Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Sun, 21 July 2019 04:28 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1D261200F5; Sat, 20 Jul 2019 21:28:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zjffAVZPY9iW; Sat, 20 Jul 2019 21:28:49 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB43C1200EF; Sat, 20 Jul 2019 21:28:48 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x6L4SgG4029680 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 21 Jul 2019 00:28:44 -0400
Date: Sat, 20 Jul 2019 23:28:41 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: Barry Leiba <barryleiba@computer.org>, oauth-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-oauth-token-exchange@ietf.org, oauth <oauth@ietf.org>
Message-ID: <20190721042841.GX23137@kduck.mit.edu>
References: <156348397007.8464.8217832087905511031.idtracker@ietfa.amsl.com> <CA+k3eCQR_yVZJdw0CmPL0qVCA3S0x5gZAr6_BwvDrZDW0NOPWA@mail.gmail.com> <CALaySJJ3chNzsJvWgTpg-6GudK8ot=D8Fvguyr=kpFuiVWLSPw@mail.gmail.com> <CA+k3eCR4yxwo1yGpjWHxjcs+=b3VAdJDsF-RZDSTTDArgGi3ew@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CA+k3eCR4yxwo1yGpjWHxjcs+=b3VAdJDsF-RZDSTTDArgGi3ew@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NVXgriH6W5Cj9wurbM0pMgan55I>
Subject: Re: [OAUTH-WG] Barry Leiba's No Objection on draft-ietf-oauth-token-exchange-18: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jul 2019 04:28:50 -0000
On Fri, Jul 19, 2019 at 10:05:57AM -0600, Brian Campbell wrote: > On Fri, Jul 19, 2019 at 8:31 AM Barry Leiba <barryleiba@computer.org> wrote: > > > > > >> — Section 1.1 — > > >> Given the extensive discussion of impersonation here, what strikes me as > > >> missing is pointing out that impersonation here is still controlled, > > that “A is > > >> B” but only to the extent that’s allowed by the token. First, it might > > be > > >> limited by number of instances (one transaction only), by time of day > > (only for > > >> 10 minutes), and by scope (in regard to B’s address book, but not B’s > > email). > > >> Second, there is accountability: audit information still shows that the > > token > > >> authorized acting as B. Is that not worth clarifying? > > > > > > My initial response was going to be "sure, I'll add some bits in sec 1.1 > > along those lines to clarify > > > that." However, as I look again at that section for good opportunities > > to make such additions, I feel > > > like it is already said that impersonation is controlled. > > ... > > > So I think it already says that and I'm gonna have to flip it back and > > ask if you have concrete > > > suggestions for changes or additions that would say it more clearly or > > more to your liking? > > > > It is mentioned, true, and that might be enough. But given that Eve > > also replied that she would like more here, let me suggest something, > > the use of which is entirely optional -- take it, don't take it, > > modify it, riff on it, ignore it completely, as you think best. What > > do you think about changing the last sentence of the paragraph?: "For > > all intents and purposes, when A is impersonating B, A is B within the > > rights context authorized by the token, which could be limited in > > scope or time, or by a one-time-use restriction." > > > > Sure, I think that or some slight modification thereof can work just fine. > I'll do that and get it and the rest of these changes published when the > I-D submission embargo is lifted for Montreal. My brain is apparntly storming and not sleeping. Another option for consideration, is to have two sentences: For all intents and purposes, when A is impersonating B, A is B within the rights context authorized by the token. A's ability to impersonate B could be limited in scope or time, or even with a one-time-use restriction, whether via the contents of the token or an out-of-band mechanism. -Ben
- [OAUTH-WG] Barry Leiba's No Objection on draft-ie… Barry Leiba via Datatracker
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Benjamin Kaduk
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Barry Leiba
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Eve Maler
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Brian Campbell
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Barry Leiba
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Brian Campbell
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Benjamin Kaduk
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Benjamin Kaduk
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Brian Campbell
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Brian Campbell
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… Barry Leiba
- Re: [OAUTH-WG] Barry Leiba's No Objection on draf… John Bradley