Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)

Barry Leiba <barryleiba@computer.org> Sun, 21 July 2019 16:31 UTC

References: <156348397007.8464.8217832087905511031.idtracker@ietfa.amsl.com> <CA+k3eCQR_yVZJdw0CmPL0qVCA3S0x5gZAr6_BwvDrZDW0NOPWA@mail.gmail.com> <CALaySJJ3chNzsJvWgTpg-6GudK8ot=D8Fvguyr=kpFuiVWLSPw@mail.gmail.com> <CA+k3eCR4yxwo1yGpjWHxjcs+=b3VAdJDsF-RZDSTTDArgGi3ew@mail.gmail.com> <20190721042841.GX23137@kduck.mit.edu> <CA+k3eCTB9hpmQvEnAHOV11w5tY6gKcedTD6mBXE=DzZk_o=fmA@mail.gmail.com> <CA+k3eCQqdPLcf1rUWnhh14L00PzvcTNwtF8VHTtj_WJac8NhWQ@mail.gmail.com>
In-Reply-To: <CA+k3eCQqdPLcf1rUWnhh14L00PzvcTNwtF8VHTtj_WJac8NhWQ@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Sun, 21 Jul 2019 12:31:04 -0400
Message-ID: <CALaySJLCDU3dZQ3hA02tgBTW0NRFsc0RJfb0AHD82aAzxv-jRQ@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, oauth-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-oauth-token-exchange@ietf.org, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/MGVXHeukVPc6WlvEO2ltsvGDdkA>
Subject: Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)

Thanks, Brian!

Barry

On Sun, Jul 21, 2019 at 11:43 AM Brian Campbell
<bcampbell@pingidentity.com> wrote:
>
> https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-19 has been published with the updates discussed in this thread.
>
> On Sun, Jul 21, 2019 at 6:14 AM Brian Campbell <bcampbell@pingidentity.com> wrote:
>>
>> That works for me.
>>
>> On Sat, Jul 20, 2019 at 10:28 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
>>>
>>> On Fri, Jul 19, 2019 at 10:05:57AM -0600, Brian Campbell wrote:
>>> > On Fri, Jul 19, 2019 at 8:31 AM Barry Leiba <barryleiba@computer.org> wrote:
>>> >
>>> > >
>>> > > >> — Section 1.1 —
>>> > > >> Given the extensive discussion of impersonation here, what strikes me as
>>> > > >> missing is pointing out that impersonation here is still controlled, that “A is
>>> > > >> B” but only to the extent that’s allowed by the token.  First, it might be
>>> > > >> limited by number of instances (one transaction only), by time of day (only for
>>> > > >> 10 minutes), and by scope (in regard to B’s address book, but not B’s email).
>>> > > >> Second, there is accountability: audit information still shows that the token
>>> > > >> authorized acting as B.  Is that not worth clarifying?
>>> > > >
>>> > > > My initial response was going to be "sure, I'll add some bits in sec 1.1 along those lines to clarify
>>> > > > that." However, as I look again at that section for good opportunities to make such additions, I feel
>>> > > > like it is already said that impersonation is controlled.
>>> > > ...
>>> > > > So I think it already says that and I'm gonna have to flip it back and ask if you have concrete
>>> > > > suggestions for changes or additions that would say it more clearly or more to your liking?
>>> > >
>>> > > It is mentioned, true, and that might be enough.  But given that Eve
>>> > > also replied that she would like more here, let me suggest something,
>>> > > the use of which is entirely optional -- take it, don't take it,
>>> > > modify it, riff on it, ignore it completely, as you think best.  What
>>> > > do you think about changing the last sentence of the paragraph?: "For
>>> > > all intents and purposes, when A is impersonating B, A is B within the
>>> > > rights context authorized by the token, which could be limited in
>>> > > scope or time, or by a one-time-use restriction."
>>> > >
>>> >
>>> > Sure, I think that or some slight modification thereof can work just fine.
>>> > I'll do that and get it and the rest of these changes published when the
>>> > I-D submission embargo is lifted for Montreal.
>>>
>>> My brain is apparently storming and not sleeping.  Another option for
>>> consideration, is to have two sentences:
>>>
>>> For all intents and purposes, when A is impersonating B, A is B within the
>>> rights context authorized by the token.  A's ability to impersonate B could
>>> be limited in scope or time, or even with a one-time-use restriction,
>>> whether via the contents of the token or an out-of-band mechanism.
>>>
>>> -Ben
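An added example, not from the draft and not from anyone in this thread, of what the sentence under discussion means on the resource-server side: an impersonation token that makes A be B "within the rights context authorized by the token", where that context is limited by scope, by a validity window, and by a one-time-use restriction, and where every decision leaves an audit record showing that the token authorized acting as B. The claims dict is a constructed stand-in for an already signature-verified JWT; `jti`, `sub`, `scope`, `iat` and `exp` are standard claim names, while `one_time_use` is an assumed claim name chosen here to represent an in-token single-use restriction (the thread also allows an out-of-band mechanism, which is not modelled).

```python
from dataclasses import dataclass, field

# Constructed sample: an impersonation token that lets client A act as user B.
# The dict stands in for the claims of a JWT whose signature has already been
# verified; "one_time_use" is an assumed claim name, not one the spec defines.
SAMPLE_TOKEN = {
    "jti": "tok-0001",              # constructed token identifier
    "sub": "B",                     # A is B for all intents and purposes ...
    "scope": "addressbook:read",    # ... but only within this rights context
    "iat": 1_000_000,
    "exp": 1_000_600,               # valid for 10 minutes after issuance
    "one_time_use": True,           # single-transaction restriction
}


@dataclass
class ImpersonationEnforcer:
    """Resource-server side enforcement of an impersonation token's limits."""
    used_jtis: set = field(default_factory=set)    # replay cache for one-time-use tokens
    audit_log: list = field(default_factory=list)  # accountability trail

    def authorize(self, claims: dict, required_scope: str, now: int):
        """Decide whether `claims` authorize `required_scope` at time `now`.

        Returns (allowed, reason). An audit entry is appended on every call,
        naming the token and the principal it authorized acting as, so a later
        review sees that A acted as B under token `jti`, not that B acted alone.
        """
        reason = "ok"
        if now < claims.get("iat", 0):
            reason = "token not yet valid"
        elif now >= claims["exp"]:
            reason = "token expired"
        elif required_scope not in claims.get("scope", "").split():
            reason = "scope not authorized"
        elif claims.get("one_time_use") and claims["jti"] in self.used_jtis:
            reason = "token already used"

        allowed = reason == "ok"
        # Consume the token only on success, so a request rejected for scope or
        # timing does not burn a one-time-use token before its legitimate use.
        if allowed and claims.get("one_time_use"):
            self.used_jtis.add(claims["jti"])

        self.audit_log.append({
            "token": claims["jti"],
            "acting_as": claims["sub"],
            "requested_scope": required_scope,
            "at": now,
            "decision": reason,
        })
        return allowed, reason


if __name__ == "__main__":
    enforcer = ImpersonationEnforcer()
    # First use inside the window and scope: allowed, token is now consumed.
    print(enforcer.authorize(SAMPLE_TOKEN, "addressbook:read", now=1_000_100))  # (True, 'ok')
    # Same token again: the one-time-use restriction rejects it.
    print(enforcer.authorize(SAMPLE_TOKEN, "addressbook:read", now=1_000_100))  # (False, 'token already used')
    # B's email was never in the rights context, whatever the time.
    print(enforcer.authorize(SAMPLE_TOKEN, "email:read", now=1_000_100))        # (False, 'scope not authorized')
    for entry in enforcer.audit_log:
        print(entry)
```

The ordering of the checks is deliberate: time and scope are evaluated before the replay cache is consulted or updated, so the single-use marker is only set when the token actually authorized something, and the audit log records the denied attempts alongside the granted one.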