[OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

"Richard Barnes" <rlb@ipv.sx> Thu, 16 October 2014 03:47 UTC

From: Richard Barnes <rlb@ipv.sx>
To: The IESG <iesg@ietf.org>
Message-ID: <20141016034735.18695.61014.idtracker@ietfa.amsl.com>
Date: Wed, 15 Oct 2014 20:47:35 -0700
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/MrdoWzUruBX3ox4-OB9jCVAzz5Y
Cc: draft-ietf-oauth-assertions@tools.ietf.org, oauth-chairs@tools.ietf.org, oauth@ietf.org
Subject: [OAUTH-WG] Richard Barnes' Discuss on draft-ietf-oauth-assertions-17: (with DISCUSS and COMMENT)

Richard Barnes has entered the following ballot position for
draft-ietf-oauth-assertions-17: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
http://datatracker.ietf.org/doc/draft-ietf-oauth-assertions/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

"The assertion MUST contain an Audience that identifies the Authorization
Server as the intended audience.  Assertions that do not identify the
Authorization Server as an intended audience MUST be rejected."

Could you please identify the threat model within which this "MUST" is
required?  This requirement doesn't follow from any of the threats
elaborated in Section 8.

The Audience is only necessary if the Issuer wishes to constrain the set
of Authorization Servers with which an assertion may be used.  So ISTM
that this should be "MAY contain..."


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

"keyed message digest" -> "Message Authentication Code"

That's the proper terminology [RFC4949], especially since there are MACs
that are not based on digests.

"This mechanism provides additional security properties." -- Please
delete this or elaborate on what security properties it provides.

Section 8.2 should note that "Holder-of-Key Assertions" are also a
mitigation for this risk.
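The Audience check that the DISCUSS above argues about, as an added example that is not part of this ballot, the draft, or any IETF or OAuth WG code. It shows what the "MUST contain an Audience" rule enforces at the Authorization Server: one assertion is issued for AS_A and then presented to AS_B, and the audience check is the only thing that rejects it, since the MAC, issuer and expiry all still verify. The issuer and AS identifiers and the shared key are constructed values, and the assertion is protected with HMAC-SHA256 (an HS256 JWT) purely for brevity; a real deployment would more likely use a digital signature, but the audience logic is the same. Note the caveat this illustrates: whenever the issuer's key (or a public key) is trusted by more than one AS, an assertion that carries no audience restriction is replayable across them, which is the threat the requirement closes.

```python
"""Added example (not from the ballot or the draft): a minimal JWT-style
assertion issuer and Authorization-Server-side validator, standard library
only.  Identifiers and the key below are constructed for the example."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Union

# Constructed sample values (assumptions for the example, not from the draft).
ISSUER = "https://idp.example.net"
AS_A = "https://as-a.example.com/token"
AS_B = "https://as-b.example.com/token"
SHARED_KEY = b"constructed-shared-key-for-the-example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(subject: str, audience: Union[str, list], key: bytes,
                    lifetime: int = 300, now: Optional[int] = None) -> str:
    """Issuer side: build a compact JWT protected by an HMAC-SHA256 MAC (HS256)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": audience,
              "exp": now + lifetime, "iat": now}
    signing_input = ".".join(
        _b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def validate_assertion(token: str, expected_issuer: str, my_identifier: str,
                       key: bytes, now: Optional[int] = None) -> dict:
    """AS side: verify the MAC, issuer and expiry, then require that this AS
    is one of the intended audiences.  Raises ValueError naming the failure."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, m64 = token.split(".")
    except ValueError:
        raise ValueError("malformed assertion")
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: never let the token's own 'alg' choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h64 + "." + c64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(m64)):
        raise ValueError("bad MAC")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    # The Audience check under discussion: 'aud' may be a string or a list,
    # and this AS's own identifier must appear in it.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if my_identifier not in audiences:
        raise ValueError("audience mismatch")
    return claims


def replay_outcome(now: int = 1_700_000_000) -> dict:
    """Issue one assertion addressed to AS_A and present it to both servers."""
    token = issue_assertion("alice", AS_A, SHARED_KEY, now=now)
    results = {}
    for name, as_id in (("AS_A", AS_A), ("AS_B", AS_B)):
        try:
            validate_assertion(token, ISSUER, as_id, SHARED_KEY, now=now)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    print(replay_outcome())
```

Running the script prints that AS_A accepts the assertion and AS_B rejects it with "audience mismatch". Dropping the audience check (or issuing with no `aud` and treating that as "any server") makes AS_B accept the same token, which is exactly the cross-server replay an Audience-less assertion permits when the issuer's key is trusted by more than one AS.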