Re: [OAUTH-WG] the meaning of audience in SAML vs. OAuth
Nat Sakimura <sakimura@gmail.com> Fri, 22 March 2013 00:21 UTC
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF5F421F8900 for <oauth@ietfa.amsl.com>; Thu, 21 Mar 2013 17:21:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.784
X-Spam-Level:
X-Spam-Status: No, score=-0.784 tagged_above=-999 required=5 tests=[AWL=-1.366, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6, J_CHICKENPOX_48=0.6, NO_RELAYS=-0.001, SARE_HTML_USL_OBFU=1.666, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qqvkUzMuutHp for <oauth@ietfa.amsl.com>; Thu, 21 Mar 2013 17:21:07 -0700 (PDT)
Received: from mail-la0-x233.google.com (mail-la0-x233.google.com [IPv6:2a00:1450:4010:c03::233]) by ietfa.amsl.com (Postfix) with ESMTP id 6CAE821F88BE for <oauth@ietf.org>; Thu, 21 Mar 2013 17:21:06 -0700 (PDT)
Received: by mail-la0-f51.google.com with SMTP id fo13so6312242lab.38 for <oauth@ietf.org>; Thu, 21 Mar 2013 17:21:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=ciL4XB4MAYXXgvebTOmdOcc6I4MvsFr7mzx95kgSnMg=; b=Gdj+Z6N/EjV1aWJIeM4UGatn2Ql2lgYy+1xZOVyNIjIbBbOAKvOXVezboi/Wex90QA uGJJ7f0M7xmuaulyRddxYIkPcqgj/omCnVEDcp9Ti+GZT+aqPG5vxdjrnHhm69rWU1no 9SwiQZRTEvCk8gg1ghs6JJl33lGhUT7T/xy+i5kVRErCv8LqsdTQdXXr29gdKzLcrbDq Nh+8kZBEfbZHx2o2jB/ukmnaWUNrP/aNYGryZtXZwtGSWr3xVqZdW2eoKI/cyEPePL6p ne70xkAWWVaRe01IA+JSWwJAEHoHb3+apfkRWWSfODaVx4/BFt4TSyQetbVr89DtXrZ/ VFOQ==
MIME-Version: 1.0
X-Received: by 10.152.105.38 with SMTP id gj6mr8596262lab.25.1363911665220; Thu, 21 Mar 2013 17:21:05 -0700 (PDT)
Received: by 10.112.103.202 with HTTP; Thu, 21 Mar 2013 17:21:05 -0700 (PDT)
In-Reply-To: <514B6D66.9070809@oracle.com>
References: <1362079266.8952.YahooMailClassic@web141002.mail.bf1.yahoo.com> <512FCDF0.6010807@gmx.net> <5141EE22.2030306@oracle.com> <F38E6D5B-0062-4B27-BC93-1FB398F8808A@gmx.net> <51421CA0.7010400@oracle.com> <4E1F6AAD24975D4BA5B1680429673943675115B6@TK5EX14MBXC283.redmond.corp.microsoft.com> <CABzCy2AigUzN7TMVD__jf88F6gZSVCjCrJgVF8K5PnU0ndcWRg@mail.gmail.com> <514B6D66.9070809@oracle.com>
Date: Fri, 22 Mar 2013 09:21:05 +0900
Message-ID: <CABzCy2D_xi0X6c8NV5Jkd2kSo9xRxc+RBFqd9Uovgws=bZ-+Zw@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: prateek mishra <prateek.mishra@oracle.com>
Content-Type: multipart/alternative; boundary="f46d0408d3f74f842904d8786e18"
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] the meaning of audience in SAML vs. OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2013 00:21:08 -0000
Prateek, At this point, I would like to be a bit cautious about changing the claim names as it would impact bunch of implementations that are potentially being used by hundreds of millions of users now. I am more open to change the text that defines "aud". Currently, it goes: 4.1.3. "aud" (Audience) Claim The "aud" (audience) claim identifies the audiences that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim, then the JWT MUST be rejected. In the general case, the "aud" value is an array of case sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific. Use of this claim is OPTIONAL. Personally, I think there are two ways to change it. The first way (Type 1) removes the processing requirements from aud claim. As an individual expert, I feel that JWT should not mandate the processing requirement on aud, but just give the semantics of it and let the protocols/profiles decide on the processing rules. 4.1.3. "aud" (Audience) Claim The "aud" (audience) claim specifies the audiences that the JWT is intended for. In the general case, the "aud" value is an array of case sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific. Use of this claim is OPTIONAL. Note 1: The issuer cannot prevent a party to whom the token is disclosed from taking action on the basis of the information provided. However, the aud claim allows the issuer to state explicitly that no warranty is provided to such a party in a machine readable form. While there can be no guarantee that a court would uphold such a warranty exclusion in every circumstance, the probability of upholding the warranty exclusion is considerably improved. A slight variation of Type 1 (Type 1a) alignes more closely to SAML's definition. (Much of the text is straight out of SAML Core 2.0) 4.1.3. "aud" (Audience Restriction) Claim The "aud" (audience restriction) claim specifies that the JWT is addressed to one or more specific audiences identified by the elements of its value. Although a receiving party that is outside the audiences specified is capable of drawing conclusions from the token, the issuer explicitly makes no representation as to accuracy or trustworthiness to such a party. In the general case, the "aud" value is an array of case sensitive strings, each containing a StringOrURI value that identifies the audience intended for. In the special case when the JWT has one audience, the "aud" value MAY be a single case sensitive string containing a StringOrURI value. The interpretation of audience restriction values is generally application specific. Use of this claim is OPTIONAL. Note 1: The issuer cannot prevent a party to whom the token is disclosed from taking action on the basis of the information provided. However, the aud claim allows the issuer to state explicitly that no warranty is provided to such a party in a machine readable form. While there can be no guarantee that a court would uphold such a warranty exclusion in every circumstance, the probability of upholding the warranty exclusion is considerably improved. The second way (Type 2) is to change the acronym text. 4.1.3. "aud" (Assertion Usage Destination) Claim The "aud" (assertion usage destination) claim identifies the party that the JWT is intended for. Each party intended to process the JWT MUST identify itself with a value in audience claim. If the party processing the claim does not identify itself with a value in the "aud" claim, then the JWT MUST be rejected. In the general case, the "aud" value is an array of case sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific. Use of this claim is OPTIONAL. Note that I changed principal to party, since principal has more specific meaning than wanted here. Among them, I actually prefer Type 1a as I believe that JWT should be generic. BTW, I feel that the way aud is written now is a bit confusing to developers. Is the value of the aud claim an array or string? It should still spell it out that both are permitted more explicitly. Nat 2013/3/22 prateek mishra <prateek.mishra@oracle.com> > Mike, Nat - > > I am honestly not sure what to propose in terms of wording clarification. > <Audience> has a specific meaning in SAML and thats different > from its current meaning in OAuth. This issue becomes even more confusing > as the SAML assertion draft goes onto > redefine the meaning of <saml:audience>. Its processing rules for > <saml:audience> duplicate those for the recipient attribute within > <saml:SubjectConfirmation>. > > In SAML request messages, <saml:destination> models what is represented by > "audience" in Oauth. > As I mentioned above, SAML assertions utilize a recipient attribute within > the <saml:SubjectConfirmation> element to achieve the > same effect. > > My suggestion would be to replace "audience" by "recipient" or > "recipients". That would maintain a certain parallelism > between SAML and JWT assertions. It would also avoid the current > duplication of processing rules > for <saml:audience> and the "recipient" attribute in the SAML assertion > draft. > > I understand that <saml:Audience> as defined in SAML 2.0 is under-used > and perhaps also widely misunderstood. Nevertheless there are > implementations that make proper use of this element and they are gonna be > quite confused when they try to > implement the SAML assertion draft. I can also see some real interop. > difficulties arising because of this mixup. > > - prateek > >> well.. the aud term came from googler's use of the term and not saml. >> I agree with Prateek that the intention of the jwt:aud is rather >> similar to saml:destination. >> JWT is imposing the processing rule on it while saml:audience is >> mainly concerned about the liability. >> >> Nat >> >> >> 2013/3/15 Mike Jones<Michael.Jones@microsoft.**com<Michael.Jones@microsoft.com> >> >: >> >>> The JWT meaning of the term "audience" is intended to be the same as >>> SAML. Suggested wording clarifications would be welcomed. >>> >>> -- Mike >>> >>> -----Original Message----- >>> From: prateek mishra [mailto:prateek.mishra@oracle.**com<prateek.mishra@oracle.com> >>> ] >>> Sent: Thursday, March 14, 2013 11:53 AM >>> To: Hannes Tschofenig; Mike Jones >>> Cc:oauth@ietf.org >>> Subject: the meaning of audience in SAML vs. OAuth >>> >>> Hannes - you make a good point. >>> >>> I believe that the usage of "audience" inhttp://www.ietf.org/id/** >>> draft-ietf-oauth-json-web-**token-06.txt<http://www.ietf.org/id/draft-ietf-oauth-json-web-token-06.txt> >>> >>> >>> also corresponds to <saml:destination> rather than <saml:audience>. >>> >>> [quote-jwt06] >>> The aud (audience) claim identifies the audiences that the JWT is >>> intended for. Each principal intended to process the JWT MUST identify >>> itself with a value in audience claim. If the principal processing the >>> claim does not identify itself with a value in the aud claim, then the JWT >>> MUST be rejected. In the general case, the aud value is an array of case >>> sensitive strings, each containing a StringOrURI value. In the special case >>> when the JWT has one audience, the aud value MAY be a single case sensitive >>> string containing a StringOrURI value. The interpretation of audience >>> values is generally application specific. Use of this claim is OPTIONAL. >>> [\quote] >>> >>> I think this is a point of quite some confusion (a similar problem arose >>> during the SAML assertion drafts discussion on Tuesday). >>> >>> To the extent that JWT re-uses concepts and names from SAML, I dont >>> think this is the correct name with the semantics implied by the processing >>> rules given in jwt06. >>> >>> - prateek >>> >>> >>> >>> >>> >>> Hi Prateek, >>>> >>>> I never had planned to make the term audience to align with the SAML >>>> specification. >>>> However, in case this could lead to confusion we could also define a >>>> different term. >>>> >>>> Btw, did you look at the JWT spec whether the audience term there is >>>> inline with the SAML spec? >>>> >>>> Ciao >>>> Hannes >>>> >>>> On Mar 14, 2013, at 11:34 AM, prateek mishra wrote: >>>> >>>> Hi Hannes, >>>>> >>>>> I wanted to point out that use of the term "audience" in this document >>>>> is not consistent with the SAML 2.0 specification. >>>>> >>>>> >>>>> What you are referring to here as "audience" corresponds to >>>>> <saml:destination> which is described as >>>>> >>>>> [quote-saml2.0] >>>>> Destination [Optional] >>>>> A URI reference indicating the address to which this request has been >>>>> sent. This is useful to prevent malicious forwarding of requests to >>>>> unintended recipients, a protection that is required by some protocol >>>>> bindings. If it is present, the actual recipient MUST check that the >>>>> URI reference identifies the location at which the message was >>>>> received. If it does not, the request MUST be discarded. Some protocol >>>>> bindings may require the use of this attribute (see [SAMLBind]). >>>>> [\quote] >>>>> >>>>> In contrast, <saml:audience> is a means of limiting the liability of >>>>> the asserting party and is described in the following manner - >>>>> >>>>> [quote-saml2.0] >>>>> <Audience> >>>>> A URI reference that identifies an intended audience. The URI >>>>> reference MAY identify a document that describes the terms and >>>>> conditions of audience membership. It MAY also contain the unique >>>>> identifier URI from a SAML name identifier that describes a system entity >>>>> (see Section 8.3.6). >>>>> The audience restriction condition evaluates to Valid if and only if >>>>> the SAML relying party is a member of one or more of the audiences >>>>> specified. >>>>> >>>>> The SAML asserting party cannot prevent a party to whom the assertion >>>>> is disclosed from taking action on the basis of the information >>>>> provided. However, the <AudienceRestriction> element allows the SAML >>>>> asserting party to state explicitly that no warranty is provided to >>>>> such a party in a machine- and human-readable form. While there can >>>>> be no guarantee that a court would uphold such a warranty exclusion in >>>>> every circumstance, the probability of upholding the warranty exclusion is >>>>> considerably improved. >>>>> [\quote] >>>>> >>>>> - prateek >>>>> >>>>> >>>>> ______________________________**_________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/**listinfo/oauth<https://www.ietf.org/mailman/listinfo/oauth> >>> >> >> > -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en
- [OAUTH-WG] Fw: IPR Disclosure: - What to Do with … Oleg Gryb
- Re: [OAUTH-WG] Fw: IPR Disclosure: - What to Do w… Leif Johansson
- Re: [OAUTH-WG] Fw: IPR Disclosure: - What to Do w… Hannes Tschofenig
- Re: [OAUTH-WG] Fw: IPR Disclosure: - What to Do w… prateek mishra
- Re: [OAUTH-WG] Fw: IPR Disclosure: - What to Do w… Hannes Tschofenig
- Re: [OAUTH-WG] Fw: IPR Disclosure: - What to Do w… Leif Johansson
- Re: [OAUTH-WG] Fw: IPR Disclosure: - What to Do w… Oleg Gryb
- Re: [OAUTH-WG] Fw: IPR Disclosure: - What to Do w… Mike Jones
- Re: [OAUTH-WG] Fw: IPR Disclosure: - What to Do w… Oleg Gryb
- Re: [OAUTH-WG] the meaning of audience in SAML vs… Mike Jones
- [OAUTH-WG] comment on draft-tschofenig-auth-audie… prateek mishra
- Re: [OAUTH-WG] comment on draft-tschofenig-auth-a… Hannes Tschofenig
- [OAUTH-WG] the meaning of audience in SAML vs. OA… prateek mishra
- Re: [OAUTH-WG] the meaning of audience in SAML vs… Nat Sakimura
- Re: [OAUTH-WG] the meaning of audience in SAML vs… prateek mishra
- Re: [OAUTH-WG] the meaning of audience in SAML vs… Chuck Mortimore
- Re: [OAUTH-WG] the meaning of audience in SAML vs… Igor Faynberg
- Re: [OAUTH-WG] the meaning of audience in SAML vs… prateek mishra
- Re: [OAUTH-WG] the meaning of audience in SAML vs… Nat Sakimura