[OAUTH-WG] Bls: OAuth Digest, Vol 73, Issue 56
Panca Agus Ananda <panca70@outlook.com> Fri, 21 November 2014 20:21 UTC
Return-Path: <panca70@outlook.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BB401A6F0E for <oauth@ietfa.amsl.com>; Fri, 21 Nov 2014 12:21:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1hazvVLr6kIb for <oauth@ietfa.amsl.com>; Fri, 21 Nov 2014 12:20:55 -0800 (PST)
Received: from BLU004-OMC1S1.hotmail.com (blu004-omc1s1.hotmail.com [65.55.116.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 59AD91A6FB0 for <oauth@ietf.org>; Fri, 21 Nov 2014 12:20:54 -0800 (PST)
Received: from BLU406-EAS167 ([65.55.116.7]) by BLU004-OMC1S1.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.22751); Fri, 21 Nov 2014 12:20:53 -0800
X-TMN: [x+Sk/g+8XeTL6ASArEm4PKo5YgsCNQkB]
X-Originating-Email: [panca70@outlook.com]
Message-ID: <BLU406-EAS16782B41DB33239163D85A5A6770@phx.gbl>
Content-Type: multipart/mixed; boundary="===============0068995342=="
MIME-Version: 1.0
X-Client-ID: 1231
X-Mailer: BlackBerry Email (10.2.1.3442)
Date: Sat, 22 Nov 2014 03:20:47 +0700
From: Panca Agus Ananda <panca70@outlook.com>
To: oauth@ietf.org, oauth@ietf.org
X-OriginalArrivalTime: 21 Nov 2014 20:20:53.0374 (UTC) FILETIME=[A63391E0:01D005C8]
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/CgT3zNQKE4je2PzS6EZQufmSHV4
Subject: [OAUTH-WG] Bls: OAuth Digest, Vol 73, Issue 56
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Nov 2014 20:21:03 -0000
Dikirim dari ponsel cerdas BlackBerry 10 saya dengan jaringan Telkomsel. Dari: oauth-request@ietf.org Terkirim: Sabtu, 22 November 2014 03.01 Ke: oauth@ietf.org Balas Ke: oauth@ietf.org Perihal: OAuth Digest, Vol 73, Issue 56 Send OAuth mailing list submissions to oauth@ietf.org To subscribe or unsubscribe via the World Wide Web, visit https://www.ietf.org/mailman/listinfo/oauth or, via email, send a message with subject or body 'help' to oauth-request@ietf.org You can reach the person managing the list at oauth-owner@ietf.org When replying, please edit your Subject line so it is more specific than "Re: Contents of OAuth digest..." Today's Topics: 1. Re: Review of dynamic registration draft (Richer, Justin P.) 2. Re: Review of dynamic registration draft (Richer, Justin P.) ---------------------------------------------------------------------- Message: 1 Date: Thu, 20 Nov 2014 20:34:37 +0000 From: "Richer, Justin P." <jricher@mitre.org> To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Cc: oauth <oauth@ietf.org> Subject: Re: [OAUTH-WG] Review of dynamic registration draft Message-ID: <527AD765-4F4F-4DFB-A127-EB9B7DAB1F61@mitre.org> Content-Type: text/plain; charset="us-ascii" Kathleen, thanks for your review. Responses inline. On Nov 19, 2014, at 9:56 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com<mailto:kathleen.moriarty.ietf@gmail.com>> wrote: Hi, I reviewed draft-Ietf-oauth-dyn-reg-20 and have the following questions before we move this to IETF last call. Sect 2, Has there been any consideration in the WG of using alternate auth methods from HTTPAuth like HOBA? I realize this is referencing Oauth defined methods from the framework draft, but would like to know what was considered or not. HOBA is heading to IETF last call soon. Nobody brought up HOBA in this working group. This field is intentionally extensible, so if there's interest in defining how to use HOBA for OAuth client authentication it will make a perfectly reasonable extension document. Section 6: why is there a choice on TLS? I'd recommend you make it require 1.2 unless there is a really compelling argument to have that must as either 1.2 or 1.0 We copied this text straight from RFC6749. I know that a similar section exists in JWS with updated language, and we could adopt that directly here: Which TLS version(s) ought to be implemented will vary over time, and depend on the widespread deployment and known security vulnerabilities at the time of implementation. At the time of this writing, TLS version 1.2 [RFC5246<https://tools.ietf.org/html/rfc5246>] is the most recent version. To protect against information disclosure and tampering, confidentiality protection MUST be applied using TLS with a ciphersuite that provides confidentiality and integrity protection. See current publications by the IETF TLS working group, including RFC<https://tools.ietf.org/html/rfc6176> 6176<https://tools.ietf.org/html/rfc6176> [RFC6176<https://tools.ietf.org/html/rfc6176>] for guidance on the ciphersuites currently considered to be appropriate for use. Also, see Recommendations for Secure Use of TLS and DTLS [I-D.ietf-uta-tls-bcp<https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-37#ref-I-D.ietf-uta-tls-bcp>] for recommendations on improving the security of software and services using TLS. Whenever TLS is used, the identity of the service provider encoded in the TLS server certificate MUST be verified using the procedures described in Section 6 of RFC 6125<https://tools.ietf.org/html/rfc6125#section-6> [RFC6125<https://tools.ietf.org/html/rfc6125>] Will that work? Sect 6 paragraph 5 Why are the security recommendations listed as 'could'? Things listed as 'could' in this section were seen to be non-normative recommendations of possible mitigating behaviors. In other words, not trying to be prescriptive with the actions here but providing guidance. Most of these were relaxed from normative requirements in earlier drafts from WG feedback Sect 6 paragraph 7 What makes it 'valid and trusted'? The flow of this paragraph could be improved so the terms valid and trusted are connected to earlier statements to separate it better from the plain JSON objects. On the first level, this includes validating the JWS on the statement itself, but as is usually the case, determining "trust" of a source is going to be very application specific. I'm not quite Please add a section or interspersed statements on privacy considerations. Include text on what may be of concern (names, contacts, etc.) and what can be done to protect the values (interspersed may be easier) or that they may be left out to remove concerns. Most of this protocol doesn't deal with any user information, and so I don't think there are any privacy considerations for most of the document. The one part of this protocol that I can see being a possible privacy consideration is the "contacts" meatadata field, which contains user contact information. Since this field is self-asserted by the client or developer (whoever's doing the registration) for the express purpose of providing a means of contacting the developer of the client, I'm not sure what concerns this might have, if any. Do you have any other specific parts that you think would have privacy concerns that you'd like to address? Thanks for the review and the thoughtful comments. -- Justin Thank you, Kathleen Sent from my iPhone _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://www.ietf.org/mail-archive/web/oauth/attachments/20141120/55188a87/attachment.html> ------------------------------ Message: 2 Date: Thu, 20 Nov 2014 20:47:08 +0000 From: "Richer, Justin P." <jricher@mitre.org> To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Cc: oauth <oauth@ietf.org> Subject: Re: [OAUTH-WG] Review of dynamic registration draft Message-ID: <69636E15-B340-4E1B-A859-330876EC8539@mitre.org> Content-Type: text/plain; charset="us-ascii" Sorry, a sentence trailed off -- I meant to say: Sect 6 paragraph 7 What makes it 'valid and trusted'? The flow of this paragraph could be improved so the terms valid and trusted are connected to earlier statements to separate it better from the plain JSON objects. On the first level, this includes validating the JWS on the statement itself, but as is usually the case, determining "trust" of a source is going to be very application specific. I'm not quite ... convinced that we can really do much more than that, though we can explicitly state that this is the case if that would help. I agree that "valid and trusted" is a bit vague. -- Justin On Nov 20, 2014, at 3:34 PM, Justin Richer <jricher@mitre.org<mailto:jricher@mitre.org>> wrote: Kathleen, thanks for your review. Responses inline. On Nov 19, 2014, at 9:56 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com<mailto:kathleen.moriarty.ietf@gmail.com>> wrote: Hi, I reviewed draft-Ietf-oauth-dyn-reg-20 and have the following questions before we move this to IETF last call. Sect 2, Has there been any consideration in the WG of using alternate auth methods from HTTPAuth like HOBA? I realize this is referencing Oauth defined methods from the framework draft, but would like to know what was considered or not. HOBA is heading to IETF last call soon. Nobody brought up HOBA in this working group. This field is intentionally extensible, so if there's interest in defining how to use HOBA for OAuth client authentication it will make a perfectly reasonable extension document. Section 6: why is there a choice on TLS? I'd recommend you make it require 1.2 unless there is a really compelling argument to have that must as either 1.2 or 1.0 We copied this text straight from RFC6749. I know that a similar section exists in JWS with updated language, and we could adopt that directly here: Which TLS version(s) ought to be implemented will vary over time, and depend on the widespread deployment and known security vulnerabilities at the time of implementation. At the time of this writing, TLS version 1.2 [RFC5246<https://tools.ietf.org/html/rfc5246>] is the most recent version. To protect against information disclosure and tampering, confidentiality protection MUST be applied using TLS with a ciphersuite that provides confidentiality and integrity protection. See current publications by the IETF TLS working group, including RFC<https://tools.ietf.org/html/rfc6176> 6176<https://tools.ietf.org/html/rfc6176> [RFC6176<https://tools.ietf.org/html/rfc6176>] for guidance on the ciphersuites currently considered to be appropriate for use. Also, see Recommendations for Secure Use of TLS and DTLS [I-D.ietf-uta-tls-bcp<https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-37#ref-I-D.ietf-uta-tls-bcp>] for recommendations on improving the security of software and services using TLS. Whenever TLS is used, the identity of the service provider encoded in the TLS server certificate MUST be verified using the procedures described in Section 6 of RFC 6125<https://tools.ietf.org/html/rfc6125#section-6> [RFC6125<https://tools.ietf.org/html/rfc6125>] Will that work? Sect 6 paragraph 5 Why are the security recommendations listed as 'could'? Things listed as 'could' in this section were seen to be non-normative recommendations of possible mitigating behaviors. In other words, not trying to be prescriptive with the actions here but providing guidance. Most of these were relaxed from normative requirements in earlier drafts from WG feedback Sect 6 paragraph 7 What makes it 'valid and trusted'? The flow of this paragraph could be improved so the terms valid and trusted are connected to earlier statements to separate it better from the plain JSON objects. On the first level, this includes validating the JWS on the statement itself, but as is usually the case, determining "trust" of a source is going to be very application specific. I'm not quite Please add a section or interspersed statements on privacy considerations. Include text on what may be of concern (names, contacts, etc.) and what can be done to protect the values (interspersed may be easier) or that they may be left out to remove concerns. Most of this protocol doesn't deal with any user information, and so I don't think there are any privacy considerations for most of the document. The one part of this protocol that I can see being a possible privacy consideration is the "contacts" meatadata field, which contains user contact information. Since this field is self-asserted by the client or developer (whoever's doing the registration) for the express purpose of providing a means of contacting the developer of the client, I'm not sure what concerns this might have, if any. Do you have any other specific parts that you think would have privacy concerns that you'd like to address? Thanks for the review and the thoughtful comments. -- Justin Thank you, Kathleen Sent from my iPhone _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://www.ietf.org/mail-archive/web/oauth/attachments/20141120/94065061/attachment.html> ------------------------------ Subject: Digest Footer _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth ------------------------------ End of OAuth Digest, Vol 73, Issue 56 *************************************
- [OAUTH-WG] Bls: OAuth Digest, Vol 73, Issue 56 Panca Agus Ananda