ATs is a privacy concern; the decision to use a JWT ATs, which ultimately makes spelling out *the guidance* necessary, is influenced by privacy considerations; and so on and so forth). In sum, although I agree it's not a perfect fit, I think that's the best fit we have; and given that consolidating consensus for that part has been particularly painful, I am inclined to leave that part as is. The second paragraph of Section 6 (Privacy Considerations) is as follows: The client *MUST NOT* inspect the content of the access token: the authorization server and the resource server might decide to change token format at any time (for example by switching from this profile to opaque tokens) hence any logic in the client relying on the ability to read the access token content would break without recourse. /T//he OAuth 2.0 framework assumes that access tokens are// // treated as opaque by clients./ Administrators of authorization servers should also take into account that the content of an access token is visible to the client. Whenever client access to the access token content presents privacy issues for a given scenario, the authorization server should take explicit steps to prevent it. As soon as there is a *MUST NOT*, this is not a *guidance *any more. Some words of this paragraph, i.e. "/any logic in the client relying on the *ability *to read the access token content/" simply recognize that the client *is able to inspect the content **of the access token*, but if it does it this is at its own risk since "/the resource server might decide to change//token format at any time (for example by switching from this profile to opaque tokens)/". The second paragraph may be rewritten by placing in front of it an important sentence that comes later on in this paragraph: The OAuth 2.0 framework assumes that access tokens are treated as opaque by clients. Then after, the first sentence that includes the *MUST NOT* can be removed and the current text can be re-used after it, by shuffling the order of the remaining sentences. The end result would be the following: The OAuth 2.0 framework assumes that access tokens are treated as opaque by clients. Administrators of authorization servers should take into account that the content of an access token is visible to the client. The authorization server and the resource server might decide to change token format at any time (for example by switching from this profile to opaque tokens) hence any logic in the client relying on the ability to read the access token content would break without recourse. Whenever client access to the access token content presents privacy issues for a given scenario, the authorization server should take explicit steps to prevent it. The key benefits are the following: the *guidance *is still there, but the sentence with the "*MUST NOT*" has been removed. Denis
- [OAUTH-WG] Murray Kucherawy's No Objection on dra… Murray Kucherawy via Datatracker
- Re: [OAUTH-WG] Murray Kucherawy's No Objection on… Vittorio Bertocci
- Re: [OAUTH-WG] Murray Kucherawy's No Objection on… Denis
- Re: [OAUTH-WG] Murray Kucherawy's No Objection on… vittorio.bertocci
- Re: [OAUTH-WG] Murray Kucherawy's No Objection on… Denis