Re: [OAUTH-WG] Privacy Considerations section in OAuth 2.1?
Denis <denis.ietf@free.fr> Tue, 11 August 2020 14:44 UTC
From: Denis <denis.ietf@free.fr>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Cc: oauth <oauth@ietf.org>
Date: Tue, 11 Aug 2020 16:43:51 +0200
Message-ID: <762bc6d7-eddc-e417-9bd3-da33a82a3733@free.fr>
In-Reply-To: <CA+k3eCReGMCBk3fH1NxP=2ZRUDvi+cVE7ncKUgx=9Su3dTCeWg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NaBP9hTl13ZVVLcEGom2uMfQtWs>

OAuth 2.0 and the OAuth 2.1 draft share a common point: they do not include a Privacy Considerations section. This is "normal" for OAuth 2.0, since RFC 6749 was published before RFC 6973 ever existed. RFC 6973 is a good guidance document that should be read and used to add a Privacy Considerations section to the OAuth 2.1 draft.

Denis

> I didn't have the reference offhand during the meeting today, but https://tools.ietf.org/html/rfc6973 looks to be a good source of considerations for writing privacy considerations. As I mentioned, I've written a number of such sections. Though these probably shouldn't be considered exemplary, they were published:
> https://tools.ietf.org/html/rfc8707#section-4,
> https://tools.ietf.org/html/rfc8705#section-8,
> https://tools.ietf.org/html/rfc8693#section-6,
> https://tools.ietf.org/html/rfc7523#section-7,
> https://tools.ietf.org/html/rfc7522#section-7, and
> https://tools.ietf.org/html/rfc7521#section-8.4.
>
> I think including a pragmatic Privacy Considerations section in the OAuth 2.1 draft could be worthwhile.
>
> On Mon, Aug 10, 2020 at 10:42 AM Dick Hardt <dick.hardt@gmail.com> wrote:
>
> In the PAR meeting today, Denis requested there be a privacy considerations section in PAR. I don't think there is anything specific in PAR that would change the privacy considerations of OAuth, and am checking if there is WG interest, and consensus, on including a Privacy Considerations section in the OAuth 2.1 draft.
>
> /Dick