Re: [OAUTH-WG] OAuth and OpenID Connect enterprise profiles

Daniel Fett <fett@danielfett.de> Tue, 03 March 2020 14:17 UTC

To: "Peck, Michael A" <mpeck@mitre.org>, "oauth@ietf.org" <oauth@ietf.org>
Cc: OAuthOIDCProfiles <OAuthOIDCProfiles@groups.mitre.org>
References: <1E8E2EDD-D87E-442B-9FDD-28145AD3350C@mitre.org>
From: Daniel Fett <fett@danielfett.de>
Message-ID: <f7d6ed53-0d33-24f8-7440-7d5be3e7e6bd@danielfett.de>
Date: Tue, 03 Mar 2020 15:17:05 +0100
MIME-Version: 1.0
In-Reply-To: <1E8E2EDD-D87E-442B-9FDD-28145AD3350C@mitre.org>
Content-Type: multipart/alternative; boundary="------------CDEFED9805C82F1CF5083705"
Content-Language: de-DE
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CA0MrBbU9wTGq2MvMdV0a-4V8u8>
Subject: Re: [OAUTH-WG] OAuth and OpenID Connect enterprise profiles

Hi Michael et al.,

Thanks for the document; it is an interesting read! I like the "Security
Rationale" section in particular. Very useful!

In general, this seems to go into a similar direction as the FAPI 2.0
Baseline profile we are currently developing in the FAPI WG [1]. It
might be worthwhile to compare the two.

Some other points from a first read:

(All page numbers as printed, not the PDF page count.)

- Why is PKCE not mandatory for confidential clients? It provides a
strong second layer of defense when authorization codes are stolen.

- I found the description "front-end web server application" somewhat
confusing (Section 2.1.1, p. 9) - The client runs on the server's
backend, I assume? On the front-end (browser), it should be a public client.

- In Section 3.7 (p. 22), the first and second paragraph seem to
contradict each other. First one says "RECOMMENDED lifetimes", second
one says "MUST have a valid lifetime no greater than one hour".

- I was surprised that the Security BCP does not show up in Section 6.

-Daniel

[1] https://bitbucket.org/openid/fapi/src/master/FAPI_2_0_Baseline_Profile.md
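The PKCE point above, as an added example that is not part of this thread or of the MITRE profiles: a small Python model of an authorization server that binds each issued code to an S256 code_challenge (RFC 7636) and exchanges it only when both the confidential client's secret and the matching code_verifier are presented. Client name, secret and endpoint names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed client registration: one confidential client with a secret.
CLIENTS = {"web-app": {"secret": "example-client-secret"}}
_issued_codes = {}  # code -> {"client_id", "code_challenge", "used"}


def s256_challenge(code_verifier):
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_verifier():
    """Client side: a fresh high-entropy code_verifier per authorization request."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def authorize(client_id, code_challenge):
    """AS authorization endpoint (user login and consent elided): bind the code to the challenge."""
    code = secrets.token_urlsafe(24)
    _issued_codes[code] = {"client_id": client_id, "code_challenge": code_challenge, "used": False}
    return code


def token(client_id, client_secret, code, code_verifier):
    """AS token endpoint: client authentication AND the PKCE check must both pass."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    rec = _issued_codes.get(code)
    if rec is None or rec["used"] or rec["client_id"] != client_id:
        return {"error": "invalid_grant"}
    # A code captured elsewhere and injected into a different session of the
    # legitimate client carries a challenge that this session's verifier cannot match,
    # so the client secret alone is not enough to redeem it.
    if not hmac.compare_digest(s256_challenge(code_verifier), rec["code_challenge"]):
        return {"error": "invalid_grant"}
    rec["used"] = True  # single use, so a replay of the same code also fails
    # expires_in kept within the one-hour lifetime discussed above
    return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer", "expires_in": 3600}
```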




On 02.03.20 at 20:53, Peck, Michael A wrote:
> Hello all,
>
> For anyone who may be interested: MITRE, in support of the U.S. Government, has developed tailored OAuth and OpenID Connect profiles for use in enterprise environments. We have leveraged previous standards efforts (e.g. work in the IETF and in the OpenID Foundation) and have detailed requirements to use the standards in a secure and interoperable manner to address enterprise environment use cases.
>
> These profiles should be considered informational as we seek feedback from subject matter experts. We’re interested in working with standards bodies and others to move these concepts forward. We welcome any comments and suggestions at OAuthOIDCProfiles@groups.mitre.org .
>
> The profiles can be found at: https://www.mitre.org/publications/technical-papers/enterprise-mission-tailored-oauth-20-and-openid-connect-profiles
>
> Michael Peck
> The MITRE Corporation
>