IETF Logo Mail Archive

Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Sun, 21 July 2019 04:28 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1D261200F5; Sat, 20 Jul 2019 21:28:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zjffAVZPY9iW; Sat, 20 Jul 2019 21:28:49 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB43C1200EF; Sat, 20 Jul 2019 21:28:48 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x6L4SgG4029680 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 21 Jul 2019 00:28:44 -0400
Date: Sat, 20 Jul 2019 23:28:41 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: Barry Leiba <barryleiba@computer.org>, oauth-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-oauth-token-exchange@ietf.org, oauth <oauth@ietf.org>
Message-ID: <20190721042841.GX23137@kduck.mit.edu>
References: <156348397007.8464.8217832087905511031.idtracker@ietfa.amsl.com> <CA+k3eCQR_yVZJdw0CmPL0qVCA3S0x5gZAr6_BwvDrZDW0NOPWA@mail.gmail.com> <CALaySJJ3chNzsJvWgTpg-6GudK8ot=D8Fvguyr=kpFuiVWLSPw@mail.gmail.com> <CA+k3eCR4yxwo1yGpjWHxjcs+=b3VAdJDsF-RZDSTTDArgGi3ew@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CA+k3eCR4yxwo1yGpjWHxjcs+=b3VAdJDsF-RZDSTTDArgGi3ew@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NVXgriH6W5Cj9wurbM0pMgan55I>
Subject: Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jul 2019 04:28:50 -0000

On Fri, Jul 19, 2019 at 10:05:57AM -0600, Brian Campbell wrote:
> On Fri, Jul 19, 2019 at 8:31 AM Barry Leiba <barryleiba@computer.org> wrote:
> 
> >
> > >> — Section 1.1 —
> > >> Given the extensive discussion of impersonation here, what strikes me as
> > >> missing is pointing out that impersonation here is still controlled,
> > that “A is
> > >> B” but only to the extent that’s allowed by the token.  First, it might
> > be
> > >> limited by number of instances (one transaction only), by time of day
> > (only for
> > >> 10 minutes), and by scope (in regard to B’s address book, but not B’s
> > email).
> > >> Second, there is accountability: audit information still shows that the
> > token
> > >> authorized acting as B.  Is that not worth clarifying?
> > >
> > > My initial response was going to be "sure, I'll add some bits in sec 1.1
> > along those lines to clarify
> > > that." However, as I look again at that section for good opportunities
> > to make such additions, I feel
> > > like it is already said that impersonation is controlled.
> > ...
> > > So I think it already says that and I'm gonna have to flip it back and
> > ask if you have concrete
> > > suggestions for changes or additions that would say it more clearly or
> > more to your liking?
> >
> > It is mentioned, true, and that might be enough.  But given that Eve
> > also replied that she would like more here, let me suggest something,
> > the use of which is entirely optional -- take it, don't take it,
> > modify it, riff on it, ignore it completely, as you think best.  What
> > do you think about changing the last sentence of the paragraph?: "For
> > all intents and purposes, when A is impersonating B, A is B within the
> > rights context authorized by the token, which could be limited in
> > scope or time, or by a one-time-use restriction."
> >
> 
> Sure, I think that or some slight modification thereof can work just fine.
> I'll do that and get it and the rest of these changes published when the
> I-D submission embargo is lifted for Montreal.

My brain is apparntly storming and not sleeping.  Another option for
consideration, is to have two sentences:

For all intents and purposes, when A is impersonating B, A is B within the
rights context authorized by the token.  A's ability to impersonate B could
be limited in scope or time, or even with a one-time-use restriction,
whether via the contents of the token or an out-of-band mechanism.

-Ben

v2.23.0 | Report a Bug | By Email