Re: [OAUTH-WG] comment on draft-tschofenig-auth-audience-00.txt (incorrect use of audience)

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 14 March 2013 15:51 UTC

From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <5141EE22.2030306@oracle.com>
Date: Thu, 14 Mar 2013 11:51:42 -0400
Message-Id: <F38E6D5B-0062-4B27-BC93-1FB398F8808A@gmx.net>
References: <1362079266.8952.YahooMailClassic@web141002.mail.bf1.yahoo.com> <512FCDF0.6010807@gmx.net> <5141EE22.2030306@oracle.com>
To: prateek mishra <prateek.mishra@oracle.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] comment on draft-tschofenig-auth-audience-00.txt (incorrect use of audience)

Hi Prateek, 

I had never planned to make the term audience align with the SAML specification. 
However, in case this could lead to confusion we could also define a different term. 

Btw, did you check whether the audience term in the JWT spec is in line with the SAML spec?

Ciao
Hannes

On Mar 14, 2013, at 11:34 AM, prateek mishra wrote:

> Hi Hannes,
> 
> I wanted to point out that use of the term "audience" in this document is not consistent with the SAML 2.0 specification.
> 
> 
> What you are referring to here as "audience" corresponds to <saml:destination> which is described as 
> 
> [quote-saml2.0]
> Destination [Optional]
> A URI reference indicating the address to which this request has been sent. This is useful to prevent
> malicious forwarding of requests to unintended recipients, a protection that is required by some
> protocol bindings. If it is present, the actual recipient MUST check that the URI reference identifies the
> location at which the message was received. If it does not, the request MUST be discarded. Some
> protocol bindings may require the use of this attribute (see [SAMLBind]).
> [\quote]
> 
> In contrast, <saml:audience> is a means of limiting the liability of the asserting party and is described
> in the following manner -
> 
> [quote-saml2.0]
>  <Audience>
> A URI reference that identifies an intended audience. The URI reference MAY identify a document
> that describes the terms and conditions of audience membership. It MAY also contain the unique
> identifier URI from a SAML name identifier that describes a system entity (see Section 8.3.6).
> The audience restriction condition evaluates to Valid if and only if the SAML relying party is a member of
> one or more of the audiences specified.
> 
> The SAML asserting party cannot prevent a party to whom the assertion is disclosed from taking action on
> the basis of the information provided. However, the <AudienceRestriction> element allows the
> SAML asserting party to state explicitly that no warranty is provided to such a party in a machine- and
> human-readable form. While there can be no guarantee that a court would uphold such a warranty
> exclusion in every circumstance, the probability of upholding the warranty exclusion is considerably
> improved.
> [\quote]
> 
> - prateek
> 
>
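Added example, not part of the thread and not from the draft under discussion: a small Python validator that implements the two checks Prateek distinguishes above as separate functions, so the difference is visible in code. The Destination-style check asks "was this message received at the URI it names?" and compares normalized endpoint URIs; the Audience-style check asks "is this relying party a member of one or more of the listed audiences?" and compares opaque identifiers exactly, as RFC 7519 requires for a JWT `aud` claim (which may be a single string or a list of strings). The claim values, identifiers and the separate `destination` input are constructed for illustration; a destination field is not a standard JWT claim and is taken here as a stand-in for SAML's Destination attribute.

```python
from typing import List, Optional, Union
from urllib.parse import urlsplit


def normalize_uri(uri: str) -> str:
    """Canonicalize an endpoint URI for a Destination-style comparison:
    lower-case scheme and host, drop a default port, keep path and query.
    Two spellings of the same endpoint must compare equal here."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port
    if port is None or (scheme, port) in (("https", 443), ("http", 80)):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    path = p.path or "/"
    query = f"?{p.query}" if p.query else ""
    return f"{scheme}://{netloc}{path}{query}"


def destination_matches(destination: str, received_at: str) -> bool:
    """SAML Destination semantics: the recipient checks that the URI named in
    the message identifies the location where the message was actually received.
    This is the anti-forwarding check; on mismatch the message is discarded."""
    return normalize_uri(destination) == normalize_uri(received_at)


def is_intended_audience(aud: Union[str, List[str], None], my_id: str) -> bool:
    """Audience-restriction semantics: valid iff this relying party is a member
    of one or more of the audiences listed. A JWT `aud` may be a string or a
    list of strings; values are compared as exact, case-sensitive strings
    (no URI normalization). A missing or malformed claim fails closed."""
    if aud is None:
        return False
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or not all(isinstance(a, str) for a in aud):
        return False
    return my_id in aud


def check_message(aud: Union[str, List[str], None],
                  destination: Optional[str],
                  my_id: str,
                  received_at: str) -> List[str]:
    """Run both checks and name which one failed, so a log entry can tell
    'issued for someone else' (audience) from 'replayed at the wrong endpoint'
    (destination). An empty list means the message passed both checks."""
    failures = []
    if not is_intended_audience(aud, my_id):
        failures.append("audience")
    if destination is not None and not destination_matches(destination, received_at):
        failures.append("destination")
    return failures


# Constructed sample inputs (hypothetical identifiers, not a real token).
SAMPLE_AUD = ["https://rs.example/api", "urn:example:rs:reporting"]
SAMPLE_DESTINATION = "https://rs.example:443/api/resource"

if __name__ == "__main__":
    print(check_message(SAMPLE_AUD, SAMPLE_DESTINATION,
                        "urn:example:rs:reporting", "https://RS.EXAMPLE/api/resource"))
    print(check_message(SAMPLE_AUD, SAMPLE_DESTINATION,
                        "urn:example:rs:other", "https://proxy.example/api/resource"))
```

Note the deliberate asymmetry: endpoint URIs are normalized before comparison because a message really does arrive at one network location, whereas audience values are identifiers and must match byte-for-byte, so `https://RS.example/api` in an `aud` list does not satisfy a relying party calling itself `https://rs.example/api`.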