From: Justin Richer <jricher@mit.edu>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, last-call@ietf.org, oauth <oauth@ietf.org>
Date: Wed, 26 Aug 2020 15:06:23 -0400
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/A3vr_tRDqI55s548zkpkRkvUhRw>

I would argue that by the nature of OAuth tokens not being bound to user presence or sessions, it's not an indication that the user is present necessarily, unless you know something additional about the nature of the client. But it does tell the AS when the client is active for a particular AS, which in some cases is a privacy concern and in others it's a signal into the AS for keeping an eye out for aberrant behavior that a single RS couldn't detect.

This is all a general implication of the introspection process, and not unique to this draft. That said, it's an aspect of privacy that we did not cover in the considerations for RFC7662, but I don't know if it's appropriate to add such a general consideration here.

 — Justin

> On Aug 26, 2020, at 12:52 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> On Wed, Aug 26, 2020 at 4:37 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
> Hi Denis,
>
> > On 25. Aug 2020, at 16:55, Denis <denis.ietf@free.fr> wrote:
>
> > The fact that the AS will know exactly when the introspection call has been made and thus be able to make sure which client has attempted to perform an access to that RS and at which instant of time. The use of this call allows an AS to track where and when its clients have indeed presented an issued access token.
>
> That is a fact. I don't think it is an issue per se. Please explain the privacy implications.
>
> As I see it, the privacy implication is that the AS knows when the client (and potentially the user) is accessing the RS, which is also an indication of when the user is using the client.
>
> I think including this implication would be important to have in a Privacy Considerations section.
>
> /Dick
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
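The two sides of the point made in this thread, as an added example that is not part of the mailing-list discussion or of RFC 7662: an AS that logs every introspection call learns each client's activity window across all RSs (the privacy exposure), and the same log lets it spot a token being presented at several RSs at once, which no single RS can see (the detection signal). The log format, field names and sample lines are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed AS-side introspection log, one line per call to /introspect:
# ts = call time, rs = authenticated caller, client = token's client, active = AS answer.
SAMPLE_LOG = """\
2020-08-26T19:00:01Z rs=photos token=t1 client=app1 active=true
2020-08-26T19:00:09Z rs=calendar token=t1 client=app1 active=true
2020-08-26T19:00:12Z rs=mail token=t1 client=app1 active=true
2020-08-26T19:05:00Z rs=photos token=t2 client=app2 active=true
2020-08-26T19:20:00Z rs=photos token=t2 client=app2 active=false
2020-08-26T19:40:00Z rs=calendar token=t3 client=app1 active=true
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rec["active"] = rec["active"] == "true"
        events.append(rec)
    return events

def client_activity(events):
    """What the AS learns as a side effect: when each client was active and at which RSs."""
    out = {}
    for e in events:
        c = out.setdefault(e["client"], {"first": e["ts"], "last": e["ts"], "rs": set()})
        c["first"] = min(c["first"], e["ts"])
        c["last"] = max(c["last"], e["ts"])
        c["rs"].add(e["rs"])
    return out

def tokens_spread_across_rs(events, window=timedelta(seconds=30), min_rs=3):
    """Active tokens introspected by >= min_rs distinct RSs within `window`; only the AS sees this."""
    by_token = defaultdict(list)
    for e in events:
        if e["active"]:
            by_token[e["token"]].append(e)
    flagged = {}
    for tok, evs in by_token.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            seen = {e["rs"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(seen) >= min_rs:
                flagged[tok] = sorted(seen)
                break
    return flagged
```

Retaining only what the detection needs (for instance, coarse time buckets rather than exact timestamps, or dropping the client field) is the knob an AS has for trading the second function against the first.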