Re: [OAUTH-WG] AD Review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer

Mike Jones <Michael.Jones@microsoft.com> Sat, 19 July 2014 16:01 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/LCSY3o2QMX4C2SriDVoELJUxyBg

I agree with Brian’s suggested text.  Thanks for writing this, Brian!

                                                            -- Mike

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Kathleen Moriarty
Sent: Saturday, July 19, 2014 7:24 AM
To: Brian Campbell
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] AD Review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer

Thanks for the quick response, Brian.  I think the text looks great.  The only change I'd like to suggest is in the second sentence, to change the 'may' to 'SHOULD'.

Best regards,
Kathleen

Sent from my iPhone

On Jul 19, 2014, at 1:00 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
How about the following (which is intentionally similar to the text I just put forth for your request for privacy consideration in draft-ietf-oauth-jwt-bearer-09)?
A SAML Assertion may contain privacy-sensitive information and, to prevent disclosure of such information to unintended parties, should only be transmitted over encrypted channels, such as TLS. In cases where it’s desirable to prevent disclosure of certain information to the client, the Subject and/or individual attributes of a SAML Assertion may be encrypted to the authorization server.

Deployments should determine the minimum amount of information necessary to complete the exchange and include only that information in an Assertion (typically by limiting what information is included in an <AttributeStatement> or omitting it altogether). In some cases the Subject can be a value representing an anonymous or pseudonymous user as described in Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants [http://tools.ietf.org/html/draft-ietf-oauth-assertions-16#section-6.3.1].

On Tue, Jul 15, 2014 at 2:04 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
Hello,

I just finished my review of http://datatracker.ietf.org/doc/draft-ietf-oauth-saml2-bearer.  The draft looks great, thank you for all of your efforts on it!

I did notice that there were no privacy considerations pointing back to RFC6973, could that text be added?  The draft came after the OAuth framework publication (referenced in the security considerations), so I am guessing that is why this was missed as there are privacy considerations in the OAuth assertion draft (I completed that review as well and the draft looked great.  I don't have any comments to add prior to progressing the draft).

Thank you.

--

Best regards,
Kathleen

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
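As an added example (not part of the thread, the draft, or any project's code), here is a pre-send check a client could run to apply the three points in Brian's proposed text: an encrypted channel to the token endpoint, a pseudonymous Subject, and an AttributeStatement limited to what the exchange needs. The allow-list, endpoint URL and both sample Assertions are constructed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# NameID formats from SAML Core that do not directly identify the user.
PSEUDONYMOUS_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

def privacy_findings(assertion_xml, token_endpoint, allowed_attrs):
    """Return findings to resolve before sending the Assertion; [] means clean."""
    findings = []
    # 1. Encrypted channel: the grant request must go to an https token endpoint.
    if urlparse(token_endpoint).scheme != "https":
        findings.append("token endpoint is not https")
    root = ET.fromstring(assertion_xml)
    # 2. Subject: flag directly identifying NameID formats. A Subject carried as an
    #    EncryptedID (encrypted to the authorization server) has no NameID and is not flagged.
    name_id = root.find(f"{SAML}Subject/{SAML}NameID")
    if name_id is not None and name_id.get("Format") not in PSEUDONYMOUS_FORMATS:
        findings.append(f"NameID format is not pseudonymous: {name_id.get('Format')}")
    # 3. Data minimisation: every attribute in the AttributeStatement must be allow-listed.
    for attr in root.iter(f"{SAML}Attribute"):
        if attr.get("Name") not in allowed_attrs:
            findings.append(f"attribute not in allow-list: {attr.get('Name')}")
    return findings

# Constructed sample: a direct e-mail identifier plus an attribute the exchange does not need.
OVERSHARING_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2014-07-19T16:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>reader</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="dateOfBirth"><saml:AttributeValue>1980-01-01</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: transient (pseudonymous) Subject and only the attribute the exchange needs.
MINIMAL_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed2" Version="2.0" IssueInstant="2014-07-19T16:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7a1f</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>reader</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Encrypted attributes (EncryptedAttribute elements) are likewise skipped by the allow-list loop, since their names are not visible to the client-side check.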