IETF Logo Mail Archive

Re: [OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-access-token-jwt-12: (with COMMENT)

Vittorio Bertocci <vittorio.bertocci@auth0.com> Wed, 14 April 2021 07:18 UTC

Return-Path: <vittorio.bertocci@auth0.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD8C13A117B for <oauth@ietfa.amsl.com>; Wed, 14 Apr 2021 00:18:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auth0.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WrdfN2Mg2VVL for <oauth@ietfa.amsl.com>; Wed, 14 Apr 2021 00:18:53 -0700 (PDT)
Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com [IPv6:2607:f8b0:4864:20::42e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5420E3A111C for <oauth@ietf.org>; Wed, 14 Apr 2021 00:18:53 -0700 (PDT)
Received: by mail-pf1-x42e.google.com with SMTP id p67so8187186pfp.10 for <oauth@ietf.org>; Wed, 14 Apr 2021 00:18:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=google; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language :content-transfer-encoding:mime-version; bh=1yG4WqoPLmPG14Ybtj3JjqltXcJU+8FicDYGlfptpgs=; b=PhBRI7zmDc+fFFIXroSbfZzHXAm5UFO06xftI/bXyiWrtx3akrYha9uq0bbDBe00w6 4x7d8jp+CUh/Jz3DAUPfdZSpfP5Uv7yLzbuzWCfaMEvFvHOjQ2znrnv7OGPjWPAVd9qd aswgPtjOPB+lnRT+DF4iWxrqm0vf1EVYOvC0rp9SRTLe2tS6Dalz9gOKcRxsa5avlMPe kmEq0ClJPi0qYxCtgMAiOHggM2BsnppN8kXRi84scGOropAwOHQCDjhLIEw3pqgInpaN fZpEJynU8FHU3F/yUYWKLjANVj3VxSPV2Tks2HOzEbzRFlQVM/UfLCrmLU61O3+Bo5Zg +3kQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:content-transfer-encoding:mime-version; bh=1yG4WqoPLmPG14Ybtj3JjqltXcJU+8FicDYGlfptpgs=; b=onycpwygejh+ypL7+wi8rh+5j+1gZ1jDGMZ4A5BMbfwOI5FnQ3s6GFO9ncUpKnzz+r gweTmkUKKNqDtV/5AtbYsSQ3Q3A6FW5lOWPAqVTzPp3+3Urixu+lMYsvQ8OOyh2x6b4m vz3LJdATY6/exqCWhwtD1+MN1X3VYZU7QVEQjHrvIK0TyJWGhVLcAoVPztJzLPRfcaBw gTG7eY1xacBb6EjXpMtpLMEBAGilYki3yEcb6vJLbRySJaKkfc4Dj+YwjFbTo8baFxr6 +yaOWedpPZWxa8g9zV3SIRC6OB72Nqy7d8IV3ijuPk+ui9dXfJxXxiT5Alw4LqBMCBtd MItg==
X-Gm-Message-State: AOAM53295f6ipzBKIDj0MVB5hinK9s3GRTPH3wOSSW4bX/dsGgtcFKJn MIppbKD9ukBWggMDq1bNCU2WkQ==
X-Google-Smtp-Source: ABdhPJz5s1r7fqRc9lln9RC9B12dtMoq45C5cW535FvZI1TDwD/VBSo89eG10AHbWwsIi88a3uHSQQ==
X-Received: by 2002:a63:43c2:: with SMTP id q185mr35424598pga.41.1618384731358; Wed, 14 Apr 2021 00:18:51 -0700 (PDT)
Received: from CO6PR18MB4052.namprd18.prod.outlook.com ([2603:1036:301:402a::5]) by smtp.gmail.com with ESMTPSA id w1sm16348598pgh.26.2021.04.14.00.18.50 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 14 Apr 2021 00:18:50 -0700 (PDT)
From: Vittorio Bertocci <vittorio.bertocci@auth0.com>
To: Murray Kucherawy <superuser@gmail.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-oauth-access-token-jwt@ietf.org" <draft-ietf-oauth-access-token-jwt@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, Hannes Tschofenig <hannes.tschofenig@arm.com>
Thread-Topic: Murray Kucherawy's No Objection on draft-ietf-oauth-access-token-jwt-12: (with COMMENT)
Thread-Index: ATUxNDgwYmwhajVWzfY8mwnpZvepcMP/lGTY
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Wed, 14 Apr 2021 07:18:50 +0000
Message-ID: <CO6PR18MB4052516F8420BBF956A5992FAE4E9@CO6PR18MB4052.namprd18.prod.outlook.com>
References: <161786294101.28888.16150454715315694485@ietfa.amsl.com>
In-Reply-To: <161786294101.28888.16150454715315694485@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-Exchange-Organization-SCL: -1
X-MS-TNEF-Correlator:
X-MS-Exchange-Organization-RecordReviewCfmType: 0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NCTIaonSjXonOYSXE8LTyt7y4sQ>
Subject: Re: [OAUTH-WG] Murray Kucherawy's No Objection on draft-ietf-oauth-access-token-jwt-12: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Apr 2021 07:19:00 -0000

Hi Murray,
Thank you for your comments! Answers inline

>   My co-AD pretty much nailed it.   I would go further and say that her comment
>    about "Why is this only SHOULD?" applies to a lot of the SHOULDs in here. 
>    SHOULD presents a choice; why might an implementer reasonably not do any of the
>    SHOULD things in here?
In line of principle, I agree- but that's where the consensus brought us. Many of the SHOULD you see in the current draft actually started as MUST, and the discussion drove toward them being relaxed. The technology we are trying to standardize here has been in production use for many years, hence there's a wealth of real world scenarios that influenced the debate.
For a more precise discussion, we should select specific instances: but for an example of typical circumstances that led toward SHOULD, the case discussed with Francesca is pretty typical.

>For readability, I suggest that the three registrations packed into Section
 >   7.2.1 be separated somehow, as right now they appear to be one continuous
 >   bullet list.  Separate subsections would work, or even just a line of prose
 >   before each would suffice.
Great suggestion, thank you! I added sections for improved readability.

>    The first half of the second paragraph of Section 6 seems much more like an
>    interoperability issue than a privacy issue to me.
I agree that, taken in isolation, the connection to privacy of that aspect is not immediately self-evident. I would argue it is not about interop either, given that noncompliance with the guidance given there doesn’t impact what's transmitted. Nonetheless, I believe the privacy section is the closest match we have for that guidance, given its many touch points to privacy matters (the ability of a client to inspect ATs is a privacy concern; the decision to use a JWT ATs, which ultimately makes spelling out the guidance necessary, is influenced by privacy considerations; and so on and so forth). In sum, although I agree it's not a perfect fit, I think that's the best fit we have; and given that consolidating consensus for that part has been particularly painful, I am inclined to leave that part as is.   


On 4/7/21, 23:22, "Murray Kucherawy via Datatracker" <noreply@ietf.org> wrote:

    Murray Kucherawy has entered the following ballot position for
    draft-ietf-oauth-access-token-jwt-12: No Objection
    
    When responding, please keep the subject line intact and reply to all
    email addresses included in the To and CC lines. (Feel free to cut this
    introductory paragraph, however.)
    
    
    Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
    for more information about IESG DISCUSS and COMMENT positions.
    
    
    The document, along with other ballot positions, can be found here:
    https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/
    
    
    
    ----------------------------------------------------------------------
    COMMENT:
    ----------------------------------------------------------------------
    
    My co-AD pretty much nailed it.   I would go further and say that her comment
    about "Why is this only SHOULD?" applies to a lot of the SHOULDs in here. 
    SHOULD presents a choice; why might an implementer reasonably not do any of the
    SHOULD things in here?
    
    For readability, I suggest that the three registrations packed into Section
    7.2.1 be separated somehow, as right now they appear to be one continuous
    bullet list.  Separate subsections would work, or even just a line of prose
    before each would suffice.
    
    The first half of the second paragraph of Section 6 seems much more like an
    interoperability issue than a privacy issue to me.

v2.23.0 | Report a Bug | By Email