IETF Logo Mail Archive

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

Denis <denis.ietf@free.fr> Mon, 13 April 2020 15:15 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE20E3A1752 for <oauth@ietfa.amsl.com>; Mon, 13 Apr 2020 08:15:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.398, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YmUd-PtR-LZc for <oauth@ietfa.amsl.com>; Mon, 13 Apr 2020 08:15:30 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp11.smtpout.orange.fr [80.12.242.133]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E8943A17B2 for <oauth@ietf.org>; Mon, 13 Apr 2020 08:15:23 -0700 (PDT)
Received: from [192.168.1.11] ([86.238.65.197]) by mwinf5d89 with ME id SFFH220084FMSmm03FFHlc; Mon, 13 Apr 2020 17:15:18 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Mon, 13 Apr 2020 17:15:18 +0200
X-ME-IP: 86.238.65.197
To: oauth@ietf.org
References: <158628195716.9275.10690808358259357603@ietfa.amsl.com> <CAGL6epJ6W6AKptXw72cw2eaO+582_iYhKSK5h6BGBWeDJW9zNg@mail.gmail.com> <CAGL6epJc4CGDy9DwL3-BJh6MrELY3C-RUmcH716WN4k3Un11FA@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <361d7891-01be-8e22-7765-613e727b2bc1@free.fr>
Date: Mon, 13 Apr 2020 17:15:16 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0
MIME-Version: 1.0
In-Reply-To: <CAGL6epJc4CGDy9DwL3-BJh6MrELY3C-RUmcH716WN4k3Un11FA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------DDBFB801289E5E6826556362"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7amynNQnPFk0q7zdbPbPmgcTKHQ>
Subject: Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Apr 2020 15:15:32 -0000

Hello,

More on privacy about "JWT Profile for Access Tokens".

The current document REQUIRES the claim names *sub* and *client_id*.

  * sub  REQUIRED - as defined in section 4.1.2 of [RFC7519].
  * client_id  REQUIRED - as defined in section 4.3 of [RFC8693]

*1) **sub  REQUIRED*

RFC 7519 states:

    4.1.2.  "sub" (Subject) Claim
        The "sub" (subject) claim identifies the principal that is the
        subject of the JWT.  The claims in a JWT are normally statements
        about the subject.  The subject value MUST either be scoped to**
    *be locally unique in the context of the issuer or be globally unique*.
        The processing of this claim is generally application specific.  The
        "sub" value is a case-sensitive string containing a StringOrURI
        value. *Use of this claim is OPTIONAL.*

If *sub *is *REQUIRED *for this profile, then this allows all resource 
servers to link accesses made by the same client on different servers.

*2) client_id  REQUIRED*

RFC 8693 states:

    4.3. "client_id" (Client Identifier) Claim
    The client_id claim carries the client identifier of the OAuth 2.0
    [RFC 6749] client that requested the token.

RFC 6749 states:

    2.2.  Client Identifier
        The authorization server issues the registered client a client
        identifier -- a unique string representing the registration
        information provided by the client.  The client identifier is not a
        secret; it is exposed to the resource owner and MUST NOT be used
        alone for client authentication. *The client identifier is
    unique to**
    **   the authorization server.*

If *client_id* is REQUIRED for this profile, this also allows all 
resource servers to link accesses made by the same client on different 
servers.

*Both claim names should be OPTIONAL *to allow to support the privacy 
principle of unlinkability.

Would both names remain *REQUIRED*, the Privacy considerations section 
should mention that such a linkage by different resource servers
will always be possible when using this profile.

Denis

> I have uploaded the second presentation for today's session, the JWT 
> Profile for Access Tokens.
> https://datatracker.ietf.org/meeting/interim-2020-oauth-04/session/oauth
>
> Regards,
>  Rifaat
>

v2.23.0 | Report a Bug | By Email