Re: [OAUTH-WG] WGLC for draft-ietf-oauth-token-exchange-08
Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> Fri, 30 June 2017 22:00 UTC
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: oauth <oauth@ietf.org>
Thanks Brian. See my replies inline...

On Fri, Jun 30, 2017 at 4:08 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:

> Thanks for the review, Rifaat. Replies are inline below...
>
> On Mon, Jun 26, 2017 at 6:40 AM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> wrote:
>
>> Hi (as individual),
>>
>> I have reviewed this version of the document and I have the following
>> comments/questions:
>>
>> Section 2.1, page 8, last paragraph:
>>
>> "In the absence of one-time-use or other semantics specific to the
>> token type, the act of performing a token exchange has no impact on
>> the validity of the subject token or actor token."
>>
>> Would the validity of the newly issued token be impacted later on by the
>> validity of the subject or actor tokens?
>
> No, the intent is that the tokens presented for exchange need to be valid
> at the time of exchange but after that the validity of the issued token is
> decoupled from, and has no dependency on, the subject or actor tokens.
>
> Do you feel that the doc should state this more explicitly? If so, a
> sentence like this could be added following the text you quoted,
> "Furthermore, the validity of the subject token or actor token has no
> impact on the validity of the issued token after the exchange has
> occurred."

Yeah, your proposed text looks good to me. It is better to explicitly state
that rather than leave it open to different interpretations.

>> Section 2.2.2, page 10, second paragraph:
>>
>> "If the authorization server is unwilling or unable to issue a token
>> for all the target services indicated by the "resource" or "audience"
>> parameters, the "invalid_target" error code MAY be used in the error
>> response."
>>
>> Can you please elaborate on why the above text is using "MAY" for the use
>> of "invalid_target" in this case?
>
> To be honest, I don't recall exactly why I went with "MAY" there. And on
> seeing your question and reading it again, that feels like it should be
> stronger than "MAY".
>
> Should that "MAY" be changed to a "SHOULD"? Or even a "MUST"?

It seems to me that at least "SHOULD" is warranted here. Does anybody have a
strong opinion on this?

>> Section 4.1, page 14, second paragraph:
>>
>> "However, claims within the "act" claim pertain only to the identity
>> of the actor and are not relevant to the validity of the containing
>> JWT in the same manner as the top-level claims. Consequently, claims
>> such as "exp", "nbf", and "aud" are not meaningful when used within
>> an "act" claim, and therefore should not be used."
>>
>> If the "exp", "nbf", and "aud" claims are not meaningful inside the "act"
>> claim, why is the sentence stating that it "should not be used"?
>> Would it not be more appropriate to state that it "must not be used"
>> instead?
>
> My thinking here is that saying 'such as "exp", "nbf", and "aud" claims'
> is more of a general statement of guidance rather than a fully inclusive
> list of claims that aren't meaningful inside the 'act' claim. And a full
> list isn't really feasible given that new claims can be defined in the
> future. So the use of "should" seemed more appropriate in that context
> rather than "must" or any RFC 2119 words. We can discuss changing that
> somehow, if you and/or other WG members think a change is needed? But that
> was my line of reasoning behind the current text.

How about something along the lines of the following to replace the last
sentence above: "Consequently, non-identity claims (e.g. "exp", "nbf", and
"aud") are not meaningful when used within an "act" claim, and therefore
must not be used".

Regards,
 Rifaat

>> Regards,
>>  Rifaat
>>
>> On Fri, Jun 2, 2017 at 3:05 PM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> wrote:
>>
>>> All,
>>>
>>> We are starting a WGLC on the Token Exchange document:
>>> https://www.ietf.org/id/draft-ietf-oauth-token-exchange-08
>>>
>>> Please review the document and provide feedback on any issues you see
>>> with the document.
>>>
>>> The WGLC will end in two weeks, on June 17, 2017.
>>>
>>> Regards,
>>>  Rifaat and Hannes
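The three points discussed in this message (the issued token's validity being decoupled from the subject and actor tokens once the exchange has happened, "invalid_target" for an unsatisfiable "resource", and no "exp"/"nbf"/"aud" inside "act") can be shown together in one small token-exchange handler. The code below is an added example and is not part of the thread or of the draft; it hand-rolls HS256 JWTs with the standard library so it runs offline. The shared key, issuer, the set of known resources, the set of claims stripped from "act", and the 300-second lifetime are all constructed for the example, and the handler assumes a single HS256 key for every token it sees.

```python
"""Added example: minimal token-exchange handler (Python stdlib only).

Assumptions, all constructed for the example: one HS256 key for every
token, a fixed issuer, a fixed set of known resources, and a 300 s
lifetime for issued tokens.
"""
import base64
import hashlib
import hmac
import json

KEY = b"example-shared-secret-do-not-use"     # constructed for the example
ISSUER = "https://as.example"                 # constructed
KNOWN_RESOURCES = {"https://backend.example/api"}   # constructed
# Claims that describe validity, not identity: never copied into "act".
NON_IDENTITY_CLAIMS = {"exp", "nbf", "iat", "aud", "jti"}
LIFETIME = 300


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict) -> str:
    """Produce a compact HS256 JWT over the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, now: int) -> dict:
    """Check signature and time window at instant `now`; raise ValueError if invalid.
    Tokens without "exp" are rejected."""
    header, payload, sig = token.split(".")
    expected = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("nbf", 0) > now or claims.get("exp", 0) <= now:
        raise ValueError("token not valid at this time")
    return claims


def is_valid_at(token: str, now: int) -> bool:
    try:
        verify_jwt(token, now)
        return True
    except ValueError:
        return False


def exchange(subject_token: str, actor_token, resource: str, now: int):
    """Handle an exchange request; return (http_status, json_body).

    Subject and actor tokens must be valid *at exchange time*; the issued
    token then carries its own "exp" and does not depend on them afterwards.
    """
    try:
        subject = verify_jwt(subject_token, now)
        actor = verify_jwt(actor_token, now) if actor_token else None
    except ValueError as exc:
        return 400, {"error": "invalid_request", "error_description": str(exc)}
    if resource not in KNOWN_RESOURCES:
        # Unable to issue a token for the requested target.
        return 400, {"error": "invalid_target"}
    claims = {"iss": ISSUER, "sub": subject["sub"], "aud": resource,
              "iat": now, "exp": now + LIFETIME}
    if actor:
        # "act" is about who the actor *is*; its exp/nbf/aud are dropped.
        claims["act"] = {k: v for k, v in actor.items()
                         if k not in NON_IDENTITY_CLAIMS}
    body = {"access_token": sign_jwt(claims),
            "issued_token_type": "urn:ietf:params:oauth:token-type:jwt",
            "token_type": "N_A", "expires_in": LIFETIME}
    return 200, body


def act_claim_is_clean(token: str) -> bool:
    """Consumer-side check: no validity claims anywhere in the (possibly nested) "act" chain."""
    _, payload, _ = token.split(".")
    act = json.loads(b64url_decode(payload)).get("act")
    while act is not None:
        if NON_IDENTITY_CLAIMS & act.keys():
            return False
        act = act.get("act")
    return True
```

The decoupling point is visible by issuing a token while the subject token is still valid, then checking both at a later instant: the subject token fails `is_valid_at` once its own "exp" has passed, while the issued token is still accepted until its own "exp". The same handler returns "invalid_target" for a resource it does not know, and never writes "exp", "nbf" or "aud" into "act".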