Re: [OAUTH-WG] Privacy Considerations section in OAuth 2.1?

Brian Campbell <bcampbell@pingidentity.com> Mon, 10 August 2020 17:04 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 10 Aug 2020 11:03:44 -0600
Message-ID: <CA+k3eCReGMCBk3fH1NxP=2ZRUDvi+cVE7ncKUgx=9Su3dTCeWg@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IC0DFBHkOQxzxD0gk0ve4B5qtYM>

I didn't have the reference offhand during the meeting today but
https://tools.ietf.org/html/rfc6973 looks to be a good source of
considerations for writing privacy considerations. As I mentioned, I've
written a number of such sections. Though these probably shouldn't be
considered exemplary, they were published:
https://tools.ietf.org/html/rfc8707#section-4,
https://tools.ietf.org/html/rfc8705#section-8,
https://tools.ietf.org/html/rfc8693#section-6,
https://tools.ietf.org/html/rfc7523#section-7,
https://tools.ietf.org/html/rfc7522#section-7, and
https://tools.ietf.org/html/rfc7521#section-8.4.

I think including a pragmatic Privacy Considerations section in the OAuth
2.1 draft could be worthwhile.

On Mon, Aug 10, 2020 at 10:42 AM Dick Hardt <dick.hardt@gmail.com> wrote:

> In the PAR meeting today, Denis requested there be a privacy
> considerations section in PAR. I don't think there is anything specific in
> PAR that would change the privacy considerations of OAuth, and am checking
> if there is WG interest, and consensus, on including a Privacy
> Considerations section in the OAuth 2.1 draft.
>
> /Dick
