Re: [OAUTH-WG] Privacy Considerations section in OAuth 2.1?

Denis <denis.ietf@free.fr> Tue, 11 August 2020 14:44 UTC

To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Cc: oauth <oauth@ietf.org>
References: <CAD9ie-uPT3Yp12gkkUaBEEwEc3P9uGdQpHTVPypf7gaescwKOw@mail.gmail.com> <CA+k3eCReGMCBk3fH1NxP=2ZRUDvi+cVE7ncKUgx=9Su3dTCeWg@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <762bc6d7-eddc-e417-9bd3-da33a82a3733@free.fr>
Date: Tue, 11 Aug 2020 16:43:51 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NaBP9hTl13ZVVLcEGom2uMfQtWs>
Subject: Re: [OAUTH-WG] Privacy Considerations section in OAuth 2.1?

OAuth 2.0 and the OAuth 2.1 draft share a common point: they do not 
include a Privacy Considerations section.

This is "normal" for OAuth 2.0 since RFC 6749 was published before RFC 
6973 ever existed.

RFC 6973 is a good guidance document that should be read and used to add 
a Privacy Considerations section to the OAuth 2.1 draft.

Denis


> I didn't have the reference offhand during the meeting today but 
> https://tools.ietf.org/html/rfc6973 looks to be a good source of 
> considerations for writing privacy considerations. As I mentioned, 
> I've written a number of such sections. Though these probably 
> shouldn't be considered exemplary they were published: 
> https://tools.ietf.org/html/rfc8707#section-4, 
> https://tools.ietf.org/html/rfc8705#section-8, 
> https://tools.ietf.org/html/rfc8693#section-6, 
> https://tools.ietf.org/html/rfc7523#section-7, 
> https://tools.ietf.org/html/rfc7522#section-7, and 
> https://tools.ietf.org/html/rfc7521#section-8.4.
>
> I think including a pragmatic Privacy Considerations section in the 
> OAuth 2.1 draft could be worthwhile.
>
> On Mon, Aug 10, 2020 at 10:42 AM Dick Hardt <dick.hardt@gmail.com 
> <mailto:dick.hardt@gmail.com>> wrote:
>
>     In the PAR meeting today, Denis requested there be a privacy
>     considerations section in PAR. I don't think there is anything
>     specific in PAR that would change the privacy considerations of
>     OAuth, and am checking if there is WG interest, and consensus, on
>     including a Privacy Considerations section in the OAuth 2.1 draft.
>
>     /Dick
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>