Re: [OAUTH-WG] Alissa Cooper's Discuss on draft-ietf-oauth-introspection-09: (with DISCUSS and COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 11 June 2015 14:17 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55BB11B29A8; Thu, 11 Jun 2015 07:17:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xt6L5asTxZqN; Thu, 11 Jun 2015 07:17:10 -0700 (PDT)
Received: from mail-wi0-x236.google.com (mail-wi0-x236.google.com [IPv6:2a00:1450:400c:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE5811B29A7; Thu, 11 Jun 2015 07:17:09 -0700 (PDT)
Received: by wiwd19 with SMTP id d19so75773600wiw.0; Thu, 11 Jun 2015 07:17:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=8qjJs18ldTDAs1BZzwlXrYX8ziXgA5mm+8zaH1/N15U=; b=o7DAkX0u/woSezZ5+IsS4fI437UT3LmP4tVTl6VuhWXIbiXiRS5rcN0tMSuY1n0uUV 9XQwJ94d1uGri1gv3wqbPkj5LKLOM3w+6UbPSyp+PDomIMemukXJBB3h4hSEkptIIxK7 4btjy6/AuHqAR1UG21wy2FfEgDrImPnAsPoNtIyGZN47F7E8acHHGU4RSItPFDhSHfH3 ACjrhb1CHJNiSVof77gwFB+EHW69GZfAQPai4zACpJDcjEhXSgPOLyFpujTJSY4njmm/ nWQukrTH5oBxKzZ+vdkUN0OVjlgDDSOyTWe3sCRYjeAaYPEjS1mZKYnRlMLrd9rT6Swo hrdg==
MIME-Version: 1.0
X-Received: by 10.194.222.230 with SMTP id qp6mr17307807wjc.70.1434032228519; Thu, 11 Jun 2015 07:17:08 -0700 (PDT)
Received: by 10.28.148.148 with HTTP; Thu, 11 Jun 2015 07:17:08 -0700 (PDT)
In-Reply-To: <20150608164044.24189.13985.idtracker@ietfa.amsl.com>
References: <20150608164044.24189.13985.idtracker@ietfa.amsl.com>
Date: Thu, 11 Jun 2015 10:17:08 -0400
Message-ID: <CAHbuEH5ro3xodHEAV4QmeOY9J1xGdTbvRNg5-g3Skm01wYxx5g@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Alissa Cooper <alissa@cooperw.in>
Content-Type: multipart/alternative; boundary=001a11c3bad893d7c105183ea530
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/JXZkW8RTAC-R3NvJdUnG94PJTD4>
Cc: draft-ietf-oauth-introspection@ietf.org, draft-ietf-oauth-introspection.ad@ietf.org, "oauth@ietf.org" <oauth@ietf.org>, draft-ietf-oauth-introspection.shepherd@ietf.org, The IESG <iesg@ietf.org>, oauth-chairs@ietf.org
Subject: Re: [OAUTH-WG] Alissa Cooper's Discuss on draft-ietf-oauth-introspection-09: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jun 2015 14:17:12 -0000

Hi,

I haven't seen a response on this yet.  Please respond to discuss the
issues pointed out by Alissa.

Thank you,
Kathleen

On Mon, Jun 8, 2015 at 12:40 PM, Alissa Cooper <alissa@cooperw.in> wrote:

> Alissa Cooper has entered the following ballot position for
> draft-ietf-oauth-introspection-09: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-introspection/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> = Section 2.1 =
> "The endpoint MAY allow other parameters to provide further context to
>    the query.  For instance, an authorization service may need to know
>    the IP address of the client accessing the protected resource in
>    order to determine the appropriateness of the token being presented."
>
> How does the protected resource know whether it needs to include such
> additional parameters or not? What is meant by the "appropriateness" of
> the token?
>
> In general if we're talking about a piece of data that could be sensitive
> like client IP address, it would be better for there to be specific
> guidelines to direct protected resources as to when this information
> needs to be sent. I note that Section 5 basically says such
> considerations are out of scope, but if this specific example is to be
> provided here then they seem in scope to me.
>
> = Section 5 =
> "One way to limit disclosure is to require
>    authorization to call the introspection endpoint and to limit calls
>    to only registered and trusted protected resource servers."
>
> I thought Section 2.1 made authorization to call the introspection
> endpoint mandatory. This makes it sound like it's optional. Which is it?
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> = Section 1.1 =
> There is no reference to RFC2119 here, which may be okay but most
> documents include it if they use normative language (I think).
>
> = Section 2 =
> "The
>    definition of an active token is up to the authorization server, but
>    this is commonly a token that has been issued by this authorization
>    server, is not expired, has not been revoked, and is within the
>    purview of the protected resource making the introspection call."
>
> Is "within the purview" a term of art for OAuth 2.0? Is there a more
> specific way to describe what is meant here? Also, I note that in the
> description of the "active" member in Section 2.2, this criterion is not
> listed. It seems like these should be aligned.
>
> = Section 2.2 =
> "Note that in order to avoid disclosing too much of the
>    authorization server's state to a third party, the authorization
>    server SHOULD NOT include any additional information about an
>    inactive token, including why the token is inactive."
>
> Seems like this should be a MUST NOT unless there's some reason for
> providing anything other than active set to false. Same comment applies
> in Section 4.
>
> = Section 2.3 =
> It seems like there is another error condition and I'm wondering if its
> handling needs to be specified. Per my question in Section 2.1, if it's
> possible that the request is properly formed but is missing some
> additional information that the authorization server needs to evaluate
> it, should there be an error condition specified for that case?
>
>
>


-- 

Best regards,
Kathleen