Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)

Brian Campbell <bcampbell@pingidentity.com> Sun, 21 July 2019 12:15 UTC


That works for me.

On Sat, Jul 20, 2019 at 10:28 PM Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Fri, Jul 19, 2019 at 10:05:57AM -0600, Brian Campbell wrote:
> > On Fri, Jul 19, 2019 at 8:31 AM Barry Leiba <barryleiba@computer.org> wrote:
> >
> > >
> > > >> — Section 1.1 —
> > > >> Given the extensive discussion of impersonation here, what strikes me as
> > > >> missing is pointing out that impersonation here is still controlled, that "A is
> > > >> B" but only to the extent that's allowed by the token.  First, it might be
> > > >> limited by number of instances (one transaction only), by time of day (only for
> > > >> 10 minutes), and by scope (in regard to B's address book, but not B's email).
> > > >> Second, there is accountability: audit information still shows that the token
> > > >> authorized acting as B.  Is that not worth clarifying?
> > > >
> > > > My initial response was going to be "sure, I'll add some bits in sec 1.1 along
> > > > those lines to clarify that." However, as I look again at that section for good
> > > > opportunities to make such additions, I feel like it is already said that
> > > > impersonation is controlled.
> > > ...
> > > > So I think it already says that and I'm gonna have to flip it back and ask if
> > > > you have concrete suggestions for changes or additions that would say it more
> > > > clearly or more to your liking?
> > >
> > > It is mentioned, true, and that might be enough.  But given that Eve
> > > also replied that she would like more here, let me suggest something,
> > > the use of which is entirely optional -- take it, don't take it,
> > > modify it, riff on it, ignore it completely, as you think best.  What
> > > do you think about changing the last sentence of the paragraph?: "For
> > > all intents and purposes, when A is impersonating B, A is B within the
> > > rights context authorized by the token, which could be limited in
> > > scope or time, or by a one-time-use restriction."
> > >
> >
> > Sure, I think that or some slight modification thereof can work just fine.
> > I'll do that and get it and the rest of these changes published when the
> > I-D submission embargo is lifted for Montreal.
>
> My brain is apparently storming and not sleeping.  Another option for
> consideration is to have two sentences:
>
> For all intents and purposes, when A is impersonating B, A is B within the
> rights context authorized by the token.  A's ability to impersonate B could
> be limited in scope or time, or even with a one-time-use restriction,
> whether via the contents of the token or an out-of-band mechanism.
>
> -Ben
>
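The limits the thread lists for an impersonation token (scope, lifetime, one-time use) and the accountability point (an audit record that the token authorized acting as B), as an added illustration that is not part of this thread or of the token-exchange draft: a resource-server check in Python with constructed claims; the claim names and the `ResourceServer` class are assumptions, not anything the draft defines.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ImpersonationToken:
    """Constructed claims of a token that lets A act as B (hypothetical layout)."""
    sub: str            # the impersonated party, B
    scope: frozenset    # what acting as B is allowed to touch
    exp: int            # expiry, seconds since the epoch
    jti: str            # token identifier, used for audit and replay tracking
    one_time: bool      # constructed flag: token may authorize one request only

@dataclass
class ResourceServer:
    """Enforces the token's limits and records that the token authorized acting as B."""
    used_jtis: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def authorize(self, token: ImpersonationToken, required_scope: str, now: int) -> bool:
        # Time limit: "A is B" only while the token is valid.
        if now >= token.exp:
            return self._record(token, required_scope, "denied: expired")
        # Scope limit: B's address book, say, but not B's email.
        if required_scope not in token.scope:
            return self._record(token, required_scope, "denied: scope")
        # One-time-use limit: a second use of the same jti is a replay.
        if token.one_time:
            if token.jti in self.used_jtis:
                return self._record(token, required_scope, "denied: replayed")
            self.used_jtis.add(token.jti)
        return self._record(token, required_scope, "allowed")

    def _record(self, token, required_scope, result) -> bool:
        # Accountability: every decision names the token and the identity it acts as.
        self.audit_log.append({"jti": token.jti, "acting_as": token.sub,
                               "scope": required_scope, "result": result})
        return result == "allowed"

def demo() -> list:
    """Constructed walk-through: one-time token for B's address book, valid 10 minutes."""
    rs = ResourceServer()
    tok = ImpersonationToken(sub="B", scope=frozenset({"addressbook"}),
                             exp=1000 + 600, jti="constructed-jti-1", one_time=True)
    rs.authorize(tok, "addressbook", now=1000)   # allowed
    rs.authorize(tok, "addressbook", now=1001)   # denied: replayed
    rs.authorize(tok, "email", now=1002)         # denied: scope
    rs.authorize(tok, "addressbook", now=1700)   # denied: expired
    return rs.audit_log
```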
